tangy yet delightful posted:
Thanks I'll dig into myQ a little more to see what functionality and data policy stuff it has. And for the lock I'll look in the morning and if it has the rekey feature I'll probably replace it within 6 months if the bank account holds up.

If you are high profile for one reason or another and actually have legitimate reason to believe you might be targeted it's a different matter, but personally I wouldn't be rushing out to replace the locks. Here's a video showing the more destructive exploit. This one breaks the rekey feature entirely and sometimes breaks the whole lock, but it looks untouched from the outside. Video timestamped to the actual opening, intro explains a bit about the locks: https://www.youtube.com/watch?v=sR-h64WwfW8&t=111s AFAIK this one can be done with a normal screwdriver if you know what you're doing, the tool just makes it easier. There's another one I'm aware of that's a lot more complicated but is non-destructive, done right no one would ever know the lock had been opened.

The Fool posted:
While those are valid concerns for most random websites, Troy Hunt has been around for a while and has a proven track record.

That said, that's exactly why HIBP has a password checking API. You SHA1 hash the password and submit to the API just the first five characters of the hash. It then returns any hashes in the database matching that prefix. Comparing the returned list to the full password hash is left as an exercise for the reader. Or just download the entire database from the links provided on the same page. The details about the how and why are listed here, which is also linked from the search page.
Nov 18, 2019 20:49

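
The range lookup described in the post above, hash locally, send only the five-character prefix, compare the returned suffixes on your own machine, as an added worked example. This is not code from the thread or from HIBP: the sample response body and the counts in it are constructed for the offline check (the middle suffix is the real remainder of SHA-1("password"), the other two are made up), `fake_fetch` stands in for the network, and `fetch_range` only touches the live `https://api.pwnedpasswords.com/range/` endpoint if you call it yourself.

```python
"""Added example: the Pwned Passwords k-anonymity range check (not HIBP's code).
Only the first five hex characters of the SHA-1 leave the machine; whether the
full hash is present is decided locally against the returned bucket."""
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # live endpoint; unused offline


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves this process."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict.  With the Add-Padding header the
    service also returns decoy suffixes with count 0; they parse like any other
    line and can never produce a non-zero breach count."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (network).  Sends the prefix only and asks for padding so the
    response size does not reveal how many real entries the bucket holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    req = Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus.  `fetch` maps a prefix
    to a range body, so the same code runs against the live API or a stand-in."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch(prefix)).get(suffix, 0)


# Constructed response for bucket 5BAA6, the prefix of SHA-1("password").
# Only the middle suffix is the genuine remainder of that hash; the other two
# suffixes and all three counts are invented for this example.
SAMPLE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:4200
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
"""


def fake_fetch(prefix: str) -> str:
    """Constructed stand-in for fetch_range: serves one bucket, nothing else."""
    return SAMPLE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(breach_count("password", fake_fetch))        # 4200 with the constructed bucket
    print(breach_count("some other passphrase", fake_fetch))  # 0: not in the served bucket
```

The point worth keeping in mind is that the comparison happens in `breach_count`, after the response has arrived: the service sees one of 1,048,576 possible prefixes and nothing else, which is why The Fool calls the API safe to use with a current password while the web form is not.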
|
Well yeah changing that tiny script would be noticeable right away to half the InfoSec community, but I'm not so sure about changes to any other remote js resources the page loads, which can see that textbox too and would be like trying to find a malicious line in a haystack. Not sure how big the total page source with resources is though compared to normal bloated websites, because phoneposting
Nov 18, 2019 20:58

Dumb Lowtax posted:
Well yeah changing that tiny script would be noticeable right away to half the InfoSec community, but I'm not so sure about changes to any other remote js resources the page loads, which can see that textbox too and would be like trying to find a malicious line in a haystack. Not sure how big the total page source with resources is though compared to normal bloated websites, because phoneposting

I feel like having Google Analytics and Azure Application Insights running on that page is already pushing it -- not necessarily from a security point-of-view (though they do have full DOM-access, obviously), but for privacy reasons. If you want metrics, at least use something like Matomo/Piwik or Snowplow, where you control the data...
Nov 18, 2019 23:56

Dumb Lowtax posted:
Well yeah changing that tiny script would be noticeable right away to half the InfoSec community, but I'm not so sure about changes to any other remote js resources the page loads, which can see that textbox too and would be like trying to find a malicious line in a haystack. Not sure how big the total page source with resources is though compared to normal bloated websites, because phoneposting

How often do most people in infosec look at that script? It'd probably go unnoticed for months,
Nov 19, 2019 01:39

apseudonym posted:
How often do most people in infosec look at that script? It'd probably go unnoticed for months,

I can almost guarantee that there is at least one person that is doing hashes of the site as a canary. It doesn't require a person to actually look at it
Nov 19, 2019 01:43

If you're technically inclined enough to hash your password (and be sure you've hashed it correctly, and aren't just going to get a false negative because you did it wrong), then you can handle using the API. The site needs to Just Work for people that aren't very technically inclined.
Nov 19, 2019 02:03

wolrah posted:
Eh, while you're right about this site, if there were ever any changes and some questionable script appeared half of infosec Twitter would know it in a second, it's still a bad habit. I wouldn't be entering any passwords I care about into a web form that wasn't the site that password is for.

This is it to me. I won't use the password checking part of the site just because it's so ingrained not to type passwords not in use, even tho I do trust the site. I also wouldn't recommend anyone else do so because anyone who has to ask doesn't reflexively discriminate between HIBP.com and HIBP.com.ru and so are likely to type the password into less legit password checking sites. I seem to remember some site a while back that said "Check to see if your password has been hacked" and straight mocked you and said it has now when you typed something in, which is the correct approach
Nov 19, 2019 05:50

There's also the likelihood that even if the InfoSec community frequently vets the script and checksums all the code running on that page, they'll still necessarily miss how when any of them request the site from their own IP they get the normal page, but when Jamal the Journalist requests the same page using his known browser config from his known IP address in the Turkish Embassy his browser gets sent code that skips the SHA hash in favor of a mailto form to tips@houseofsaud.com
Happy Thread fucked around with this message at 10:12 on Nov 19, 2019
Nov 19, 2019 10:05

Alright alright I get it you don't trust the site. PM me your password and I'll check it for you
Nov 19, 2019 11:50

Dumb Lowtax posted:
There's also the likelihood that even if the InfoSec community frequently vets the script and checksums all the code running on that page, they'll still necessarily miss how when any of them request the site from their own IP they get the normal page, but when Jamal the Journalist requests the same page using his known browser config from his known IP address in the Turkish Embassy his browser gets sent code that skips the SHA hash in favor of a mailto form to tips@houseofsaud.com

That might be why Troy Hunt wrote this in the blog post about that very site:

quote:
It goes without saying (although I say it anyway on that page), but don't enter a password you currently use into any third-party service like this! I don't explicitly log them and I'm a trustworthy guy but yeah, don't. The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it's not one they should be using any more.

I honestly forgot how this discussion started but personally I'd never use that page for a current password but the API should be fine to use since you're not giving it anything useful.
Nov 19, 2019 14:19

If you don't trust Troy Hunt's site then that's on you. He's proven that it's ok.
Nov 19, 2019 17:42

as long as you're 100% sure all browser extensions you have enabled haven't been compromised either
Nov 19, 2019 18:13

Last Chance posted:
as long as you're 100% sure all browser extensions you have enabled haven't been compromised either

A compromised browser extension with permissions wide-ranging enough can simply read all your passwords directly as you enter them, it wouldn't need to depend on the user visiting Troy Hunt's website.
Nov 19, 2019 18:17

Lambert posted:
A compromised browser extension with permissions wide-ranging enough can simply read all your passwords directly as you enter them, it wouldn't need to depend on the user visiting Troy Hunt's website.
Nov 19, 2019 20:43

wolrah posted:
I'll release an extension that only runs on Troy Hunt's site and not only alerts you if it changes but makes sure your passwords are super duper extra secure by submitting them to my check system encrypted with a million loops of modern unicode safe ROT8000.

Find a way to work "blockchain" into it and you're looking at a cool three million in VC funding.
Nov 19, 2019 20:47

CLAM DOWN posted:
If you don't trust Troy Hunt's site then that's on you. He's proven that it's ok.

I trust him but it turns out years of conditioning worked and I now have an aversion to typing in my passwords on third party sites that promise they aren't saving them... and all my passwords are randomly generated strings of characters so I'm assuming I'm not the target audience.
Nov 20, 2019 13:37

Yea, anyone who would need to trust Troy wouldn't know why he's trustworthy and really shouldn't
Nov 20, 2019 14:59

Combat Pretzel posted:
What plugin do you use for filling in password fields on web pages? KeeForm?

https://addons.mozilla.org/en-US/firefox/addon/keefox/
https://chrome.google.com/webstore/detail/kee-password-manager/mmhlniccooihdimnnjhamobppdhaolme

Requires the use of a plugin for KeePass: https://github.com/kee-org/keepassrpc/releases/latest

Full instructions: https://forum.kee.pm/t/installing-kee-with-keepassrpc-for-keepass-password-safe-instructions/23

You can ignore the "paid" aspects of the stuff you see. All they are doing is selling their own web-based password hosting service built on top of KeePass. The plugin integrates with the KeePass 2 client and is open source and entirely free.
Nov 20, 2019 17:02

Filling my keyboard's storage with 32-character random strings hidden behind leader key sequences and then just using a mnemonic device to keep in mind which sequences go where certainly is paying dividends for me these days.
Nov 20, 2019 17:15

https://twitter.com/lazygamereviews/status/1197198709504827394
Nov 20, 2019 18:29

I use FTPes to connect to my server. Is there an actual reason to switch?
Nov 20, 2019 18:45

Lambert posted:
I use FTPes to connect to my server. Is there an actual reason to switch?

There are probably a few servers that support FTPS (FTP over TLS) and not SFTP, and that's just fine as long as they're using a valid cert, but plain old FTP should be retired at this point.
Nov 20, 2019 19:04

That's why I use FTPes, that's TLS encrypted FTP. So I guess I'm fine, then?
Nov 20, 2019 19:21

wolrah posted:
FTP is an unencrypted plaintext protocol, so if you've ever connected over an untrusted network the network operator could have easily snagged your credentials. On open WiFi anyone else in the area could too.
Nov 20, 2019 19:40

Why would you use FTPES over SFTP? I'm not very familiar with the former. It doesn't appear to be supported by any browser or major application.
Nov 20, 2019 19:45

Lambert posted:
That's why I use FTPes, that's TLS encrypted FTP. So I guess I'm fine, then?

Yes, if you're using a proper cert on it and your client is set to require that everything validates it's just fine. The explicit form can be downgraded though if a client is set up too permissively, so make sure that's not the case. I'm not really sure why they chose to standardize on that rather than the implicit version which would have no such weakness.

D. Ebdrup posted:
OpenSSH is ported to Windows, so any server can support SFTP since it uses SSH.

I'd almost always default to SFTP though given the choice. The only exception would be if I was hosting something like an old school anonymous FTP where I expected people to be downloading entire directory structures rather than just individual files. SFTP doesn't have an anonymous mode and web server generated folder indexes don't offer a convenient way to download recursively, so since it's 2019 and running plaintext protocols over the open internet is generally a bad idea FTPS would seem like the right answer.
Nov 20, 2019 20:18

wolrah posted:
I'd almost always default to SFTP though given the choice. The only exception would be if I was hosting something like an old school anonymous FTP where I expected people to be downloading entire directory structures rather than just individual files. SFTP doesn't have an anonymous mode and web server generated folder indexes don't offer a convenient way to download recursively, so since it's 2019 and running plaintext protocols over the open internet is generally a bad idea FTPS would seem like the right answer.

This is really helpful. Thanks.
Nov 20, 2019 20:34

CLAM DOWN posted:
Why would you use FTPES over SFTP? I'm not very familiar with the former. It doesn't appear to be supported by any browser or major application.

Weird-rear end federal sites with presumably ancient devs
Nov 21, 2019 02:56

CLAM DOWN posted:
Why would you use FTPES over SFTP? I'm not very familiar with the former. It doesn't appear to be supported by any browser or major application.

It's supported by pretty much any FTP application. I use WinSCP. Also, thanks for the clarifications!
Nov 21, 2019 03:08

Lambert posted:
It's supported by pretty much any FTP application. I use WinSCP.

I've literally never used FTPES and honestly only heard of it like once before. Really weird to read this here.
Nov 21, 2019 03:10

WinSCP does SFTP. Because the scp part (as in "SSH copy file") is SFTP (as in SSH file transfer protocol). If FTPES was a recent choice, it's certainly an interesting one.
Nov 21, 2019 04:25

FTP is such a nightmare when firewalls get involved that any form of encrypted FTP is probably more insecure than SFTP purely by nature of the administration overhead.
Nov 21, 2019 08:21

Combat Pretzel posted:
WinSCP does SFTP. Because the scp part (as in "SSH copy file") is SFTP (as in SSH file transfer protocol).

It can do both, FTPes and SFTP. WinSCP also supports a couple of other protocols, pretty handy tool overall.
Nov 21, 2019 09:44

Lambert posted:
It can do both, FTPes and SFTP. WinSCP also supports a couple of other protocols, pretty handy tool overall.

Pretty much any file transfer client supports all these, but no one should be using anything but SFTP. Because you don't really need to set up SFTP, it's already there when you launch sshd
Nov 22, 2019 03:56

The question could be approached from the opposite direction, what benefit does FTPes provide. I would consider SFTP with OpenSSH as the gold standard for secure file transfer. It's probably one of the most widely used options after HTTPS, and you don't have to build a buggy web app, just set a few config options. OpenSSH is probably used in some way by the majority of the organisations in the world, much of it critically important. It's also open source, so I have a hard time thinking of software that would receive more scrutiny.

On the other hand there is a multitude of FTP servers, but nowadays they are all niche products with a small userbase. And FTPES as a newer feature was developed well after FTP was in wide use.

A couple of years ago I had to set up an FTP server for a lovely temperature logging IoT which only supported plain FTP. I found it a chore trying to decide what FTP server I would trust the most and how to configure it correctly. SFTP would have been a much preferable option.

Something that also caught my eye in the wiki article:

quote:
In explicit mode (also known as FTPES), an FTPS client must "explicitly request" security from an FTPS server and then step up to a mutually agreed encryption method. If a client does not request security, the FTPS server can either allow the client to continue in insecure mode or refuse the connection.

So the connection may be secure, or it may not be. Why even have that option.
Nov 22, 2019 21:04

Saukkis posted:
The question could be approached from the opposite direction, what benefit does FTPes provide.

If you have a situation for which an anonymous FTP makes sense, but you want to wrap it in TLS for the same reasons we do it for everything else these days, FTPS/FTPes seems like the obvious choice.

quote:
So the connection may be secure, or it may not be. Why even have that option.

Now why the explicit mode was the one that finally ended up getting standardized instead of implicit mode that runs on port 990 and is always encrypted I have no idea.
Nov 23, 2019 00:00

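
wolrah's caveat a few posts up (explicit FTPS "can be downgraded though if a client is set up too permissively") and the Wikipedia passage Saukkis quotes (a client that never gets security may be allowed to "continue in insecure mode") come down to a single client-side decision. The block below is an added example, not code from the thread or from any FTP project: a constructed loopback control channel that answers AUTH TLS with a 500 reply stands in for a server or network path that offers no TLS, and two `ftplib` clients show the difference between aborting and quietly logging in over plaintext. The host, the credentials and every server reply are made up for the demonstration.

```python
"""Added example (not from the thread): does an explicit-FTPS client fall back
to plaintext when AUTH TLS is refused?  A constructed loopback server that never
offers TLS plays the part of a downgrading path or a misconfigured host."""
import socket
import ssl
import threading
from ftplib import FTP_TLS, error_perm


class NoTlsFtpServer(threading.Thread):
    """Constructed: speaks just enough of the FTP control channel to refuse
    AUTH TLS with a 5xx reply and then accept a plaintext USER/PASS."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))      # ephemeral loopback port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.seen = []                            # commands exactly as the wire carried them

    def run(self):
        conn, _ = self.listener.accept()
        rd, wr = conn.makefile("rb"), conn.makefile("wb")
        wr.write(b"220 constructed test server\r\n")
        wr.flush()
        for raw in rd:
            cmd = raw.decode("latin-1").rstrip("\r\n")
            self.seen.append(cmd)
            verb = cmd.split(" ", 1)[0].upper()
            reply = {"AUTH": "500 AUTH not understood",   # no TLS on offer
                     "USER": "331 password required",
                     "PASS": "230 logged in",
                     "QUIT": "221 goodbye"}.get(verb, "502 not implemented")
            wr.write((reply + "\r\n").encode("ascii"))
            wr.flush()
            if verb == "QUIT":
                break
        conn.close()
        self.listener.close()


def login_strict(port, user="alice", password="hunter2"):
    """Correct explicit FTPS: AUTH TLS must succeed before any credential is
    sent, and create_default_context() verifies the certificate chain and the
    hostname once the channel is wrapped.  A 5xx on AUTH ends the session."""
    ftps = FTP_TLS(context=ssl.create_default_context())
    ftps.connect("127.0.0.1", port)
    try:
        ftps.auth()                        # raises error_perm on a 5xx reply
        ftps.login(user, password)         # only reached over TLS
        ftps.prot_p()                      # encrypt the data channel as well
        return "secure"
    except error_perm:
        return "aborted"                   # no TLS, no login, nothing leaked
    finally:
        ftps.quit()


def login_permissive(port, user="alice", password="hunter2"):
    """The too-permissive pattern: treat a refused AUTH TLS as 'this server has
    no TLS' and carry on.  secure=False tells ftplib not to insist on TLS."""
    ftps = FTP_TLS(context=ssl.create_default_context())
    ftps.connect("127.0.0.1", port)
    try:
        ftps.auth()
    except error_perm:
        pass                               # falls through to a plaintext login
    ftps.login(user, password, secure=False)
    ftps.quit()
    return "plaintext"


def demo():
    """Run each client against a fresh constructed server.  Returns, per client,
    what it reported and whether a PASS command crossed the wire unencrypted."""
    results = {}
    for name, client in (("strict", login_strict), ("permissive", login_permissive)):
        srv = NoTlsFtpServer()
        srv.start()
        outcome = client(srv.port)
        srv.join(timeout=5)
        leaked = any(c.startswith("PASS ") for c in srv.seen)
        results[name] = (outcome, leaked)
    return results


if __name__ == "__main__":
    for name, (outcome, leaked) in demo().items():
        print(f"{name:10s} client: {outcome}; password sent in clear: {leaked}")
```

The same split exists in every FTPS client's settings under one name or another ("require TLS", "fall back to plain FTP"): the strict function is what wolrah's "client is set to require that everything validates" looks like in code, and the permissive one is the configuration that turns explicit mode's optional security into no security at all against a path that simply refuses AUTH TLS.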
FTP just needs to die, SFTP has largely replaced it. The worst part is so many printers and even many switches/routers use FTP for firmware upgrade.
Nov 23, 2019 01:53

CommieGIR posted:
FTP just needs to die, SFTP has largely replaced it.

Not TFTP? Full FTP is ridiculous for just that use case, especially for switches/routers.
Nov 23, 2019 02:44

Yet another huge data breach... https://www.wired.com/story/billion-records-exposed-online/
Nov 23, 2019 13:29

At this point, is there anybody over the age of 6 whose personal data has not been leaked?
Nov 23, 2019 14:26