Theris posted: What's wrong with MD5? I mean, it turns my street's name (why are you using license plate numbers instead of something easy to remember when you're stretching it into a good password anyway? We're trying to keep things simple here!) into "0904572d42fdd0ef1cd93fb1047fe2d0." That's a great password! Look how long and random it is! And without involving super complicated, hard-to-learn software like KeePass.

Just use a password manager, you doofus. KeePass is free.

# Nov 20, 2015 19:48
# Apr 28, 2024 14:40
Inspector_666 posted: It seems like when people get to brute force passwords these days it's because they were able to get the hashes via a compromised account and download the table, rather than somebody hammering a webserver or something.

It's still annoyingly common, unfortunately. The Apple iCloud celebrity nudes thing was because they didn't have rate limiting on the webserver, for instance.

# Dec 6, 2015 21:46
ItBurns posted: There's no guarantee that it hasn't been backdoored and Facebook stands to gain more from doing so than it does for being 'cool' or whatever. You should probably just assume that it's not secure rather than place a ton of faith in Facebook of all people respecting your privacy.

DeaconBlues posted: That sums up my hesitation/reluctance to install it. Too good to be true.

You guys know it takes all of 5 minutes to decompile an iOS app and/or MITM the traffic to check claims of backdooring or logging, right? Objective-C doesn't even obfuscate symbols; any idiot can do it. Like, this isn't something that you have to decide based on your personal biases against a company, you can just go check it for yourself. There's a reason you don't hear any real security professionals saying dumb poo poo like this.

# Apr 21, 2016 22:57
ItBurns posted: ITT it takes an idiot 5 minutes to guarantee that a service is free of security flaws. Thousands out of work.

Yes, that is what I said, WhatsApp is 100% secure. You don't at all lack reading comprehension and are a genius adding massively to this conversation.

To the people who're actually discussing in good faith: I'm in the middle of moving so can only phone post, and my phone ate my first post already, so will try to add more later.

As far as decompiling the app goes, you don't need to understand the entire functionality, just ensure the implementation of Axolotl is correct and matches other known versions. Easiest way is just to check the symbols and function behavior against another trusted app, for instance Signal. Considering Moxie himself did the integration, I'm pretty sure it's gonna be correct though. Go look him up if you're wondering why.

With regard to the network, Axolotl is in fact peer-to-peer encryption. It's not a peer-to-peer connection, but those are different things. The WhatsApp servers do not decrypt the traffic before passing it on because that's technically impossible. Read about public/private key encryption if you're wondering how.

Someone's probably yelling about encryption stripping/forwarding on key change as a possible method for Facebook to eavesdrop. This is why I said look at the traffic. MITM two devices that haven't talked over WhatsApp before. Start a chat so the initial key exchange occurs. Look at the traffic. Do the public keys sent by each client match on both sides? Then there's no eavesdropping happening. That key exchange happens once between two devices. From that point on they are never sent again and it's impossible for WhatsApp to read traffic. Watching the traffic will also let you confirm WhatsApp isn't somehow sending something out of band.

WhatsApp is run almost completely separately from Facebook; they aren't on the same infrastructure or even the same campus (frankly they kinda hate FB and do everything in their power to remain separate). It should be pretty obvious to see if something is going to a Facebook server directly. If you're worried about them sending stuff to WhatsApp servers then forwarding to FB, watch for any weird other traffic that doesn't make it to the other client. If it's encrypted it should be pretty easy to diagnose if it's message info (is it bigger when you send a bigger message?). If you're worried that maybe they save logs on the phone then send them later, jailbreak your device and browse the file system. Or leave it MITMed for a while and review the logs. If you're paranoid enough to worry they might suddenly push an update that adds something nefarious later, then just do these steps again after every update. It's easier this time because you just need to look at the differences from the previous version. I guarantee you a few thousand other people are doing the same thing.

tl;dr WhatsApp's encryption was put in place by one of the biggest names in crypto, who's a literal anarchist that lived on a condemned sailboat for a while. There's thousands of people smarter than anyone on this forum looking for Facebook to screw this up that have dug into this stuff in depth and given it a bill of health. It's illogical to think it's not safe.

# Apr 23, 2016 18:12
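The check the post above describes, "do the public keys sent by each client match on both sides?", as an added illustration written for this page (not WhatsApp's, Signal's or the poster's code): two clients exchange public keys through a relay, and the fingerprint of what each side sent is compared with the fingerprint of what the other side received. It stands in a toy Diffie-Hellman group (the RFC 2409 group 2 prime, far too small for real use) for the Axolotl/X25519 primitives; the relay, the client names and every function here are constructed for the example.

```python
"""
Verifying an end-to-end key exchange by comparing what was sent with what
arrived. Added example; toy DH instead of the real protocol.
"""
import hashlib
import secrets

# RFC 2409 group 2 (1024-bit MODP) prime and generator. Illustration only:
# the fingerprint comparison does not depend on the group's strength.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def fingerprint(pub: int) -> str:
    """Short, human-comparable digest of a public key; a 'safety number' is this idea."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


class Client:
    """One chat endpoint: holds its own key pair and whatever public key it received."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.peer_pub = None

    def receive(self, pub: int) -> None:
        self.peer_pub = pub

    def shared_secret(self) -> int:
        return pow(self.peer_pub, self.priv, P)


def honest_relay(pub: int) -> int:
    """A server that forwards public keys unchanged (constructed stand-in)."""
    return pub


class SubstitutingRelay:
    """Constructed stand-in for a server that swaps in its own key on both legs,
    i.e. the 'forwarding on key change' scenario the post says to look for."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)

    def __call__(self, pub: int) -> int:
        return self.pub


def run_exchange(alice: Client, bob: Client, relay) -> dict:
    """Perform the exchange and record, per direction, the fingerprint that was
    sent and the fingerprint that arrived: what a traffic capture on each phone shows."""
    bob.receive(relay(alice.pub))
    alice.receive(relay(bob.pub))
    return {
        "alice_sent": fingerprint(alice.pub),
        "bob_received": fingerprint(bob.peer_pub),
        "bob_sent": fingerprint(bob.pub),
        "alice_received": fingerprint(alice.peer_pub),
    }


def keys_match(observed: dict) -> bool:
    """The post's test: both directions must show the same key on both sides."""
    return (observed["alice_sent"] == observed["bob_received"]
            and observed["bob_sent"] == observed["alice_received"])


def demo(intercepted: bool) -> tuple:
    """Returns (fingerprints_match, endpoints_agree_on_secret, relay_can_derive_secret)."""
    alice, bob = Client("alice"), Client("bob")
    relay = SubstitutingRelay() if intercepted else honest_relay
    observed = run_exchange(alice, bob, relay)
    agree = alice.shared_secret() == bob.shared_secret()
    relay_reads = (isinstance(relay, SubstitutingRelay)
                   and pow(alice.pub, relay.priv, P) == alice.shared_secret())
    return keys_match(observed), agree, relay_reads


if __name__ == "__main__":
    print("honest relay     :", demo(intercepted=False))
    print("substituting relay:", demo(intercepted=True))
```

With an honest relay the fingerprints match in both directions and both endpoints derive the same secret; with a substituting relay the fingerprints differ, which is the signal the post says to look for, and the third value shows why it matters: a relay that swapped keys can derive each endpoint's secret, while one that merely forwards cannot.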
ItBurns posted: In the end it comes down to whether or not you trust Facebook.

I just... what? Did you read my post? I laid out explicitly the technical reasons it doesn't come down to trusting Facebook. The entire point is the provability of the encryption. Like, you're arguing with math here. I'm seriously just confused.

# Apr 28, 2016 19:08
ItBurns posted: Noted.

Exactly what, in your mind, would logging encrypted messages allow for? Have you actually signed up for WhatsApp before? Do you understand how iOS device tokens work? Do you need me to explain why the answers to those last two questions make avoiding metadata collection on WhatsApp trivial for anyone who's concerned about that? Do you actually have any knowledge about anything technical being discussed? Do you need help dragging those goalposts?

# Apr 28, 2016 20:02
Rowhammer is cool as hell and a lot of fun to play with if you have hardware it'll work on. It's also going to remain irrelevant for anyone in this thread that's not protecting nation-state-level secrets as long as most people still have terrible passwords and use SMS for 2FA.

# Sep 3, 2016 03:21
FeloniousDrunk posted: Kind of afraid I'm being set up for a huge embarrassment. But hey, I just did this, so how much worse could it be. I shall attempt to be there. I will be likely trying to lurk, unnoticed.

It's probably hard to believe but security nerds are generally a lot nicer in real life than online.

# Sep 7, 2016 05:29
FeloniousDrunk posted: Sweet. I'll be the long haired old guy just trying to fit in, you know the type.

Turns out Felonious is secretly everyone in this thread just immediately super owned.

# Sep 8, 2016 06:10
DuckConference posted: Two-factor feels like a really marginal increase in security in many cases. An attacker sophisticated enough to get my password in spite of good password hygiene is probably sophisticated enough to phone in to customer service to turn off 2-factor, or to just port my phone number. The weakest points of the system are mostly outside of our control.

And this is why you don't work in infosec (I hope).

# Dec 5, 2016 16:22
Furism posted: Passwords are terrible but they are the least we can do. I mean, door keys are terrible too but there's not much choice there. Passwords wouldn't be half as bad if most websites set up a proper 2FA. It still wouldn't be perfect but much better.

Looking into it (and ignoring that, like OSI said, Gibson is an idiot that should be ignored) it seems like SQRL would be a replacement for the SMS-based portion of a good multi-factor authentication system, not for passwords. Pub/priv key based signing is a "thing you have" auth check; passwords are a "thing you know" auth check. Yes, the key is protected by a password as well, but verifying the password isn't done by the system being authenticated against, so it shouldn't be considered an auth mechanism.

# Feb 28, 2017 19:22
apropos man posted: Either way it's convenience gone mad and it cannot be as safe as using a decent password manager.

Lol. You don't know what you're talking about. Smart Lock is unequivocally a good idea and most likely more secure than a password manager.

# May 3, 2017 15:59