beuges
Jul 4, 2005
fluffy bunny butterfly broomstick

SlowBloke posted:

FIDO2 logon for Windows is available only for Azure AD joined or Hybrid AD joined machines; personal accounts are not natively supported. macOS and iOS will call FIDO2 keys only on OOBE if you enable the new advanced security option, but just for enrollment, not day-to-day usage. You can tinker with PAM to use a FIDO key to log on with Linux.

Web site access for FIDO2 keys is native to every Chromium or WebKit based browser.

Yubikey 4 series only supports U2F/FIDO1, not FIDO2.

This is quite informative, thanks. So effectively I should be fine with a Security key which just does fido2. I do have a pair of yubikey 4’s which I could potentially use if I ever need the virtual smart card at some point.


Caconym
Feb 12, 2013

SlowBloke posted:

eIDAS relies on known trust anchors based on conventional certs; FIDO will never get accepted in any LoA scheme since it would cut current CA providers out. I'm expecting eID FICEP nodes to become an auth high anchor well before white-label FIDO keys become the norm.
EU Login does support fido already, albeit hidden very deeply, so it's not like they don't know it exists.

Being Norwegian I don't know about the intra-EU drama, but as I said, we use a commercial FIDO2 notified LoA High from Buypass.no.
They claimed to be the first to get there in January 22; I'd have thought there'd be more by now. Anyway, it is doable, at least when it's one of the current CAs like BuyPass that branch out. :v:

Google translated press release from last year here: https://www-buypass-no.translate.goog/nyheter/fido2-pa-hoyeste-sikkerhetsniva?_x_tr_sl=no&_x_tr_tl=en&_x_tr_hl=no&_x_tr_pto=wapp

SlowBloke
Aug 14, 2017

beuges posted:

This is quite informative, thanks. So effectively I should be fine with a Security key which just does fido2. I do have a pair of yubikey 4’s which I could potentially use if I ever need the virtual smart card at some point.

I suggest you get a NFC variant so you could also use it with your smartphone.

Caconym posted:

Being Norwegian I don't know about the intra-EU drama, but as I said, we use a commercial FIDO2 notified LoA High from Buypass.no.
They claimed to be the first to get there in January 22; I'd have thought there'd be more by now. Anyway, it is doable, at least when it's one of the current CAs like BuyPass that branch out. :v:

Google translated press release from last year here: https://www-buypass-no.translate.goog/nyheter/fido2-pa-hoyeste-sikkerhetsniva?_x_tr_sl=no&_x_tr_tl=en&_x_tr_hl=no&_x_tr_pto=wapp

I want to add some info on that stuff since I'm the idiot in my public sector office that handles legalese-to-human translations. The service that you guys purchased is an IDP, which has a very specific iter for eIDAS certification and will never succeed for, say, Azure AD or Microsoft consumer. Most states rely on an eID-backed or legacy custom implementation (Italy uses SPID, for instance) handled by the local government. How you authenticate is irrelevant to the eIDAS specs; your IDP could send you MFA over pigeons and, as long as the core certification authority service logic follows their set of requirements, nobody on the Bruxelles side would flinch. Public sector-wise, as long as your service isn't public facing, Azure AD native solutions are compliant and a lot stronger than the baseline eIDAS (the baseline for digital signature is a checkbox, good christ).

SlowBloke fucked around with this message at 16:25 on Feb 1, 2023

SlowBloke
Aug 14, 2017
Double posting

App13
Dec 31, 2011

Strange question but we’ve got a user here who was phished by someone pretending to be a friend of his from high school asking for personal information.

This user is a great worker and a kind dude. He is also relatively profoundly autistic and is a very naturally trusting person. Anyone have any simple-to-understand resources on the dangers of sharing information online? Like a YouTube video or something similar.

My usual resources for this are aimed at a much more technologically savvy user with a higher effective literacy ability, so I'm at a bit of a loss.

Thanks Ants
May 21, 2004

#essereFerrari


I can't suggest anything specifically but I would guess autism charities would be the best source of material tailored to that requirement

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
Have a look at organisations that are focused towards children and old people (eg in the UK NSPCC, Sage, or Age Concern). They almost certainly have online safety material aimed at people who aren't l33t.

Scamming old people is a huge industry.

Famethrowa
Oct 5, 2012

App13 posted:

Strange question but we’ve got a user here who was phished by someone pretending to be a friend of his from high school asking for personal information.

This user is a great worker and a kind dude. He is also relatively profoundly autistic and is a very naturally trusting person. Anyone have any simple-to-understand resources on the dangers of sharing information online? Like a YouTube video or something similar.

My usual resources for this are aimed at a much more technologically savvy user with a higher effective literacy ability, so I'm at a bit of a loss.

My company uses a video series called "Restricted Intelligence" that is targeted towards less technologically savvy users. It's engaging and relatively funny.

Otherwise, I really like the suggestion of contacting an autism charity (don't do Autism Speaks pls).

Thanks Ants
May 21, 2004

#essereFerrari


I had a quick look and found this, which seems to have loads of relevant links at least:

https://www.preventingexploitationtoolkit.org.uk/home/what-is-exploitation/what-is-vulnerability/autism-spectrum-conditions/

App13
Dec 31, 2011

Famethrowa posted:

My company uses a video series called "Restricted Intelligence" that is targeted towards less technologically savvy users. It's engaging and relatively funny.

Otherwise, I really like the suggestion of contacting an autism charity (don't do Autism Speaks pls).


This is absolutely perfect. Thank you

Shumagorath
Jun 6, 2001
Sorry I’m not caught up, but what’s the big push to get off LastPass? I’ve already reset my master password and have ~90 passwords left to reset or sunset. The browser extension is a bit janky but I find that’s often the site’s fault.

How bad is the export / import to 1Password in the case LastPass is fundamentally busted / incompetent?

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Shumagorath posted:

Sorry I’m not caught up, but what’s the big push to get off LastPass? I’ve already reset my master password and have ~90 passwords left to reset or sunset. The browser extension is a bit janky but I find that’s often the site’s fault.

How bad is the export / import to 1Password in the case LastPass is fundamentally busted / incompetent?

https://infosec.exchange/@epixoip/109585049354200263

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
Do you want to explain your thought process here? Like, are you looking forward to doing this all over again the next time their complete incompetence leads to them being compromised?

Sickening
Jul 16, 2007

Black summer was the best summer.

Shumagorath posted:

Sorry I’m not caught up, but what’s the big push to get off LastPass? I’ve already reset my master password and have ~90 passwords left to reset or sunset. The browser extension is a bit janky but I find that’s often the site’s fault.

How bad is the export / import to 1Password in the case LastPass is fundamentally busted / incompetent?

The company and all its infrastructure is beyond the benefit of the doubt at this point. They are a security company who failed at basic security. While using any company's product is a risk, you are choosing the most publicly owned password manager in existence. Seems like a bad play.

more falafel please
Feb 26, 2005

forums poster

Shumagorath posted:

Sorry I’m not caught up, but what’s the big push to get off LastPass? I’ve already reset my master password and have ~90 passwords left to reset or sunset. The browser extension is a bit janky but I find that’s often the site’s fault.

How bad is the export / import to 1Password in the case LastPass is fundamentally busted / incompetent?

the export/import is very simple. Changing all the passwords that were in your lastpass (which you should now consider compromised) is the time-consuming part.

Klyith
Aug 3, 2007

GBS Pledge Week

Shumagorath posted:

in the case LastPass is fundamentally busted / incompetent?

you say this like it's hypothetical when it is at this point a well-established fact

Raymond T. Racing
Jun 11, 2019

at this point no one should be using lastpass

Inept
Jul 8, 2003

If you do business with Lastpass, ask for their latest SOC2 report :D

wolrah
May 8, 2006
what?

Buff Hardback posted:

at this point no one should be using lastpass
At about a half dozen points prior no one should have been using lastpass, yet here we are again with another wave of people wondering if this is finally enough for them to change.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Buff Hardback posted:

at this point no one should be using lastpass

Yeah they've blown their goodwill like Okta did during their breach.

Shumagorath
Jun 6, 2001
gently caress that’s so much worse than I knew. Moving to 1Password this weekend; thanks!

Busy Bee
Jul 13, 2004
What would you recommend as a secure notes app? In the past I have used LastPass and it's secure notes feature but I am looking to switch.

I heard Bitwarden or 1password is recommended. I just want something simple that I can use on my phone and on my browser. Just open the app -> fingerprint scan -> add a note with a title and text.

Andohz
Aug 15, 2004

World's Strongest Smelly Hobo

Busy Bee posted:

What would you recommend as a secure notes app? In the past I have used LastPass and it's secure notes feature but I am looking to switch.

I heard Bitwarden or 1password is recommended. I just want something simple that I can use on my phone and on my browser. Just open the app -> fingerprint scan -> add a note with a title and text.

In 1password on Android this is basically the flow (for me): open app -> fingerprint -> click + button -> click "Secure note".
Haven't used bitwarden so don't know.

Busy Bee
Jul 13, 2004

Andohz posted:

In 1password on Android this is basically the flow (for me): open app -> fingerprint -> click + button -> click "Secure note".
Haven't used bitwarden so don't know.

Are you able to export an encrypted file of your notes?

Andohz
Aug 15, 2004

World's Strongest Smelly Hobo

Busy Bee posted:

Are you able to export an encrypted file of your notes?

Nope. I'm not on the latest version though but I can't find anything about being able to export secure notes specifically to any encrypted file format.

Busy Bee
Jul 13, 2004
Is anyone familiar with Standard Notes? https://standardnotes.com/

Seems like a better option for what I am trying to accomplish as I do not need a service to save login information.

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Busy Bee posted:

Is anyone familiar with Standard Notes? https://standardnotes.com/

Seems like a better option for what I am trying to accomplish as I do not need a service to save login information.

If you want to store logins without a cloud service, then you want KeePass; it's the standard recommendation.

SlowBloke
Aug 14, 2017

Saukkis posted:

If you want to store logins without a cloud service, then you want KeePass; it's the standard recommendation.

He literally said he doesn't care about login data

Busy Bee posted:

Seems like a better option for what I am trying to accomplish as I do not need a service to save login information.

acetcx
Jul 21, 2011
I use Standard Notes and it works okay, but the site is pretty janky and it feels like a low-rent operation. The task view has been broken for months now (the first task in each note is misaligned and overlaps the top edge of the window, making only the bottom few pixels of the text visible). I bought some kind of Black Friday 5-year deal a while back and I'm planning to run out the clock on it, but I will be looking for alternatives when it expires. That said, I have no reason to believe there's anything wrong with the encryption or anything; it's just kind of unpolished.

Famethrowa
Oct 5, 2012

Saukkis posted:

If you want to store logins without a cloud service, then you want KeePass; it's the standard recommendation.

more like keep rear end

BlankSystemDaemon
Mar 13, 2009



I too like to keep rear end.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

BlankSystemDaemon posted:

I too like to keep rear end.

Consider it kept.

Shumagorath
Jun 6, 2001
1Password's secret management might be better than LastPass but holy poo poo is their app worse. Sync issues between the desktop app and extension, broken import from LastPass with opaque error message, pre-submission saving, and not actually saving and filling generated passwords all within my first hour.

It's not just a per-site thing either. 100% of the sites I've updated today have had the old password persist in the extension when I logged out and tried logging back in to test.

e: Ok it looks like the extension and desktop app integration is just complete trash. Extension-only for now.

e2: I figured it out. If you add 2FA, all of your sessions stay live but none of them have a valid credential, so updates fail silently or with non-specific errors. Great design.

Shumagorath fucked around with this message at 18:36 on Feb 4, 2023

Achmed Jones
Oct 16, 2004



yeah it's bad. for some reason i thought they fixed it, but more likely i just deleted one or the other

Shumagorath
Jun 6, 2001
I left the extension-to-app integration disabled* and it's working decently well, but save-before-update is a great way to unrecoverably gently caress people out of account access until the history is populated.

TBF LastPass also did that with an old ADP login for a company I haven't worked at in ten years, but that's half ADP's fault for still having garbage special character limits.


*I'm unclear what this even does, since I've been using the app to launch and fill while the extension handles changes. I think this might be my old workflow of LastPass having full vault access in the extension interfering with my thinking, and I can see why that's a bad idea. 1Password's web vault isn't great, but their local app also has some very Mac-centric quirks (UI patterns based on light switches so you click what you don't want to get what you want, and error messages for idiots).

Shumagorath fucked around with this message at 19:19 on Feb 4, 2023

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


I've never had any problems with 1Password or using its excel sheet import.

The Fool
Oct 16, 2003


same but I also don't use the browser extension

Shumagorath
Jun 6, 2001
Everything worked using the CSV / copy-paste import, but obviously having my vault on the clipboard is a harrowing experience I wanted to avoid. Trying to directly import from LastPass returned an error in the Windows app that I'm inclined to blame on LastPass attempting to slow the exodus from their service, but support requests explaining how to work around it weren't forthcoming.

Raymond T. Racing
Jun 11, 2019

Shumagorath posted:

I left the extension-to-app integration disabled* and it's working decently well, but save-before-update is a great way to unrecoverably gently caress people out of account access until the history is populated.

TBF LastPass also did that with an old ADP login for a company I haven't worked at in ten years, but that's half ADP's fault for still having garbage special character limits.


*I'm unclear what this even does, since I've been using the app to launch and fill while the extension handles changes. I think this might be my old workflow of LastPass having full vault access in the extension interfering with my thinking, and I can see why that's a bad idea. 1Password's web vault isn't great, but their local app also has some very Mac-centric quirks (UI patterns based on light switches so you click what you don't want to get what you want, and error messages for idiots).
Lets you unlock 1Password in the browser when you unlock the desktop app (which also means you have system unlock like Touch ID or w/e on Mac), and it stays unlocked when you quit your browser.


BrainDance
May 8, 2007

Disco all night long!

This is only kinda on topic for the thread I think, but this seems to be the best place to ask since it's gotta break security in some way.

I'm only doing this because I'm curious how it works, but it bugs me that I can't figure out what it's doing. There's some, as far as I can tell, spam/scam stuff that gets posted in comments on social media. What it does is, someone will post a comment like "breaking ahhh terrible news new video!" and make it look like a link to YouTube. It's not a link to YouTube though; it's a link to, for example (probably don't actually go here), wee .so/0veyx which in that example redirects to another page like 2b609efa7 .kreuzung .eu.org/7832b6

Then, that 2nd page redirects to an actual YouTube video, but it's something stupid and weird like some Indian dude just recording his feet or an ash tray or whatever.

Obviously it's gotta be doing something; something's gotta happen at that middle page, but I don't know how to check, because that redirects to the YouTube video.

How can I find out what it's doing? What's the point of it all?

I went and looked through it with Burp Suite, but I don't see anything obviously sketchy other than the redirects.

BrainDance fucked around with this message at 05:57 on Feb 5, 2023
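One way to see what each hop in a chain like the one above does, without letting a browser follow it, is to walk the chain one hop at a time with HTTP redirects disabled and record every Location header, meta refresh or JavaScript redirect, plus any scripts the intermediate page loads. This is an added example, not code from the post; the URLs and responses in it are constructed stand-ins, and for a live check a real fetcher (for instance `requests.get(url, allow_redirects=False)`) is assumed to be passed in place of `fake_fetch`.

```python
import re
from urllib.parse import urljoin

# Constructed stand-ins for the hops in the post: a shortener answering with
# an HTTP 302, a middle page that forwards with <meta refresh> while also
# loading a script, and the final page that does not forward anywhere.
FAKE_RESPONSES = {
    "https://short.invalid/0veyx": (302, {"Location": "https://mid.invalid/7832b6"}, ""),
    "https://mid.invalid/7832b6": (200, {"Content-Type": "text/html"},
        '<html><head><script src="/track.js"></script>'
        '<meta http-equiv="refresh" content="0; url=https://video.invalid/watch?v=abc">'
        '</head><body>redirecting</body></html>'),
    "https://video.invalid/watch?v=abc": (200, {"Content-Type": "text/html"}, "<html>final</html>"),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']', re.I)
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)

def fake_fetch(url):
    """Hypothetical fetcher: returns (status, headers, body) from the constructed table."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))

def next_hop(url, status, headers, body):
    """Return the URL this response forwards to, or None if it does not forward."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])          # HTTP-level redirect
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, m.group(1))                   # <meta http-equiv="refresh">
    m = JS_REDIRECT.search(body)
    if m:
        return urljoin(url, m.group(1) or m.group(2))     # location= / location.replace()
    return None

def trace(url, fetch=fake_fetch, max_hops=10):
    """Follow the chain manually; stop on a loop or after max_hops."""
    hops, seen = [], set()
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, headers, body = fetch(url)
        hops.append({"url": url, "status": status,
                     "scripts": [urljoin(url, s) for s in SCRIPT_SRC.findall(body)],
                     "next": next_hop(url, status, headers, body)})
        url = hops[-1]["next"]
    return hops

if __name__ == "__main__":
    for hop in trace("https://short.invalid/0veyx"):
        print(hop["status"], hop["url"], "->", hop["next"], "scripts:", hop["scripts"])
```

The scripts recorded on the middle hop are the part worth reading next, since a page that only existed to redirect would not need to load any.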
