|
EssOEss posted:I recommend KeePass with Google Drive cloud sync of the password database. FolderSync works great on Android for this (the Drive app sync was pretty broken last time I tried it). No browser integration, just auto-type and clipboard on PC and the KeePass keyboard on Android. KeePass2Android syncs to Drive or Dropbox automatically, no need for another program to do it.
|
#
?
Oct 9, 2017 14:51
|
|
|
|
| # ? May 22, 2024 05:11 |
|
|
I quite like 'pass' - it runs on most Unix-likes, and has clients with UIs for the systems that it doesn't run on. Not-quite-ninja edit: Whoops, accidentally linked to the FreeBSD manpage; the project actually has its own website here. BlankSystemDaemon fucked around with this message at 15:10 on Oct 9, 2017 |
|
#
?
Oct 9, 2017 15:08
|
|
|
Hey what about Lastp- 
|
|
#
?
Oct 9, 2017 15:17
|
|
|
Furism posted:Like people said I feel SMS 2FA is good enough for 99% of home users. The problem there is "good enough for what?" Flip it around because the user isn't the target, the service is. It's never acceptable for banks or financial institutions, buttcoin exchanges or Google login. Facespace maybe. Nobody is waiting for an exploit, they know how to already. They're just looking for someone to use it on.
|
|
#
?
Oct 9, 2017 15:21
|
|
|
https://twitter.com/gitlost Twitter that automatically posts git updates that contain swearing, it's p good https://twitter.com/gitlost/status/917132589894336514
|
|
#
?
Oct 9, 2017 15:33
|
|
|
Thermopyle posted:KeePass2Android syncs to Drive or Dropbox automatically, no need for another program to do it. I remember I tried it but there was some reason I did not use the builtin stuff but I have totally forgotten what it was. Did it perhaps require network connectivity (it did not sync, just downloaded from Drive)?
|
|
#
?
Oct 9, 2017 15:36
|
|
|
EssOEss posted:I remember I tried it but there was some reason I did not use the builtin stuff but I have totally forgotten what it was. Did it perhaps require network connectivity (it did not sync, just downloaded from Drive)? It works offline and when it has connectivity it does a sync. I always had problems with using it and Drive though. I don't remember the exact issue, but I think it had something to do with how Drive handles changes to files whose names haven't changed. There's something you should do if you ever edit your database on your phone. (maybe the problems I was having with Drive were before I set up the triggers mentioned in that above link...I honestly can't recall what was going on now) The best part about using KeePass is that with the KeeAgent plugin, I can store my SSH keys in KeePass. When putty needs to connect to a server, KeePass asks for my KeePass password and automatically provides the key to putty. Thermopyle fucked around with this message at 16:31 on Oct 9, 2017 |
|
#
?
Oct 9, 2017 16:28
|
|
|
I seem to remember some of these anonymizing VPN providers being bad at keeping you actually anonymous but I can't remember any details or what the actual problem is (was?). Anyone know what I'm talking about? I'm asking because the following post in another thread made me think that I remembered something but I'm not sure... tzirean posted:I'm probably wrong, but this seems worse for privacy than typical VPNing. Instead of tracking your IP to a VPN service that doesn't keep specific logs, it's tracked to a cloud service that can happily hand over your exact details as the only user who could possibly have been at that IP at that time. Am I an idiot?
|
|
#
?
Oct 10, 2017 20:11
|
|
|
Thermopyle posted:I seem to remember some of these anonymizing VPN providers being bad at keeping you actually anonymous but I can't remember any details or what the actual problem is (was?). I don't remember reading anything specific, but in general there is so much other identifying information being broadcast by your web browser, that just using the internet from a different IP address isn't going to do a whole lot to keep you actually anonymous.
|
|
#
?
Oct 10, 2017 20:42
|
|
|
Thermopyle posted:I seem to remember some of these anonymizing VPN providers being bad at keeping you actually anonymous but I can't remember any details or what the actual problem is (was?). I was just reading through my RSS feeds and funnily enough this popped up. quote:Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,
|
|
#
?
Oct 10, 2017 20:48
|
|
|
https://arstechnica.com/tech-policy/2017/10/trumps-doj-tries-to-rebrand-weakened-encryption-as-responsible-encryption/Some jackbooted idiot posted:Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization. Such encryption already exists. Examples include the central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop. Nice shell game there trying make voluntary, opt-in key-escrow equivalent to mandated master-keys for government access.  you fascist.Fortunately, this is kind of like trying to put toothpaste back in the tube.
|
|
#
?
Oct 10, 2017 23:50
|
|
|
http://www.zdnet.com/article/accenture-left-a-huge-trove-of-client-passwords-on-exposed-servers/quote:Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which if stolen could allow an attacker full control over the company's encrypted data stored on Amazon's servers.
|
|
#
?
Oct 11, 2017 00:59
|
|
|
Proteus Jones posted:https://arstechnica.com/tech-policy/2017/10/trumps-doj-tries-to-rebrand-weakened-encryption-as-responsible-encryption/ Best possible counterargument: Would these keys be more or less important to keep secure than every American's credit history and identity details, the personnel information of every single government employee, or the NSA's most closely guarded secrets?
|
|
#
?
Oct 11, 2017 05:03
|
|
|
Thermopyle posted:I seem to remember some of these anonymizing VPN providers being bad at keeping you actually anonymous but I can't remember any details or what the actual problem is (was?).
|
|
#
?
Oct 11, 2017 08:15
|
|
|
Endless Septemper keeps on giving: A critical vulnerability has been identified in TPM 1.2 and 2.0.
|
|
#
?
Oct 11, 2017 14:44
|
|
|
|
|
#
?
Oct 11, 2017 14:49
|
|
|
Ahahaha every single system people use has vulnerabilities that have been used for years I can't wait for SSL's, it's gonna be glorious Also, I thought I'd posted this in this thread, but Outlook was without S/MIME for 6 months
|
|
#
?
Oct 11, 2017 15:05
|
|
|
And the best part is that the two updates Microsoft have published for the issue apparently cannot co-exist since a lot of machines have been breaking and the only fix being to remove KB4041691 with dism.exeorange sky posted:I can't wait for SSL's, it's gonna be glorious
|
|
#
?
Oct 11, 2017 15:07
|
|
|
Yeah, if you're using SSLv3/TLS1.0/1.1 you deserve whatever you get.
|
|
#
?
Oct 11, 2017 15:40
|
|
|
yeah my bad (and I'm not using any of those, not my responsibility)
|
|
#
?
Oct 11, 2017 15:47
|
|
|
I'm an rear end in a top hat, I know this, but I can't help correcting people who say SSL when they mean TLS. I even have a few slides in my training content just for that. If you mean TLS say TLS. You don't call SSH as Telnet, do you?
|
|
#
?
Oct 11, 2017 16:03
|
|
|
D. Ebdrup posted:Endless Septemper keeps on giving: A critical vulnerability has been identified in TPM 1.2 and 2.0. More more MORE
|
|
#
?
Oct 11, 2017 16:13
|
|
|
How Israel Caught Russian Hackers Scouring the World for U.S. Secrets Turns out "Kaspersky" is just Russian for botnet. 
|
|
#
?
Oct 11, 2017 16:43
|
|
|
Furism posted:If you mean TLS say TLS. You don't call SSH as Telnet, do you? Yeah but TLS 1.0 was basically a new (and not very different) version of SSL3, vs a totally new protocol for ssh/telnet.
|
|
#
?
Oct 11, 2017 17:27
|
|
|
Imagine the minds blown, when they figure out STARTTLS also works with SSL.
|
|
#
?
Oct 11, 2017 17:31
|
|
|
Furism posted:I'm an rear end in a top hat, I know this, but I can't help correcting people who say SSL when they mean TLS. I even have a few slides in my training content just for that. I do actually, at least in informal conversation. You've never heard someone say "Yeah I'll just telnet in from home" or whatever?
|
|
#
?
Oct 11, 2017 17:31
|
|
|
https://googleprojectzero.blogspot.ca/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html Another part is up, this is a super technical but absolutely fascinating read. quote:In this blog post well complete our goal of achieving remote kernel code execution on the iPhone 7, by means of Wi-Fi communication alone. Awesome poo poo imo
|
|
#
?
Oct 11, 2017 17:47
|
|
|
I'm just going to stop reading this thread. You guys give me anxiety / make me drink more.
|
|
#
?
Oct 11, 2017 17:49
|
|
|
Furism posted:I'm an rear end in a top hat, I know this, but I can't help correcting people who say SSL when they mean TLS. I even have a few slides in my training content just for that. While I agree with the general principle but people say telnet instead of ssh all the time. And whats wrong with tls1.1 at the moment? Theres an enormous number of IoT radio modules that only support 1.1 and will probably not ever get upgraded in the field.
|
|
#
?
Oct 11, 2017 18:02
|
|
|
Furism posted:I'm an rear end in a top hat, I know this, but I can't help correcting people who say SSL when they mean TLS. I even have a few slides in my training content just for that. I don't agree with that. Using either SSL or TLS you get a secure socket communication. The protocols are different yes, but the outcome is the same. The underlying protocol is only relevant to those that know the differences between the two, their flaws and strengths. SSH vs telnet for the average person is the same: secure vs insecure communication. How actually that is done ... pretty much irrelevant. Plus, even wikipedia agrees that in normal conversation people do refer to them as SSL: quote:Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network.
|
|
#
?
Oct 11, 2017 18:10
|
|
|
The crux of the matter is really that SSL rolls off the tongue far more easily than TLS. The latter is just uncomfortable to voice. Therefore, TLS shall be known as SSL until the end of days.
|
|
#
?
Oct 11, 2017 18:17
|
|
|
CLAM DOWN posted:https://googleprojectzero.blogspot.ca/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html hobbesmaster posted:Theres an enormous number of IoT radio modules that only support 1.1 and will probably not ever get upgraded in the field.
|
|
#
?
Oct 11, 2017 18:19
|
|
|
hobbesmaster posted:And whats wrong with tls1.1 at the moment? Theres an enormous number of IoT radio modules that only support 1.1 and will probably not ever get upgraded in the field.
|
|
#
?
Oct 11, 2017 18:23
|
|
|
I have a lot of confidence that there will be some real regulatory help and/or legal consequences for poo poo IoT security. hahahahhahaha
|
|
#
?
Oct 11, 2017 18:25
|
|
|
D. Ebdrup posted:Endless Septemper keeps on giving: A critical vulnerability has been identified in TPM 1.2 and 2.0. Microsoft's article says they'll put an event in the log if you're vulnerable. However, I don't think it works if you have generic drivers installed, because the WMI key never gets created, so the PowerShell script they run fails silently. Since Infineon doesn't give out drivers to end users, chances are good if you bought your computer before Windows 10 was a thing, you're running generic drivers and are probably vulnerable, even if it doesn't say you are. If you want to keep using BitLocker and don't mind entering a password or using a USB drive every time you start your system, do this:
|
|
#
?
Oct 11, 2017 19:58
|
|
|
CLAM DOWN posted:https://googleprojectzero.blogspot.ca/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html This owns. D. Ebdrup posted:Endless Septemper keeps on giving: A critical vulnerability has been identified in TPM 1.2 and 2.0. 
|
|
#
?
Oct 11, 2017 20:14
|
|
|
Internet Explorer posted:I'm just going to stop reading this thread. You guys give me anxiety / make me drink more. An rather accurate depiction of me going through this thread over the past month: https://www.youtube.com/watch?v=dZxVGBRq0oc
|
|
#
?
Oct 11, 2017 21:59
|
|
|
anthonypants posted:What's wrong with using admin/admin as a username/password? There's an enormous number of IoT devices that use hardcoded root credentials and will probably never get upgraded in the field. So theres no difference between using admin/admin as credentials and negotiating a tls1.1 session with TLS_RSA_WITH_AES_256_CBC_SHA?
|
|
#
?
Oct 11, 2017 22:13
|
|
|
SSL is SSL. TLS is TLS. If you're running into trouble keeping those separate in infosec, yer bad
|
|
#
?
Oct 11, 2017 22:46
|
|
|
|
| # ? May 22, 2024 05:11 |
|
|
So if nothing is secure anymore and the only thing separating you from being compromised is being targeted by a sufficiently determined entity, is security through obscurity "in" again? 
|
|
#
?
Oct 12, 2017 00:00
|
|
