in a well actually
Jan 26, 2011

dude, you gotta end it on the rhyme

Chris Knight posted:

would you like to make sec gently caress
researcher

Kazinsal
Dec 13, 2011

Chris Knight posted:

would you like to make sec gently caress
researcher

in a well actually
Jan 26, 2011

dude, you gotta end it on the rhyme

Alex out at fb, security split to product and infra lol

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

that’s how it was split until about 18 months ago, ish (I was on the infra side)

if it’s really split the way you say, I wonder where a few groups will end up!

flakeloaf
Feb 26, 2003

Still better than android clock

Chris Knight posted:

would you like to make sec gently caress
researcher

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

PCjr sidecar posted:

Alex out at fb, security split to product and infra lol

Alex says he’s still at FB. who will prevail?

FamDav
Mar 29, 2008

Subjunctive posted:

Alex says he’s still at FB. who will prevail?

i guess we'll see in august given nytimes said that's when he would be leaving

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

yeah, he hasn’t replied to my message yet. busy day I guess

Computer Serf
May 14, 2005
Buglord

http://eab.abime.net/showpost.php?p=51185&postcount=1


Chris Knight
Jun 5, 2002

me @ ur posts


Fun Shoe
rip stamos

https://twitter.com/bcrypt/status/975867714475515904

Raere
Dec 13, 2007

Found something worse than Keepass

https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/

quote:

"I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."

"Anybody who ever designed a login function on a website will likely see the red flag here," Palant says.

The flag Palant is referring to is the fact that the SHA-1 function has an iteration count of 1, meaning it's applied just once, while industry practices regard 10,000 as a solid minimum for this value, while applications like LastPass use values of 100,000.

...

A Mozilla bug tracker entry by Justin Dolske from nine years ago reported the same issue, soon after the master password feature's launch.

Dolske also pointed to the low iteration count of 1 as the master password's main problem. But despite the report, Mozilla did not take any official action for years.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
lol at the guy in the mozilla bugtracker who is confused about why he can't reopen the bug

Chris Knight
Jun 5, 2002

me @ ur posts


Fun Shoe
9 years jfc

apseudonym
Feb 25, 2011


That is nowhere near as bad as Keepass; you still have to do a second preimage attack

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

8-year-old me found this message irl while extracting the music from that game (mad professor mariarti) but never mentioned it to anyone at the time. So it feels slightly weird to see it become a meme and do the rounds online decades later thanks to TCRF and people on twitter who likely never played it or heard the music that contained that message or possibly were even born when it happened

Shame Boy
Mar 2, 2010

apseudonym posted:

That is nowhere near as bad as Keepass; you still have to do a second preimage attack

wait what is the thing wrong with keepass that everyone suddenly knows about but me :ohdear:

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

Subjunctive posted:

that’s how it was split until about 18 months ago, ish (I was on the infra side)

if it’s really split the way you say, I wonder where a few groups will end up!

https://www.nytimes.com/2018/03/19/technology/facebook-alex-stamos.html

this article says there are only 3 people left in his group. i wonder if he will stick it out for the full time he'd promised

apseudonym
Feb 25, 2011

ate all the Oreos posted:

wait what is the thing wrong with keepass that everyone suddenly knows about but me :ohdear:

Was it keepass that was bad? I can't keep password manager terribleness straight in my head

haveblue
Aug 15, 2005



Toilet Rascal

Chris Knight posted:

would you like to make sec gently caress
researcher

Achmed Jones
Oct 16, 2004



I think something happened with keeper recently but can’t remember. and lastpass of course has bad things happen p regularly. I’m guessing they got jumbled in somebody’s head somewhere and keepass was the result (which afaik is fine)

neutral milf hotel
Oct 9, 2001

by Fluffdaddy

Chris Knight posted:

would you like to make sec gently caress
researcher

:aaa:

Mo_Steel
Mar 7, 2008

Let's Clock Into The Sunset Together

Fun Shoe

apseudonym posted:

Was it keepass that was bad? I can't keep password manager terribleness straight in my head

pretty sure that was lastpass or 1pass

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl
jesus guys don't freak me out about keepass here

redleader
Aug 18, 2005

Engage according to operational parameters

Farmer Crack-Ass posted:

jesus guys don't freak me out about keepass here

apseudonym
Feb 25, 2011

Mo_Steel posted:

pretty sure that was lastpass or 1pass

my bad

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

https://twitter.com/Viss/status/975879337516806144

Shame Boy
Mar 2, 2010

as far as i know:

- keepass is One Of The Good Ones, though it's a bit clunky and you have to janitor your own files
- 1password is also One Of The Good Ones, has an actual design team so is nice to use but costs money
- Lastpass is a garbage fire
- Windows / OSX built in trust stores are Fine if you're into that sort of thing
- Everything else is worse than lastpass

did I get that right?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

ate all the Oreos posted:

as far as i know:

- keepass is One Of The Good Ones, though it's a bit clunky and you have to janitor your own files
- 1password is also One Of The Good Ones, has an actual design team so is nice to use but costs money
- Lastpass is a garbage fire
- Windows / OSX built in trust stores are Fine if you're into that sort of thing
- Everything else is worse than lastpass

did I get that right?
if you're a 1password user on windows and you need a local password vault your options are either the v4 client, last updated september of last year, or the v7 alpha client, which is seeing new releases almost weekly.

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

ate all the Oreos posted:

as far as i know:

- keepass is One Of The Good Ones, though it's a bit clunky and you have to janitor your own files
- 1password is also One Of The Good Ones, has an actual design team so is nice to use but costs money
- Lastpass is a garbage fire
- Windows / OSX built in trust stores are Fine if you're into that sort of thing
- Everything else is worse than lastpass

did I get that right?

You skipped 'password protected excel file' which is marginally better than all of these

Kazinsal
Dec 13, 2011

Optimus_Rhyme posted:

You skipped 'password protected excel file' which is marginally better than all of these

the mind boggles that this is actually relatively sound advice.

the horror.

the horror.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
and writing them down in a notebook is even better

VikingofRock
Aug 24, 2008




What is the yospinion on keybase? My teaching assistant union is looking for a way to centralize our online discussions, and I suggested Slack, but a couple of the more tech-minded people in the union think we should use keybase instead since it's end-to-end encrypted.

EssOEss
Oct 23, 2006
128-bit approved

VikingofRock posted:

My teaching assistant union

This does not sound like the sort of usage that requires an end-to-end encrypted security model. If you are not afraid of Slack Inc. misusing your secret communications, go with the popular nonfancypants option and use Slack like everyone in the world does.

VikingofRock
Aug 24, 2008




EssOEss posted:

This does not sound like the sort of usage that requires an end-to-end encrypted security model. If you are not afraid of Slack Inc. misusing your secret communications, go with the popular nonfancypants option and use Slack like everyone in the world does.

Yeah that's sort of what I was thinking. I feel like if our threat model is "the university administration, bad actors within the union, and maybe the campus police if we are planning a strike or something", then end-to-end encryption doesn't really do much to help against the threats we would face. But if our threat model is "the full force of the US government, or another state actor who wishes to keep tabs on their activist-y graduate students abroad", then we are screwed anyways because we aren't really trained to have very good cybersecurity practices and also anyone can join the union with basically no scrutiny so a state actor could probably just get an informant on the inside.

But I am not a security expert, so what do I know? I'm mostly worried that Keybase will be less user-friendly than Slack due to its nature, and so people just won't use it and we'll be stuck chaotically sending each other text messages and having huge noisy email chains for our organizing.

Wiggly Wayne DDS
Sep 11, 2010



yeah it's a good thing intel agencies don't have a history with unions

Wheany
Mar 17, 2006

Spinyahahahahahahahahahahahaha!

Doctor Rope

ate all the Oreos posted:

wait what is the thing wrong with keepass that everyone suddenly knows about but me :ohdear:

the only recent flaw in keepass that i'm aware of is that by default its iteration count is pretty low. but you can change both the algorithm and the iteration count
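
Added example, not code from the Bleeping Computer article, Firefox or KeePass: it puts the single-iteration SHA-1(salt || master password) construction the quoted article attributes to sftkdb_passwordToKey() next to PBKDF2-HMAC-SHA1 with a tunable iteration count, which stands in for the "iteration count" the article and Wheany's KeePass post are talking about. A dictionary attack recovers a weak master password from both, but each guess against the iterated KDF costs roughly `iterations` times as much, which is the whole point of turning the count up. Salt, password and wordlist are constructed for the demo, and `calibrate_iterations()` is a hypothetical helper that mimics the idea of tuning the count to a target unlock time on your own hardware; it is not a KeePass or Firefox API.

```python
import hashlib
import time

# Constructed inputs for the demonstration (not real Firefox or KeePass data).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
MASTER_PASSWORD = "hunter2"  # deliberately weak so the dictionary attack below succeeds
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "dragon"]  # constructed


def sha1_salted_key(salt: bytes, password: str) -> bytes:
    """One SHA-1 over salt || password: the 'iteration count of 1' construction
    the article describes. Cheap for the user and exactly as cheap for the attacker."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_key(salt: bytes, password: str, iterations: int, dklen: int = 20) -> bytes:
    """PBKDF2-HMAC-SHA1 with a tunable iteration count; work per guess scales linearly."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen)


def dictionary_attack(target_key: bytes, salt: bytes, wordlist, derive):
    """Offline guessing against a stolen key/salt pair. `derive(salt, candidate)`
    is whatever KDF the defender chose; the attacker pays its cost once per guess."""
    for candidate in wordlist:
        if derive(salt, candidate) == target_key:
            return candidate
    return None


def guesses_per_second(derive, salt: bytes, trials: int = 200) -> float:
    """Rough single-core guessing rate for a KDF; only the ratio between KDFs matters."""
    start = time.perf_counter()
    for i in range(trials):
        derive(salt, f"guess{i}")
    return trials / max(time.perf_counter() - start, 1e-9)


def calibrate_iterations(target_seconds: float, salt: bytes = SALT,
                         probe: int = 10_000, floor: int = 10_000) -> int:
    """Hypothetical helper: choose an iteration count so one derivation takes about
    target_seconds on this machine, never dropping below `floor` (the 10,000 minimum
    the article cites). Same idea as tuning the KDF delay in a password manager."""
    start = time.perf_counter()
    pbkdf2_key(salt, "calibration", probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(floor, int(probe * target_seconds / elapsed))


def main() -> None:
    strong_iters = 100_000
    weak_key = sha1_salted_key(SALT, MASTER_PASSWORD)
    strong_key = pbkdf2_key(SALT, MASTER_PASSWORD, strong_iters)
    strong_kdf = lambda s, p: pbkdf2_key(s, p, strong_iters)

    # A weak password falls to a wordlist either way; the KDF only changes the price.
    print("single SHA-1 recovered :", dictionary_attack(weak_key, SALT, WORDLIST, sha1_salted_key))
    print("PBKDF2 x100k recovered :", dictionary_attack(strong_key, SALT, WORDLIST, strong_kdf))

    fast = guesses_per_second(sha1_salted_key, SALT)
    slow = guesses_per_second(strong_kdf, SALT, trials=5)
    print(f"guess rate: {fast:,.0f}/s vs {slow:,.0f}/s  (PBKDF2 is ~{fast / slow:,.0f}x slower)")

    print("iterations for ~1 s unlock on this CPU:", calibrate_iterations(1.0))


if __name__ == "__main__":
    main()
```

The rate measured here is a single Python core, so only the ratio is meaningful: an attacker's GPU rig speeds up both constructions, and the iteration count (or a memory-hard KDF such as Argon2) is the only lever the defender has on that ratio. A strong master password is still what keeps a dictionary attack from finishing at all.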

Pile Of Garbage
May 28, 2007



ate all the Oreos posted:

as far as i know:

- keepass is One Of The Good Ones, though it's a bit clunky and you have to janitor your own files
- 1password is also One Of The Good Ones, has an actual design team so is nice to use but costs money
- Lastpass is a garbage fire
- Windows / OSX built in trust stores are Fine if you're into that sort of thing
- Everything else is worse than lastpass

did I get that right?

what about password safe? it doesn't get mentioned much because honestly it has little in the way of features compared to keepass but i use it because i'm a simpleton and apparently it's not terrible?

Partycat
Oct 25, 2004

VikingofRock posted:

What is the yospinion on keybase? My teaching assistant union is looking for a way to centralize our online discussions, and I suggested Slack, but a couple of the more tech-minded people in the union think we should use keybase instead since it's end-to-end encrypted.

to the best of my knowledge so is Cisco spark. if you are a paying customer you can set up a key store where you hold all your keys as well.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
What is the yospinion on the Chrome password store?

flakeloaf
Feb 26, 2003

Still better than android clock

browser-based password stores are bad and should not be used
