|
nthing KeepAss! The UX is not the best but it seems pretty bombproof from a functionality standpoint. Have used it for years and years.Nalin posted:Why are you using the Keepass2Android keyboard? Are you on an older version of Android? Since version 8 (Oreo), Android has had an autofill service and Keepass2Android supports it. You tap the autofill button. Sometimes in some (badly made?) apps the autofill just doesn't show up, forcing me to use the keyboard. Nalin posted:Keepass2Android will say it can't find an autofill entry so you tap the "Select another entry" button, navigate to the password you want, and tell it to use that one. It will then save the app affiliation into your database. This seems to only persist in some local cache and never get uploaded back to cloud (I use Google Drive). Whenever my phone downloads an updated database, the app associations are gone. Am I doing it wrong?
|
#
?
Dec 2, 2019 21:11
|
|
|
|
| # ? May 25, 2024 11:10 |
|
|
EssOEss posted:This seems to only persist in some local cache and never get uploaded back to cloud (I use Google Drive). Whenever my phone downloads an updated database, the app associations are gone. Am I doing it wrong? Yeah. That isn't right. Does the application itself not re-upload your database on changes? Maybe it's a problem with Google Drive or the Keepass2Android integration with it? I have my database on Dropbox and making any changes on my phone causes it to save the change back to Dropbox. The app association is saved inside your password entry under the "Advanced" tab. It makes a new string field. Here's my Pokemon Go association: Field Name: KP2A_URL_1 Field Value: androidapp://com.nianticlabs.pokemongo
|
|
#
?
Dec 3, 2019 06:32
|
|
|
https://twitter.com/campuscodi/status/1202028241646690305 Wonder what that's about.
|
|
#
?
Dec 4, 2019 01:54
|
|
|
Absurd Alhazred posted:https://twitter.com/campuscodi/status/1202028241646690305 Read the bottom: The garbage hashes compiled into python that would steal GPG or SSH keys of the developer using the libraries.
|
|
#
?
Dec 4, 2019 05:21
|
|
|
[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.quote:We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android which allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel. Root cause is: quote:sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2 Paul MaudDib fucked around with this message at 19:09 on Dec 5, 2019 |
|
#
?
Dec 5, 2019 19:06
|
|
|
I'm mostly interested in it given how broad it hits, since after getting a WWAN NIC, I never use any access points but my own.
|
|
#
?
Dec 5, 2019 22:01
|
|
|
Paul MaudDib posted:Root cause is: Second paragraph of the oss-sec post: quote:Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off. However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn't a reasonable solution, but this was how we discovered that the attack worked on Linux.
|
|
#
?
Dec 6, 2019 18:15
|
|
|
This was the best thing on infosec twitter in a while  
|
|
#
?
Dec 6, 2019 18:26
|
|
|
CLAM DOWN posted:This was the best thing on infosec twitter in a while Beautiful.
|
|
#
?
Dec 6, 2019 18:32
|
|
|
Since people here have been talking about Keepass, what browser integration is best for Windows? I've been using Kee for Firefox and Chrome, but now that they're rolling their own password service I want to know if there's anything better.
|
|
#
?
Dec 6, 2019 18:33
|
|
|
wolrah posted:Second paragraph of the oss-sec post: Its still trash....but I get why systemd is a thing and converted most of mine to systemd kernels now.
|
|
#
?
Dec 6, 2019 19:05
|
|
|
bbcisdabomb posted:Since people here have been talking about Keepass, what browser integration is best for Windows? I've been using Kee for Firefox and Chrome, but now that they're rolling their own password service I want to know if there's anything better. I use KeepassXC (it's a crossplatform fork, nothing dodgy) and its browser extension.
|
|
#
?
Dec 6, 2019 19:10
|
|
|
Kassad posted:I use KeepassXC (it's a crossplatform fork, nothing dodgy) and its browser extension. Yeah, I use it as well because the Linux version of base Keypass technically works but it's kinda really ugly.
|
|
#
?
Dec 6, 2019 20:15
|
|
|
https://twitter.com/ppentestlabs/status/1202906268991664128 (weeps for humanity)
|
|
#
?
Dec 6, 2019 20:46
|
|
|
Arsenic Lupin posted:https://twitter.com/ppentestlabs/status/1202906268991664128 Holy loving poo poo. This thread is gold.
|
|
#
?
Dec 6, 2019 21:01
|
|
|
Especially this. https://twitter.com/BeefOverflow/status/1202999529072521217
|
|
#
?
Dec 6, 2019 21:13
|
|
|
Yeah, I saw at least one infosec defending their password system, and I was pretty sure that it was just a sure indicator there was worse things to find...
|
|
#
?
Dec 6, 2019 21:49
|
|
|
CommieGIR posted:Yeah, I saw at least one infosec defending their password system, and I was pretty sure that it was just a sure indicator there was worse things to find...
|
|
#
?
Dec 7, 2019 15:59
|
|
|
Harik posted:Funny enough their database of emails is now incredibly valuable because if this is the kind of security they're teaching it'd be useful to cross-reference with company emails to know where to find similarly brain-dead security vulns. Alternatively, use it to find who to advertise better services to.
|
|
#
?
Dec 7, 2019 23:29
|
|
|
Double Punctuation posted:Alternatively, use it to find who to advertise better services to. What makes you think those customers are interested in better services?
|
|
#
?
Dec 7, 2019 23:35
|
|
|
To those customers, "better" is dictated by convenience, i.e. being able to get your passwords emailed back to you in plaintext.
|
|
#
?
Dec 7, 2019 23:54
|
|
|
Regarding password managers there’s a rumour Microsoft will be introducing their own one next year. I hope it’s cross platform (probably linked to OneDrive).
|
|
#
?
Dec 10, 2019 15:28
|
|
|
Interesting. If the subscription fee isn't outrageous (and expecting all the relevant features to be present), this could make for a pretty good mainstream introduction of password managers.
|
|
#
?
Dec 10, 2019 15:35
|
|
|
Microsoft would be dumb not to put out their own password manager. Put it behind their SSO and fancy things like conditional access and push MFA, integrate with their admin interfaces and logging... There are a ton of companies out there who just don't have users capable of something like 1Password and IT departments and training that don't have the time. But if Microsoft makes it significantly easier for only a little less secure, I see it taking off like wild fire.
|
|
#
?
Dec 10, 2019 16:30
|
|
|
Internet Explorer posted:I see it taking off like wild fire. And then they'll restrict it to E5
|
|
#
?
Dec 10, 2019 16:43
|
|
|
Internet Explorer posted:Microsoft would be dumb not to put out their own password manager. Put it behind their SSO and fancy things like conditional access and push MFA, integrate with their admin interfaces and logging... There are a ton of companies out there who just don't have users capable of something like 1Password and IT departments and training that don't have the time. But if Microsoft makes it significantly easier for only a little less secure, I see it taking off like wild fire. They will definitely put it behind all their premium poo poo so the majority of their customers won't be able to afford it.
|
|
#
?
Dec 10, 2019 17:10
|
|
|
It's rumored to be part of their Office 365 "Life" rebranding for consumers, so it's very likely not going to be unaffordable. Of course, depends on whether you can subscribe individually or have to take the whole Office 365 package to get it (currently $10/month).
|
|
#
?
Dec 10, 2019 17:17
|
|
|
I'd continue using 1pass for myself, but I'd definitely use something like this as an opportunity push password management on my organization.
|
|
#
?
Dec 10, 2019 18:14
|
|
|
klosterdev posted:And then they'll restrict it to E5 Sickening posted:They will definitely put it behind all their premium poo poo so the majority of their customers won't be able to afford it. E5 just seems like a no brainer for a business to me, and I am no Microsoft fanboy. They just made MFA free for all of their customers, which is a step in the right direction. We'll see. It's not like decent password managers for business/enterprise are cheap to begin with.
|
|
#
?
Dec 10, 2019 21:03
|
|
|
Internet Explorer posted:E5 just seems like a no brainer for a business to me, and I am no Microsoft fanboy. They just made MFA free for all of their customers, which is a step in the right direction. We'll see. It's not like decent password managers for business/enterprise are cheap to begin with. Mfa without those basic custom conditional access policies isnt anything more than what you were already getting with an e3.
|
|
#
?
Dec 10, 2019 21:17
|
|
|
I guess that's a way to make money. https://www.kickstarter.com/projects/bustersolutions/buster-secure-your-devices-against-online-hackers
|
|
#
?
Dec 10, 2019 23:11
|
|
|
Combat Pretzel posted:I guess that's a way to make money. Easy to profit from stickers and what looks like a sub-$1 stereo plug (with their branding, of course).
|
|
#
?
Dec 10, 2019 23:42
|
|
|
Combat Pretzel posted:I guess that's a way to make money.  Where do I sign up, my miicrophone is way too onpen
|
|
#
?
Dec 10, 2019 23:44
|
|
|
Combat Pretzel posted:I guess that's a way to make money. N A N O S U C T I O N T E C H N O L O G Y
|
|
#
?
Dec 11, 2019 04:13
|
|
|
Volmarias posted:N A N O S U C T I O N T E C H N O L O G Y How did you find VRChat's feature roadmap
|
|
#
?
Dec 11, 2019 04:22
|
|
|
quote:The stickers come in two sizes, Small (13mm) and Large (40mm). The small one fits most everyday gadgets like smartphone, tablet, laptop, smart TV etc. The larger one is designed specifically to block any hidden security cameras or to protect your professional camera against dust or water. How does it block hidden security cameras if they’re hidden? Or do you cover yourself in stickers so the hidden cameras can’t identify you?
|
|
#
?
Dec 11, 2019 08:42
|
|
|
beuges posted:How does it block hidden security cameras if they’re hidden? Or do you cover yourself in stickers so the hidden cameras can’t identify you? 
|
|
#
?
Dec 11, 2019 11:03
|
|
|
What are people's thoughts on record size limits for SPF records? A lot of documentation talks about limiting to 500 characters to stay inside the MTU so lookups don't revert to TCP mode out of concern that some systems might be UDP DNS only. But for that to be the case, wouldn't those mail systems need to be connecting over dial-up to get choked down to an MTU that small? It seems like 1400 characters is a more realistic cap given a typical 1500 mtu plus overhead for ipsec encapsulation and anything else, but the recommendations always seem to be 500. Are people just parroting a 15 year old consideration that doesn't matter any more or am I missing something?
|
|
#
?
Dec 11, 2019 20:31
|
|
|
BangersInMyKnickers posted:What are people's thoughts on record size limits for SPF records? A lot of documentation talks about limiting to 500 characters to stay inside the MTU so lookups don't revert to TCP mode out of concern that some systems might be UDP DNS only. But for that to be the case, wouldn't those mail systems need to be connecting over dial-up to get choked down to an MTU that small? It seems like 1400 characters is a more realistic cap given a typical 1500 mtu plus overhead for ipsec encapsulation and anything else, but the recommendations always seem to be 500. Are people just parroting a 15 year old consideration that doesn't matter any more or am I missing something? the only real limit is 10 lookups afaik in accordance with the rfc, i've never heard of this limitation before and it sounds really dumb
|
|
#
?
Dec 11, 2019 23:38
|
|
|
|
| # ? May 25, 2024 11:10 |
|
|
Well, its a limitation of DNS which is the underpinning. Beyond the 10 DNS lookup limit, there is also a limit on the number of items returned in a MX record (which I discovered with some goofy-rear end .mil mail domain who's mx record resolved to 12 mail gateways. Resolution of A records triggered from MX lookups are counted separately from the other 10 lookup limit), and you can only make the TXT records in strings of 255 characters which are encapsulated in quote and then stripped and concatenated by the SPF engine that is processing the record. The RFC is a bit loving nuts, but most of the really weird poo poo is due to limitations of DNS. DNS prefers UDP transport mode by default but will generally refuse to return a record that is larger than your MTU because if a fragment gets lost on re-assembly while TCP would recover without having to re-run the entire query. So most DNS clients will then revert to a TCP lookup in that scenario, but that's slower due to the extra round trips so it doesn't happen by default. From an absolute technical limit, an SPF record can be up to 64k characters long which is the maximum size of a TXT record but you still have to honor the individual string length limits. The common consensus that I see is that if your lookup has to fail back to UDP you're loving up and risking causing resolution problems for some receiving mail servers, so avoid it.
|
|
#
?
Dec 11, 2019 23:50
|
|