|
Kerning Chameleon posted:U2F is a great idea that just isn't ready for primetime outside Enterprise space. Hell, Google still "strongly recommends" putting a phone number as a backup 2FA, completely defeating the point of using non-SMS 2FA options. Asking companies to support USB/NFC dongles is apparently asking the impossible at the moment. Sure isn't. I tried to at least replace stuff that I only used at home. Battle.net uses a different vendor, Veracrypt doesn't support it really even though this seems a no brainer. Lastpass requires premium. So I guess it's a neat way to bypass my Windows 10 login password, and Origin. Yay.
|
#
?
Jul 20, 2018 04:06
|
|
|
|
| # ? May 30, 2024 11:32 |
|
|
skooma512 posted:Sure isn't. I tried to at least replace stuff that I only used at home. Battle.net uses a different vendor, Veracrypt doesn't support it really even though this seems a no brainer. Lastpass requires premium. also your keepass
|
|
#
?
Jul 20, 2018 04:08
|
|
|
Not OK, Google! https://twitter.com/mattbirman/status/1021217512241836033
|
|
#
?
Jul 24, 2018 02:09
|
|
|
Isn't that the message you get if you use the POP3 or IMAP connector Don't you have to go into your Gmail settings to explicitly allow non-Gmail app access anthonypants fucked around with this message at 02:31 on Jul 24, 2018 |
|
#
?
Jul 24, 2018 02:25
|
|
|
Yes it is, and yes you do.
|
|
#
?
Jul 24, 2018 02:33
|
|
|
Google will use every tool it can to try and force you to concentrate as close to 100% of your online presence on their services as possible.
|
|
#
?
Jul 24, 2018 03:10
|
|
|
Yahoo did the same exact thing after they went public with their half-decade old breach. Super shady.
|
|
#
?
Jul 24, 2018 03:21
|
|
|
Is there a good reason to let any important personal email account permit IMAP access other than "I'm sixty years old and I insist on using Thunderbird?"
|
|
#
?
Jul 24, 2018 16:56
|
|
|
It seems to be the best email reading protocol, OP.
|
|
#
?
Jul 24, 2018 17:20
|
|
|
Potato Salad posted:Is there a good reason to let any important personal email account permit IMAP access other than "I'm sixty years old and I insist on using Thunderbird?" Nope
|
|
#
?
Jul 24, 2018 17:44
|
|
|
Yeah, but that's besides the point. If someone wants to use the Mail app on iOS, Google should not be sending them big scary messages like that.
|
|
#
?
Jul 24, 2018 18:06
|
|
|
Internet Explorer posted:Yeah, but that's besides the point. If someone wants to use the Mail app on iOS, Google should not be sending them big scary messages like that. As the article above mentions, if you're on iOS 6, which last saw an update four years ago, you'll have to use the POP3 or IMAP connectors to connect to Gmail, you'll need to enable the "Allow less secure apps" setting, and you'll get that scary email. anthonypants fucked around with this message at 18:22 on Jul 24, 2018 |
|
#
?
Jul 24, 2018 18:20
|
|
|
Potato Salad posted:Is there a good reason to let any important personal email account permit IMAP access other than "I'm sixty years old and I insist on using Thunderbird?" I like Thunderbird because I can aggregate like 4 gmails down to one program. Is there a better alternative?
|
|
#
?
Jul 24, 2018 19:12
|
|
|
I think most mail apps allow you to have more than one account set up..
|
|
#
?
Jul 24, 2018 19:22
|
|
|
Last Chance posted:I think most mail apps allow you to have more than one account set up.. Including the Gmail web app
|
|
#
?
Jul 24, 2018 19:37
|
|
|
Huh, I could have sworn I read years ago that Mozilla was abandoning Thunderbird and leaving it to sink or swim as a community project. But they seem to have partially or fully backed off from that? It's still being actively developed, and features prominent links to Mozilla on the website  I used to be a huge devotee of TB but eventually gave into just running Outlook
|
|
#
?
Jul 24, 2018 19:42
|
|
|
Docjowles posted:Huh, I could have sworn I read years ago that Mozilla was abandoning Thunderbird and leaving it to sink or swim as a community project. But they seem to have partially or fully backed off from that? It's still being actively developed, and features prominent links to Mozilla on the website
|
|
#
?
Jul 24, 2018 19:48
|
|
|
anthonypants posted:They were super pissy about not supporting OAuth or 2FA, until Google said they were going to implement the "less secure apps" warnings people are complaining about : https://bugzilla.mozilla.org/show_bug.cgi?id=849540 FOSS is like that sometimes. The kind of people who maintain that stuff are pretty, uh... set in their ways.
|
|
#
?
Jul 24, 2018 19:49
|
|
|
https://twitter.com/misc0110/status/1022603751197163520
|
|
#
?
Jul 27, 2018 06:34
|
|
|
|
|
#
?
Jul 27, 2018 07:42
|
|
|
Hell yes my dudes, here we go
|
|
#
?
Jul 27, 2018 07:47
|
|
|
CLAM DOWN posted:Hell yes my dudes, here we go I eagerly await more useless patches that break poo poo in a frightened attempt to mitigate this.
|
|
#
?
Jul 27, 2018 16:07
|
|
|
15 bits/hour lol. I guess it can be added to a threat model like way at the bottom.
|
|
#
?
Jul 27, 2018 16:34
|
|
|
Diva Cupcake posted:15 bits/hour lol. I guess it can be added to a threat model like way at the bottom. lol I did not see that part, weren't the Israeli's pulling more through modulating fan speed and listening in? Edit: Yup, 15 bits a minute through fan extraction https://www.wired.com/wp-content/uploads/2016/06/Fansmitter-1.pdf
|
|
#
?
Jul 27, 2018 16:46
|
|
|
But fan modulated exfil assumes you have access to the data in question. 15 bits per hour remotely pulling down a private key from anywhere still lets you do a lot of damage.
|
|
#
?
Jul 27, 2018 17:52
|
|
|
FlyingCowOfDoom posted:I eagerly await more useless patches that break poo poo in a frightened attempt to mitigate this.
|
|
#
?
Jul 27, 2018 18:03
|
|
|
I can't wait for sales reps to tell me their NextGen++ firewalls now detect and stop NetSpectre attacks (but they don't actually)
|
|
#
?
Jul 27, 2018 18:19
|
|
|
Inept posted:I can't wait for sales reps to tell me their NextGen++ firewalls now detect and stop NetSpectre attacks (but they don't actually)
|
|
#
?
Jul 27, 2018 18:21
|
|
|
anthonypants posted:According to that whitepaper it's thousands of identical packets, so if you're firewall/IDS can't detect that, well, you should have microseg around your servers anyway, with web proxy between internet-granted servers and the web.
|
|
#
?
Jul 27, 2018 18:23
|
|
|
Judge Schnoopy posted:you should have microseg around your servers anyway, with web proxy between internet-granted servers and the web. new WAF/IPS feature: randomly injected latency to create excessive noise for timing attacks
|
|
#
?
Jul 27, 2018 19:34
|
|
|
BangersInMyKnickers posted:But fan modulated exfil assumes you have access to the data in question. 15 bits per hour remotely pulling down a private key from anywhere still lets you do a lot of damage. Have they even released a POC yet?
|
|
#
?
Jul 27, 2018 19:39
|
|
|
hail satan
|
|
#
?
Jul 27, 2018 19:44
|
|
|
Sheep posted:Have they even released a POC yet? I doubt they will publicly release anything, but last time something like this got pushed out in a paper it took someone about a week to figure out what they were doing and recreate it.
|
|
#
?
Jul 27, 2018 19:58
|
|
|
Sheep posted:Have they even released a POC yet? The attack depends on knowing the internals of the network stack or services you’re attacking and designing around that. You also still have to know the memory address of what you’re looking for, or you have to keep exfiltrating data until you get lucky. This is far more difficult to pull off than a local Variant 1 attack.
|
|
#
?
Jul 28, 2018 03:07
|
|
|
Double Punctuation posted:The attack depends on knowing the internals of the network stack or services you’re attacking and designing around that. You also still have to know the memory address of what you’re looking for, or you have to keep exfiltrating data until you get lucky. This is far more difficult to pull off than a local Variant 1 attack. Definitely, but it's a rad piece of research.
|
|
#
?
Jul 28, 2018 03:23
|
|
|
CLAM DOWN posted:Definitely, but it's a rad piece of research. Didn't Spectre initially assume you needed admin access to a machine, and somebody quickly developed a method to deploy via JavaScript? I secretly hope somebody finds a way to crack open netspectre in a similar 'it's way more hosed than you think' way
|
|
#
?
Jul 28, 2018 03:28
|
|
|
Judge Schnoopy posted:Didn't Spectre initially assume you needed admin access to a machine, and somebody quickly developed a method to deploy via JavaScript? It was Python and I can't remember if you needed admin or not
|
|
#
?
Jul 28, 2018 03:30
|
|
|
Double Punctuation posted:The attack depends on knowing the internals of the network stack or services you’re attacking and designing around that. You also still have to know the memory address of what you’re looking for, or you have to keep exfiltrating data until you get lucky. This is far more difficult to pull off than a local Variant 1 attack. That's what I'm getting at - it's all well and good in theory but after skimming the paper the practicality seems way, way off, so without a POC I don't see anything to be concerned about. It's a neat concept at least. BangersInMyKnickers posted:new WAF/IPS feature: randomly injected latency to create excessive noise for timing attacks Honestly this seems like it is probably the most straightforward mitigation. Sheep fucked around with this message at 04:30 on Jul 28, 2018 |
|
#
?
Jul 28, 2018 04:15
|
|
|
Judge Schnoopy posted:Didn't Spectre initially assume you needed admin access to a machine, and somebody quickly developed a method to deploy via JavaScript? If Spectre required admin access, then it wouldn’t be an exploit. Yes, Spectre is limited to the address space of wherever the vulnerable code is running, so it was initially difficult to attack different processes without finding vulnerable system calls or a way to run bytecode in the kernel. But here’s the thing: What do you think is the process most attackers will want to exfiltrate data from? And what process will be running attacker-controlled JavaScript?
|
|
#
?
Jul 28, 2018 06:07
|
|
|
|
| # ? May 30, 2024 11:32 |
|
|
Thunderbird rules. Thunderbird works. There are many like it, but this one is mine. My Thunderbird is my best friend. It is my life. I must master it as I must master my life. Without me, my Thunderbird is useless. Without my Thunderbird, I am useless.
|
|
#
?
Jul 28, 2018 06:13
|
|