Laptop/PC security setup

Jenuall
Member
Joined in 2008

Re: Laptop/PC security setup
by Jenuall » Sun Apr 22, 2018 7:57 pm

I would avoid reliance on biometrics like the plague.

Anyone who believes that biometrics is some kind of silver bullet for digital security is either misguided or doesn't have your best interests at heart.

Errkal
Social Sec.
Joined in 2011
Location: Hastings

Re: Laptop/PC security setup
by Errkal » Sun Apr 22, 2018 7:59 pm

Biometrics are great for companies, but online it means a nice mapping of online activity to a person. I'm sure that will end very very well.

Earfolds
Member
Joined in 2008
AKA: Evil Ted

Re: Laptop/PC security setup
by Earfolds » Sun Apr 22, 2018 8:05 pm

Biometrics aren't stored or shared remotely, they're only used to generate a one-time use key, which is generated locally.

It's definitely worth reading the spec for WebAuthn. If it doesn't assuage your issues with biometrics, it will at least help you understand how it works a bit better.

OrangeRKN
SONM Sec.
Joined in 2015
Location: Reading, UK

Re: Laptop/PC security setup
by OrangeRKN » Sun Apr 22, 2018 8:40 pm

Earfolds wrote:
OrangeRakoon wrote:Being able to change your credentials in the event that they become compromised should be an obvious requirement for any good method of authentication.


If your identity has been stolen, I don't think your ability to log into Facebook is going to be at the top of your agenda.


I'm not sure what your reply is here? Do you not think that being able to change compromised credentials is a useful property? If my credentials have been stolen, changing them where possible is surely going to be a priority...?

Earfolds wrote:
OrangeRakoon wrote:I don't disagree with you - my point was that I would never want to use biometric data as the sole method of authentication. I wouldn't say I slipped up!


Why are you making this point?


Because it's a choice presented to many people right now. You can configure your phone to unlock via password or via fingerprint, for example. And because the entire thing we're arguing is the relative merits of password and biometric authentication.

Earfolds wrote:
OrangeRakoon wrote:The argument here is more that if I am targeted specifically, I'd much rather just tell the scary bad people my password and lose all my money than tell the scary bad people my password, lose all my money and lose a finger.


If this is what you really imagine when you think of cyber attackers, you haven't been keeping up.


I'm certainly not going to get strawmanned into defending physical/violent coercion as the most likely attack vector. It doesn't make it less of a valid situation though. If we were to go down the line of reasoning of when this might be most applicable, I would guess it would be mobile phone muggings. It's not a ludicrously far-fetched and contrived scenario. Neither is it the number one concern for account security.

Earfolds wrote:
OrangeRakoon wrote:Are passwords unfit for purpose? No, provided you use them right.


I'm just glad the rest of the industry disagrees with you.

I really think it's a good idea if you read the spec behind WebAuthn before continuing this argument.


I work in the IT security industry, in privileged access management. Passwords are secure and fit for purpose when managed correctly.

What the industry agrees on is not that passwords are unfit for purpose, it's that people in general are bad at creating, using and managing passwords. There is a clear distinction.

Lots of the industry wants to move away from passwords because getting people to use passwords effectively is very difficult, not because passwords are inherently insecure.

Karl
Seyana!
Joined in 2008

Re: Laptop/PC security setup
by Karl » Sun Apr 22, 2018 8:48 pm

My understanding is that on registration WebAuthn allows your phone to set up cert-auth with a service and then lock that cert using your fingerprint, and on authentication the phone will ask you to unlock the appropriate cert with your fingerprint and then send a cert-signed notice to the service saying you are authenticated. Hopefully websites would also ask for a PIN: then an attacker would have to know your PIN, possess your phone, and spoof your fingerprint to log in as you.

This seems like a sensible enough solution for logging in to services which are intrinsically linked to me as a person, like a banking account or a Facebook.

I would worry about having a tokenised link between my identity as a real-life human and my "Extreme Tentacle Hentai" account or my "Secret Radical Political Views" blog. I think once you've swapped keys with a potentially embarrassing website you lose some of the plausible deniability which ordinarily protects you from e.g. blackmail, surveillance, and so on. Even if it's a bit obscure, it's hard evidence that you have an account there.

User avatar
Earfolds
Member
Joined in 2008
AKA: Evil Ted

Re: Laptop/PC security setup
by Earfolds » Sun Apr 22, 2018 8:56 pm

OrangeRakoon wrote:Lots of the industry wants to move away from passwords because getting people to use passwords effectively is very difficult, not because passwords are inherently insecure.


That's the thing, though. We both agree that the way people use passwords is insecure. You say that passwords are fine if you use them effectively, but using them effectively is prohibitively difficult, not least because sufficiently complex passwords are so difficult to remember, and would have to change so often so as to make memorisation a useless exercise. This isn't the fault of the user, it's simply an inevitability as computers get more powerful, and cyber-attackers get more capable. You can already guess an 8-character password in around 30 seconds on a GPU. This is a problem that is only going to get worse so long as passwords remain a factor in authentication.

We both agree that having multiple factors in your identity authentication is imperative.

We both agree that account security is important.

We even both agree that a single biometric authentication method isn't secure enough to prove your identity.

The one thing we don't seem to agree on is whether it's important to read the spec behind WebAuthn before going on a tirade about how much worse than passwords it is.

OrangeRKN
SONM Sec.
Joined in 2015
Location: Reading, UK

Re: Laptop/PC security setup
by OrangeRKN » Sun Apr 22, 2018 9:50 pm

Earfolds wrote:The one thing we don't seem to agree on is whether it's important to read the spec behind WebAuthn before going on a tirade about how much worse than passwords it is.


I haven't said a single thing about WebAuthn or compared it to passwords ;)

Earfolds wrote:You can already guess an 8-character password in around 30 seconds on a GPU


If you're allowed to make login attempts as quickly as you like. If a website is letting attackers brute force passwords like that then that's a pretty major failing on their part.

Green Gecko
Director
Joined in 2008
Location: Sussex

Re: Laptop/PC security setup
by Green Gecko » Mon Apr 23, 2018 3:46 pm

Earfolds wrote:If you're advocating for the continued use of passwords, you either don't know anything about data security, or you have an ulterior motive.

By all means continue to use a password as one of several factors in your authentication, but don't try to kid yourself; your password is the weakest point in your account security.

I apologise for being so curt with you last time. Hopefully I've made myself clear here.

Just a note as it looks like you don't want to be patronising or curt, but you've tried not to be curt and done it there in that first sentence. It's not helpful to your cause trying to increase people's understanding of security by discrediting them absolutely like that.

And it's a bit unbecoming of a productive debate.

Mafro
Moderator
Joined in 2008
AKA: DAT MAF

Re: Laptop/PC security setup
by Mafro » Mon Apr 23, 2018 4:14 pm

Touch ID on my Mac, no antivirus and uBlock for Safari.

Jenuall
Member
Joined in 2008

Re: Laptop/PC security setup
by Jenuall » Mon Apr 23, 2018 4:22 pm

I haven't had a proper chance to read up on WebAuthn but a quick scan seems to indicate that authentication is a step handled by my local device, and that the agent to achieve this can be chosen by the user to take various kinds of credentials e.g. password, fingerprints, security tokens etc.

That's fine, so long as I can choose the authentication agent and select one which is reputable and requires 2FA then it doesn't sound too bad. Username + password + time limited token will do for me. Biometrics can certainly take the "username" part of that equation, just not the other parts! :lol:

Green Gecko
Director
Joined in 2008
Location: Sussex

Re: Laptop/PC security setup
by Green Gecko » Mon Apr 23, 2018 5:44 pm

Errkal wrote:
Green Gecko wrote:It's relatively easy to combine a cipher with long, memorable and unique phrases to create a password that is both strong and memorable.

Obviously password managers are easier. The trouble is they are putting all your eggs in one basket. If that memory is read or someone does something as simple as watch or record you, they have access to everything if they can also obtain the database (that part should actually be more difficult).

2 factor is very good.


The managers are encrypted unless you use a gooseberry fool one, and for many like lastpass the password is never seen, you don't show the password and copy and paste it, they auto fill your password fairless using a browser plugin that doesn't use your clipboard so recording or viewing does nothing.

If you are using a manager where you have to show the password then copy and paste it or type it in while you see it your manager is gooseberry fool and should be gotten rid of.

I always use 2FA where available and have that enabled on my lastpass to boost security of that as well as everything else.

Good point, I'm not sure if the clipboard is encrypted or not. But then your system would have to be compromised for that to matter.

Yes you can copy and paste blind with shortcuts.

The main issue with online methods is that merely being online it is a vector and they may not be available.

I do like that it is portable and shareable without any online requirements. So for example it's a good way to archive and back up passwords to, for example, hand them over to a client or supervisor in a safe encrypted format rather than sharing passwords in plain text in an email.... You can put a database on a USB stick and it's unreadable, it doesn't even matter if someone loses it.

Errkal
Social Sec.
Joined in 2011
Location: Hastings

Re: Laptop/PC security setup
by Errkal » Mon Apr 23, 2018 5:56 pm

Green Gecko wrote:I do like that it is portable and shareable without any online requirements. So for example it's a good way to archive and back up passwords to, for example, hand them over to a client or supervisor in a safe encrypted format rather than sharing passwords in plain text in an email.... You can put a database on a USB stick and it's unreadable, it doesn't even matter if someone loses it.


For something like that it is handy assuming the person on the other end isn't a plank.

Personally I don't like that for KeePass you have to sync a file about; it risks corruption and then you are properly shafted.

I'm fine with cloud as the company can't access my shiz as it is encrypted and has 2fa to double up protection.

It's all personal preference of course, as long as you are using something to ensure all passwords are unique then it's all good.

Green Gecko
Director
Joined in 2008
Location: Sussex

Re: Laptop/PC security setup
by Green Gecko » Mon Apr 23, 2018 6:01 pm

Yes I ended up literally gifting a last pass pro subscription to a client because after years of toing and froing I was finally done with answering questions about it, such advanced subjects as "what's the password for the passwords"? Or they had just lost the database.

Corruption is possible but with Dropbox or some other form of redundancy you can just revert to previous version, also you can't write to the file while it is open on another system.

It fits in quite well to existing networking solutions with portability in mind, no browser extensions or browser compatibility etc so an interesting solution. And it's open source and free.

I just can't be bothered setting something else up again, and I generally like file ownership however possible. For example with Dropbox yes a lot of my stuff is stored there but I can revoke it at any time and I always have local copies as well.

I guess the only thing I gave up was local email storage because webmail just got so good with gmail coming in. It was always shite before especially if you have barebones webmail for your own domain etc. I've considered going back to something like iMail or Thunderbird though because there is just so much gooseberry fool stored by a third party, email attachment etc it's literally gigabytes and gigabytes of data on everything and it's locked behind whatever they implement. A whole heap of people have no understanding of just what a target that is.

Before I only used private hosting and local email client.

Earfolds
Member
Joined in 2008
AKA: Evil Ted

Re: Laptop/PC security setup
by Earfolds » Mon Apr 23, 2018 8:12 pm

OrangeRakoon wrote:If you're allowed to make login attempts as quickly as you like. If a website is letting attackers brute force passwords like that then that's a pretty major failing on their part.

Circumvented by grabbing the database. Adobe's one was a pretty funny example, and one which really brought home how bad passwords can be.
