|
KillHour posted:As with nearly every episode of Black Mirror I've ever seen, it ruins any interesting morality questions by having an incredibly stupid and contrived premise. Torturing a digital copy of someone fails at any sane goal of criminal justice. It neither rehabilitates the offender, nor punishes the version of them that could theoretically commit another crime because they still exist in the real world and the version being punished does not. DS9 did it better. O'Brien gets 20 years for some minor offense he committed without realizing it, does the time in a couple hours through some brain technobabble but doesn't realize that it was fake until he's out.
|
#
?
Feb 12, 2023 15:37
|
|
|
|
| # ? May 29, 2024 15:22 |
|
|
KillHour posted:fails at any sane goal of criminal justice.
|
|
#
?
Feb 12, 2023 15:44
|
|
|
more falafel please posted:DS9 did it better. O'Brien gets 20 years for some minor offense he committed without realizing it, does the time in a couple hours through some brain technobabble but doesn't realize that it was fake until he's out. See demolition man as a way to not do this
|
|
#
?
Feb 12, 2023 15:45
|
|
|
Rescue Toaster posted:I'm planning on picking up a domain to use for email to get some important accounts off of gmail (in terms of password reset/etc...), and also probably so some local devices have a unique domain name and I can do internal certs that are actually trusted. I'm late to this discussion, but there's an angle to this matter I didn't notice anyone addressing. At the end of the day, the scenario you are worried about is one where you would simultaneously lose the access to your Gmail and another independent service that uses the email address for resets. This seems unlikely. I can assume there are numerous reasons why one can lose access to Gmail, but that should be a non-issue for the other services. Just log in to the services and change their email addresses used for resets. This of course assumes the service allows changing the email address without first sending a verification email to the old address. But that would be pretty stupid design to require and you probably should test any services that are important to you for this. Another issue is that to my understanding email addresses are generally frowned upon and considered untrustworthy, just not as bad as SMS. If a service is so important to you that you are trying to protect against Gmail problems, then that seems like a sign you should disable email password resets completely and come up with alternate recovery methods. Although this may not be that easy as I experienced recently myself. I started the AppleTV app on my TV after a long time and it wanted to update. After the update it wanted a reactivation and did it over web on my laptop. After logging in the website I heard a faint bling in the distance and I had to go searching for the ancient iPad I never use. Then I tried to figure out an alternative 2FA option. Turns out the options are a phone number, Apple device or two FIDO security keys. I found it nice they pointed out you need two keys, but wouldn't you also need two Apple devices for the same reason. The keys would be best option, but they had some limitations like not working with iCloud for Windows and require a recent iOS. It wouldn't work with my iPad, which I think could be an issue.
|
|
#
?
Feb 12, 2023 20:45
|
|
|
SwissArmyDruid posted:I want to thank Kazinsal for not passing off my concerns as being unfounded paranoia. Twitter and discords have been blowing up today about Marot, the developer of GShade rewriting part of their code to include malware because someone didn't use his precious baby in exactly the way that he, god-emperor of his petty fiefdom, had decreed. Catching up on this thread, I'd like to mention that the code that does this insane poo poo wasn't in the version of GShade that I had run through IDA, but after the release of the malware-tastic version, that old version indeed refused to activate shaders until I downloaded the new one. Needless to say, I'm not running GShade for FFXIV anymore 
|
|
#
?
Feb 13, 2023 02:57
|
|
|
What's the correct way to keep a password from hanging around in memory in python? You can't just reassign your variable to a different string, since that just creates a new immutable string in memory and and points to it, leaving the password string in memory until garbage collection happens to pick it up.
|
|
#
?
Feb 14, 2023 15:24
|
|
|
Why not just rely on process memory protection? If you need to, you can spawn a new process to authenticate and then kill it when it's done. You don't need to reinvent the wheel here, the OS can handle that for you.
|
|
#
?
Feb 14, 2023 15:55
|
|
|
Comedy option: Use ctypes to clobber the string in memory as a sort of roundabout implementation of bzero(). Nothing is truly immutable when you have pointers! 
|
|
#
?
Feb 14, 2023 18:46
|
|
|
Or just force a full garbage collection cycle with gc.collect()? Would that not work? But yeah: Mustache Ride posted:Why not just rely on process memory protection? If you need to, you can spawn a new process to authenticate and then kill it when it's done. You don't need to reinvent the wheel here, the OS can handle that for you. (Or possibly "I would like to defend myself from security pedants who will make CVEs for theoretical exploits where the attacker has full local control, but feels that simply capturing the master password entry is too easy.")
|
|
#
?
Feb 14, 2023 19:13
|
|
|
They also have to find the password in memory and know it’s the password. If you no longer reference it from whatever.password then any string in the GC heap could be the password. you could generate a bunch of chaff strings to complicate the search if you wanted, I guess.
|
|
#
?
Feb 14, 2023 19:20
|
|
|
Subjunctive posted:They also have to find the password in memory and know it’s the password. If you no longer reference it from whatever.password then any string in the GC heap could be the password. you could generate a bunch of chaff strings to complicate the search if you wanted, I guess. What, you've never just ran strings on a memdump and used it as a wordlist for hashcat?
|
|
#
?
Feb 14, 2023 19:58
|
|
|
bcrypt is implemented in rust for python now. I'm not entirely sure that memory safety is too much of a concern anymore, provided you're building and calling bcrypt right
|
|
#
?
Feb 14, 2023 20:44
|
|
|
KillHour posted:As with nearly every episode of Black Mirror I've ever seen, it ruins any interesting morality questions by having an incredibly stupid and contrived premise. Torturing a digital copy of someone fails at any sane goal of criminal justice. It neither rehabilitates the offender, nor punishes the version of them that could theoretically commit another crime because they still exist in the real world and the version being punished does not.
|
|
#
?
Feb 14, 2023 20:49
|
|
|
spankmeister posted:What, you've never just ran strings on a memdump and used it as a wordlist for hashcat? Seems like a lot of work when I can just send an email with a payload called “2023 Layoffs.ppt”.
|
|
#
?
Feb 14, 2023 23:14
|
|
|
Might be helpful: https://pypi.org/project/python-secrets/
|
|
#
?
Feb 14, 2023 23:52
|
|
|
CommieGIR posted:Might be helpful: https://pypi.org/project/python-secrets/ And yet: quote:Secrets are stored in unencrypted form in the environments directories. Permissions are set to limit access, but this is not an “encrypt data at rest” solution like Vault by Hashicorp. So now you don’t even need to land a ptrace on the process, you can just grab them out of the files once you’re running as the user.
|
|
#
?
Feb 14, 2023 23:55
|
|
|
Subjunctive posted:And yet: I mean, long and short if an attacker has that level of access: They are getting the passwords unless you build a full application that salts+hashes the passwords and only does a comparison when passwords are entered. Its still far better than just embedding plaintext passwords in your app.
|
|
#
?
Feb 15, 2023 00:03
|
|
|
Sure, I agree that it’s a weird threat model, but the question was explicitly about how to handle secrets that might otherwise persist in the process’s memory where someone could read them.
|
|
#
?
Feb 15, 2023 00:04
|
|
|
Subjunctive posted:Sure, I agree that it’s a weird threat model, but the question was explicitly about how to handle secrets that might otherwise persist in the process’s memory where someone could read them. Yeah, and its a really hard usecase to answer for, I'd say hash with bcrypt and read the hash from memory, that or hashlib or something like that. But even then: If an attacker has level of access to read memory, there's a good chance they can read the hashing process or discover where to look for unhashed passwords in plaintext. If they have your system, its compromised. Better to assume a compromised system's contents are all compromised as well.
|
|
#
?
Feb 15, 2023 00:07
|
|
|
I interpreted the question as being about "the user types in their password to authenticate something - how do I clean that up so that an attacker that comes along later can't find it in memory?". Yes, an attacker that has compromised the system at the moment the user is typing in their password can access it regardless of what you do - but the same thing isn't necessarily true of someone that gains access after the fact. Similar concerns apply to password vaults - if the system is compromised while the vault is locked, and the user doesn't provide the decryption key to the compromised system, then the attacker shouldn't be able to get access to the contents of the vault. And this should still be true even if the vault was unlocked (and then relocked) some time before the attacker gained access.
|
|
#
?
Feb 15, 2023 00:27
|
|
|
Do you mean that it’s something other than luck when the attacker got access relative to the password input? I guess “after” does extend for a longer time (though in this case only until the next GC; does python let you force one?)
|
|
#
?
Feb 15, 2023 00:40
|
|
|
I haven't heard of a garbage collector that zeroes out memory instead of just marking it as free to use for other allocations.
|
|
#
?
Feb 15, 2023 00:52
|
|
|
Ah, fair, you’d need the heap to be reused too.
|
|
#
?
Feb 15, 2023 00:54
|
|
|
Jabor posted:I interpreted the question as being about "the user types in their password to authenticate something - how do I clean that up so that an attacker that comes along later can't find it in memory?". Yes, an attacker that has compromised the system at the moment the user is typing in their password can access it regardless of what you do - but the same thing isn't necessarily true of someone that gains access after the fact. Exactly, which is why most applications that take passwords only do a compare to the salted+hashed password rather than the plaintext. You might get a brief glimpse during submission but otherwise all you will see is the hash most likely.
|
|
#
?
Feb 15, 2023 01:16
|
|
|
Subjunctive posted:Seems like a lot of work when I can just send an email with a payload called “2023 Layoffs.ppt”. big oof
|
|
#
?
Feb 15, 2023 01:32
|
|
|
God I would so do that if I could ever get it green-lit (so never).
|
|
#
?
Feb 15, 2023 02:45
|
|
|
Elon doesn’t want to pay his Twilio bill for MFA https://help.twitter.com/en/managing-your-account/two-factor-authentication
|
|
#
?
Feb 18, 2023 10:24
|
|
|
Subjunctive posted:Seems like a lot of work when I can just send an email with a payload called “2023 Layoffs.ppt”.
|
|
#
?
Feb 18, 2023 11:00
|
|
|
Thanks Ants posted:Elon doesn’t want to pay his Twilio bill for MFA He indirectly made twitter more safe by making SMS disabled for most of the users.
|
|
#
?
Feb 18, 2023 12:04
|
|
|
Possibly, unless their response is to just turn MFA off. Marketing SMS MFA as a premium feature is not messaging that aligns with "it's garbage and you shouldn't use it", and I look forward to lots of accounts becoming unrecoverable when users lose access to their phone with the OTP seed.
|
|
#
?
Feb 18, 2023 13:24
|
|
|
Thanks Ants posted:Possibly, unless their response is to just turn MFA off. Marketing SMS MFA as a premium feature is not messaging that aligns with "it's garbage and you shouldn't use it", and I look forward to lots of accounts becoming unrecoverable when users lose access to their phone with the OTP seed. TOTP and U2F is still working perfectly, on mobile the SMS disable sequence will automatically enroll you in TOTP or U2F rather than disabling MFA.
|
|
#
?
Feb 18, 2023 14:30
|
|
|
Subjunctive posted:Seems like a lot of work when I can just send an email with a payload called “2023 Layoffs.ppt”.
|
|
#
?
Feb 18, 2023 16:19
|
|
|
When do you suppose a single bank or medical system will learn that non-SMS MFA exists?
|
|
#
?
Feb 18, 2023 18:00
|
|
|
Rescue Toaster posted:When do you suppose a single bank or medical system will learn that non-SMS MFA exists? most banks offer otp for business accounts ime Have you actually tried getting a normal person to set up non sms mfa? It just doesn't happen voluntarily
|
|
#
?
Feb 18, 2023 18:19
|
|
|
Rescue Toaster posted:When do you suppose a single bank or medical system will learn that non-SMS MFA exists? When a share prices loses 50% from a data breach.
|
|
#
?
Feb 18, 2023 18:20
|
|
|
As much as SMS 2FA sucks, it offloads that second factor to another corporation with a process. A bank and a few other entities do enough KYC to reset a token in person, but the rest would require your average first-line employee to do way more vetting that the phone company is already (supposed to be) doing.
Shumagorath fucked around with this message at 03:45 on Jan 24, 2024 |
|
#
?
Feb 18, 2023 18:30
|
|
|
Xero still don't offer loving SAML despite being a business SaaS provider. You can sign in with a Google account though. There was a decade old feature request for SSO and the Xero team interpreted this as though people were wanting them to be an IdP that other apps can auth against.
|
|
#
?
Feb 18, 2023 18:43
|
|
|
Thanks Ants posted:Xero still don't offer loving SAML despite being a business SaaS provider. You can sign in with a Google account though. There was a decade old feature request for SSO and the Xero team interpreted this as though people were wanting them to be an IdP that other apps can auth against. https://sso.tax
|
|
#
?
Feb 18, 2023 18:47
|
|
|
I am of the opinion that for most services first party auth shouldn't exist or should be the premium tier sso through apple/google/microsoft should be the default
|
|
#
?
Feb 18, 2023 18:48
|
|
|
|
| # ? May 29, 2024 15:22 |
|
|
Definitely for all non-consumer apps. Don't roll your own authentication.
|
|
#
?
Feb 18, 2023 18:51
|
|