advisory from the NSA https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
# Jan 14, 2020 19:41
Malloc Voidstar posted:
> advisory from the NSA https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

You got two page snipes with this xpost, I'm impressed.
# Jan 14, 2020 19:50
Lain Iwakura posted:
> I honestly am more interested in how this will change the Xbox homebrew scene.

If this gets figured out and someone makes a spoofed MS cert that the Xbox implicitly trusts for execution, then yeah, it's basically jackpot and you're busting the whole thing wide open. That's assuming you have a pre-patch system, obviously.
# Jan 14, 2020 20:22
BangersInMyKnickers posted:
> If this gets figured out and someone makes a spoofed MS cert that the Xbox implicitly trusts for execution, then yeah, it's basically jackpot and you're busting the whole thing wide open. That's assuming you have a pre-patch system, obviously.

Someone offered me an Xbox One today since I quipped about this on Twitter before it all dropped. I'll try and avoid updating it.
# Jan 14, 2020 21:18
I've got Windows 10 Education version, and running "check for updates" didn't pull anything up. Nothing has asked for a restart in a while. How do I get the patch for the big Windows signing bug?
# Jan 15, 2020 22:20
Dumb Lowtax posted:
> I've got Windows 10 Education version, and running "check for updates" didn't pull anything up. Nothing has asked for a restart in a while. How do I get the patch for the big Windows signing bug?

What exact version do you have? You can check in Settings -> System -> About. Are updates normally managed by your organization?
# Jan 15, 2020 22:29
astral posted:
> What exact version do you have? You can check in Settings -> System -> About.

It's a home computer. Never been a part of a bigger system. Have those just not gotten the patch yet? Win 10 Education, Version 1909, build 18363.535
# Jan 15, 2020 22:32
They have. Do you have any update deferment set? (Advanced options in Windows Update)
# Jan 15, 2020 22:33
Thanks, those settings needed tweaking.
# Jan 15, 2020 22:37
Lambert posted:
> They have. Do you have any update deferment set? (Advanced options in Windows Update)

Oh man, so that's why I haven't been able to download the security update. Thanks so much, it explains everything.
# Jan 15, 2020 23:04
Defer feature updates all you want (until current version's EOL), but don't defer security updates more than a day or two.
# Jan 15, 2020 23:39
If anyone at any point in the future wipes and reinstalls a Windows system using an old file, or else reverts to an old image they had from prior to this update, hoping to let Windows Update take care of the catching up -- is that no longer reliable? Is it now just as unsafe as leaving the machine unpatched all that time and then trying to patch it too late? Is every new install using an old Windows installer unsafe forever now?

Happy Thread fucked around with this message at 10:08 on Jan 16, 2020

# Jan 16, 2020 10:02
Dumb Lowtax posted:
> If anyone at any point in the future wipes and reinstalls a Windows system using an old file, or else reverts to an old image they had from prior to this update, hoping to let Windows Update take care of the catching up -- is that no longer reliable? Is it now just as unsafe as leaving the machine unpatched all that time and then trying to patch it too late?

Depends on whether you expect to be MITM'd or not.
# Jan 16, 2020 12:52
Windows Update pins to some RSA key, so is not forgeable using this ECC functionality, supposedly.
# Jan 16, 2020 18:23
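The "ECC functionality" in the post above, and the "spoofed MS cert" the Xbox posts are talking about, is CVE-2020-0601 from the NSA advisory linked at the top of the thread: Windows CryptoAPI accepted ECC certificates whose curve was supplied as explicit parameters instead of a named-curve OID, which is why a forged cert could validate against a trusted key. The defender's check that follows from that is whether any certificate in a trust store or code-signing chain carries explicit EC parameters at all, since legitimate CAs use named curves. The script below is an added example, not code from the thread or from the advisory; it parses DER with a minimal hand-written walker so it runs offline, and the sample keys and certificates it checks are constructed placeholders (correct structure, dummy field values), not real certificates. The function names (classify_spki, classify_certificate, flag_explicit) are this example's own.

```python
# Added example (not from the thread or the NSA advisory): classify the curve
# parameters of an EC public key in DER, the check CVE-2020-0601 made relevant.
# All sample keys and certificates below are constructed placeholders.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey
SECP256R1 = "1.2.840.10045.3.1.7"        # named curve P-256 / prime256v1
PRIME_FIELD = "1.2.840.10045.1.1"        # fieldType prime-field (explicit params)

# ---- minimal DER encoder (only used to build the sample inputs) ----
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:                                    # long-form length
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + payload

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                     # base-128, high bit = more bytes follow
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

# ---- minimal DER decoder ----
def read_tlv(buf, pos):
    """Return (tag, value, end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def classify_spki(spki):
    """'named', 'explicit', 'implicit', 'unknown' or 'not-ec' for a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, _ = read_tlv(body, 0)            # AlgorithmIdentifier
    tag, oid, pos = read_tlv(alg, 0)
    if tag != 0x06 or decode_oid(oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "implicit"                    # ECParameters absent (implicitlyCA)
    ptag, _, _ = read_tlv(alg, pos)
    return {0x06: "named",                   # namedCurve OID: the normal case
            0x30: "explicit",                # SpecifiedECDomain SEQUENCE: flag it
            0x05: "implicit"}.get(ptag, "unknown")

def spki_from_certificate(cert):
    """Walk a DER Certificate to its SubjectPublicKeyInfo and return that whole TLV."""
    _, cert_body, _ = read_tlv(cert, 0)      # Certificate
    _, tbs, _ = read_tlv(cert_body, 0)       # TBSCertificate
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                       # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]

def classify_certificate(cert):
    return classify_spki(spki_from_certificate(cert))

def flag_explicit(certs):
    """certs: iterable of (label, der_bytes). Returns the labels whose EC key uses explicit parameters."""
    return [label for label, c in certs if classify_certificate(c) == "explicit"]

# ---- constructed samples: the structure is right, the field values are dummies ----
def sample_spki(params):
    point = der(0x03, b"\x00\x04" + b"\x00" * 64)   # BIT STRING holding a dummy uncompressed point
    return der(0x30, der(0x30, der_oid(ID_EC_PUBLIC_KEY) + params) + point)

def sample_certificate(spki):
    name = der(0x30, b"")                            # empty Name
    validity = der(0x30, der(0x17, b"200101000000Z") * 2)
    sig_alg = der(0x30, der_oid("1.2.840.10045.4.3.2"))      # ecdsa-with-SHA256
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))     # empty signature BIT STRING

NAMED_SPKI = sample_spki(der_oid(SECP256R1))
EXPLICIT_SPKI = sample_spki(der(0x30,
    der(0x02, b"\x01")                                        # version ecpVer1
    + der(0x30, der_oid(PRIME_FIELD) + der(0x02, b"\x7f"))   # fieldID {prime-field, p}
    + der(0x30, der(0x04, b"\x01") + der(0x04, b"\x02"))      # curve {a, b}
    + der(0x04, b"\x04\x01\x02")                              # base point G
    + der(0x02, b"\x7f")                                      # order n
    + der(0x02, b"\x01")))                                    # cofactor h
```

On a real system you would feed flag_explicit the DER of each certificate exported from the root store or from a signed binary's chain; any "explicit" hit deserves a look. The walker assumes well-formed DER and deliberately stops at classification: it does not validate signatures or chains, which is the platform's job.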
The Windows 10 cumulative patch including the -0601 fix is failing to install in my and many other workstation fleets lmao lol
# Jan 17, 2020 22:32
I called it Monday with some of my team: "lol watch the patch fail."

To my knowledge, there is no standalone patch just for the issue.

Gulag the entire MS testing team's management.

Potato Salad fucked around with this message at 22:43 on Jan 17, 2020

# Jan 17, 2020 22:33
Potato Salad posted:
> The Windows 10 cumulative patch including the -0601 fix is failing to install in my and many other workstation fleets lmao

Apparently it needs like 10-15 GB free space and is failing on server VMs all over the place here.
# Jan 17, 2020 22:46
Monday I get to make a Windows patching infrastructure so that will be awful
# Jan 18, 2020 00:26
While this thread is mainly for enterprise use (probably), it's also the best place I can think of to ask this question: if I wanted to do a ground-up revamp of password and account management (including resetting everything), with an eye towards both privacy and keeping my accounts secure, where would I start?

I use all the basic stuff online beyond SA - Facebook, banking (major national bank you've heard of), investments, insurance, etc. I reuse passwords because up until now, I've been lazy and it hasn't been a problem with one exception (blessing in disguise, really). I'd like to get rid of problematic programs (goodbye, Chrome!). My social media exposure is minimal (I have a Facebook, LinkedIn, etc. but they are mostly dormant).

There's no good way to ask the question, I guess, but if I need to start resetting everything, where do I start? Is there a decent guide out there? I'd prefer some sort of a password manager and implement truly difficult to crack passwords - but I'm also clearly not going to remember them, so I'll need some storage/retrieval method. Is a Yubikey a good idea, and worth paying for? Is there a better solution?

Sorry for rambling, just trying to figure this out. There have been 7 attempts so far in the last 12 hours to get into my Google and Facebook accounts, I'd like to feel a bit more secure.
# Jan 18, 2020 01:32
The Iron Rose posted:
> Monday I get to make a Windows patching infrastructure so that will be awful

If you're starting out and will be patching recent versions of Windows it's not that bad. (If you have to go back and historically support Windows 7 you're absolutely in the suck.) They've gotten it down to ~2 major patches per version of Windows 10\Server2016\Server19, so all you need to do is figure out who's going to be your guinea pigs for your first wave. Then remind helpdesk to be aware of these computers for unusual behavior after Patch Tuesdays. Then remind them again. Then again. Then turn off updating!
# Jan 18, 2020 01:54
Go pay for 1password or lastpass and have it remember all your poo poo. Give it a unique password. Go ahead and change your bank account and email passwords to unique good passwords. Do normal poo poo with your password manager, letting it remember your normal lovely re-used passwords. In two weeks, run a security check up (both programs have this) and rotate the worst offenders. Keep doing this until you're not using terrible reused passwords any more. Then you can worry about min-maxing with yubikeys etc, but get your password situation fixed instead of worrying about comparatively less important improvements. When you have done this, you can reconsider your choice of password manager and all that, but right now you have more pressing security-related issues.
# Jan 18, 2020 02:33
Friends don't let friends use lastpass.
# Jan 18, 2020 03:05
Lastpass is worse than 1password. It's so much better than not using a password manager that people should just use the one they like. It doesn't really matter that much comparatively speaking.
# Jan 18, 2020 03:06
Lastpass is endorsed by taviso
# Jan 18, 2020 03:07
Lastpass is way better than 1password. 1password still doesn't have real form-field editing. I can get Lastpass to fill reliably all the time, not so with 1password. Also, 1password used to store all metadata in unencrypted format for a long time, so they've got a pretty checkered security record. And now they're owned by some weird VC fund.
# Jan 18, 2020 03:22
1password is better. The metadata being unencrypted hasn't been an issue since 2015. That's it. LastPass is owned by LogMeIn. LastPass has had a number of vulnerabilities as recently as last year. Preferences are subjective but don't spout bs.
# Jan 18, 2020 03:44
Pretty sure this thread recommends 1Pass and KeePass and that's it. Oh, and Apple's own built-in password manager.
# Jan 18, 2020 03:45
Bitwarden is free, easy to use, and does not (yet) have a history of repeated security fuckups.
# Jan 18, 2020 03:47
CLAM DOWN posted:
> 1password is better. The metadata being unencrypted hasn't been an issue since 2015. That's it. LastPass is owned by LogMeIn. LastPass has had a number of vulnerabilities as recently as last year. Preferences are subjective but don't spout bs.

1password had a vulnerability as recently as last year. Seems like a strange talking point. Please stop spouting bs.

Lambert fucked around with this message at 03:50 on Jan 18, 2020

# Jan 18, 2020 03:47
Let's not re-litigate the password manager wars. It just gives people that don't know much about the field analysis paralysis. The message should be: use a password manager, yes that one is fine, just use a password manager.
# Jan 18, 2020 03:49
Lambert posted:
> 1password had a vulnerability as recently as last year. Seems like a strange talking point. Please stop spouting bs.

Lastpass and a number of other password managers were subject to the same vulnerability.
# Jan 18, 2020 03:49
Achmed Jones posted:
> Let's not re-litigate the password manager wars. It just gives people that don't know much about the field analysis paralysis. The message should be: use a password manager, yes that one is fine, just use a password manager.

Well, just don't use the one built in to your web browser. Except maybe Firefox, that might be good now.
# Jan 18, 2020 03:50
Lambert posted:
> 1password had a vulnerability as recently as last year. Seems like a strange talking point. Please stop spouting bs.

Why are you not recognizing LastPass' history and issues? Do you work for them or something?
# Jan 18, 2020 03:53
You can always tell when password managers come up because the thread goes from 1 post every 2 days to 14 an hour.
# Jan 18, 2020 03:54
A history of not sweeping vulnerabilities under the rug, fixing them swiftly and doing responsible disclosure? Ah no, better go with the worse product that was horribly unsafe for years. But I guess they had an excuse, because not encrypting metadata was faster. Unlike Lastpass, which always encrypted everything. So slow!
# Jan 18, 2020 03:55
Lambert posted:
> A history of not sweeping vulnerabilities under the rug, fixing them swiftly and doing responsible disclosure? Ah no, better go with the worse product that was horribly unsafe for years and didn't tell people about it.

You're being disingenuous and misrepresenting both 1Password and lastpass.
# Jan 18, 2020 03:57
LastPass is a million times better than not using a password manager at all and even an imperfect solution makes end users massively more safe. That being said I've heard good things about Dashlane which has a free edition. Having the free version is so important to get people to use one and as much as I love 1password its (extremely inexpensive) subscription cost turns people off. Fortunately it's trivial to switch password managers so I just get people to change a year in when they've bought into the concept.
# Jan 18, 2020 03:59
Lambert posted:
> A history of not sweeping vulnerabilities under the rug, fixing them swiftly and doing responsible disclosure? Ah no, better go with the worse product that was horribly unsafe for years. But I guess they had an excuse, because not encrypting metadata was faster. Unlike Lastpass, which always encrypted everything. So slow!

You need to get a grip.
# Jan 18, 2020 04:09
I'm a cranky 1password user. Time for Microsoft to finally release their product, so I can switch to a good one.
# Jan 18, 2020 04:11
Go away troll
# Jan 18, 2020 04:25