|
It would be super cool if in Windows 10 there was any way whatsoever to see if a particular update had been installed. All the update history lists in 10 are completely useless and don't show any security updates. Trying to help my parents understand if they have the right patch yet is driving me crazy, since *I* can't even tell if my PC is patched. EDIT: Thanks CALM DOWN, apparently my PC just is not getting any updates at all anymore. Nothing since 12/17 anyway. Pretty sweet. Rescue Toaster fucked around with this message at 02:29 on Jan 5, 2018 |
#
¿
Jan 5, 2018 02:26
|
|
|
|
| # ¿ May 14, 2024 08:02 |
|
|
I've been trying to settle on a password manager and I seriously can't be the only one that finds it sketchy as all hell that most (all?) the ones with online accounts or cloud storage use your supposedly zero-knowledge master password as your login to the web page for account setup and cloud sync. 1password and bitwarden for sure do, I haven't looked at all of them. Am I missing something or does this seem ridiculous? Just entering the master password in a web browser page ever seems like anathema to me. That said other than using keepass and my own server it doesn't seem like there's any options.
|
|
#
¿
Jul 5, 2021 18:35
|
|
|
Rufus Ping posted:Because you have to trust that the master password you enter is only being used for client side decryption of logins using js and isn't secretly being divulged. Yeah maybe I'm over-valuing the 'stability' of an application vs a web page. At least with an application you would have to update it to get a new version. Once modified though, even if you firewall it, it could of course send your password back to their servers, but you could prevent it from sending it somewhere else. In any scenario, if the company that sells you the password manager starts acting maliciously, you're pretty screwed. I feel like making people repeatedly enter their password into a regular webpage javascript you're opening up more avenues for a third party, though. Rescue Toaster fucked around with this message at 18:49 on Jul 5, 2021 |
|
#
¿
Jul 5, 2021 18:47
|
|
|
Arivia posted:why in all dear god would you use your master password for a password manager in multiple places I mean every single cloud-based password manager service uses your master password as both your vault key and as the login to the website. No possible downsides to that, right?
|
|
#
¿
Dec 30, 2021 00:27
|
|
|
I guess I'm not even differentiating about native clients vs browser plugins vs javascript 'client'. Doesn't change the fact that to login to the 1password or lastpass or bitwarden website your regular old login is your master password. KeePass is the only thing I can think of that lets you use a server/account completely divorced from your master vault password. I think 1password takes the cake for dumbest poo poo ever "Your Secret Key was created on your own device. We have no record of your Secret Key and can’t recover it." "Your Secret Key and your 1Password account password both protect your data. They’re combined to create the full encryption key that encrypts everything you store in 1Password." ...and then just to login to the website for any dumb reason please type both your master password and secret key into these text boxes in your browser! No person or browser has ever been tricked with a fake website ever before, so there's no risk of you losing both at the same time, thankfully! I'm well aware I seem to be the only person on earth that thinks this is stupid I guess. Rescue Toaster fucked around with this message at 00:53 on Jan 1, 2022 |
|
#
¿
Jan 1, 2022 00:50
|
|
|
Ynglaur posted:The threat profile you just described is the same for Office 365, Google, and any other service you log into that doesn't run on hardware you control that passes over a network you also don't control. Given the choice I would never enter my master password in a regular old hosted webpage in a web browser. I would never use a 'web vault', I'd stick to standalone apps and/or a browser plugin if necessary. I get what you're saying about threat profile. Would you trust google or office 365 enough to put every single password to every single service you use in a google doc, if all the encrypting & decrypting was done right in the browser in javascript on a regular webpage (not even in a special browser plugin, just a hosted page)? Because right now that's basically what you're forced to do with all the big password manager sites, that's the level of trust you place in them. I would trust them to hold onto an encrypted file for me, and that's it. That's what I want out of a cloud password manager service.
|
|
#
¿
Jan 1, 2022 03:31
|
|
|
Rufus Ping posted:The only thing I'm aware of that necessitates logging into their website is if you need to update your billing details - at which point, sure, they could pwn you with some backdoored JS that siphons off your secret key and master password instead of doing everything in the browser. But your complaint appears to be about something more than this one edge case? No this is my primary complaint. The login information to the website/cloud service for billing and syncing has nothing to do with the actual vault password. They should not be conflated, period. My brain is screaming at me that this is bad design and it makes it hard to trust or feel comfortable with the rest of the ecosystem. I'll be the first to admit I have a hard time sometimes separating 'this is a practical threat' vs 'this is just unnecessary attack surface'. A supply side attack is always possible with the clients, that's basically unavoidable. But opening up a weird world of JS or domain fuckery or sketchy SSL cert issuers or other BS going on in a browser and so on just so you don't have a separate login password seems so unnecessary. I agree with Ynglaur that MFA helps a lot as they'd have to combine some theft of the credentials with stealing a client device that has the vault since they shouldn't be able to get both from the service without a MFA token. This assumes they won't just reset/bypass the MFA if you contact support and complain though. 1password for sure has a 'lost mfa' recovery process through support that you cannot opt out of or disable. Rescue Toaster fucked around with this message at 05:12 on Jan 1, 2022 |
|
#
¿
Jan 1, 2022 05:09
|
|
|
Rufus Ping posted:fortunately the 1password browser extension fills properly on their own website, entirely eliminating phishing as a vector I don't think it's a GIGANTIC flaw, I just think it's a wholly unnecessary flaw. It's not even like it's really 'one password'. It's a master password and a secret key. God forbid it was a master password and a separate cloud/account password, right? When I see something that seems dumb/flawed in a security product without reasonable justification that's going to raise the hairs on the back of my neck. I do plan to try out some method of syncing keepass first but it's entirely possible I'll just end up using 1password or bitwarden anyway, and be extra careful to mitigate that specific issue as much as seems practical.
|
|
#
¿
Jan 2, 2022 01:10
|
|
|
Arivia posted:Same. Normally I just shrug this poo poo off but now people will be going after 1Password vaults specifically because they could have crypto poo poo in them. Increases the visibility as an attack target in a whole host of ways. gently caress, not sure what to move to. Self-hosted bitwarden? KeepassXC & some plain old cloud storage provider?
|
|
#
¿
Feb 24, 2022 00:22
|
|
|
Raine posted:https://www.hertzbleed.com/ For anyone curious how the gently caress this could be working the short version of this is: A) The power a CPU consumes does depend on the overall number of 0's and 1's in the data being worked on. This is because static ram (ie registers, ie flip-flops) consume different amounts of power depending on their state. This isn't shocking but... B) Some crypto algorithms can result in a large difference in the number of 0's or 1's in the data as they decrypt something either successfully or unsuccessfully, in a way that can reveal info about the key. "In our attack, we show that, when provided with a specially-crafted input, SIKE’s decapsulation algorithm produces anomalous 0 values that depend on single bits of the key. Worse so, these values cause the algorithm to get stuck and operate on intermediate values that are also 0 for the remainder of the decapsulation. When this happens, the processor consumes less power and runs at a higher frequency than usual, and therefore decapsulation takes a shorter wall time." Obviously this instance with SIKE is fairly egregious it seems, but any time there's been existing power side channel attacks this could be translated to a frequency/timing attack with presumably varying degrees of difficulty. EDIT: Seems like it's going to be tough to allow userspace applications to routinely request cpu throttling to be temporarily disabled to execute some algorithm in a constant-wall-time context. Even if you could do something like request the kernel to schedule a certain function in a context that only returns after a constant wall time, you could use some other query channel to determine the current CPU speed most likely. The paper even suggested they could get data from AES-NI instructions implying the extra power draw of the AES engine in the core was affecting the overall throttling of the CPU. Rescue Toaster fucked around with this message at 16:14 on Jun 20, 2022 |
|
#
¿
Jun 20, 2022 14:45
|
|
|
Has anyone ever heard of any storage (NVMe, SATA, eMMC, USB drive or SD card) that provides a seriously strong guaranteed read-only mode? Basically I want some kind of bootable device that can make strong guarantees of being immutable. I can always setup linux to mount the filesystems all read-only but that's just a quick escalation & remount away from a permanent exploit. In this scenario an escalation isn't the end of the world as long as it's not persistent. I mean go ahead and assume spinning optical is not an option for this, due to size and performance. The best idea I could come up with so far was some kind of microcontroller that can monitor the SD card data lines for write commands and disconnect the sd or reset the cpu before the entire write command goes through. Seems like there could be a lot of commands/patterns to worry about though. Another option would be some microcontroller that is a USB device and can present an attached SD card as a block device, so it's easier to snoop on the write commands. There are definitely source code examples floating around that do this, but would likely be much slower than the dedicated SD controller on the host.
|
|
#
¿
Aug 14, 2022 01:37
|
|
|
Thanks! I really just need something like a write protect switch, but a real one. I knew the little switch on SD cards was bs, but it looks like some of these USB or special SD card options could work.
|
|
#
¿
Aug 14, 2022 04:19
|
|
|
I was looking at flash chips at one point to in terms of write protecting BIOS on motherboards with a physical switch, and unfortunately a lot of them aren't as simple as just a write protect line. There's a control register that itself is protected by the write protect IO, but you have to write a write protect bit to that control register first, and then assert the line, and it will be blocked after that point. So you'd still need a microcontroller in between the motherboard and BIOS chip to manipulate it before boot. Also quite a few models of the large (32MB+) 8 pin NAND flash ics that are used for BIOS in particular just don't even bother to hook up the write protect lines, the chip will just have a no connect in that position. USB seems like a crapshoot since it's just whatever firmware is on the controller IC, whether it actually internally obeys the write protect switch or not, and whether the firmware can be easily reset/reloaded at runtime... but that's getting much farther down the rabbit hole than the scenarios I'm trying to deal with. Although these days who knows what all is freely available in the various exploit toolkits out there.
|
|
#
¿
Aug 14, 2022 17:38
|
|
|
BlankSystemDaemon posted:Sorry, I guess I didn't explain it well enough - if any file fails a checksum on either open() or exec(), it fails with EIO. I swear I saw something on phoronix about something like veriexec for linux but I can't figure out what to search for, or I'm remembering it wrong.
|
|
#
¿
Aug 15, 2022 14:44
|
|
|
FAQ kind of fixates on the wrong thing (intentionally?). If you use a password manager, you should be prepared and semi-comfortable with the idea that someday somebody will get their hands on your encrypted vault. The real risk here with someone getting into their development environment is sneaking something nasty into the software/webpage/browser plugin that then gets pushed to you via auto updates or via the web interface.
|
|
#
¿
Aug 25, 2022 21:02
|
|
|
Wiggly Wayne DDS posted:or the vault not actually being tied to the master password as they led the users to believe and them having a way into it anyway Oh definitely, I don't consider lastpass trustworthy anyway. Frankly I don't have a lot of confidence in any of the cloud-based password managers that use your master password as the login to the website (all of the big ones). Though I seem to be in the minority about that. This exact scenario is the kind of thing where, oh somebody got into the build environment and maybe snuck something tiny into the webpage js for a couple months... there go all your master passwords.
|
|
#
¿
Aug 25, 2022 22:55
|
|
|
That's not a term I've heard either. I'm assuming he was referring to the 2FA devices where the key is generated inside the device (like some PIV modes and U2F, where you essentially cannot clone or create duplicates, just enroll multiple devices) as opposed to older OTP modes where you could put the same shared secret in multiple devices or authenticator apps and thus have copies.
|
|
#
¿
Aug 27, 2022 16:25
|
|
|
smax posted:This is true, though the UDM (and the rest of the Dream line?) don’t allow you to use an outside controller. It’s all built in, and must be set up through the cloud. Once that’s done I think you can turn off cloud access to manage it locally, but I haven’t done that myself. I hate things that say basically "Don't worry you only have to feed your unencrypted wifi password through the cloud ONCE and then you can uninstall this sketchy as poo poo app from your phone." Oh great, thanks.
|
|
#
¿
Sep 1, 2022 16:44
|
|
|
Ynglaur posted:How do you get firmware updates for your devices? Unless you're supporting a relatively niche set if requirements, you're going to have to touch someone else's network or application at some point. Just because it uses" the cloud" for setup doesn't make it automatically bad. I do understand, though, how it makes it bad for some workloads. Oh the main example I ran into recently was an internet-connected cat litter box, which I could have proxied/firewalled to only talk to one server. BUT of course it has to be 'provisioned' using an app, since there's no way to put the wifi password into it, so you have to install their app, re-type the wifi password into the app itself so it can send it over to the device via god knows what bluetooth protocol, etc..etc... I don't know what the right answer to all these things is, but it feels like a lot of IoT provisioning/setup stuff is often closing the barn door after the cow has escaped, no matter how much effort you are willing to put in to secure/restrict stuff, there's always that one 'well gently caress, I guess I hope nobody's listening' step, if you know what I mean. EDIT: I know, IoT litter box, but it's actually pretty drat amazing, functionally. Also for keeping track of cats that have some health problems. The only downside relevant to this thread would be it using a dynamic AWS domain to connect to, so it's difficult to restrict it with a simple firewall setup. Rescue Toaster fucked around with this message at 17:26 on Sep 1, 2022 |
|
#
¿
Sep 1, 2022 17:02
|
|
|
You guys are missing the real strategy, not resetting on a successful login. My former employer would lock the account on the third failed attempt, spread over any length of time. Even months. And many of us worked second shift so I lost count of how many times I had to call them at 11pm while the production line was stopped waiting for me to get my password reset after a single typo. They were convinced this was absolutely necessary for some kind of federal regulation that they could not clearly explain.
|
|
#
¿
Sep 23, 2022 06:13
|
|
|
I'm planning on picking up a domain to use for email to get some important accounts off of gmail (in terms of password reset/etc...), and also probably so some local devices have a unique domain name and I can do internal certs that are actually trusted. Is there any significance to the registrar that controls the TLD? I don't mean namecheap/cloudflare/godaddy/whoever, but in terms of the various newer cheap TLDs. For example .stream says "Global Registry Services Ltd" and then lists a backend of GoDaddy. I suppose from both a 'How likely is this to get hijacked by some guy working at a company I've never heard with HQ in Gibraltar or the Cayman Islands' and then also the ones that offer private registration info like namecheap, but then if the actual registrar for your TLD is in the UAE or whatever. Not that I'm planning on using the domain for anything that would get anybody in particular upset, afaik. Better to just stick with .com/.net even if I can't get a nice short name?
|
|
#
¿
Jan 12, 2023 03:37
|
|
|
Sickening posted:I don't think hosting your own email is a better move than using gmail fyi. Everything about that sounds worse than just using gmails security features. The list of why its bad is so long its not worth typing. I mean I'm not talking about running my own server, just pointing at an existing service like proton or something that does email using a domain you own. Have you really not heard of any of the cases of people losing access to a Google account and then getting absolute radio silence forever? And not even losing as in stolen, but as in account locked for unspecified reasons. If you're not a paying corporate gsuite customer you're just hosed. I don't think it's that crazy to want to have at least one domain and thus email address that I actually own and could move where I want.
|
|
#
¿
Jan 12, 2023 05:22
|
|
|
Mantle posted:? You can have a domain and continue to have your email hosted by Google. And you can change your email host at any time. They can never lock you from changing hosts. Yeah you guys are way too fixated on the email/Gmail part. I would certainly consider still using gmails email service as long as it was my domain that I owned. The only reason I mentioned it at all was as one example of a reason I wanted a domain other than everything I have being free @gmail.com addresses. I was mainly curious about if there were things to consider with the various TLD options when it came to domains. In addition to the front-facing registrars there are all these mysterious companies/groups incorporated in random countries that technically own all these newer TLDs. So I just wondered about hypothetical security concerns about them going forward long term. If there's any reason to think some might be less stable than the old main ones.
|
|
#
¿
Jan 12, 2023 06:54
|
|
|
Yeah I'm convinced there's good enough reason to stick with something as standard as possible for email. I'm still curious about this sort of stuff: Boris Galerkin posted:- the company running your .whatever goes bankrupt or changes policy and hold you hostage Or there's been some lawsuits around (mis)use of country codes assigned to places subject to colonialism like the .io domain. And I wonder about what courts have jurisdiction if some troll company wants to convince a judge that your domain is covered by their trademark, that sort of poo poo. If it's a 2-letter TLD of some country but operated by a registrar incorporated in some law/tax haven country? Who the gently caress knows. From a security perspective you can end up in a situation where retaining ownership and constant control of the domain is fairly drat important.
|
|
#
¿
Jan 12, 2023 17:27
|
|
|
When do you suppose a single bank or medical system will learn that non-SMS MFA exists?
|
|
#
¿
Feb 18, 2023 18:00
|
|
|
Anyone know what the gently caress is going on with Firefox's message about websites requesting 'extended information' about authenticators when registering them? It warns you that it can 'anonymize' the information, but that the relying party may reject it. And... that's it. No actual information about what information is requested. Tracing through the source code of firefox it seems to be talking about requests for direct attestation. Which, according to yubico https://developers.yubico.com/WebAuthn/Concepts/Securing_WebAuthn_with_Attestation.html is not really a major privacy concern unless you literally don't want them to know what model authenticator you're using. It shouldn't, afaik, contain any uniquely (as in per-individual-physical-authenticator) information. Spending a couple hours searching for more information on this I'm more convinced than ever what the entire 2FA world is still a complete loving poo poo show. Outside of an enterprise this poo poo is borderline unusable. The web browsers are the worst offenders. They give you absolutely zero loving information on what is happening, what is being requested, etc... Is this just a second factor? U2F or Webauthn? Is this a password-less account the site is trying to setup? Is it the kind where you have an unlimited number, or a limited number of certs actually on the authenticator? Who the gently caress knows?
|
|
#
¿
Mar 18, 2023 19:08
|
|
|
Thanks Ants posted:Ugh how how how, cropping can also be undone? I believe it just overwrites the head of the file and leaves junk in the tail, was sort of the impression I got. Though that would imply the files don't actually get smaller, which you'd think somebody would have noticed. Also it seems to be specific to 'Markup' for screenshots, so probably doesn't affect pictures cropped with google photos? Is the impression I got.
|
|
#
¿
Mar 18, 2023 22:04
|
|
|
Thanks Ants posted:Fortunately Samsung's history of commitment to product support will ensure that no vulnerable devices are left out there I mean google is no better. They updated the Pixel 7, and owners of the whole year-old Pixel 6 were told to sit tight. I'm kidding of course they've said nothing at all, there's no actual ETA for Pixel 6 owners for this 10/10 critical remote superuser-privileged code execution bug.
|
|
#
¿
Mar 18, 2023 22:48
|
|
|
TheFluff posted:If it's just direct attestation then yeah as Buff Hardback said there shouldn't be much to worry about; the spec allows you to identify the make and model of the authenticator but nothing more (specifically because of privacy concerns). If it's enterprise attestation though then that's a different matter, that part of the spec does allow identifying authenticators by their serial number (or similar). Barely anything supports EA yet though, and Yubikeys that support it are not sold to consumers. Interestingly, based on the Firefox source I'm pretty sure it does not differentiate between indirect, direct, or enterprise attestation in terms of the prompting. So unfortunately you have no way of knowing, as Firefox doesn't even tell you the attestation type let alone give you the option to see the attestation metadata. Yet another way the UX around 2FA is still dog poo poo.
|
|
#
¿
Mar 21, 2023 22:29
|
|
|
The Iron Rose posted:Cloudflare’s zero trust solutions, GCP’s identity aware proxy, and Azure App Proxy are all good ways to solve this depending on where you’re hosting your instance from (but also just buy 1pass family). evil_bunnY posted:Extend the VPN instead of the bitwarden instance. I do wonder if you could use any of the identity/authentication options the cloudflare reverse tunnels offer. Like if they went to open the web page first in a browser, and without even logging in to vaultwarden they did the cloudflare verification, and then could they use the app, or I wonder if it's tied to a cookie in the browser. Pretty clunky unfortunately since the bitwarden client couldn't do it for you. Also by default I think they only can do an email "2-factor".
|
|
#
¿
Mar 27, 2023 15:29
|
|
|
Yeah why wouldn't you want to stick your credit card in a knockoff android device that hasn't been patched in 4 years? Honestly I don't get it in the US, someone is absorbing the cost of all the credit card fraud. I guess the card companies are making so much loving money on transaction fees and interest they don't give a poo poo? I suppose if they cracked down, it's not like they're going to lower costs to consumers or business, it would just be more profit for VISA so I don't give a poo poo either. It does get really frustrating with the way backend processors hold account tokens (or whatever the hell) now instead of using the card number. Someone got my parent's card attached to their xbox live account, and every time visa cancels and sends them a new card, the instant it's activated the account gets re-linked to xbox live and fraudulent charges show up again. Somehow visa claims it's simply impossible for them to 'disconnect' it. They can't get a hold of anyone at xbox because they would have no idea what account it's associated with. After 3 cards they're probably just going to cancel the card for good and get a new one from a different bank.
|
|
#
¿
Mar 31, 2023 14:28
|
|
|
Kesper North posted:Red Robin deployed POS terminals on each table with cameras and microphones a little while before covid. They're custom units, they don't need to have cameras and microphones, and yet they do - which makes me inclined to think they're being used for consumer surveillance. It's so they can take your picture to prove you actually intentionally paid $10 to rent Angry Birds on your restaurant POS tablet for half an hour.
|
|
#
¿
Apr 1, 2023 15:10
|
|
|
Speaking of password cracking, bitwarden now supports Argon2id for password hashing. Though it's not very helpful on the performance tuning side. I wish the apps had a quick perf test so you could check out how it performed. Also apparently on some platforms going above 256MB size can cause out of memory problems due to limitations.
|
|
#
¿
Apr 15, 2023 15:40
|
|
|
On this topic I'm genuinely curious what to search for, I'm a C/C++ and embedded linux guy, and spent the majority of the last 8 years hardening code and trying to lock down embedded linux systems. I enjoy it and I like to think I'm good at it. But usually when searching everybody's looking for more of a vague 'security engineer' covering all kinds of other poo poo and certifications, and most strictly software engineering jobs never even mention security. The attitude on that side typically seems to be 'Well we'll hire some consultants to run some static analysis or port scanning and just fix whatever they find." Boom, secure!
|
|
#
¿
May 3, 2023 19:39
|
|
|
klosterdev posted:Gigabyte built a firmware-level backdoor into their motherboards https://arstechnica.com/security/2023/06/millions-of-pc-motherboards-were-sold-with-a-firmware-backdoor/amp/ So this thing has been around a while, the last one I recall was ASUS. The fault is really Windows insanity, of course. Basically, the BIOS advertises to windows "Hey why don't you run this binary as superuser without validating anything or prompting the user, please?" and Windows does it, with no way to disable. The idea is the motherboard mfg can provide a driver update launcher or that sort of thing. Which is what they were trying to do, but of course it's a horrible insecure piece of poo poo, as all motherboard 'updater' packages are. It's not some hypervisor rootkit bullshit or anything. It notably only affects Windows because no other OS is stupid enough to do this poo poo.
|
|
#
¿
Jun 3, 2023 19:11
|
|
|
https://ubuntu.com/tutorials/how-to-verify-ubuntu#4-retrieve-the-correct-signature-key Ok, please tell me I am crazy. Am I the only person in the world who understands that this does nothing? You look at the signature you got for your ISO, then you specifically download the exact public key that you already know was used to produce that signature, then you verify it. I don't want to know if my SHA256SUM file has a valid signature, I want to know that it was signed with the right private key. Looking at the signature to determine which key is right is the dumbest possible path you could take. There should be a big 'What is the current correct Ubuntu ISO signing key fingerprint?' FAQ. And multiple websites that maintain a list of the current signing key fingerprints for various distros, so someone could compare all those sources to make sure they all match, etc..etc.. EDIT: Manjaro does a good job, saying to pull from their gitlab or from ubuntu's keyserver but by name instead of by fingerprint. https://wiki.manjaro.org/index.php?title=How-to_verify_GPG_key_of_official_.ISO_images Arch does okay too, saying to use wkd or linking to the exact fingerprint from ubuntu's keyserver. https://archlinux.org/download/ Linux mint specifies which fingerprint exactly to get from the ubuntu keyserver: https://linuxmint-installation-guide.readthedocs.io/en/latest/verify.html Debian also specifies fingerprints: https://www.debian.org/CD/verify Qubes talks in great detail (unsurprising) about how to verify the fingerprints: https://www.qubes-os.org/security/verifying-signatures/ So maybe it's just ubuntu being horrible fuckups and encouraging terrible practices? Rescue Toaster fucked around with this message at 18:59 on Jul 6, 2023 |
|
#
¿
Jul 6, 2023 18:48
|
|
|
Nukelear v.2 posted:I would assume they are only serving valid Ubuntu signing keys from hkp://keyserver.ubuntu.com Oh, anybody can submit their key to keyserver.ubuntu.com. Hopefully, if you put "Ubuntu CD Image Automatic Signing Key" as the name it would be rejected. But I bet you could come up with something that wouldn't be automatically rejected and would trick someone stupid enough to follow ubuntu's instructions to grab whatever fingerprint was used on their malicious SHA256SUM file. I doubt this is some serious attack vector where there's malicious images floating around signed with some fake signature hoping that people smart enough to bother checking it would be dumb enough to follow ubuntu's procedure. It is worth noting there is a key named "Ubuntu CD Image Automatic Signing Key" that is not the current key. Presumably it's still owned by ubuntu and they know what it is, but it's not obvious as a third party that that's the case. But, A) I could see someone working somewhere following a procedure without realizing what's wrong with it, or even worse, something being automated following ubuntu's instructions, which could actually be a problem. B) I don't think it's indicative of good security practices at canonical if this is the procedure they came up with to verify ISOs. All those other distros did a way better job and some have far less professional resources. Rescue Toaster fucked around with this message at 21:27 on Jul 6, 2023 |
|
#
¿
Jul 6, 2023 21:23
|
|
|
Saukkis posted:We have a solution for this issue. We must learn from that recent password game and all services must implement obnoxious and random password requirements. When a service requires that your password is at least 13 characters long, must contain at least two numbers, three capitals and one small letter, the 4th character must be Y, 7th number 2, and 11th character must be # you are unlikely to be able no reuse it. Password Game Rule 36: Your password must sha512crypt hash to: $6$7RdvJBvMozALwd7P$A0aohBy8AaNypIg/0/ReYnLJwTfTTg4mYGZcjY0nYth1riBfVrHFKWNm9G37yBIMuqYcDaKl2h4VqFKO3Ni1H0
|
|
#
¿
Jul 20, 2023 23:39
|
|
|
This Zenbleed thing has been communicated like dogshit. All the linux distros push an AMD microcode update which seems promising, except I'm pretty sure it only includes a microcode update for the EPYC processors. Apparently some newer kernels will include the mitigation for other processors that don't have a microcode update. I'm assuming this is the same as the DE_CFG bit to disable the feature, but not certain. And it's not as obvious which kernels have it, and many distros don't upgrade kernels automatically, understandably. Also the site that explains the vulnerability has some misleading information. It says Zen 2 but then says Ryzen 5000's with integrated graphics... but the Ryzen 5000 APUs are Cezanne cores which are supposedly Zen 3, unless I'm missing something obvious. So my Ryzen 3600 is definitely vulnerable, but not 100% certain how to mitigate it (I'm manually setting the DE_CFG bit in a systemd script for now) and my Ryzen 5600G... should be OK?
|
|
#
¿
Jul 26, 2023 01:21
|
|
|
|
| # ¿ May 14, 2024 08:02 |
|
|
Entering your password on a phone keypad is silly. You could just type it on any convenient nearby keyboard and they could use machine learning on the sound of the key presses to determine what keys you were hitting. https://arstechnica.com/gadgets/2023/08/type-softly-researchers-can-guess-keystrokes-by-sound-with-93-accuracy/
|
|
#
¿
Feb 18, 2024 02:07
|
|