|
This backup stuff reminds me of a story from ca. 2008. I was working for a managed IT service provider and one of our customers was a dentist's office that had like 6 dentists working in a shared office along with about a dozen other employees. Their backups went to hard disk, and then once a week to a tape that would be stored in a bank safe in case of a complete disaster. 12 tapes were supposed to be rotated through at the bank to give them some long term recovery options. However, the office manager was a stingy gently caress, and despite the trip to the bank taking almost an hour of the office secretary's time every Friday evening, she wasn't allowed to write that up as work hours. So she ended up doing that routine for about a year, until she accidentally didn't swap the tape one week and then noticed that the backup server didn't actually check which tape was inserted. So she presumably thought "gently caress this" and changed the procedure into just swapping around the same two tapes between the drive and a desk drawer. We only found out about that three years later when one of the tapes broke from the wear and we checked the logs. The girl was obviously fired; we somehow managed to avoid any consequences since luckily we never actually needed one of the backups. Oh, and the guy that blatantly violated labor laws was obviously not blamed either.
|
# ? Feb 18, 2019 12:59 |
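Added example, not from the thread: the gap in that story is a backup job that writes to whatever cartridge is in the drive, and a rotation that nobody reconciles against the log until a tape wears out. The block below assumes a rotation rule (12 tapes labelled T01..T12, advancing one per week from a fixed epoch date) and a log line format; both are assumptions, and the log lines are constructed to reproduce the two-tape swap. `gate_write` is the pre-write check the server lacked, `audit` is the log review that would have caught it in week six rather than year three.

```python
"""Audit a weekly tape rotation from the backup log.

Added example for the story above, not code from the thread. The rotation
rule (12 tapes labelled T01..T12, one per week from a fixed epoch) and the
log format are assumptions; the log lines are constructed."""
from collections import Counter
from datetime import date
import re

TAPES_IN_ROTATION = 12
EPOCH_ISO = "2008-01-04"  # assumed date of the first weekly run
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) tape=(T\d{2}) job=weekly status=(\w+)$")

# Constructed log: four honest weeks, then only T05 and T06 get swapped in.
CONSTRUCTED_LOG = """\
2008-01-04 tape=T01 job=weekly status=ok
2008-01-11 tape=T02 job=weekly status=ok
2008-01-18 tape=T03 job=weekly status=ok
2008-01-25 tape=T04 job=weekly status=ok
2008-02-01 tape=T05 job=weekly status=ok
2008-02-08 tape=T05 job=weekly status=ok
2008-02-15 tape=T06 job=weekly status=ok
2008-02-22 tape=T05 job=weekly status=ok
2008-02-29 tape=T06 job=weekly status=ok
2008-03-07 tape=T05 job=weekly status=ok
"""


def expected_tape(run_iso: str, epoch_iso: str = EPOCH_ISO) -> str:
    """Label the schedule calls for on a given run date (ISO yyyy-mm-dd)."""
    weeks = (date.fromisoformat(run_iso) - date.fromisoformat(epoch_iso)).days // 7
    return f"T{weeks % TAPES_IN_ROTATION + 1:02d}"


def gate_write(inserted_label: str, run_iso: str, epoch_iso: str = EPOCH_ISO) -> bool:
    """The check the backup server in the story lacked: only write if the
    label read from the cartridge matches the schedule. A mismatch should
    abort the job and alert rather than silently proceed."""
    return inserted_label == expected_tape(run_iso, epoch_iso)


def audit(log_text: str, epoch_iso: str = EPOCH_ISO):
    """Replay the log against the schedule. Returns (mismatches, use_counts):
    mismatches is a list of (date, expected, actual); use_counts is how many
    times each label was written."""
    mismatches = []
    uses = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a weekly-job line; ignore
        run_iso, actual, _status = m.groups()
        uses[actual] += 1
        expected = expected_tape(run_iso, epoch_iso)
        if actual != expected:
            mismatches.append((run_iso, expected, actual))
    return mismatches, uses


def overused_tapes(uses: Counter, runs: int) -> list:
    """Labels written more often than a correct rotation allows over `runs`
    weekly jobs: with 12 tapes no label should exceed ceil(runs / 12)."""
    max_allowed = -(-runs // TAPES_IN_ROTATION)  # ceiling division
    return sorted(label for label, n in uses.items() if n > max_allowed)


if __name__ == "__main__":
    mismatches, uses = audit(CONSTRUCTED_LOG)
    for run_iso, expected, actual in mismatches:
        print(f"{run_iso}: expected {expected}, got {actual}")
    print("overused:", overused_tapes(uses, sum(uses.values())))
```

The gate only works if the job reads a label off the cartridge (barcode or on-tape header) before writing; the audit works even without that, as long as the job logs which label it believed it wrote. Either one turns the quiet two-tape shuffle into a visible failure the week it starts.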
|
|
# ? May 10, 2024 17:26 |
|
Love backup software that'll happily accept any tape as the one it's asked for.
|
# ? Feb 18, 2019 13:58 |
|
Kerning Chameleon posted:
I guess the laws of mathematics did trump the laws of Australia in the end.

For those not familiar, may I present former Australian prime minister Malcolm Turnbull. Or the full quote:

https://www.theguardian.com/technology/2017/jul/14/new-law-would-force-facebook-and-google-to-give-police-access-to-encrypted-messages posted:
“The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only laws that applies in Australia is the law of Australia.”

Sheep fucked around with this message at 14:29 on Feb 18, 2019
# ? Feb 18, 2019 14:12 |
|
Sheep posted:
For those not familiar, may I present former Australian prime minister Malcolm Turnbull.

The law of Australia is welcome to try to extradite these nefarious hackers from mainland China, we urge them to try.
|
# ? Feb 18, 2019 21:10 |
|
Do Australian lawmakers fully understand that the Internet is not physically located in Australia? Has anyone asked?
|
# ? Feb 19, 2019 05:31 |
|
Australian lawmakers are like most of them across the planet and completely out of touch with the modern world.
|
# ? Feb 19, 2019 08:53 |
|
Cup Runneth Over posted:
Do Australian lawmakers fully understand that the Internet is not physically located in Australia? Has anyone asked?

None of them realise that.
|
# ? Feb 19, 2019 08:56 |
|
Sheep posted:
For those not familiar, may I present former Australian prime minister Malcolm Turnbull.

I can’t decide if that's worse than actually introducing law to redefine the value of pi. https://www.huffingtonpost.com/ian-squires/republicans-introduce-leg_b_837828.html
|
# ? Feb 19, 2019 09:28 |
|
Boris Galerkin posted:
I can’t decide if that's worse than actually introducing law to redefine the value of pi.

If only we lived in a sufficiently rational society where attempting to redefine mathematical reality through law would be an immediately fireable offense...
|
# ? Feb 19, 2019 15:44 |
|
wolrah posted:
If only we lived in a sufficiently rational society where attempting to redefine mathematical reality through law would be an immediately fireable offense...

If we lived in a rational society we wouldn't need transcendental numbers.
|
# ? Feb 19, 2019 15:47 |
|
Absurd Alhazred posted:
If we lived in a rational society we wouldn't need transcendental numbers.

God drat
|
# ? Feb 19, 2019 16:34 |
|
Absurd Alhazred posted:
If we lived in a rational society we wouldn't need transcendental numbers.

Well done.
|
# ? Feb 19, 2019 16:40 |
|
Major security issues found in popular password managers

quote:
ISE evaluated 1Password, Dashlane, KeePass and LastPass on Windows 10, and found that in some cases, the master password for the app was kept in the system memory in a plaintext readable format.
|
# ? Feb 19, 2019 23:18 |
|
|
# ? Feb 19, 2019 23:20 |
|
Here's the deets, it's a decent read: https://www.securityevaluators.com/casestudies/password-manager-hacking/

1Password7 is....disappointing

wyoak fucked around with this message at 00:17 on Feb 20, 2019
# ? Feb 20, 2019 00:13 |
|
wyoak posted:
Here's the deets, it's a decent read:

Well, poo poo. And that was one of the recommended good ones. Also, I’m using it.
|
# ? Feb 20, 2019 01:48 |
|
I'm still using 1Pass 4. Am I hosed?
|
# ? Feb 20, 2019 01:54 |
|
lol that report is useless. If they have a keylogger on your system you are hosed anyways.
|
# ? Feb 20, 2019 01:56 |
|
Surprise, elevated local access is dangerous?!?!?!?????!?
|
# ? Feb 20, 2019 02:00 |
|
The "how much can an adversary get if they gain access some time after you've used and re-locked your password manager" bit is interesting.
|
# ? Feb 20, 2019 02:01 |
|
A patient adversary with that access could replace my password manager with their own version and I'd never know the difference.
|
# ? Feb 20, 2019 02:02 |
|
quote:
As the firm points out, that’s no better than storing it typed out in a document on your computer, at least when it comes to a skilled attacker.

*groan*
|
# ? Feb 20, 2019 05:50 |
|
I'm really confused as to why anyone finds any of that surprising.
|
# ? Feb 20, 2019 07:19 |
|
Turns out writing articles about security does not actually require understanding scope or preexisting levels of access and their complications, as long as you can poo poo on random tools even if your “finding” is hardly of consequence.
|
# ? Feb 20, 2019 07:30 |
CLAM DOWN posted:
Surprise, elevated local access is dangerous?!?!?!?????!?

Dtrace works on Windows now, too - so it's even simpler than the article makes it out. Also, nobody should tell them about websites being able to access the clipboard which is used by a lot of password managers.
|
|
# ? Feb 20, 2019 11:53 |
|
D. Ebdrup posted:Also, nobody should tell them about websites being able to access the clipboard which is used by a lot of password managers. Not true, Chrome specifically asks for permission when a site wants read access to clipboard data. https://developers.google.com/web/updates/2018/03/clipboardapi Also, everybody should realize using a password manager like Lastpass or 1password caries its own set of risks, but it's probably better than reusing the same three passwords across hundreds of sites.
|
# ? Feb 20, 2019 12:19 |
Lambert posted:
Not true, Chrome specifically asks for permission when a site wants read access to clipboard data.

Yeah, I don't think anyone is arguing that "using a password manager, so each website has their own password" is the same as "elevated access privileges allowing conscious access by a determined attacker when the data isn't at rest".
|
|
# ? Feb 20, 2019 13:02 |
|
I mean I agree it's overhyped, but also they're not wrong. Password managers really should not keep any full keys in memory when locked. Don't think about the remote attacker who has so owned the PC that they can run memory-scanning code with no prompting. The better hypothetical is someone dumping passwords from a PC left momentarily unlocked in an office or something. Shove in USB stick, run memdump.exe, click yes on UAC, steal passwords without leaving a keylogger or trojan on the system as evidence.

D. Ebdrup posted:
Welp, not being a Chrome user, I of course didn't know about any of this.

Though I think both browsers allow JS to see the clipboard during a paste event, which is why password managers have auto-type functions. In theory that's much harder for a bit of rogue JS to capture on a website.
|
# ? Feb 20, 2019 13:56 |
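Added example for the point in that post about keys in memory while locked. This is not code from 1Password, KeePass, LastPass or Dashlane; the `Vault` API, the PBKDF2 parameters and the salt are assumptions. It shows the defensive pattern (derive the key on unlock, wipe it on lock, so a locked vault holds nothing usable) together with the caveat that matters for the ISE finding: in Python only mutable buffers (`bytearray`) can be overwritten in place, so any secret that ever lands in a `str` or `bytes` object stays in memory until the interpreter frees it.

```python
"""Lock state for a password-vault style key: derive on unlock, wipe on lock.

Added example for the thread, not code from any of the password managers
discussed. The Vault API, the PBKDF2 parameters and the salt are assumptions."""
import hashlib
import hmac


class LockedError(RuntimeError):
    """Raised when a keyed operation is attempted on a locked vault."""


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place. Done at the Python level, so it
    cannot be dropped as a dead store the way a plain memset in C can be."""
    buf[:] = bytes(len(buf))


class Vault:
    def __init__(self, salt: bytes, iterations: int = 200_000):
        self.salt = salt
        self.iterations = iterations
        self._key = None  # bytearray while unlocked, None while locked

    @property
    def unlocked(self) -> bool:
        return self._key is not None

    def unlock(self, master_password: bytearray) -> None:
        """Re-derive the key from the master password on every unlock. The
        password arrives as a bytearray so it can be wiped once the key exists."""
        derived = hashlib.pbkdf2_hmac("sha256", master_password, self.salt, self.iterations)
        self._key = bytearray(derived)
        del derived  # immutable bytes object: all we can do is drop the reference
        wipe(master_password)

    def lock(self) -> None:
        """Locking means the key is gone, not merely hidden behind a flag."""
        if self._key is not None:
            wipe(self._key)
            self._key = None

    def entry_tag(self, entry_name: bytes) -> bytes:
        """A keyed operation (stand-in for decrypting a vault entry). It must
        fail while locked, because there is no key to use."""
        if self._key is None:
            raise LockedError("vault is locked; no key material is held")
        return hmac.new(self._key, entry_name, "sha256").digest()


def demo(master: bytes = b"correct horse battery staple") -> dict:
    """Walk through unlock -> use -> lock -> use -> re-unlock and report what
    each step left behind in memory."""
    vault = Vault(salt=b"constructed-salt-not-for-real-use")
    pw = bytearray(master)
    vault.unlock(pw)
    tag_while_unlocked = vault.entry_tag(b"example.com")
    key_buffer = vault._key  # keep a reference so we can inspect it after lock
    vault.lock()
    try:
        vault.entry_tag(b"example.com")
        locked_use_raised = False
    except LockedError:
        locked_use_raised = True
    vault.unlock(bytearray(master))
    return {
        "password_wiped_after_unlock": bytes(pw) == bytes(len(pw)),
        "key_zeroed_after_lock": bytes(key_buffer) == bytes(32),
        "locked_use_raised": locked_use_raised,
        "same_tag_after_reunlock": vault.entry_tag(b"example.com") == tag_while_unlocked,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The cost of this design is that every unlock pays the full KDF again, which is the point: the memory-dump scenario in the post only works if something derived from the master password survives the lock. A manager written in C or Rust would add `mlock` to keep the buffer off swap and an `explicit_bzero`-style wipe the compiler cannot elide; the Python version can only show the shape of it.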
|
On browsers - have they stopped auto-completing forms where the field is hidden yet? I also feel there should be a way to prevent text entered into autocomplete fields from being sent to the server until the form is submitted.
|
# ? Feb 20, 2019 14:05 |
|
Thanks Ants posted:
On browsers - have they stopped auto-completing forms where the field is hidden yet? I also feel there should be a way to prevent text entered into autocomplete fields from being sent to the server until the form is submitted.

Yes. This is now even a really annoying anti-pattern where, for example, the password field only shows up after entering your username. Thanks Delta.
|
# ? Feb 20, 2019 15:28 |
Klyith posted:
I mean I agree it's overhyped, but also they're not wrong. Password managers really should not keep any full keys in memory when locked.

If I may, kib@, one of FreeBSD's long-time contributors (who also recently finished implementing ASLR properly), is in the process of implementing pkru(3), which is an implementation that takes advantage of Usermode Protection Keys, a new technology available on Skylake Xeons. Now, pkru(3) is a way for user applications to request that certain of the data they're handling (for example, personally identifiable client information) be excluded from incidental debugging. What's important here is that it cannot protect against an attacker with agency, because the keys are user-controlled and an attacker with elevated privileges can override any of those values.

Like I said before, Windows has dtrace - and the one thing you should know about dtrace, and why it can only be run as root on FreeBSD and Solaris and as the SuperAdministrator on Windows (yes, it's really called that), is that it's the best rootkit you'll ever get. It can tell you _anything_ about the system that you want to know, all the way to ring 0 (the kernel).

If you want that kind of protection, I think you need something like CHERI (a RISC-based ISA with capabilities, which

I'm glad Firefox has the same clipboard protection nowadays, thanks!

EDIT: Wanna learn how to gain root on macOS with CVE-2018-4193 in < 10s? Well, I've got good news for you in this PDF!

BlankSystemDaemon fucked around with this message at 16:31 on Feb 20, 2019
|
# ? Feb 20, 2019 15:32 |
|
I'm not 100% about the Windows version, but I know that in macOS 1Password by default clears the clipboard immediately after a paste.
|
# ? Feb 20, 2019 17:58 |
|
Proteus Jones posted:
I'm not 100% about the Windows version, but I know that in macOS 1Password by default clears the clipboard immediately after a paste.

All those pw managers have clipboard clearing in Windows too. They even have it on Android.
|
# ? Feb 20, 2019 17:59 |
|
CLAM DOWN posted:
All those pw managers have clipboard clearing in Windows too. They even have it on Android.

If your password manager on Android is using the clipboard you should not use that password manager. Holy poo poo, there are clipboard listeners; clearing doesn't do a drat thing. Why would you be so dumb as to use the clipboard.
|
# ? Feb 20, 2019 19:20 |
|
apseudonym posted:
If your password manager on Android is using the clipboard you should not use that password manager. Holy poo poo, there are clipboard listeners; clearing doesn't do a drat thing. Why would you be so dumb as to use the clipboard.

Calm the hell down dude. The autofill API was only just added in 8.0.
|
# ? Feb 20, 2019 19:53 |
|
Lot of infosec folks exposing themselves as spreadsheet pushers ITT
|
# ? Feb 20, 2019 20:03 |
|
CLAM DOWN posted:
Calm the hell down dude. The autofill API was only just added in 8.0.

Then abuse accessibility like everyone else. Facebook uses clipboard listeners, you are actually sending every single password to Facebook.
|
# ? Feb 20, 2019 20:03 |
|
apseudonym posted:
Then abuse accessibility like everyone else.

Take your meds dude, what are you even yelling about
|
# ? Feb 20, 2019 20:26 |
|
I like how Keepass2Android installs a custom password keyboard on your phone for the pre-autofill days. It even helps for apps that don't make use of the autofill API yet.
|
# ? Feb 20, 2019 20:48 |
|
CLAM DOWN posted:
Password managers that use the clipboard?
|
# ? Feb 20, 2019 20:48 |