Shumagorath
Jun 6, 2001
I’m currently doing that with 1Password, and… horses, water, etc :bang:

Thanks Ants
May 21, 2004

Will it work through the Cloudflare reverse proxy thing?

cr0y
Mar 24, 2005

Well, I already have an SSL reverse proxy in front of it; I'm not sure if you were implying having Tailscale clients on my family devices.

Even in the event that the service got compromised, the password databases themselves are heavily encrypted, and in my head this is no different from what a lot of other centralized password management solutions are doing already.

Thanks Ants
May 21, 2004

I meant this https://www.cloudflare.com/en-gb/products/tunnel/

If the application only needs to talk HTTPS then expose it to the world using Cloudflare Tunnel so it never appears on a port scan, there's no inbound connection to your server etc. Someone would need to know the URL for your instance to connect to it, and you might be able to do stuff like restrict access to your country only (this is a guess, I've not used it).
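As an added illustration (not from the post above, and not Bitwarden's or Cloudflare's own documentation), this is the shape of a cloudflared ingress config that publishes a single Vaultwarden/Bitwarden instance through Cloudflare Tunnel with no inbound port on the host. The hostname, tunnel UUID, file paths and origin port are assumed placeholders.

```yaml
# /etc/cloudflared/config.yml  (example; all values below are placeholders)
#
# Setup steps the config assumes were run once:
#   cloudflared tunnel login                         # authorize against your zone
#   cloudflared tunnel create vault                  # writes <TUNNEL-UUID>.json
#   cloudflared tunnel route dns vault vault.example.com
#   cloudflared tunnel run vault                     # outbound-only connection to Cloudflare

tunnel: 00000000-0000-0000-0000-000000000000          # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Only this hostname is forwarded to the vault. The origin port is an
  # assumption; match it to whatever your Vaultwarden/Bitwarden container listens on.
  - hostname: vault.example.com
    service: http://127.0.0.1:8080

  # Catch-all rule (required by cloudflared). Any other hostname routed to this
  # tunnel gets a 404 instead of accidentally exposing something else on the box.
  - service: http_status:404
```

The tunnel only hides the origin from port scans; it is not authentication, so the instance still depends on the vault's own login and any Cloudflare Access policy you put in front of the hostname.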

Shumagorath
Jun 6, 2001

Thanks Ants posted:

Will it work through the Cloudflare reverse proxy thing?

Are you talking about WARP? I've never been clear on exactly what that's doing but it looks cool...?

Thanks Ants
May 21, 2004

It looks like it's even semi-supported by Bitwarden

https://contributing.bitwarden.com/getting-started/server/tunnel/#cloudflare-argo-tunnels

Inept
Jul 8, 2003

cr0y posted:

Is it a terrible idea to expose a self hosted bitwarden instance to the internet? Currently mine is only available over my VPN but I am kicking around the idea of extending it to my family in a desperate effort to get them to have better password management and security in general as opposed to using the same drat password for everything.

Just pay for an account somewhere. You don't want your internet going down to be the reason your parents can't get into their bank account.

spankmeister
Jun 15, 2008
I'd go for a 1password family plan tbh

cr0y
Mar 24, 2005
Inept posted:

Just pay for an account somewhere. You don't want your internet going down to be the reason your parents can't get into their bank account.

Availability really isn't a concern, the clients have a local copy of the DB and just sync on write.

I'll check out the cloudflare stuff, haven't made any decisions one way or the other, just kicking around ideas since I recently migrated away from 1Password.

The Iron Rose
May 12, 2012

Cloudflare’s zero trust solutions, GCP’s identity aware proxy, and Azure App Proxy are all good ways to solve this depending on where you’re hosting your instance from (but also just buy 1pass family).

Happiness Commando
Feb 1, 2002

I bought 1pass family. It was the right move.

mllaneza
Apr 28, 2007

Inept posted:

Just pay for an account somewhere. You don't want your internet going down to be the reason your parents can't get into their bank account.

Or somebody on vacation if you went with a region lock.

adnam
Aug 28, 2006

Let me know if this is the wrong thread for this. But I recently moved off Lastpass to 1password (yes I know late), and after having my optometrist request my social security number, had a bit of a paranoid episode and ended up freezing all 3 major credit bureaus, lexis/nexis, NCTUE and ChexSystems databases.

Was this a bit mad, or do you guys routinely do this sort of identity protection?

Sirotan
Oct 17, 2006

I gave up on the freezes just because I tend to churn credit cards for points, but yeah I've got fraud alerts set up everywhere as well as multiple services that alert me to credit changes (including one paid for by the government after being involved in the OPM breach :rolleyes:). The fraud alerts require identity verification so places have to reach out to me first before credit is granted, which means I have to make some calls or deal with banks a bit to get them shut down. It's kind of a hassle but I just had somebody last week try to open a new United Visa card through Chase in my name. It's happened to me so often that it's basically become routine.

The credit freezes should prevent you from having to go through that bullshit, though.

Cup Runneth Over
Aug 8, 2009

Happiness Commando posted:

I bought 1pass family. It was the right move.

Famethrowa
Oct 5, 2012

poo poo I really need to get on freezing my credit. I see no downsides given how often breaches happen. thanks for the reminder.

BlankSystemDaemon
Mar 13, 2009

EDIT: Wrong thread.

New Zealand can eat me
Aug 29, 2008

CLAM DOWN posted:

Not that I was able to read/find! Who knows though!

Cloudflare offers a service called Polish that will do exactly this, I'd be a little surprised if they haven't.

evil_bunnY
Apr 2, 2003

cr0y posted:

Is it a terrible idea to expose a self hosted bitwarden instance to the internet? Currently mine is only available over my VPN but I am kicking around the idea of extending it to my family in a desperate effort to get them to have better password management and security in general as opposed to using the same drat password for everything.

Extend the VPN instead of the bitwarden instance.

evil_bunnY
Apr 2, 2003

Sirotan posted:

I gave up on the freezes just because I tend to churn credit cards for points, but yeah I've got fraud alerts set up everywhere as well as multiple services that alert me to credit changes (including one paid for by the government after being involved in the OPM breach :rolleyes:). The fraud alerts require identity verification so places have to reach out to me first before credit is granted, which means I have to make some calls or deal with banks a bit to get them shut down. It's kind of a hassle but I just had somebody last week try to open a new United Visa card through Chase in my name. It's happened to me so often that it's basically become routine.

The credit freezes should prevent you from having to go through that bullshit, though.

SO glad this isn't a thing here.

Rescue Toaster
Mar 13, 2003

The Iron Rose posted:

Cloudflare’s zero trust solutions, GCP’s identity aware proxy, and Azure App Proxy are all good ways to solve this depending on where you’re hosting your instance from (but also just buy 1pass family).

evil_bunnY posted:

Extend the VPN instead of the bitwarden instance.

I do wonder if you could use any of the identity/authentication options the Cloudflare reverse tunnels offer. Like, if they opened the web page first in a browser and, without even logging in to Vaultwarden, did the Cloudflare verification, could they then use the app? Or I wonder if it's tied to a cookie in the browser. Pretty clunky unfortunately, since the Bitwarden client couldn't do it for you.

Also by default I think they only can do an email "2-factor".

App13
Dec 31, 2011

I’m teaching the Cybersecurity 101 course at a local community college this fall and I would love some input on stuff that you’d actually like to see/learn from a course like this.

The curriculum at the moment focuses mainly on the CIA triad of course, and everything will sort of be presented through that lens, but in the age of ChatGPT I want to avoid just assigning a bunch of papers.

Seeing as how it’s an intro course I’m thinking that it would be cool to 1. Introduce a topic, 2. Show how to use an exploit related to that topic, 3. Show how to defend against said exploit. The more hands on the better, in my mind.

adnam
Aug 28, 2006

Sirotan posted:

I gave up on the freezes just because I tend to churn credit cards for points, but yeah I've got fraud alerts set up everywhere as well as multiple services that alert me to credit changes (including one paid for by the government after being involved in the OPM breach :rolleyes:). The fraud alerts require identity verification so places have to reach out to me first before credit is granted, which means I have to make some calls or deal with banks a bit to get them shut down. It's kind of a hassle but I just had somebody last week try to open a new United Visa card through Chase in my name. It's happened to me so often that it's basically become routine.

The credit freezes should prevent you from having to go through that bullshit, though.

Yikes - I thought about doing credit point churning but it just sounded like so much more work, and from the last time I looked into it, it looked like most CCs had nerfed their reward programs.

Famethrowa posted:

poo poo I really need to get on freezing my credit. I see no downsides given how often breaches happen. thanks for the reminder.

I think when I go for a new line of credit, etc., it may be more of an issue, but considering how much of a charlie foxtrot having to deal with identity fraud seems like, I'm ok with it. I just wanted to make sure there wasn't a "freezing your credit at this bureau requires a phone call on every 3rd Tuesday of the 4th month between 2 and 4 am" to unfreeze.

evil_bunnY posted:

SO glad this isn't a thing here.

Where exactly is this? I have friends in the EU, SEA and various Asian countries who've also had issues with identity fraud. I imagine anywhere with an internet connection and online banking has this issue. Do you live in space?

Sirotan
Oct 17, 2006

adnam posted:

Yikes - I thought about doing credit point churning but it just sounded like so much more work, and from the last time I looked into it, it looked like most CCs had nerfed their reward programs.

Tbqh I have not been churning lately but there are plenty of current offers that can net you $500+ with minimal effort: https://www.doctorofcredit.com/best-current-credit-card-sign-bonuses/ The nice thing about the CC bonuses is they are not taxed as income like a bank account bonus is. Is it worth the bullshit? Eh, I guess I can put up with a lot for a little bit of free cash. YMMV

adnam
Aug 28, 2006

Sirotan posted:

Tbqh I have not been churning lately but there are plenty of current offers that can net you $500+ with minimal effort: https://www.doctorofcredit.com/best-current-credit-card-sign-bonuses/ The nice thing about the CC bonuses is they are not taxed as income like a bank account bonus is. Is it worth the bullshit? Eh, I guess I can put up with a lot for a little bit of free cash. YMMV

I did not know about the taxation. There's a lot of bs I can put up with for some extra cash.

evil_bunnY
Apr 2, 2003

adnam posted:

Where exactly is this? I have friends in the EU, SEA and various Asian countries who've also had issues with identity fraud. I imagine anywhere with an internet connection and online banking has this issue. Do you live in space?

Scandinavia. There's plenty of fraud, CC theft, etc., but I've never had anyone I know get an account or card opened in their name.

CommieGIR
Aug 22, 2006

Well well well:

https://www.securityweek.com/chatgpt-data-breach-confirmed-as-security-firm-warns-of-vulnerable-component-exploitation/

quote:

OpenAI said on Friday that it had taken the chatbot offline earlier in the week while it worked with the maintainers of the Redis data platform to patch a flaw that resulted in the exposure of user information.

The issue was related to ChatGPT’s use of Redis-py, an open source Redis client library, and it was introduced by a change made by OpenAI on March 20.

The chatbot’s developers use Redis to cache user information in their server, to avoid having to check the database for every request. The Redis-py library serves as a Python interface.

The bug introduced by OpenAI resulted in ChatGPT users being shown chat data belonging to others.

According to OpenAI’s investigation, the titles of active users’ chat history and the first message of a newly created conversation were exposed in the data breach. The bug also exposed payment-related information belonging to 1.2% of ChatGPT Plus subscribers, including first and last name, email address, payment address, payment card expiration date, and the last four digits of the customer’s card number.

Shuu
Aug 19, 2005

Wow!

App13 posted:

I’m teaching the Cybersecurity 101 course at a local community college this fall and I would love some input on stuff that you’d actually like to see/learn from a course like this.

The curriculum at the moment focuses mainly on the CIA triad of course, and everything will sort of be presented through that lens, but in the age of ChatGPT I want to avoid just assigning a bunch of papers.

Seeing as how it’s an intro course I’m thinking that it would be cool to 1. Introduce a topic, 2. Show how to use an exploit related to that topic, 3. Show how to defend against said exploit. The more hands on the better, in my mind.

That sounds awesome! If you're structuring it like that, it might be a good idea to introduce them more formally to threat modeling. Given a system, how do you break it? How do you keep it from being broken?

I was involved with university recruiting for my team for years and one of the main issues I saw with intern candidates/new grads was that a lot of them struggled with the "why". I'd talk to plenty who could rattle off a checklist of broad defensive controls, and plenty who thought the workshop they did on red teaming was Really Cool and just wanted to break things all day with their outdated yet oddly specific knowledge of exploiting MS08-067, but tying all of that together didn't always happen. Of course some of that comes with experience and context, but I don't recall any intro class really focusing on the practicality and reality rather than rote memorization of the definitions of Virus and Worm.

Shuu fucked around with this message at 17:20 on Mar 29, 2023

Famethrowa
Oct 5, 2012


my company is barreling ahead on integration with chatgpts api so this is useful ammo for us to try to slow things down and get some clarity on openai's security practices.

e. still feel like this is a freight train of unintended consequences we won't be able to truly mitigate. no one even knew they were building it into our product until they announced they would be rolling it out soon.

Sir Bobert Fishbone
Jan 16, 2006

https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

quote:

On March 29, 2023, CrowdStrike observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp — a softphone application from 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.

Seems good

Thanks Ants
May 21, 2004

3CX response is complete poo poo as well, I don't think they are equipped to handle what looks like someone infiltrating their build environment

adnam
Aug 28, 2006

evil_bunnY posted:

Scandinavia. There's plenty of fraud, CC theft, etc., but I've never had anyone I know get an account or card opened in their name.

That's awesome. Wonder what structural factors lead to that being a less likely possibility.

CommieGIR
Aug 22, 2006

Yeah one of our vendors packages this in, we're in cleanup to get it out of our environment.

Saukkis
May 16, 2003

adnam posted:

That's awesome. Wonder what structural factors lead to that being a less likely possibility.

It has been ages since I last got a credit card, but I believe the two methods to acquire one are an in-person meeting in the bank office where you show your driver's license or another valid form of identification, or you use your online banking account, which has always required 2FA authentication by every bank since the turn of the millennium.

I don't think it's possible to get a card by sending signed paperwork anywhere. My understanding is in US paper spam often includes pre-filled credit applications/ads. Those aren't a thing at all. My own bank may occasionally mail me ads, but any actual application would have to go another path. I don't think any other bank besides my own has sent me ads since forever.

evil_bunnY
Apr 2, 2003

adnam posted:

That's awesome. Wonder what structural factors lead to that being a less likely possibility.

Strong ID controls for banking actions like that (opening cards/accounts), and tight lockdowns by default for money transfers. My bank specifically asked me what countries they should allow transfers to, for example.

Thanks Ants
May 21, 2004

CommieGIR posted:

Yeah one of our vendors packages this in, we're in cleanup to get it out of our environment.

The latest Defender definitions are picking this up and removing it

SlowBloke
Aug 14, 2017

adnam posted:

That's awesome. Wonder what structural factors lead to that being a less likely possibility.

It's mostly due to PSD, active since 2010, which provides a strong set of regulations and penalties for banks that provide accounts without proper user verification.

TheFluff
Dec 13, 2006

Also, at least in Scandinavia, there are public census databases and it's typically not possible to get sensitive things like credit cards sent anywhere other than your legal residence address. Specifically for credit cards the procedure is to send the card via regular mail and a letter with the PIN code via certified mail so you have to go to the post office and sign for it. The card is only just barely usable without the PIN here; in some cases not at all usable. I actually got into an embarrassing situation with a cab driver last time I was in the US because it turns out my bank only supports chip-and-PIN and contactless these days, but his machine did neither.

Identity theft-related stuff does still happen but it's rare and pretty hard to pull off. There was a thing a couple of years ago that involved sending a fake address change form to the tax authorities as the first step IIRC, but I'm pretty sure that's been patched up.

TheFluff fucked around with this message at 15:59 on Mar 30, 2023

CommieGIR
Aug 22, 2006

Thanks Ants posted:

The latest Defender definitions are picking this up and removing it

Same with Crowdstrike, given they apparently were on the ball about this.

KillHour
Oct 28, 2007

TheFluff posted:

I actually got into an embarrassing situation with a cab driver last time I was in the US because it turns out my bank only supports chip-and-PIN and contactless these days, but his machine did neither.

Does your card still have the magnetic strip on it? If so - why?
