Alereon posted:KeePass requires your own db management solution and 1password requires you to purchase a separate license for every platform, both of which are dealbreakers for most normal people. If you are a nerd and a local db works for you then not trusting anyone else with your data is obviously safest.

I have no idea what you're talking about with KeePass. I've used KeePass2 for years now, and I've never set up a database. It asks you how many PBKDF2 (I think) rounds you want to use but also provides a helpful "optimize for 1 second" button. I just throw it in a Dropbox after that. Nowadays it can even helpfully merge changes if it's been modified elsewhere since it was opened. I use it on Linux with Wine, there's freeware Android implementations, etc. SeaFile is probably better than Dropbox from a security standpoint.

Paul MaudDib fucked around with this message at 20:58 on Dec 21, 2015
# ¿ Dec 21, 2015 20:55 |
Alereon posted:KeePass is worthless for average users because it requires you to roll your own db storage and synchronization solution. Saying "just use dropbox" is great for autists who want to live independently, but it's absolutely not a solution that Just Works in the way Lastpass does.

You are straight up making up crap here to the extent that I doubt you have actually used Dropbox. The storage format is a file that sits on a disk, and you can apply any synchronization mechanism to that file that you want. You can put it in Dropbox, Google Drive, you can periodically email it to yourself, whatever. Syncing the file is the only real problem that exists with multi-device Dropbox and it's trivially easy to drop in one of the idiot-proof turnkey solutions that exist for that very simple, very well-known problem. Keepass even recently added a feature that will auto-merge the files if you happen to end up with out-of-sync states. It's super easy.

quote:Your post describes some very vague and not-at-all-compelling reasons why people should be cautious about trusting their data to Lastpass. And yes, any security professional (or someone who plays one on the Internet) is perfectly capable of setting up their own cloud-based db synch solution, but those security professionals aren't asking for advice on how to manage their passwords. Someone who asks security professionals what password management solution to use should be directed to Lastpass.

You seem to think you have to engineer some high-performance ACID database cluster and it's loving hilarious. I've been using Dropbox to sync a Keepass file across multiple devices for years and I haven't engineered jack poo poo. Here's the secret engineering method: you create a Dropbox account and create a Keepass file in it. You put some passwords in it, and hit Save, and Dropbox blasts it across all your devices. Even my dad can figure it out.

Like, my technologically-impaired grad advisor totally had a Dropbox and used it to sync projects with multiple different people. You vastly underestimate the market penetration of Dropbox. Everyone uses it and everyone knows it.

quote:You're a smart guy, you know all this, so I don't get why you won't accept that LastPass offers the best balance between security and usability for most people. Let's be real, features like trusted devices and offline access to a cached db that seem like anathema to you and Wiggly Wayne are incredibly valuable to users.

So why not use Chrome Sync and just store your passwords in the clear (sync'd across all your devices) then? Why would you even need a password manager if you don't care about storing them securely? At that point you can probably just search for "generate random characters" and use that as a password too. I mean it's not like some website is ever going to connect that xxXBlaseIt420Xxx@gmail.com is the right account for that password. Or just like, smash random buttons. Yeah, sure, that's on the low end of the security that's possible with a password manager. But the Chrome Sync + wildly punch keyboard solution is definitely better than just sharing passwords between websites.

Paul MaudDib fucked around with this message at 16:52 on Dec 22, 2015
# ¿ Dec 22, 2015 00:51 |
On the other hand having security software automatically install itself from across the internet is also a thing that gives people heartburn. It's one thing in the context of a secure package-management system like APT. That infrastructure doesn't exist on Windows, the infrastructure used by the majority of the KeePass userbase. It would be better if it did auto-install updates but it's kind of a defensible decision based on the backlash it would cause.
# ¿ Dec 22, 2015 01:33 |
Jeesis posted:Wow you nerds get uppity about password managers. Show your skill by using a known exploit to download data from an AWS bucket and then brag about it on your blog.
# ¿ Dec 25, 2015 04:59 |
Hey y'all, there's a publicly-released OpenSSH exploit that can leak memory or private keys to a compromised/malicious server (but not MITM). Add the line UseRoaming = No to the top (i.e. applies to all hosts; do not cat it on the end if you have host-specific config) of your /etc/ssh/ssh_config files immediately and consider rotating SSH keys afterward, particularly if you're not using keyphrases for your private key.

http://undeadly.org/cgi?action=article&sid=20160114142733

Paul MaudDib fucked around with this message at 02:54 on Jan 15, 2016
# ¿ Jan 15, 2016 02:46 |
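Why "top of the file" matters in the post above: OpenSSH uses the first value it obtains for each option, and a directive placed after a `Host` line belongs to that block. The following resolver is an added illustration (not code from the post or from OpenSSH) that models that rule on constructed config text; it ignores `Match` and `Include`, which real ssh_config also supports.

```python
"""Resolve an ssh_config option the way OpenSSH applies the file: the first
obtained value wins, and directives after a `Host` line apply only to hosts
matching that line. Added example; config text below is constructed."""
import fnmatch


def parse_ssh_config(text):
    """Return (host_patterns, key, value) triples in file order.
    host_patterns is None for directives that precede any Host line."""
    entries = []
    patterns = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # ssh_config accepts both "Key value" and "Key = value" forms.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            patterns = value.split()
        else:
            entries.append((patterns, key, value))
    return entries


def host_matches(patterns, host):
    if patterns is None:
        return True
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)


def resolve(text, host, key):
    """First matching directive wins, exactly as OpenSSH reads ssh_config."""
    for patterns, k, value in parse_ssh_config(text):
        if k == key.lower() and host_matches(patterns, host):
            return value
    return None  # not set for this host; OpenSSH would fall back to its default


# Constructed samples: the option appended after a Host block (the mistake the
# post warns about) versus the same option placed at the top of the file.
APPENDED = """\
Host bastion
    HostName bastion.example.net
    User deploy
UseRoaming no
"""

PREPENDED = """\
UseRoaming no
Host bastion
    HostName bastion.example.net
    User deploy
"""


def check_all_hosts(text, hosts=("bastion", "git.example.net")):
    """Which hosts actually get UseRoaming disabled under this config text."""
    return {h: resolve(text, h, "UseRoaming") for h in hosts}


if __name__ == "__main__":
    print("appended :", check_all_hosts(APPENDED))   # only bastion covered
    print("prepended:", check_all_hosts(PREPENDED))  # every host covered
```

The same ordering rule applies to any ssh_config option; UseRoaming itself was removed from OpenSSH in 7.3, so the directive only matters on older clients.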
Dex posted:i encrypt my end, and you encrypt your end, back and forth forever

I've been thinking about the "back and forth". When can we meet? I would like to share my private key with you.
# ¿ Mar 29, 2016 03:06 |
dpbjinc posted:The Internet is going to be hell whenever they get hacked.

The model LetsEncrypt is pushing hard is that you set up a cronjob or something that pulls a new certificate every week. I think the main goal is for them to be able to push stronger certificates on a reasonable timeframe if a new vulnerability comes out. But it also means that they could just as easily rotate their root certificate and push out new certificates to everyone if they were compromised, as soon as they could get their new root cert pushed into Windows/Linux/Firefox/Chrome/Java.

Paul MaudDib fucked around with this message at 02:48 on Apr 8, 2016
# ¿ Apr 7, 2016 13:29 |
oaok posted:What are some things that I should study to start learning sec related things? Also resources that would help a beginner/novice looking to get into the field of infosec. Books? Courses? Videos? I'm very interested in netsec and infosec but I don't know where to begin. I was looking at maybe bash/shell, different file encryption, scripts and things like that, but I feel I need some fundamental training on the whole lot of information for these subjects.

Security is a really broad field. A deep understanding will probably require you to learn pentesting in parallel with coding/administration - you set up something, then break into it, make it stronger, etc. There are a bunch of different categories that are pretty much unrelated - learning how to store passwords securely in a database doesn't really help you with portscanning and so on. I'd start with looking at some of the stuff you can do with metasploit and nmap, probably. Stay out of trouble.
# ¿ Apr 21, 2016 18:47 |
Boris Galerkin posted:Is let's encrypt actually worth taking the x minutes to set up? I remember reading somewhere that all having a cert from them says is "this guy has a cert from us" but doesn't actually mean/do much else. Could be wrong though.

What's your question? It's an SSL certificate, not Extended Validation, and does no more or less than any other SSL certificate.
# ¿ Apr 22, 2016 19:26 |
OSI bean dip posted:Curious: how do you think the NSA has tampered with them?

ECDSA relies on a curve as a pseudorandom number generator, basically. Both parties pick a point on the curve and share the outputs. By design, it's easy to reverse one point if you know the other, but it's computationally difficult to reverse both points. That is, assuming the curve is truly random. There was a method known (patented) at the time where if instead of picking the curve randomly you generate it yourself from some factors, then you can trivially reverse any message on that curve. When the NIST were putting out the draft standard for ECDSA, the NSA arbitrarily stepped in and said "use this curve", with no explanation. It could potentially be a kleptographic attack, where unless someone knew those factors it would be impossible to break.

Sometimes in the past the NSA has strengthened the NIST algorithms. For example, they used advanced knowledge of differential cryptanalysis to strengthen the S-boxes in the DES encryption algorithm, without revealing what they had done until 20 years down the road when someone else figured out the technique. One thing that's come out recently is that not all curves are created equal. Some are much easier computationally than others, so it's possible it's something like that. Or it could be both.

http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/2/

What's more, they also bribed at least one large crypto provider in the business world to use ECDSA with this curve as the default...

http://mobile.reuters.com/article/idUSBRE9BJ1C220131220

Paul MaudDib fucked around with this message at 06:23 on Apr 25, 2016
# ¿ Apr 25, 2016 06:08 |
OSI bean dip posted:You are missing the point of why AV is complete crap. Just because you see it as a layer of security does not mean the layer is effective.

How are you defining effectiveness? Top-tier antivirus software (Kaspersky, BitDefender, etc) consistently picks off 99.9%+ of known threats, 95%+ of unknown threats via heuristics, and 98%+ of malicious sites. That's pretty effective in my book.

http://www.av-comparatives.org/wp-content/uploads/2016/04/avc_fdt_201603_en.pdf
http://www.av-comparatives.org/wp-content/uploads/2015/07/avc_beh_201503_en.pdf
http://www.av-comparatives.org/wp-content/uploads/2016/04/avc_factsheet2016_03.pdf
# ¿ May 1, 2016 01:50 |
Dex posted:lol

The test methodology is: pick a freeze date for the AV definitions, collect new/unknown virus samples, then test them against the old AV definitions to see if the heuristics picked them up. What's your specific complaint with that approach?

edit:

Dex posted:why don't they just catch the other 5% of unknown threats, can't be that hard

Well, BitDefender is at 99% heuristic effectiveness. No software is perfect - including filtering web/email at the pipe - but that's not a reasonable standard of effectiveness.

Paul MaudDib fucked around with this message at 01:58 on May 1, 2016
# ¿ May 1, 2016 01:53 |
OSI bean dip posted:Tell me why AV cannot catch most ransomware even with up-to-date definitions

Way to beg the question. In the real world,

and that's the AV-related causes of why viruses spread. I would also throw in users that disable UAC or let any random application escalate to admin (especially dubious stuff like keygens), which may allow additional ways for malware to escape AV detection or kills. Not that antiviruses are perfect - because they're not, nothing is 100% - but if you don't undercut them by doing the above, they are pretty effective. Some are more effective than others though - Kaspersky, BitDefender, ESET, and F-Prot regularly top the pack in detection rates, others have lower detection rates.

Ransomware isn't really any different than a standard virus, which also spreads quite prodigiously. The difference is that an average virus doesn't make your computer unusable until you send 50 bitcoins to Russia. Regular viruses want to stay undetected so they can keep using your machine in their botnet, spamming ads for ch34p v1agra, etc. If every single infected computer out there suddenly flashed an alert message, we would notice them a lot more.

Paul MaudDib fucked around with this message at 03:11 on May 1, 2016
# ¿ May 1, 2016 03:01 |
OSI bean dip posted:As someone who used to work for an antivirus company, you absolutely have no idea.

Well, signatures look for unique bit-patterns in a file or in memory. For a trivial example, the classic "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" string. Heuristics work by looking for patterns of characteristics and behavior of a process that might be suspicious. For example, a process that isn't signed by a trusted key, was recently installed, is running elevated, and has been a foreground window for less than a second might be a virus. Then there's sandboxing, where you set up what looks like a real kernel but actually is a stub run by the AV program, to see whether an executable or process tries touching a file or system resource that it shouldn't.

Paul MaudDib fucked around with this message at 05:44 on May 1, 2016
# ¿ May 1, 2016 05:31 |
OSI bean dip posted:So far you're not nailing how anti-virus works. Have you ever seen a signature? Or even better, write me a YARA rule that will detect 99.9% of ransomware.

One rule will never catch 99.9% of anything. You're an idiot who's trying to score points by making an impossible request.

OSI bean dip posted:https://blog.kaspersky.com/equation-hdd-malware/

OK, I'll keep that in mind if I piss off the NSA (but seriously - if they're giving you 1-on-1 attention you're hosed, they're getting in one way or another). Do you not drive with seatbelts because someone might t-bone you at 80 miles per hour and in that case you'd die anyway? Antivirus picks most of the low-hanging fruit - yeah the NSA is getting in regardless, but you don't have to make it easy for the first script-kiddie who gets a chance at you. You're an idiot if you think the NSA has anything to do with average consumer security. No wonder you're "formerly employed" by an antivirus company.

Paul MaudDib fucked around with this message at 06:52 on May 1, 2016
# ¿ May 1, 2016 06:42 |
Good Dumplings posted:Guessing 4 posts before he makes a "kill yourself" post.

Why? It's just YOSPOS having some drunken weekend anal leakage. You've got OSI Bean Dip, the Internet Antivirus Expert who once interned at Symantec or something, who just keeps asking someone to explain antivirus to him and who thinks the NSA is going after grandma's cat pictures (the explanation he gave in the thread he linked for why antivirus sucked, after I got past all the "under construction" paragraphs), and a bunch of white noise posters. It would almost be funny if they weren't giving such bad advice. Sure, anyone who posts in this forum can probably avoid clicking any obvious malware links or opening a suspicious attachment. But that's not good advice for a business or for your aunt who loves those FWD: FWD: FWD: emails.

Mustache Ride posted:Jesus tapdancing christ, why is everyone so loving angry in these threads?

So angry. One of these idiots actually started stalking my posts to yell at me in other forums. Saturday night on Something Awful Dot Com, y'all
# ¿ May 1, 2016 21:31 |
Adix posted:don't whitewash my noise

sorry, brown noise
# ¿ May 1, 2016 21:39 |
apseudonym posted:The YOSPOS crowd here has you far outpaced when it comes to security credentials, have you done any work in security?

If they have professional experience, why don't they do more than ask me how antivirus works? I explained it to them, and they said "nah" and asked again. I read the thread they told me to read and their explanation was that the NSA was gonna blast right through consumer antivirus and I guess their edge filtering was gonna stop the NSA in their tracks or something. lol OK
# ¿ May 2, 2016 06:15 |
endlessmonotony posted:And you haven't actually made a case where antivirus helps. Let's take your 95% figure, a number you pulled out of your arse. Aunt Stupid, opening attachments infinitely, will not be helped by antivirus. They're going to get hit by something sooner rather than later unless someone manages to hammer "don't open unknown poo poo you fuckhead" into their head, or somehow prevents them from being able to run malware, be it by disabling poo poo from running at all, handing them an iPad or installing Gentoo. Antivirus would have to be loving perfect to help Aunt Stupid - but you can't fix stupid. I'm sorry.

Mmm, yes, Aunt Stupid installing gentoo. I'm sure she's gonna be A-OK with compiling kernels and portage and poo poo. Do you actually have any family members? Or at least someone you would describe as close to you?

e: Furthermore, security by infinitesimal user-base is not a viable defense mechanism. Seriously, this thread - "forget antivirus, just install gentoo on grandma's computer"

Paul MaudDib fucked around with this message at 06:27 on May 2, 2016
# ¿ May 2, 2016 06:20 |
online friend posted:because you obviously don't know how it actually works, and what actual detection rates in the real world for AV suites are

I actually don't have plat and can't look up where he posts. Unlike the guy from this thread who stalked my posts so he could argue with me in another forum. I just could tell because he's a shitposter. Where's the explanation? Link it for me. He told me to read a thread where his explanation was that the NSA was gonna get Grandma's cat pics. There was nothing but "under construction" on the first page of the thread and that was the first explanation he gave in the thread. I'm not joking.

online friend posted:have you ever heard the word "hyperbole" or are you purposely being this stupid

Yeah, I'm dead serious. Have you ever known someone who wasn't a techie or is this rhetorical? My aunt is afraid to upgrade from her XP machine because Win7 is all different and poo poo
# ¿ May 2, 2016 06:32 |
Wiggly Wayne DDS posted:Do you have selective hearing, or are you just wilfully dense at this point?

I don't know, what would replace AV but be really expensive? That's not a viewpoint I've argued. AV is cheap, it's <$5 per box per year for a multi-license of a top-shelf AV (BitDefender/Kaspersky/ESET/F-Prot). My Kaspersky licenses consume less than 1% of a circa-2010 processor and once you get them set they don't ever waste your time, while having top-shelf signature/heuristic rates. I've done and it's caught suspect files every time. I also bought a Malwarebytes lifetime license for $20 a couple years ago and that's my second layer. It ain't expensive.
# ¿ May 2, 2016 06:36 |
Trabisnikof posted:most av is actually worse than doing nothing

OK cool, 95% of everything is poo poo. So can we agree that having something in the top 5% is worth something?
# ¿ May 2, 2016 06:38 |
online friend posted:also he wasn't seriously suggesting you install gentoo for your aunt you idiot

Did I misclick into YOSPOS or is this the serious forum for actual advice? The concept that re-encoding malware disrupts detection goes along with the fact that signatures detect bit-patterns in memory/files. But not everything is brand new, and you have heuristics for the stuff that is.

(USER WAS PUT ON PROBATION FOR THIS POST)
# ¿ May 2, 2016 06:41 |
Oh gee 2000 copies. My computer could create at least 3000. How long does it take to generate a differently-optimized output via any random compiler? Like one optimization step? You could make LLVM dump like a million per hour. And you accuse me of posting breathless clickbait poo poo. Again, that's why we have heuristics.

Paul MaudDib fucked around with this message at 06:47 on May 2, 2016
# ¿ May 2, 2016 06:44 |
online friend posted:jesus christ

Probably about the time you post an actual argument that isn't "trust me" or conspiracy theories or some clickbait poo poo. And just for the record,

Baxta posted:It's been alleged (but not proven) that NSA put backdoors in Dual_EC_DRBG. For latest news check out the Juniper stuff from last year.

This is the only plausible vector that's actually been published. The NSA is not backdooring your AV to get ahold of your grandma's emails. Mass wiretapping and opportunistic decryption, sure, but they can get caught deploying targeted malware or MITMing exactly one time before a security researcher takes them apart.
# ¿ May 2, 2016 06:50 |
online friend posted:nobody's posting conspiracy theories? where are you getting this?

This is literally a conspiracy theory about antivirus. The NSA is not targeting you personally, that is not a realistic threat vector. If they do, there is absolutely nothing you can do to defend against it, they can absolutely deploy something on the level of Equation Group or (hypothetically) BadBios and you will never know it.

OSI bean dip posted:https://blog.kaspersky.com/equation-hdd-malware/

However he just made a good post with an actual explanation. Re-encoding does disrupt the signatures that AV looks for. The signatures are there for picking off the low-hanging fruit - most threats are lazy poo poo that's multiple months old and that keeps someone (not naming names but she's my GF) from picking up viruses on streaming sites. For unknown threats we have heuristics - they aren't 100% but they are the best defense against unknown threats. That's the current standard for picking off unknown threats. Shoot me whatever numbers you want from a real-world test, but it's a lot better than nothing. Between MBAM and Kaspersky we haven't had any breaches despite a lot of sketch behavior.

Group protections absolutely do work - herd strategies are viable as proved by evolution. If one of us is getting hosed by a virus, find the attacker and mark it as hostile. You may be the first person on the whole internet to encounter a threat, but you're probably not, particularly if you do behave safely on the whole. There are a lot of people on the internet or any given AV platform. A couple million PCs is viable as a perspective onto the world's infection threats. I also think there's extra heuristics to be picked off here via deep learning of the virus code and behavior characteristics too.

Paul MaudDib fucked around with this message at 07:07 on May 2, 2016
# ¿ May 2, 2016 07:02 |
online friend posted:why did you post this

For some reason she refuses to use the Sonarr system I set up, idgi either
# ¿ May 2, 2016 07:09 |
For real though I appreciate that antivirus is a layer that can have its own vulnerabilities, but the number of critical vulnerabilities in a given antivirus package is much less than the number of vulnerabilities in software that is corralled within an AV perimeter. There's been like what, 2 escalation or escape attacks within a year? It's probably less than a half-dozen total. Versus how many exploits of software installed on client endpoints? There's what, that one Xen escape, and like one Norton escape that got posted a while back, or something? How many peripheral Windows escalation/escape exploits and poo poo have been discovered within the same timeframe? And how many exploits of random applications?

Paul MaudDib fucked around with this message at 07:36 on May 2, 2016
# ¿ May 2, 2016 07:15 |
Jabor posted:My virus-repelling rock keeps my computer safe, I know it works because I've never seen a computer virus.

No, I've had viruses try before and my girlfriend has as well. Hello logfiles.

Jabor posted:"Heuristic" is literally just a fancy word for a slightly more complex type of signature. They have most of the same drawbacks as signatures, for example "a malicious attacker can just permute their virus a bit until it no longer gets flagged". Talking about how well something defends against "unknown threats" is utter bullshit, and the only way it could conceivably make sense is if you've gone balls-deep into the bacteriophage analogy and literally think that computer viruses are created via evolution and natural selection.

Well, they can't until they break whatever characteristic the heuristic is looking for. If you just re-encode a given virus it'll still trip most of the same heuristics as the old one. Assuming they worked in the first place.
# ¿ May 2, 2016 07:26 |
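The two detection layers described earlier in the thread (signatures as fixed byte patterns, heuristics as a score over process characteristics) and the re-encoding argument just above, as an added toy model that is not code from any poster or any AV vendor. The signature list, weights, sample file and process records are all constructed; the only real value is the EICAR marker string the earlier post names.

```python
"""Toy signature scan plus heuristic score, to show why re-encoding a sample
defeats a byte-pattern signature but not a heuristic keyed on what the process
does. Added example; every sample and weight below is constructed."""

# Signatures: fixed byte patterns. Only the EICAR marker is a real-world value
# (the harmless test string every scanner is expected to flag); the toy matches
# the substring anywhere, while real scanners check the full 68-byte test file.
SIGNATURES = {
    "EICAR-Test-File": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "Constructed.Marker.A": b"CONSTRUCTED-SAMPLE-MARKER-A",
}

# Heuristics: weighted process characteristics from the earlier post (unsigned,
# recently installed, elevated, briefly foreground) plus two ransomware-style
# behaviours. Weights and the threshold are made up for the illustration.
HEURISTICS = {
    "unsigned": 2,
    "recently_installed": 1,
    "elevated": 2,
    "foreground_under_1s": 1,
    "deletes_shadow_copies": 4,
    "mass_file_rewrite": 4,
}
THRESHOLD = 6


def signature_scan(data: bytes):
    """Names of every signature whose byte pattern occurs in the file."""
    return [name for name, pat in SIGNATURES.items() if pat in data]


def heuristic_score(process: dict) -> int:
    """Sum of weights for the characteristics the process exhibits."""
    return sum(w for flag, w in HEURISTICS.items() if process.get(flag))


def classify(data: bytes, process: dict):
    """Signature hit wins outright; otherwise the heuristic score decides."""
    hits = signature_scan(data)
    score = heuristic_score(process)
    if hits:
        return "known-malicious", hits, score
    if score >= THRESHOLD:
        return "suspicious", hits, score
    return "clean", hits, score


def xor_encode(data: bytes, key: int) -> bytes:
    """Trivial re-encoding: changes every byte, so no fixed pattern survives."""
    return bytes(b ^ key for b in data)


# Constructed sample file and the runtime behaviour observed for it.
SAMPLE = b"MZ" + b"\x00" * 16 + b"CONSTRUCTED-SAMPLE-MARKER-A" + b"\x00" * 8
SAMPLE_PROCESS = {"unsigned": True, "recently_installed": True,
                  "elevated": True, "deletes_shadow_copies": True}
# A freshly installed unsigned tool that otherwise behaves normally.
BENIGN_PROCESS = {"unsigned": True, "recently_installed": True}


def demo():
    original = classify(SAMPLE, SAMPLE_PROCESS)
    # Re-encoded on disk: the pattern no longer matches, but the process still
    # behaves the same way, so the heuristic layer still flags it.
    encoded = classify(xor_encode(SAMPLE, 0x5A), SAMPLE_PROCESS)
    benign = classify(b"hello world", BENIGN_PROCESS)
    return original, encoded, benign


if __name__ == "__main__":
    for label, result in zip(("original", "re-encoded", "benign"), demo()):
        print(f"{label:11s} -> {result}")
```

The re-encoded case is also where the heuristic's own weakness sits: an author who changes the behaviour the rule scores, not just the bytes, drops below the threshold, which is the point the quoted reply makes about permuting until nothing flags.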
apseudonym posted:I'm afraid this hasn't been true for at least 5 years, if not a whole lot longer. The problem is that if you're a security person who can write solid, correct, secure code you're in extreme demand and you're not going to stick around at an AV company getting paid trash for boring work.

Not disagreeing with you directly but can you provide some comparative numbers on this? Like critical/severe vulnerabilities in client software versus the AV layers?
# ¿ May 2, 2016 07:40 |
apseudonym posted:Keep in mind that vulnerability counts are not a great metric for security (1 remote code is as good as 20), what scope are you talking? "The client software" is pretty vague, and you need to keep in mind that most malware doesn't actually need exploits to do anything on a lot of platforms where AV is common (aka Windows).

Thrashing any given platform doesn't prove that it's more vulnerable than an unthrashed platform. I highly encourage you to consider the medical problem of detection rates of (eg) thyroid nodules versus actual cancerous nodules. A vulnerability is not the same thing as a virus, just the same as a benign nodule is not the same as a cancerous nodule. Not that the things he's finding aren't real, but once a professional goes looking for problems they find them. What he's doing is good, but that doesn't prove that he's finding more in AV relative to other stuff unless he actually looks at the other stuff.

Also, like I said - ransomware is a type of virus that advertises the fact that you've been infected. Comparing reported rates of ransomware versus stealth/botnet viruses is not valid either for the same reason. 100% of ransomware users know they have it, <10% of botnet users (probably <1%) know they have it.

Also, the fact that Windows is vulnerable is not relevant to AV vulnerabilities (unless they catch it). You were claiming that AV itself exposes extra vulnerabilities - platform vulnerabilities themselves do not count as AV vulnerabilities.

Paul MaudDib fucked around with this message at 08:03 on May 2, 2016
# ¿ May 2, 2016 07:54 |
[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.

quote:We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android which allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.

Root cause is:

quote:sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2

Paul MaudDib fucked around with this message at 19:09 on Dec 5, 2019
# ¿ Dec 5, 2019 19:06 |
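What the quoted sysctl.d change means in practice: rp_filter=1 (strict) drops a packet unless the best route back to its source leaves via the interface it arrived on, while rp_filter=2 (loose) only requires that some route to the source exist. The model below is an added illustration, not code from the advisory or the kernel; the routing table, interface names and addresses are constructed placeholders (documentation ranges), and it ignores that the kernel applies the larger of the conf/all and per-interface values.

```python
"""Model of Linux reverse-path filtering (net.ipv4.conf.all.rp_filter) in the
modes named in the sysctl.d change above: 1 = strict, 2 = loose, 0 = off.
Added example; routes, interfaces and packets are constructed."""
import ipaddress

# Constructed table for a laptop on Wi-Fi with a VPN up: default via wlan0,
# the VPN server itself via wlan0, everything else pulled into tun0 by the
# usual pair of /1 routes.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wlan0"),
    (ipaddress.ip_network("192.168.1.0/24"), "wlan0"),
    (ipaddress.ip_network("203.0.113.5/32"), "wlan0"),  # placeholder VPN server
    (ipaddress.ip_network("0.0.0.0/1"), "tun0"),
    (ipaddress.ip_network("128.0.0.0/1"), "tun0"),
]


def best_interface(addr, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, iface) for net, iface in routes if ip in net]
    return max(matches)[1] if matches else None


def reachable_interfaces(addr, routes=ROUTES):
    """Every interface with any route covering addr (what loose mode consults)."""
    ip = ipaddress.ip_address(addr)
    return {iface for net, iface in routes if ip in net}


def rp_filter_accepts(mode, src, in_iface, routes=ROUTES):
    """Would a packet from src arriving on in_iface pass the reverse-path check?
    0: no check. 1 (strict): best route to src must exit via in_iface.
    2 (loose): any route to src is enough, whichever interface it uses."""
    if mode == 0:
        return True
    if mode == 1:
        return best_interface(src, routes) == in_iface
    if mode == 2:
        return bool(reachable_interfaces(src, routes))
    raise ValueError("rp_filter must be 0, 1 or 2")


# Constructed packets: (source address, arrival interface). The last one carries
# a source the host only expects to hear from through the tunnel.
PACKETS = {
    "lan peer on wlan0": ("192.168.1.20", "wlan0"),
    "vpn server on wlan0": ("203.0.113.5", "wlan0"),
    "tunnelled site on tun0": ("198.51.100.10", "tun0"),
    "tunnelled site on wlan0": ("198.51.100.10", "wlan0"),
}


def evaluate(mode):
    """Accept/drop decision for every constructed packet under one rp_filter mode."""
    return {name: rp_filter_accepts(mode, src, iface)
            for name, (src, iface) in PACKETS.items()}


if __name__ == "__main__":
    for mode in (1, 2):
        print(f"rp_filter={mode}:", evaluate(mode))
```

Strict mode drops only the last packet; loose mode accepts all four, which is the behaviour the advisory's root-cause line refers to. Restoring strict mode on the interfaces that matter (conf/all and the per-interface key, since the kernel takes the larger) is the corresponding sysctl fix.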
activating your #1 Best Grandma digital entitlement...
# ¿ Dec 12, 2019 19:26 |
22 Eargesplitten posted:Could a piece of malware hypothetically rewrite a GPU's BIOS/firmware to send screen data to the malware's owner? Having a conversation with a super-paranoid former blackhat friend and I had never heard of/thought of that before. He runs Qubes with Xen so basically 90% of what he uses is disposable/non-writing. Definitely seems more towards the Mossad than the non-Mossad end of the threat spectrum, I'm wondering if it's even possible.

NVIDIA GPUs Kepler and newer and AMD GPUs Vega and newer will authenticate their VBIOS signature against a key that has not, to date, been broken (by the general public at least, and people have been trying so that they can play with it for mining/etc). Replacing the VBIOS with a malicious one is towards the Mossad end of the scale for sure.

That said, GPU process isolation is probably not very good and I would work on the assumption that it's possible to leak data from one process to another (or in the case of SR-IOV from one user to another). For starters consumer GPUs only zero memory at startup, so there is the possibility that you could be handed memory that already has data from another process in it. Also, there is a decent chance that GPUs could be vulnerable to some kind of Spectre-like attack since it's doubtful any attention was paid to timing attacks when designing a performance-oriented GPU architecture back in the 2010-2012 timeframe. So while firmware attacks are probably unlikely, there are probably attacks that would allow an unprivileged app to, say, grab framebuffer data from a browser or from the screen-wide framebuffer and then send that to someone. It is probably a blessing in disguise that GPU-accelerated compute has never really taken off outside niche compute-intensive applications so there isn't much sensitive data sitting in VRAM.

Still pretty paranoid, and still probably implies that the Mossad is interested in you specifically as opposed to someone dropping cryptominers on everybody they can, but I think there's a pretty good chance there are significant unknown vulnerabilities in GPU architectures and firmware.

Paul MaudDib fucked around with this message at 18:53 on Dec 19, 2019
# ¿ Dec 19, 2019 18:29 |