Shumagorath
Jun 6, 2001
Today I learned that motherboard makers, in their never-ending quest to gently caress over my new builds in stupid ways, make TPMs an optional module now. Do I lose anything by doing BitLocker with PIN-only or PIN + smallest metal-clad flash drive I can find? The theoretical attack I'm picturing is a malicious boot loader that captures the PIN and transparently feeds it into the real BitLocker, which a TPM would prevent.

Can someone please remind me if you can enable the TPM later after first setting up BitLocker to be PIN-only? Does that regenerate your key / recovery key? My laptop is my only working Windows machine right now and I don't want to experiment.


Shumagorath
Jun 6, 2001
The drive I bought supports eDrive so I'm not worried about having to undo/redo the crypto as it uses key management on the flash controller. I could also use a PIN+USB scheme in the interim so it's down to a question of whether I want to use my new desktop this week.

Also, my laptop is on TPM + PIN - that's 256-bit even with an 8-char random PIN, right?

Shumagorath
Jun 6, 2001
Is anyone familiar with eDrive / IEEE 1667 / Samsung Encrypted Drive? I'm trying to wrap my head around why the drives leave the factory with the capability disabled and enabling it requires you to first set it to "ready to be enabled" from Windows then secure erase then reinstall the OS from scratch, no restoring images allowed. The drive didn't come with a boot disk or anything to enable eDrive before one goes through installing their entire OS just to wipe it :psyduck:

What's more the Samsung secure erase bootable tool tells you to uncable your drive even if it's plugged directly into the board via M2, but it appears my Asus UEFI handles that just as well. I really don't want to go to all this work just to find out it somehow won't work after a clean install because I used the wrong manufacturer's secure erase, though at least I can restore an image if everything fails.

Shumagorath
Jun 6, 2001

ItBurns posted:

Don't be obtuse. It's a relevant development and a significant reversal of their position (and a few posters' own positions) with regard to sharing identifying info with FB and by proxy advertisers and law enforcement where the (now) encrypted messages can be stored until/if an attack on the encryption is found.


You misread this, but I use the tip of my penis so the joke's on them!
Hahaha yeah we'll encrypt data just to store and attack it rather than doing something easy like bait-and-switching our zero-knowledge spec with DES

just buy Threema assuming you can afford 2.99

Shumagorath
Jun 6, 2001
Sorry I’m not caught up, but what’s the big push to get off LastPass? I’ve already reset my master password and have ~90 passwords left to reset or sunset. The browser extension is a bit janky but I find that’s often the site’s fault.

How bad is the export / import to 1Password in the case LastPass is fundamentally busted / incompetent?

Shumagorath
Jun 6, 2001
gently caress that’s so much worse than I knew. Moving to 1Password this weekend; thanks!

Shumagorath
Jun 6, 2001
1Password's secret management might be better than LastPass but holy poo poo is their app worse. Sync issues between the desktop app and extension, broken import from LastPass with opaque error message, pre-submission saving, and not actually saving and filling generated passwords all within my first hour.

It's not just a per-site thing either. 100% of the sites I've updated today have had the old password persist in the extension when I logged out and tried logging back in to test.

e: Ok it looks like the extension and desktop app integration is just complete trash. Extension-only for now.

e2: I figured it out. If you add 2FA, all of your sessions stay live but none of them have a valid credential, so updates fail silently or with non-specific errors. Great design.

Shumagorath fucked around with this message at 18:36 on Feb 4, 2023

Shumagorath
Jun 6, 2001
I left the extension-to-app integration disabled* and it's working decently well, but save-before-update is a great way to unrecoverably gently caress people out of account access until the history is populated.

TBF LastPass also did that with an old ADP login for a company I haven't worked at in ten years, but that's half ADP's fault for still having garbage special character limits.


*I'm unclear what this even does, since I've been using the app to launch and fill while the extension handles changes. I think this might be my old workflow of LastPass having full vault access in the extension interfering with my thinking, and I can see why that's a bad idea. 1Password's web vault isn't great, but their local app also has some very Mac-centric quirks (UI patterns based on light switches so you click what you don't want to get what you want, and error messages for idiots).

Shumagorath fucked around with this message at 19:19 on Feb 4, 2023

Shumagorath
Jun 6, 2001
Everything worked using the CSV / copy-paste import, but obviously having my vault on the clipboard is a harrowing experience I wanted to avoid. Trying to directly import from LastPass returned an error in the Windows app that I'm inclined to blame on LastPass attempting to slow the exodus from their service, but support requests explaining how to work around it weren't forthcoming.

Shumagorath
Jun 6, 2001

KillHour posted:

As with nearly every episode of Black Mirror I've ever seen, it ruins any interesting morality questions by having an incredibly stupid and contrived premise. Torturing a digital copy of someone fails at any sane goal of criminal justice. It neither rehabilitates the offender, nor punishes the version of them that could theoretically commit another crime because they still exist in the real world and the version being punished does not.

They always just seem like ideas the writers had while high.

They got lazy and ripped off the same episode of The Outer Limits twice (the VR game demo-gone-wrong premise is almost identical).

Shumagorath
Jun 6, 2001

Subjunctive posted:

Seems like a lot of work when I can just send an email with a payload called “2023 Layoffs.ppt”.

if my manager sent that kind of info around in a powerpoint I'd have quit already

Shumagorath
Jun 6, 2001
As much as SMS 2FA sucks, it offloads that second factor to another corporation with a process. A bank and a few other entities do enough KYC to reset a token in person, but the rest would require your average first-line employee to do way more vetting than the phone company is already (supposed to be) doing.

Shumagorath fucked around with this message at 03:45 on Jan 24, 2024

Shumagorath
Jun 6, 2001
Has Microsoft said anything about re-implementing the functionality Google is dropping? If not I’ll be 100% Firefox overnight.

Shumagorath
Jun 6, 2001
I kept forgetting about that manifest change but it's going to gently caress over almost ten years of my browsing model - Edge with uBlock for stuff I trust, Firefox with uMatrix for stuff I don't.

Shumagorath
Jun 6, 2001
I can’t believe how much the DoJ has weakened since the 90’s / 00’s such that Alphabet isn’t getting busted up for controlling the #1 browser, ad business, search, and video site. It’s just so utterly poisonous; all four of those products are demonstrably worse for it, and the synergy between two of them is actively pushing society off a cliff only slightly less energetically than Facebook.

Shumagorath
Jun 6, 2001
I switched to 1Password and it’s a definite improvement in every regard except when it saves passwords (pre-submission).

Shumagorath
Jun 6, 2001
Having just moved my dad out of Apple keychain into 1Password: Do not use Apple keychain unless you want to be forever chained to iCarumba, The Worst Cloud. Exporting was entirely by hand and took me ~30min for 40 passwords.

Shumagorath
Jun 6, 2001
I just got a LastPass breach incident update to the security notice e-mail of the account I closed a week ago. gg guys

Shumagorath
Jun 6, 2001
I never like leaving accounts to rot. Taking out the digital trash is satisfying and my password migration was a great opportunity to have my various e-mail aliases in that many fewer places.

I definitely agree with you that LastPass was the king of recognizing password creation and changes, but wow if they weren’t terrible at the rest. Just shutter the vault business and get into malicious javascript (but I repeat myself….)

Come to think of it I kinda wish I’d gone full Proton and aliased everything instead of having however many buckets my current provider allows.

Shumagorath
Jun 6, 2001
Fuzzy recollection here, but can't anyone on the domain dump out NTLM hashes or does it require local / domain admin?

I found this but it's a bit dated: https://0xdedinfosec.github.io/pages/windows-decryption/

... and then the main weakness being that you can hashcat your way through NTLM with a toaster?

Shumagorath
Jun 6, 2001
ring ring ring
ring ring ring ring
THE RANSOM PHONE

Shumagorath
Jun 6, 2001
Some require e-mail correspondence, some have deletion mechanisms on the site proper, and others are broken relics acquired or expired. Being in Canada I also had a fourth category of “service is geo-blocked and I’m not installing a VPN just to terminate that”.

Shumagorath
Jun 6, 2001
Oh yeah don’t forget ticket websites that often flag carrier NAT as “bot that hasn’t paid us” and prevent you from even logging in. This includes Ticketmaster, where calling the sales office will get you further than engineering.

Shumagorath
Jun 6, 2001

Rescue Toaster posted:

I believe it just overwrites the head of the file and leaves junk in the tail, was sort of the impression I got. Though that would imply the files don't actually get smaller, which you'd think somebody would have noticed.

Also it seems to be specific to 'Markup' for screenshots, so probably doesn't affect pictures cropped with google photos? Is the impression I got.

I definitely have a photo on my drive that’s edited like this; for several versions of Windows it would show more in the thumbnail than was displayed in whatever image viewer. I could probably hex edit back to the original.

Shumagorath
Jun 6, 2001

Jabor posted:

It's more likely that this is a jpeg image with an embedded thumbnail, and whatever tool cropped the original image didn't update the thumbnail. So you could recover a low-resolution version of the original, but not the original picture itself.

Hmm yeah probably that. That would also explain why Windows updated the thumbnail at some point.
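A way to check for the stale-thumbnail case Jabor describes, added here as an example (not code from anyone in the thread): walk the JPEG's header segments, find the Exif APP1 block, follow IFD0's next-IFD pointer to IFD1 and pull out the bytes its thumbnail tags point at. If a cropping tool rewrote the main image but not this blob, the returned bytes are the pre-crop preview. The sample JPEG is constructed inline (its "thumbnail" is just marker bytes around a label) so the script runs offline with only the standard library.

```python
import struct


def exif_thumbnail(data):
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: header segments are over
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        body = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _thumbnail_from_tiff(body[6:])
        pos += 2 + seg_len
    return None


def _thumbnail_from_tiff(tiff):
    # IFD0 holds the main-image tags; its "next IFD" pointer leads to IFD1, which
    # locates the thumbnail via tags 0x0201 (offset) and 0x0202 (length).
    endian = ">" if tiff[:2] == b"MM" else "<"
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    n0 = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    ifd1 = struct.unpack(endian + "I", tiff[ifd0 + 2 + 12 * n0:][:4])[0]
    if ifd1 == 0:
        return None
    n1 = struct.unpack(endian + "H", tiff[ifd1:ifd1 + 2])[0]
    tags = {}
    for i in range(n1):
        e = ifd1 + 2 + 12 * i
        tag, typ, _count, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if typ == 3:  # SHORT values occupy the first two bytes of the value field
            val = val >> 16 if endian == ">" else val & 0xFFFF
        tags[tag] = val
    if 0x0201 not in tags or 0x0202 not in tags:
        return None
    return tiff[tags[0x0201]:tags[0x0201] + tags[0x0202]]


def build_sample_jpeg():
    # Constructed sample, not a real photo: SOI, Exif APP1 (empty IFD0, IFD1 -> stale thumb), EOI
    thumb = b"\xff\xd8" + b"OLD-THUMBNAIL" + b"\xff\xd9"
    tiff = b"MM" + struct.pack(">HI", 42, 8)  # big-endian TIFF header, IFD0 at 8
    ifd0 = struct.pack(">HI", 0, 14)          # zero entries, next IFD (IFD1) at 14
    thumb_off = 14 + 2 + 2 * 12 + 4           # IFD1 = count + 2 entries + next ptr
    ifd1 = struct.pack(">H", 2) + struct.pack(">HHII", 0x0201, 4, 1, thumb_off)
    ifd1 += struct.pack(">HHII", 0x0202, 4, 1, len(thumb)) + struct.pack(">I", 0)
    exif = b"Exif\x00\x00" + tiff + ifd0 + ifd1 + thumb
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return b"\xff\xd8" + app1 + b"\xff\xd9"
```

On a real file, write the returned bytes out as their own .jpg and compare it with what the cropped image shows; a thumbnail that shows more than the image is the leak.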

Shumagorath
Jun 6, 2001
I’m currently doing that with 1Password, and… horses, water, etc :bang:

Shumagorath
Jun 6, 2001

Thanks Ants posted:

Will it work through the Cloudflare reverse proxy thing?

Are you talking about WARP? I've never been clear on exactly what that's doing but it looks cool...?

Shumagorath
Jun 6, 2001

rafikki posted:

I’m not seeing them permanently at each table much, but it’s becoming very common around me to have them bring a wireless terminal to the table for processing.

This has been the standard in Canada for probably ten years or more.

Shumagorath
Jun 6, 2001
Ars had that writeup of AI-generated password candidates today and it mentions RockYou being (obviously) outmoded. What publicly-accessible password corpus is the gold standard today? Surely red teams aren’t expected to go darknet shopping…?

Shumagorath
Jun 6, 2001

spankmeister posted:

Link the article please.

https://arstechnica.com/information-technology/2023/04/the-passgan-ai-password-cracker-what-it-is-and-why-its-mostly-hype/

The point of the article is to poo poo on PassGAN hucksterism, but the comment about there being much better lists in addition to good masks / rules was what interested me. I also didn’t know Markov models were in play now; it’s been a while.

Shumagorath
Jun 6, 2001

Sickening posted:

RIP 1password, it was a good run.

Either post the news or gtfo.

Shumagorath
Jun 6, 2001

Sickening posted:

Check down detector nerds. Jfc

yeah it’s the nerds that need to be told to check down detector :laugh:

Shumagorath
Jun 6, 2001

Klyith posted:

he's the CISO for a loving collections company, everyone nod and tell him he's correct!


a collections company getting reamed out by ransom & extortion hacks is praxis

Except for all the debtor PII they have…?

Shumagorath
Jun 6, 2001

spankmeister posted:

Lmao imagine if you got some sick browser 0day and you blow it on the defcon wifi for laughs, instead of selling it for a couple hundred thou

Selling it for low six figures is almost as bad a self-own as burning it for clout.

Shumagorath
Jun 6, 2001
gently caress that sucks. I need to go back and finally finish Art of Deception.

We need better IDS / endpoint monitoring for the pancreas; poo poo is scary.

Klyith posted:

(Apologies to the rest of the thread that is tired of passwords.)

Never; I need to convince work to buy me a 4090.

Shumagorath fucked around with this message at 14:35 on Jul 20, 2023

Shumagorath
Jun 6, 2001
Moving from LastPass to 1Password was a fun lesson in the impermanence of lovely web service middlemen and video services that got packed in with my Blurays.

Shumagorath
Jun 6, 2001
1Password for passwords and 2FA backup codes, Microsoft Authenticator for the actual 2F.

Shumagorath
Jun 6, 2001
If you store the 1Password account secret somewhere safe (and don’t write your passphrase on it) then I don’t think anyone’s getting into your 1Password vault without borderline tailored malware.

Shumagorath
Jun 6, 2001
I don’t need to split my vault and 2FA, but I already have, and MS Auth lets me do one-touch 2FA for the stuff I use most. If I ever switch phone operating systems again (iOS will only let you export to iCloud / Worst Cloud whereas Android backs up to OneDrive) then I’ll consider going all-in on 1Password.


Shumagorath
Jun 6, 2001

Internet Explorer posted:

My only MFA not in 1Password is my MFA to get into 1Password.

That’s also my thinking; if I need 2 MFAs I might as well maintain the split I have.

There are still 2-3 accounts where I never put the whole mechanism into any vaults; just memorizing an adequate password and still using 2FA. My ability to completely recover everything from memory died with the family copper landline, so now I like to have services that can support each other and one key for each lives in my head or on-body.
