|
Tankakern posted:another alternative is a rooted phone with backup software, but that might be against the spirit of this thread
|
# ? Apr 20, 2020 16:27 |
|
I use KeepAssXC with a long password and a yubikey HMAC-SPA something or other for the database, then keep all my passwords, TOTP keys, recovery keys and stuff in it. Then I back up the encrypted database to my Google drive. I'm bad at security.
|
# ? Apr 20, 2020 16:48 |
|
what about those usb security keys? there are models that work with nfc for phones, too
|
# ? Apr 20, 2020 17:02 |
|
The 2.5.4 update of Keep rear end caused my Mac to stop reading the Yubikey. The only fix I could find was "lol Reboot your Mac"
|
# ? Apr 20, 2020 17:57 |
|
univbee posted:what about those usb security keys?
|
# ? Apr 20, 2020 18:01 |
|
mystes posted:What about them?
they’re 2fa you don’t need an account for
|
# ? Apr 20, 2020 20:32 |
|
univbee posted:they’re 2fa you don’t need an account for
|
# ? Apr 20, 2020 20:37 |
|
I have a couple yubikeys and only like 3 things actually work with them, which is a shame because they’re way more convenient than digging a phone out of my pocket, opening an app, and picking the site from a menu
oh and with recent openssh versions you can configure key pairs to unlock via yubikey activation, need to try that out
|
# ? Apr 20, 2020 20:59 |
|
Progressive JPEG posted:I have a couple yubikeys and only like 3 things actually work with them, which is a shame because they’re way more convenient than digging a phone out of my pocket, opening an app, and picking the site from a menu
i just have my yubikey set up to hold a PGP keypair which i have SSH use as a SSH key
way overcomplicated but it works
|
# ? Apr 20, 2020 21:25 |
|
univbee posted:they’re 2fa you don’t need an account for
Yeah but you can't just use it for anything you want, only if it is supported. The list of accounts that support it isn't very long and it's mostly tech-ish stuff.
|
# ? Apr 20, 2020 21:35 |
|
Buff Hardback posted:i just have my yubikey set up to hold a PGP keypair which i have SSH use as a SSH key
|
# ? Apr 20, 2020 21:44 |
|
Buff Hardback posted:i just have my yubikey set up to hold a PGP keypair which i have SSH use as a SSH key
same, once you get it set up once it's pretty trivial and requires very little further janitoring
|
# ? Apr 20, 2020 23:31 |
|
Shame Boy posted:same, once you get it set up once it's pretty trivial and requires very little further janitoring
combine that with keybase and i'm posting at the speed of encryption
|
# ? Apr 21, 2020 06:17 |
|
univbee posted:what about those usb security keys?
Buff Hardback posted:i just have my yubikey set up to hold a PGP keypair which i have SSH use as a SSH key
I actually looked into this, and found that Yubico has an authenticator app that stores the seeds on the yubikey. I like this, I'll be getting one. (and then another one down the line to throw into the safe for when Things Happen.) Thanks.
mystes posted:Yeah I wish stuff actually supported u2f/fido2 but it doesn't.
From what I can tell, you can use the authenticator like any other TOTP authenticator as well. I'll report back when it arrives.
SwissArmyDruid fucked around with this message at 11:24 on Apr 21, 2020 |
# ? Apr 21, 2020 11:20 |
|
https://decrypt.co/26033/dforce-lendfme-defi-hack-25m
I will never get tired of the schadenfreude of people losing money in cryptocurrency
quote:DForce, a Chinese decentralized finance protocol, today lost $25 million worth of its customers’ cryptocurrency due to a well-known exploit of an Ethereum token
|
# ? Apr 21, 2020 18:58 |
|
SwissArmyDruid posted:I actually looked into this, and found that Yubico has an authenticator app that stores the seeds on the yubikey. I like this, I'll be getting one. (and then another one down the line to throw into the safe for when Things Happen.) Thanks.
I don't know how much this matters in practice (especially if you set a pin), but U2F/Fido 2 is much better in terms of stuff like this.
|
# ? Apr 21, 2020 19:12 |
|
ewiley posted:https://decrypt.co/26033/dforce-lendfme-defi-hack-25m
yeah, that sounds like self-sabotage. let's create a service hoping it gets popular, then hack ourselves and steal the money so we have an excuse for actually closing shop and running away with the money
|
# ? Apr 21, 2020 21:24 |
|
mystes posted:One theoretical problem with using something like a yubikey to do TOTP is that even if the secret never leaves the device, the time presumably has to be fed to it, so a malicious program could probably use the device to generate postdated TOTP codes which eliminates some of the advantages of TOTP.
You can set it to require touch if you’re really paranoid. That requires you to press the button to unlock and generate a code, so unless you can trick the person into repeatedly pressing the button, it’s not really feasible. Also if you’re worried about malicious software stealing the keys you probably have bigger issues and it’d be easier to just store the seed when it’s read in by piggy-backing the camera or something.
|
# ? Apr 21, 2020 22:03 |
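Added example (not written by any poster in this thread): a small Python model of the point in the two posts above, that RFC 6238 TOTP depends only on the seed and on whatever time the host supplies, so a token with no clock can gate code generation only with a touch policy, while the verifier checks codes against its own clock. `ClocklessToken` and `server_accepts` are hypothetical names, and the seed is the RFC 6238 test value, not a real secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: depends only on the seed and the time given."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ClocklessToken:
    """Hypothetical model of a hardware token: keeps the seed, has no clock."""
    def __init__(self, secret: bytes, require_touch: bool):
        self._secret = secret
        self.require_touch = require_touch

    def calculate(self, host_time: int, touched: bool = False) -> str:
        # The token cannot validate host_time; a touch policy is its only gate.
        if self.require_touch and not touched:
            raise PermissionError("touch required for each code")
        return totp(self._secret, host_time)

def server_accepts(secret, code, server_now, last_step=-1, window=1):
    """Verifier: accept codes near the server's own clock, one use per step."""
    now_step = server_now // STEP
    for step in range(now_step - window, now_step + window + 1):
        expected = totp(secret, step * STEP)
        if step > last_step and hmac.compare_digest(expected, code):
            return step  # caller persists this as the new last_step
    return None

def demo():
    seed = b"12345678901234567890"  # RFC 6238 test seed (constructed input)
    now, later = 1_111_111_109, 2_000_000_000
    code = ClocklessToken(seed, require_touch=False).calculate(later)
    early = server_accepts(seed, code, now, window=0)      # None: not valid yet
    on_time = server_accepts(seed, code, later, window=0)  # step number: valid then
    try:
        ClocklessToken(seed, require_touch=True).calculate(later)
        blocked = False
    except PermissionError:
        blocked = True
    return early, on_time, blocked

if __name__ == "__main__":
    print(demo())
```

With the touch policy on, every code costs one physical button press, and the `last_step` check on the verifier keeps an accepted code from being used twice.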
|
https://twitter.com/internetofshit/status/1252639771610034176?s=19
|
# ? Apr 21, 2020 23:16 |
|
https://twitter.com/jason_koebler/status/1252930862888484864?s=21
|
# ? Apr 22, 2020 13:25 |
|
That's an interesting article, have mixed feelings about this section
quote:In any case, the disclosure of these hacks is likely to reignite the debate over whether Apple is doing enough to secure the iPhone, and whether the company should make changes to iOS to allow defenders to be better at detecting and stopping attacks. Security researchers who focus on iOS have long asked Apple to allow them to look deeper into iOS code, and allow for special permissions for apps such as iVerify, that are designed to monitor hacks against the iPhone, but have limited capabilities as of today, due to Apple’s restrictions.
|
# ? Apr 22, 2020 15:17 |
|
The iOS defenders have logged on
|
# ? Apr 22, 2020 15:17 |
|
"please break your security model for us so we can peddle useless antivirus solutions"
|
# ? Apr 22, 2020 15:24 |
|
Dan's a good dude, but the industry complaints really strike me a lot as this from 15 years ago:
quote:Security software vendor Symantec Corp. accused Microsoft Corp. on Wednesday of abusing its monopoly in deciding which security products can run on its upcoming operating system.
Couldn't find the other articles about Symantec et al., complaining that Microsoft was going to give them APIs!!! instead of allowing them to install rootkits going forward, but I definitely remember those as far back as when XP SP2 was upon us.
|
# ? Apr 22, 2020 15:29 |
|
https://twitter.com/Foone/status/1251395931351609347
good thread
https://twitter.com/Foone/status/1251471091475681281
|
# ? Apr 22, 2020 15:47 |
|
nice! a remote access server
|
# ? Apr 22, 2020 15:54 |
|
duz posted:https://twitter.com/Foone/status/1251395931351609347
huh, i had one of those, it definitely felt like a piece of crap. i am amazed at HOW MUCH that was the case
|
# ? Apr 22, 2020 16:00 |
|
duz posted:https://twitter.com/Foone/status/1251395931351609347
i have had multiple instances of taking apart a vaguely smart product that i think couldn't possibly be anything that complex, finding serial headers or test points, connecting to them for shits and giggles and being presented with a full linux prompt
i think i posted that tp-link binary i found in here a while ago, which i was able to extract because they left a (not running, thankfully) telnet server program in the home directory with a password of like "admin" that made the whole thing super easy. i bet that binary blob had a bunch of vulns in it too since it was running literally everything from a single compiled program (the web interface, pairing, GPIO, everything) but i never got too far into taking it apart before getting bored
|
# ? Apr 22, 2020 16:07 |
|
lol I have one of those
it's a later model that communicates with a base station that runs the IR blasters and I think the remote itself can bluetooth directly to compatible devices
the hub is on wifi so it can be updated remotely and I can also control devices with a phone app (very slowly and clumsily)
wonder what fresh new kinds of jank were added to support all this
|
# ? Apr 22, 2020 16:27 |
|
haveblue posted:lol I have one of those
Security is compromises and if your attack vector involves compromising your remote control you're in a different tier than the rest of us.
Edit: don't listen to me
jre posted:The iOS defenders have logged on
Lol as if they're not everyone who posts here.
Project zero finds a buck wild exploit on Android: Lol anroid
Zero user interaction exploit found on iOS:
Volmarias fucked around with this message at 17:41 on Apr 22, 2020 |
# ? Apr 22, 2020 17:16 |
|
Volmarias posted:Lol as if they're not everyone who posts here.
You've missed the joke somewhat
quote:make changes to iOS to allow defenders
quote:
|
# ? Apr 22, 2020 17:19 |
|
ya it was making the rounds a few days ago, my favourite part is the tweet staring at the telnet login screen and a surprise reply giving them the credentials
Volmarias posted:Security is compromises and if your attack vector involves compromising your remote control you're in a different tier than the rest of us.
|
# ? Apr 22, 2020 17:33 |
|
jre posted:You've missed the joke somewhat
Thanks for explaining it
|
# ? Apr 22, 2020 17:40 |
|
duz posted:https://twitter.com/Foone/status/1251395931351609347
extremely interesting, thank you
|
# ? Apr 22, 2020 17:45 |
|
duz posted:https://twitter.com/Foone/status/1251395931351609347
this delivered real hard
|
# ? Apr 22, 2020 17:47 |
|
trogdor strikes again!
|
# ? Apr 22, 2020 18:35 |
|
Foone is goode.
|
# ? Apr 23, 2020 01:05 |
|
not that it excuses anything but that remote is like ten years old. i had to get rid of mine from the same era (ir only, though i have no doubt it was the same thing on the inside) when my operating system updated to beyond what logitech's software worked with. having to touch their server to update my remote was and is straight bullshit.
|
# ? Apr 23, 2020 01:16 |
|
same, putting goatse on it and mailing it to the states was one of the best things i could've done with mine
|
# ? Apr 23, 2020 01:21 |
|
Midjack posted:not that it excuses anything but that remote is like ten years old.
they were told at the time that what they were doing was stupid, because even ten years ago it was stupid
|
# ? Apr 23, 2020 01:27 |