Thanks Ants
May 21, 2004

#essereFerrari


I like LastPass with two-factor authentication. $12 a year is great, I looked at 1Password but it seemed very expensive for the amount of licenses I'd need to buy.


Thanks Ants
May 21, 2004

#essereFerrari


In all honesty my main use for a password manager is to easily track unique, complex passwords for each online account I use. I'm happy to make the trade off that someone stealing one of my devices and managing to log into it might not get asked for a second factor of authentication.

Thanks Ants
May 21, 2004

#essereFerrari


Presumably this sort of approach only works if the company is Facebook/Google/Apple-sized and then when going up against the government on the issue of end-to-end encryption it can be painted as "the government wants to take Facebook away from us", which is likely to get more people to take notice than "the government wants to shut down this open-source messaging company".

Thanks Ants
May 21, 2004

#essereFerrari


We run AV because one client requires the "has antivirus" box ticked if you want to do business with them, and lying about it was probably a step too far.

Thanks Ants
May 21, 2004

#essereFerrari


ChubbyThePhat posted:

Would just like to throw out that the red text for him is fantastic.

:drat:

Thanks Ants
May 21, 2004

#essereFerrari


Subjunctive posted:

The worst thing that Tavis has found is not a set of specific vulnerabilities. Rather, it's the iron-clad evidence of industry-wide, structural disregard for the security impact of these products on the end user.

I watched his video where he presented the Sophail paper (https://www.youtube.com/watch?v=h_JjNJ45PCM) and there's just the overwhelming impression that anything that wasn't developed a decade prior and just left to rot while all the real work happened in the marketing department, was just done to the barest minimum standard of being 'done' so that whoever was responsible for it could go home.

Thanks Ants
May 21, 2004

#essereFerrari


If we have to talk in analogies, I think the point being made is not to put a poorly made lock on your front door that throws your windows open without you realising.

Thanks Ants
May 21, 2004

#essereFerrari


A KnowBe4 subscription and management buy-in on the idea of training staff being part of a solution

Thanks Ants
May 21, 2004

#essereFerrari


That does sound off-putting but the fake phishing emails and reporting on who is clicking them is useful information to have.

Thanks Ants
May 21, 2004

#essereFerrari


MrMoo posted:

I would guess many email and web security gateways are affected, from Barracuda through to Untangle.

There's no doubt quite a few appliances that have expired service subscriptions running affected versions of their scan engine.

Thanks Ants
May 21, 2004

#essereFerrari


Surely 'compliance' and 'policy' should be in there somewhere

Thanks Ants
May 21, 2004

#essereFerrari


He works for Google's 'Project Zero' and as far as I know he decided to look at AV products out of personal interest. And it seems to always have big payoffs so why stop.

Thanks Ants
May 21, 2004

#essereFerrari


Leave it on, make sure Windows Update is set to install rather than endlessly prompt, don't run as an admin.

Thanks Ants
May 21, 2004

#essereFerrari


The Infosec Thread: Everything's probably hosed, good luck

Thanks Ants
May 21, 2004

#essereFerrari


I think the point is that LastPass manage to keep making these sorts of mistakes that people go "lol what the gently caress is that about" when they are disclosed, so who knows how secure the actual service is.

I'm kind of surprised Google haven't gotten onboard with a password manager (I know Chrome syncs passwords but it's more comparable to iCloud Keychain than LastPass/1Password etc), it's the sort of project that would fit their whole culture. Although only for a year or two before they got bored with it.

Thanks Ants
May 21, 2004

#essereFerrari


You can always MITM your iPhone traffic and see what the app is doing if you require some confirmation that your passwords aren't being sent to some botnet in China.
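
The check described in that post, as an added example (not the poster's code and not anything a password manager ships): once the phone's Wi-Fi proxy points at a machine running mitmproxy and the proxy's CA is installed on the phone, the decrypted requests can be searched for the secrets you actually typed into the app, in the forms they commonly take on the wire, and any request to a host outside the vendor's expected set can be flagged. The host list `vault.example.com` and the sample secret are assumptions for the demo; `scan_request` is plain Python and the `SecretEgress` class is the only mitmproxy-specific part.

```python
"""Spot your own secrets leaving a phone app in the clear, as seen through an intercepting proxy."""
import base64
import logging
import urllib.parse

# Assumptions for the demo: the app should only ever talk to these hosts, and these are the
# secrets you typed into it and expect to see only inside encrypted blobs.
ALLOWED_HOSTS = {"vault.example.com"}
SECRETS = {"master": "correct horse battery staple"}


def encodings_of(secret):
    """Forms a value commonly takes on the wire; duplicates (e.g. urlencoded == plain) are dropped."""
    raw = secret.encode("utf-8")
    forms = {
        "plain": secret,
        "urlencoded": urllib.parse.quote(secret, safe=""),
        # base64 only matches when the secret was encoded on its own (aligned) boundary
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
    }
    seen, unique = set(), {}
    for name, needle in forms.items():
        if needle not in seen:
            seen.add(needle)
            unique[name] = needle
    return unique


def host_allowed(host, allowed_hosts):
    """Exact match or a subdomain of an allowed host."""
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def scan_request(host, path, headers, body, secrets=SECRETS, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail, encoding) findings for one decrypted HTTP request."""
    findings = []
    if not host_allowed(host, allowed_hosts):
        findings.append(("unexpected-host", host, ""))
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    haystacks = {
        "url": path,
        "headers": "\n".join(f"{k}: {v}" for k, v in headers.items()),
        "body": body,
    }
    for label, secret in secrets.items():
        for encoding, needle in encodings_of(secret).items():
            for where, hay in haystacks.items():
                if needle in hay:
                    findings.append((f"secret-in-{where}", label, encoding))
    return findings


class SecretEgress:
    """mitmproxy addon: run `mitmdump -s this_file.py`, point the phone's Wi-Fi proxy at this
    machine and install the mitmproxy CA on the phone. mitmproxy calls request() per request."""

    def request(self, flow):
        req = flow.request
        for finding in scan_request(req.pretty_host, req.path, dict(req.headers),
                                    req.get_content() or b""):
            logging.warning("%s %s: %s", req.method, req.pretty_url, finding)


addons = [SecretEgress()]


if __name__ == "__main__":
    # Constructed sample: a login POST that ships the master password in clear.
    sample = b'{"user": "me@example.com", "password": "correct horse battery staple"}'
    for finding in scan_request("vault.example.com", "/login",
                                {"Content-Type": "application/json"}, sample):
        print(finding)
```

A clean result from this is only as good as the secret list and the host list you feed it: an app that encrypts the vault client-side will show nothing for the secrets, while a request to a host you did not expect is a finding whatever its body contains.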

Thanks Ants
May 21, 2004

#essereFerrari


Looks like they've addressed that by requiring user input to pair - also the device you are connecting to needs to accept the pairing so I can't see how it's less secure than doing Bluetooth outside the browser - it's up to you to decide if that is already a garbage fire or not. I'm not saying that there isn't room for filling the implementation with horrific bugs but it looks like there's at least a recognition that people might have security concerns over websites accessing physical devices.

I think the use case for this is things like universal remotes where people can update the programming and the device templates without having to use native applications and gently caress around with the million different ways that different Bluetooth drivers present the pairing options.

Thanks Ants
May 21, 2004

#essereFerrari


You'd hope that each website requesting to pair with the device would be identified separately and any interaction would require confirmation on the device itself but lol I think we know which way that sort of discussion would go.

Thanks Ants
May 21, 2004

#essereFerrari


Don't forget their internet is poo poo. But the rest of it is nice.

Thanks Ants
May 21, 2004

#essereFerrari


Cowboy Mark posted:

A vendor pitched this 1million bit encryption thingy to us:

http://www.cubeitz.com/next-level-security/

:raise:

https://beta.companieshouse.gov.uk/company/08045866

Let's start there

And seriously, what vendor decided that is something to try and pitch to their customers?

Thanks Ants fucked around with this message at 21:52 on Sep 7, 2016

Thanks Ants
May 21, 2004

#essereFerrari


For hardware tokens you have the Yubikey range as well

Thanks Ants
May 21, 2004

#essereFerrari


Ah, the "have cake and eat it" approach to discussions

Thanks Ants
May 21, 2004

#essereFerrari


I'm intrigued how these devices are ending up accessible to the outside world in the first place, since they all talk to the control servers over outbound connections, and I've not seen an ISP-supplied home router that doesn't block inbound connections by default. Has someone decided that UPnP is a great thing to use to punch holes in firewalls because nobody can be bothered to deal with NAT in their applications?

Thanks Ants
May 21, 2004

#essereFerrari


VPNs are tough :(

Thanks Ants
May 21, 2004

#essereFerrari


Basic home internet connections should have the firewall part hosted by the ISP, and the box that goes in the home is just a bunch of dumb interfaces. No inbound rules allowed, but the ISP has simple apps available that let you establish VPN connectivity to your private subnet(s).

Edit: This is more pipe-dream spitballing, but there's no real need for most home users to be able to break their routers in the way that following random guides on the Internet will let them do. The issue is doing this in a secure and reliable way at the ISP end which isn't really compatible with a low margin product.

Thanks Ants fucked around with this message at 22:37 on Oct 23, 2016

Thanks Ants
May 21, 2004

#essereFerrari


Is that little Apache server on the network with the rest of your stuff?

Thanks Ants
May 21, 2004

#essereFerrari


"Hi please check over these pentest results for your customer"

*100 page PDF of port scans including public IP addresses that are nothing to do with this company, just happen to be on the same ISP. No executive summary, no conclusions drawn.*

Thanks Ants
May 21, 2004

#essereFerrari


cheese-cube posted:

KeepAss, literally.

Thanks Ants
May 21, 2004

#essereFerrari


sarehu posted:

The length doesn't help

;-*

Thanks Ants
May 21, 2004

#essereFerrari


On the subject of auth - is there a consensus of opinion on rolling your own user database / auth system vs. using things like Azure AD B2C, Firebase etc.?
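
For the "roll your own" side of that question, the part of a home-grown user database that is most often got wrong is credential storage, and it is the part the hosted providers do for you. The following is an added example, not the poster's code and not any provider's: password hashing with a per-user random salt and a memory-hard KDF (scrypt from the standard library), a self-describing hash string so the cost can be raised later, constant-time comparison, and a login routine that spends the same effort on unknown usernames so timing does not reveal which accounts exist. The `$scrypt$n=..,r=..,p=..$salt$hash` layout and the cost parameters are my assumptions; tune the cost to your own hardware.

```python
"""Minimal credential storage for a home-grown user database."""
import base64
import hashlib
import hmac
import os

# Current cost parameters; assumption: retune so one hash takes ~100 ms on your servers.
CURRENT = {"n": 2 ** 14, "r": 8, "p": 1}
DKLEN = 32


def _b64(raw):
    return base64.b64encode(raw).decode()


def hash_password(password, params=None, salt=None):
    """Return a self-describing string: $scrypt$n=..,r=..,p=..$<salt b64>$<hash b64>."""
    params = params or CURRENT
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=DKLEN)
    return "$scrypt$n={n},r={r},p={p}${salt}${hash}".format(
        salt=_b64(salt), hash=_b64(digest), **params)


def _parse(stored):
    _, algo, param_str, salt, digest = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    params = {k: int(v) for k, v in (kv.split("=") for kv in param_str.split(","))}
    return params, base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password, stored):
    """Recompute with the parameters recorded in the stored string; compare in constant time."""
    params, salt, digest = _parse(stored)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=params["n"], r=params["r"], p=params["p"], dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored):
    """True when the stored hash was made with parameters other than CURRENT."""
    params, _, _ = _parse(stored)
    return params != CURRENT


# Hash of a throwaway password: a login attempt for an unknown user costs the same
# as one for a real user, so response time does not reveal which usernames exist.
_DUMMY = hash_password("not-a-real-password")


def login(users, username, password):
    """users maps username -> stored hash. Returns (ok, upgraded_hash_or_None)."""
    stored = users.get(username, _DUMMY)
    ok = verify_password(password, stored) and username in users
    if ok and needs_rehash(stored):
        return True, hash_password(password)  # caller persists the upgraded hash
    return ok, None


if __name__ == "__main__":
    users = {"alice": hash_password("hunter2")}
    print(login(users, "alice", "hunter2"))   # (True, None)
    print(login(users, "alice", "wrong"))     # (False, None)
    print(login(users, "mallory", "hunter2")) # (False, None)
```

This covers only storage and verification; a real system still needs rate limiting, lockout or proof-of-work on failed attempts, a second factor, and a reset flow, which is usually where the argument for Azure AD B2C or Firebase comes from.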

Thanks Ants
May 21, 2004

#essereFerrari


It can be both bad and only look worse than the competition due to the focus on it. Being poorly written isn't really a thing that is only true because people are trying to find problems with it.

As in, applying the same level of focus to all password managers might reveal them all to be complete poo poo, it isn't going to suddenly make LastPass secure.

Thanks Ants
May 21, 2004

#essereFerrari


Have LogMeIn done nothing in terms of auditing code since the acquisition? It doesn't seem to be taking Tavis a ton of effort to highlight the clownlike qualities on display.

Thanks Ants
May 21, 2004

#essereFerrari


Oh, it wasn't sarcasm

Thanks Ants
May 21, 2004

#essereFerrari


There's a lot of IoT that is just some dumb board being told what to do by AWS Lambda functions, which are great for learning but yes, the product needs to have some logic in there as well. If you have a thermostat that you can control via your phone then when you're at home the control path for that device shouldn't be to use the app to change something on a web service and then wait for the thermostat to retrieve it.

Thanks Ants
May 21, 2004

#essereFerrari


Are these things accessible because they use UPnP or are people port forwarding?
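
This question and the earlier one about UPnP being used to punch holes in firewalls can both be answered on your own LAN by asking the router what it has opened. The following is an added example, not from the thread: it multicasts an SSDP M-SEARCH for an Internet Gateway Device, fetches the device description to find the WANIPConnection control URL, then walks `GetGenericPortMappingEntry` index by index until the router faults (error 713, end of list). A mapping whose `NewRemoteHost` is empty is the UPnP wildcard, reachable from any Internet host, which is exactly how a camera or thermostat ends up on Shodan without anyone having port-forwarded by hand. Assumptions: the router speaks `WANIPConnection:1` (PPP gateways use `WANPPPConnection:1`, swap the string), and the host running this is on the same LAN. The sample SSDP reply and SOAP bodies used to exercise the parsers are constructed.

```python
"""List the UPnP port mappings a home router has opened on behalf of LAN devices."""
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"  # assumption: IP, not PPP, gateway
DEVICE_NS = "{urn:schemas-upnp-org:device-1-0}"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_msearch(st=IGD_ST, mx=2):
    """SSDP discovery request as sent to the multicast group."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_headers(reply):
    """Headers of an SSDP reply as a lower-cased dict; LOCATION is the device description URL."""
    headers = {}
    for line in reply.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def find_control_url(description_xml, base_url):
    """Absolute controlURL of the WANIPConnection service, or None if the device lacks it."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(DEVICE_NS + "service"):
        if svc.findtext(DEVICE_NS + "serviceType") == WANIP:
            return urllib.parse.urljoin(base_url, svc.findtext(DEVICE_NS + "controlURL"))
    return None


def build_soap(index):
    """GetGenericPortMappingEntry request for mapping number `index`."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    return headers, body.encode()


def parse_mapping(response_xml):
    """One mapping as a dict, or None on a SOAP fault (713 SpecifiedArrayIndexInvalid ends the list)."""
    root = ET.fromstring(response_xml)
    resp = root.find(f".//{{{WANIP}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    args = {child.tag.split("}")[-1]: (child.text or "") for child in resp}
    return {"remote_host": args.get("NewRemoteHost", ""),
            "external_port": int(args["NewExternalPort"]),
            "protocol": args["NewProtocol"],
            "internal_client": args["NewInternalClient"],
            "internal_port": int(args["NewInternalPort"]),
            "enabled": args.get("NewEnabled") == "1",
            "description": args.get("NewPortMappingDescription", ""),
            "lease_seconds": int(args.get("NewLeaseDuration") or 0)}


def is_world_reachable(mapping):
    """An empty NewRemoteHost is the wildcard: the hole is open to every Internet host."""
    return mapping["enabled"] and mapping["remote_host"] in ("", "0.0.0.0")


def discover_igd(timeout=2.0):
    """Multicast an M-SEARCH; return the LOCATION of the first IGD that answers, else None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (SSDP_HOST, SSDP_PORT))
        try:
            reply, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_ssdp_headers(reply).get("location")


def enumerate_mappings(control_url):
    """Walk indexes 0, 1, 2, ... until the router returns a fault."""
    mappings = []
    for index in range(1000):  # safety cap
        headers, body = build_soap(index)
        req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mapping = parse_mapping(resp.read())
        except urllib.error.HTTPError as err:  # faults arrive as HTTP 500 with a SOAP body
            mapping = parse_mapping(err.read())
        if mapping is None:
            break
        mappings.append(mapping)
    return mappings


if __name__ == "__main__":
    location = discover_igd()
    if location is None:
        print("no IGD answered: UPnP is off, or this host is not on the LAN")
    else:
        with urllib.request.urlopen(location, timeout=5) as resp:
            control = find_control_url(resp.read(), location)
        for m in enumerate_mappings(control):
            flag = "WORLD-REACHABLE" if is_world_reachable(m) else "restricted"
            print(f"{flag} {m['protocol']}/{m['external_port']} -> "
                  f"{m['internal_client']}:{m['internal_port']} {m['description']!r}")
```

An empty list from a router that answered discovery means nothing has asked for a hole (yet); a router that does not answer at all has UPnP off, which is the setting to aim for unless something on the LAN genuinely needs inbound connections.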

Thanks Ants
May 21, 2004

#essereFerrari


I'll be surprised if that was written by someone with English as a first language

Thanks Ants
May 21, 2004

#essereFerrari



lmao

Thanks Ants
May 21, 2004

#essereFerrari


Yeah I was trying to make a furry-based pun that rhymed with Max Headroom but utterly failed


Thanks Ants
May 21, 2004

#essereFerrari


Aren't they the people that won't let anybody publicly review their product?
