LastPass breach gets worse

iamonlyoneman · 2023-01-26T02:46:44+00:00

my my, the things we avoid by using local backups and memorable passphrases instead of password managers. Remote computing users are basically asking for trouble though.

Drewski · 2023-01-25T19:12:05+00:00

archive.today mirror | hacker news discussion

JasonCarswell · 2023-01-20T23:22:38+00:00

TL;DR.

Is it worth sharing the list to counter tyranny?
Can we torrent / share /propagate the list?

Brewdabier · 2023-01-16T16:12:12+00:00

It's Amazon crap, they only sell counterfeit goods.

SoCo · 2023-01-16T15:39:11+00:00

I can't say I didn't expect 80% of obscure electronics from foreign countries to be full of malware...

with an AllWinner T616 processor,

Sounds like a Raspberry Pi

To avoid such risks, you can pick streaming devices from reputable vendors like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.

Avoid Chinese malware, get highly trusted US malware!

Drewski · 2023-01-10T19:55:09+00:00

archive.today mirror

SoCo · 2023-01-09T20:32:29+00:00

I guess one is left to wonder if "27 Hosted Exchange customers’ emails", means 27 email accounts....or 27 customers, some of which had thousands of email accounts.

It seems slapping a regex filter in front of an insecure public facing request processing service might be a sloppy excuse for a fix on Microsoft's part, as this simply side-stepped their fix from a couple months prior.

SoCo · 2023-01-09T17:32:13+00:00

If people start using these passphrases too much, then password crackers will just prioritize dictionary brute forcing with dictionaries based on popular passphrase generator word pools. Then, each word is as useless as a single character in a password.

Create a complex password system only you know and you can memorize, so you can have a different password for every account, which can be rotated on a regular bases, and never have to put all your security in one basket with a password manager or use a security defeating short-cut like the passphrases. If done correctly, you should be able to make paper notes, that no one else can decipher, in case your memory falters.

Drewski · 2022-12-13T21:19:32+00:00

archive.today mirror

Drewski · 2022-12-09T19:33:19+00:00

archive.today mirror

iamonlyoneman · 2022-12-03T16:33:04+00:00

how about fuck you? I was driving since before 9/11 because "security" at airports was an offensive joke back then. this is just not happening with me and i hope the cities of the nation jump on board the 'no biometrics' bandwagon even more with this news

ETA: this is really dunking on the low-information "security" employees at TSA who obviously suck at their jobs.

Drewski · 2022-12-02T06:29:31+00:00

archive.today mirror

Drewski · 2022-12-01T08:19:03+00:00

archive.today mirror

Drewski · 2022-11-12T05:18:11+00:00

archive.today mirror

SoCo · 2022-11-08T20:35:07+00:00

The same is true for Facebook, Twitter, everything centralized. The only difference with Mastodon, being federated (ie somewhat decentralized), is that you have to trust your pod/instance, but not all of Mastodon.

iamonlyoneman · 2022-10-29T21:08:17+00:00

I set up my life so i interact with people IRL and make phone calls to find out how they're doing. You should try it some time.

raven9 · 2022-10-29T19:45:36+00:00

Maybe not to you, but then are you elderly and therefore only minimally involved in society?

If you were actively part of todays modern generation you would understand that almost EVERYTHING in todays society requires a social media presence.

You would understand that most young people do not want to be excluded while all their friends and family, partners etc are all interacting on social media.

You would understand that they do not want to be left out of the loop while all their work collegues share information and discussion in their company's own social media groups.

You would understand when people meet for the first time and exchange social media links no one wants to be the loner weirdo that says they don't do that.

Therefore when the tech corporations hold their users social media accounts to ransom in demand for their phone number it is like like putting a gun to their head. It is saying you either give us your phone number or we will prevent you from participating in all of the above. You will be a pariah excluded from the rest of society. A second class citizen depersoned and deplatformed.

Drewski · 2022-10-29T19:19:23+00:00

archive.today mirror

IkeConn · 2022-10-29T18:11:22+00:00

I don't use social media platforms. Fuck them and the horse they rode in on.

iamonlyoneman · 2022-10-29T17:44:59+00:00

zero of those are mandatory to use

x0x7 · 2022-10-21T01:15:37+00:00

I'm going to need to see more than that. Two screenshots of two headlines and a small comment does not an article make.

Now you are going to just tell me I'm uninformed and don't get why it matters. That's what an article is supposed to do.

HongKongPhooey · 2022-10-07T19:18:16+00:00

The desktop app cant possibly be secure, its an Electron.js app...

https://www.rst.software/blog/5-apps-you-wouldnt-think-are-built-with-electron#:~:text=That's%20correct%20%E2%80%93%20Signal%20also%20decided,to%20Mr%20Zuckerberg's%20digital%20empire.

https://www.certik.com/resources/blog/vulnerability-electron-based-application-malicious-code-execution

Drewski · 2022-09-29T19:23:58+00:00

archive.today mirror

FuckYourMom · 2022-09-16T00:36:53+00:00

These kinds of attacks require hardware, software, and often reap bad results. Also, isn’t the internet encrypted these days? Password typing is no longer viewable to a middle man attack because of end to end encryption. Is that correct?

jet199 · 2022-09-10T09:57:47+00:00

This is why I only use the cloud to store sensitive documents I've stolen, never my own stuff.

iamonlyoneman · 2022-09-10T00:39:14+00:00

Lame title, but yeah

JasonCarswell · 2022-08-26T11:40:21+00:00

Thanks.

The funny thing about it is that I was emailed as one in that database.

You are correct. I should have found and linked articles about the breach, not pointed to it.

JasonCarswell · 2022-08-26T11:39:34+00:00

The funny thing about it is that I was emailed as one in that database.

You are correct. I should have found and linked articles about the breach, not pointed to it.

magnora7 · 2022-08-26T07:52:35+00:00

Yeah I think that was a good removal vulptex, it's a database of other people's passwords that were leaked. Articles about the database would be fine, but I see no reason to continue the propagation of stolen personal data. Thanks for removing and then deferring to me if I wanted to reinstate, good approach, much appreciated.

Vulptex · 2022-08-25T23:27:59+00:00

I'm pretty sure this is illegal so I'm going to have to remove it and let u/magnora7 review it. It could contain private information as well.

SoCo · 2022-08-22T18:37:20+00:00

Sounds like a recklessly lame vulnerability to have and only feasible to exploit because their whole design was weaksauce.

Drewski · 2022-08-22T18:25:50+00:00

archive.today mirror

SoCo · 2022-08-22T16:41:11+00:00

Usually you use rkhunter and configure it to also use unhide as part of its checks.

x0x7 · 2022-08-18T04:28:14+00:00

The real best password advice would be to put nothing on the internet you can't afford to lose or have somebody access.

I should really cancel my bank account or get one without an online access.

SoCo · 2022-08-17T21:10:03+00:00

I've advocated the formula method for years. Redditors trying to sell or promote password managers usually would just dog-pile and mass-report me when I said it.

One great feature of this, is that you can write your password down on paper or a text file too. Knowing your formula, allows you to write it down in a way that doesn't include or elude to the whole password. It's just a few letters of nonsense to anyone else. Add yearly password changing to your formula for regular rotation and you are golden.

Biggest password security failure of 2022: Using Character replacements like P@$$W0rd

Come on, its not 1990 anymore, every low quality tech college has been telling kids to do this poorly thought out trick for a decade and a half. It's easy to get around and mostly avoids adding any actual additional complexity to your password, because of it.

When you learn to crack password, the limitations become more clear. Automated tools already try silly character replacements and other cracking tools allow you to do so easily with rules and character sets. (I'm thinking of hashcat)

TheRealPanzer · 2022-08-14T04:35:10+00:00

You have to disable JavaScript to view this site.

TheRealPanzer · 2022-08-10T17:37:13+00:00

Here you go:

https://archive.ph/LuYkI

TheRealPanzer · 2022-08-10T14:33:48+00:00

His whole site is down at the moment ...

JasonCarswell · 2022-08-10T13:41:14+00:00

Not Found
The requested URL was not found on this server.
Apache/2.4.51 Server at www.dedoimedo.com Port 443

SoCo · 2022-08-02T20:43:56+00:00

Public Wi-Fi is still the biggest security risk most people will stumble upon. Having all your traffic sniffed leaves you hoping that every website you go to with an account didn't screw up....like they all seem to do over and over.

That non-https secret hashed address link doesn't do much good if some meth head with a laptop is sniffing all the Wifi traffic. On someone else's Wifi, your chances of using DoH successfully is pretty low. Why have an open Wifi, if you aren't blocking all DoH and DNS, so you can funnel all through your own DNS and collected massive sensitive user data! The opportunities on an open-Wifi are abundant for reset tricks, HTTPS downgrade attacks, MiM stuffy stuffs...

Then, devices leak more information than ever about you! They run so very many useless services you'll never use, by default! Bonjour!

You must trust the open Wifi operator 100%, because they have you by the ball bearings! They can MiM all your crap, record everything, and profile you better than a Amazon, Cloudflair, and Google tag-teaming your Mom's every online usage into a virtual profile with the Internet security breaking side-channel attack of a Cloudflair DDoS protection Recaptcha box.

You are also at the mercy of targeted attacks as well, while on that Road Warrior network. Time to spray your teeth with silver paint and get crazy!

I'd say, at least use a junk VPN or proxy, if you are to use such an insecure party line as an Open Wifi.

Drewski · 2022-07-31T19:28:36+00:00

Don't use any biometrics to secure your phone, unlike a password the 5th Amendment does not apply and you can be compelled to unlock your device.

IkeConn · 2022-07-30T19:11:51+00:00

If it's Made in China it is not secure.

HiddenFox · 2022-07-27T00:41:10+00:00

Would a BOIS flash with a new HDD at the same time work?

I would also think a hash for the UEFI code and some way to compare it so you can check for mods in the code.

After reading more of the article it seem to be very limited in use and requires a lot of investment to get it working. I doubt it is a mainstream attack or ever will be. Also the researchers believe (in one case anyway) that the motherboard itself was modified before even shipping to the customer. IMO this looks like something government would do to target specific people of interest. But hey, who knows, anything is possible.

iamonlyoneman · 2022-07-26T19:23:28+00:00

Use hardware that's airgapped and never online?

Drewski · 2022-07-26T18:31:55+00:00

This is nuts, how do you even defend against this type of attack?

raven9 · 2022-07-26T18:12:51+00:00

Exactly. I was just about to post, 'it's not a rootkit it's a feature'.

SoCo · 2022-07-26T15:34:14+00:00

Everyone could tell UEFI was a totally dumb nest for permanent root kits. It just made the already popular root-kitting of firmware convenient and standardized.

SoCo · 2022-06-22T21:03:16+00:00

The new POC showed that probably, before MEGA fixed it, that they could have, if intentionally trying to for a long enough period of time, while you had logged in several hundred times.

Then, they explained, once they have your master key, you're kind of boned in many ways.

This, using a technique, malleability of RSA, that is largely under-mentioned for websites that display user content.

MuhUkraine · 2022-06-14T17:30:08+00:00

"In memory" LOL

If that's your bar for good security, there are thousands of issues like that on your computer right now.

iDontShift · 2022-06-14T01:55:18+00:00

here they tell you they are aware and are not interested in fixing it

the reason is because they say you must trust the local user.

i say they are full of shit, as later in the very same answer they tell users they could use encryption on their entire harddrive.. and pretend as if encrypting your passwords would be a waste of time.

sox-lox · 2022-06-14T00:04:37+00:00

based Google, just move it around in memory with every release and don't fix it

yelgy · 2022-06-13T19:39:59+00:00

reported

Drewski · 2022-05-18T18:34:53+00:00

Well yeah, they wouldn't just lie to us.

AmericanMuskrat · 2022-05-18T06:05:45+00:00

Well, if the government says they won't, we can rest easy. cough

Drewski · 2022-05-18T01:31:52+00:00

archive.today mirror

magnora7 · 2022-05-14T20:33:07+00:00

IMO all cryptography is based on "this is harder to break with current technology than you have time for".

The moment the technology changes, so must cryptography change.

Drewski · 2022-05-14T18:37:24+00:00

archive.today mirror

Drewski · 2022-03-31T18:07:23+00:00

archive.today mirror

raven9 · 2022-03-26T15:38:40+00:00

If they say its N.Korea, Iran, Russia or Anonymous, it means its the NSA/CIA using back doors that were built into the worlds computer systems by microsoft and intel.

Vulptex · 2022-03-26T12:50:59+00:00

It's always North Korea

IkeConn · 2022-03-14T00:32:39+00:00

Sounds like a souped up version of Fail2Ban.

suzew · 2022-03-12T02:07:13+00:00

sounds like something a neckbeard reddit hacker would say

infocom6502 · 2021-12-09T07:11:05+00:00

direct link: https://httptoolkit.tech/blog/public-cdn-risks/

Horrux · 2021-12-05T20:00:56+00:00

WOW. Time to start running our own nodes, guys.

Node · 2021-08-25T22:09:56+00:00

But what would you do for a computer if Apple died? Afaik, your only other choices would be a Frankenstein hodgepodge of components, running an OS from the evil empire, or the tinkerers dream OS.

Both of those would be like moving from a beautiful beach town to a place like Detroit or Chicago.

raven9 · 2021-08-25T21:30:03+00:00

If the list is accurate most of them are members of the government and the CIA.

raven9 · 2021-08-25T21:27:43+00:00

Resistance is futile. The day Steve Jobs died Apple was assimilated into the corporatocracy.

raven9 · 2021-08-23T19:31:32+00:00

The security of any account login is only as strong as it's lost password options.

IkeConn · 2021-08-15T03:51:19+00:00

It was only a matter of time until they shot themselves in the foot. I would love to see this company die.

raven9 · 2021-08-11T01:31:32+00:00

Mozilla == NSA

Vulnerabilities == back doors

infocom6502 · 2021-08-10T21:25:17+00:00

nice, it's about time somebody did this! good website and a nice read.

IkeConn · 2021-08-09T04:06:51+00:00

Don't download a shitload of apps is a great start.

IkeConn · 2021-08-04T19:23:30+00:00

I purposely send encrypted files just to fuck with the NSA and other fuckers. I encrypt bullshit files and then send them to folks inside texts and emails. If you are an NSA fuck and you spent a week decrypting Granny's biscuit mix then I caught you in my trap.

infocom6502 · 2021-07-23T07:08:33+00:00

A plugin that could act like a black box to log all dynamically uploaded JS would be incredibly useful in tracking malicious JS. Has anyone thought of developing this and putting it out there?

Drewski · 2021-06-26T20:54:40+00:00

As if we needed another reason to avoid the Internet of Things.

x0x7 · 2021-06-16T14:12:20+00:00

We should really get rid of passwords. Signing a phrase is not hard to do, and is way more secure.

hennaojichan · 2021-06-15T04:55:04+00:00

I'd guess that Israel has eight ways to Sunday of getting any telephone transactions in the US."No, we're not listening. Promise."

d3rr · 2021-06-15T04:24:25+00:00

He and fellow co-founder Amandine Le Pape started working on the project in 2014, as employees of Israeli technology company Amdocs.

See also https://en.wikipedia.org/wiki/Amdocs#Controversy

MacRace · 2021-04-26T18:21:50+00:00

You post very good

Panzerfaust · 2021-04-26T18:17:43+00:00

You are welcome.

Gaydolf_Titler · 2021-04-26T17:56:29+00:00

Just wanted to tip my hat to you for all the great content you've shared, Panzerfaust. Top poster on this platform, imo.

Airbus320 · 2021-04-14T14:29:10+00:00

Feed nana

TheAmeliaMay · 2021-04-14T10:51:57+00:00

Thx!

Airbus320 · 2021-04-14T09:03:34+00:00

u/theameliamay this user a spammer

infocom6502 · 2021-04-09T07:38:21+00:00

yup the feb 2020 and oct 2020 campaigns.

i'm very skeptical it was anti-terror in nature. it's probably newspeak for a terrorism operation.

i much wonder who the targeted groups were.

jykylsin2034 · 2021-04-03T11:36:16+00:00

Nice

Panzerfaust · 2021-04-03T07:31:50+00:00

Desktop version: https://github.com/spieglt/cloaker

dissidentrhetoric · 2021-03-31T08:13:55+00:00

You can use snort on pfsense. Works well.

Panzerfaust · 2021-03-21T10:27:00+00:00

https://theevilskeleton.frama.io/2021/02/11/response-to-flatkill-org.html

Xihaon · 2021-03-18T06:38:03+00:00

But without a plausible justification your phone numbers database would grow slower.

Panzerfaust · 2021-03-11T08:32:12+00:00

https://www.twitter.com/Hetzner_Online/status/1369598862839676929

Xihaon · 2021-03-01T19:29:14+00:00

Can't justify endless income without endless updates, eh.

thoughtcriminal · 2021-02-20T02:18:16+00:00

favicons

they're going to corrupt every facet of web browsing until we're all reading the news through a text only terminal sent by email through tor. RMS was right all along.

Alan_Crowe · 2021-01-12T14:53:15+00:00

$ cat /dev/random | strings | more
<Dq*
-!BV}
%WZ+w

FediNetizen · 2020-12-25T08:19:27+00:00

I was trying to figure out what cause they would have to seize and shut down a VPN service, but then towards the bottom it mentions they also offered hosting. Now it makes more sense.

chadwickofwv · 2020-10-07T19:27:01+00:00

Wow, that product has abusive girlfriend/wife written all over it. Anyone who buys this should be investigated for sexual abuse.

x0x7 · 2020-10-07T14:38:49+00:00

Boom!

Drewski · 2020-08-31T19:44:13+00:00

Haha nah it's all good keep doing what you do.

realpanzer · 2020-08-31T19:41:31+00:00

Sorry about that.

Pick some other sub for posting.

:)

Drewski · 2020-08-31T19:37:34+00:00

Great posts here lately panzer, everything I go to share something you've already posted it ;)

Security

MODERATORS