
Comment Re:This! (Score 1) 126

Not going to lie, I miss keepass and its autotype function. I tried to mock something up with xdotool but it never really worked right.

That is mostly what I did, though instead of a thumb drive I just used git to keep some copies around... though on Windows I just used scp because I had trouble with git-annex. I never trusted thumb drives that much. I have lost data from them, and if a backup procedure is too manual, I know I won't follow it.

Then I bought a yubikey, and the more I looked at it, the more attractive the password-store model was. Worst case, the only tools I really need are ssh, git, and OpenPGP. The only backup data, aside from my multiply-replicated repo, is my restoration keyring, which can be copied to several USB sticks and is valid for potentially a decade or more. I can toss one in a bank safe deposit box (and some day I will get around to doing that!)

You CAN set up a yubikey in OTP mode with keepass via a plugin, but OTP mode is suboptimal and could be very problematic if you have sync/backup issues.

Comment Re:This! (Score 1) 126

1. Yes but, you can have many git servers. Each repo is a full copy so central repos are basically throwaway. Lose one, make a new one, push to it.

2. The amount of available resources is amazing but, still, nobody cracks gpg-encrypted files; nobody is dumb enough to try. Keeping up with the tool chain and updating keys every few years as the recommendations and capabilities change should do you fine.

Generally, the weak point at which anyone would assault a gpg-based setup is either key storage or endpoint usage.

Nothing will stop malware you don't know about from scraping the decrypted passwords as you decrypt them. If you store keys locally in an exportable form and type the decryption passphrase, then it can all be stolen by malware as well.

However, if you store subkeys on hardware that can't export them and requires a touch, so it can't easily be used as an oracle... then the best they can do is that.

In this scheme each password has its own decryption session key, and that key is the only sensitive data that the hardware key works with. At best they get one message at a time, as you use them; and that requires that they own your endpoint in some way.

Comment Re:This! (Score 1) 126

In a twisted way it makes sense. File loss is more common a problem than actual compromise. This absolves them of needing to offer a solution.

Personally I ditched even keepass for password store because it solves this by supporting git for sync.

It's cross-platform and uses gnupg in the back end, meaning no custom encryption code and a well-known, trusted code base. Plus, because it is gpg-based, all but a couple of special snowflake implementations natively get the benefit of the hardware keys that gpg supports.

Since the gpg keys can be used as ssh keys, the whole process becomes seamless.

Comment Re:Cash (Score 1) 270

Sure they do; society is often piss-poor at determining who should be classified as a criminal. I shudder to think how terrible it would be if law were perfectly enforceable, especially since its creation remains so imperfect.

Society loses a ton when bad laws are enforced and criminality is used as a weapon to subjugate it.

Comment Re:Poor Governance (Score 1) 63

> It amazes me in this day and time that there are still rogue accounts in large enterprises

I would like to be shocked, but I got over that years ago. I actually got called to a desktop support case once that turned out to be "someone broke in". They did some random damage to equipment that didn't make sense (looked like they had a go at the floppy drive of an old laptop with a screwdriver, in a rather rude way).

Before I updated my ticket and left it up to security to deal with, though... I did think to check who the last logon was on the PC. My jaw hit the floor when I saw the name was clearly a test account. In a slight rage I typed the name of the test account in as the password and it logged me in.

Right there from the user's desk I looked up the name of someone in the domain admin group and called them up to confirm... the new production domain... the new one that was going to banish all the shared accounts with bad passwords... had well-known test accounts with obvious names and passwords.
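The check the comment above describes by hand (look for obviously-named test accounts, try the username as the password) can be run as a routine audit. The following is an added example, not code from the commenter or from any directory product: it flags enabled accounts whose names match test/shared patterns, tries a small, configurable guess list (by default only the username itself, to stay clear of lockout thresholds) through a caller-supplied login callback, and notes passwords set never to expire. The account list, the password table and the `demo_try_login` callback are constructed stand-ins; in practice the callback would be an LDAP bind or similar against the real directory, run with the account owner's knowledge.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

# Name shapes that usually mean "nobody owns this account". Heuristic and
# constructed for this example; extend it with your own naming conventions.
SUSPECT_NAME_PATTERNS = [
    re.compile(r"^(test|tst|temp|tmp|demo|dummy|guest|svc|service|shared)([-_.]?\w*)?$", re.I),
    re.compile(r"(test|temp|tmp)\d*$", re.I),
]


@dataclass
class Account:
    name: str
    enabled: bool
    password_never_expires: bool = False


@dataclass
class Finding:
    name: str
    reasons: List[str] = field(default_factory=list)


def suspicious_name(name: str) -> bool:
    return any(p.search(name) for p in SUSPECT_NAME_PATTERNS)


def audit(accounts: Iterable[Account],
          try_login: Callable[[str, str], bool],
          extra_guesses: Optional[List[str]] = None) -> List[Finding]:
    """Return one Finding per enabled account with at least one problem.

    try_login(username, password) must return True on a successful logon.
    Every guess is a real authentication attempt against the directory, so the
    default guess list is just the username; keep extra_guesses short and below
    the domain's lockout threshold.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts cannot be used to log on
        reasons = []
        if suspicious_name(acct.name):
            reasons.append("name looks like a test/shared account")
        guesses = [acct.name, acct.name.lower()] + list(extra_guesses or [])
        for guess in dict.fromkeys(guesses):  # de-duplicate, keep order
            if try_login(acct.name, guess):
                reasons.append(f"logs in with password {guess!r}")
                break  # one hit is enough; do not burn more attempts
        if acct.password_never_expires:
            reasons.append("password never expires")
        if reasons:
            findings.append(Finding(acct.name, reasons))
    return findings


# Constructed sample directory export; stands in for an AD/LDAP query.
DEMO_ACCOUNTS = [
    Account("jsmith", True),
    Account("test1", True),
    Account("guest", True, password_never_expires=True),
    Account("svc-backup", True, password_never_expires=True),
    Account("olddemo", False),
]

# Constructed password table so the example runs offline; a real audit would
# bind against the directory instead of looking passwords up.
_DEMO_PASSWORDS = {
    "jsmith": "R3ally-Long&Random",
    "test1": "test1",
    "guest": "guest",
    "svc-backup": "B@ckup-2016-strong",
    "olddemo": "olddemo",
}


def demo_try_login(username: str, password: str) -> bool:
    return _DEMO_PASSWORDS.get(username) == password


if __name__ == "__main__":
    for f in audit(DEMO_ACCOUNTS, demo_try_login):
        print(f.name + ": " + "; ".join(f.reasons))
```

With the constructed data this reports `test1`, `guest` and `svc-backup` and stays silent on `jsmith`; the disabled `olddemo` is skipped even though its password is its own name, which is worth a second audit pass for accounts that get re-enabled.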

Comment Re:Scammers don't use real numbers (Score 1) 97

Right, I don't actually DO any of the things I was claiming, I just lie to him. It's so much easier than actually going through with it. I put him on speakerphone and go about my business while I fuck with him.

No videos, but one dude totally caught on and started singing to me before he hung up.

Comment Re:Scammers don't use real numbers (Score 1) 97

> The scammers have become wise to this. They refuse to deal with Windows 98 and Windows XP on grounds that Microsoft has announced their end of support.

So much effort anyway... it's easier not to set up a VM and... get this... lie to them.

It's fun. Treat it like a video game. It's role-playing practice. You've just rolled a new character, "stupid user". Just pretend to be the dumbest user you ever tried to help, and imagine what issues they might encounter. Feel free to be "too smart for your own good".

My favorite was when one guy asked me to open a link "in chrome". I agreed. 3 mins later he is asking "what's going on now?" "oh I am installing chrome" "oh so you have a web... ok". He waited another 5 minutes before checking in again.

Hint: I wasn't installing chrome

Comment Re:Old movies (Score 2) 257

I love Dr Who but I had to come to terms with the fact that it is not really science fiction so much as science-fiction-themed fantasy. It is well-written fantasy and it plays at being science fiction but, really, they just do whatever.

In fact, we are not alone; I recently found a rant that sums it up well. I still watch the show but it's a good steady fuck buddy, not really relationship material: https://www.youtube.com/watch?...

Comment Re:headline resummarized: Tor!=Panacea (Score 1) 55

> I like the idea of running tor on a separate VM from the one you do your browsing on.

It is a proxy, and most of the attack vectors attack the end client, not the network itself... the tor client needs internet access; the client behind it can only harm itself with direct access... so don't give it any... not even DNS, nothing. Just port 9050 alone and only one responding IP.

Maybe drop another interface on there and log all the non-port 9050 traffic as well :)

Comment Re:headline resummarized: Tor!=Panacea (Score 1) 55

That is not the very least. That is a whole bunch of extra work when entire distributions exist just to obviate the need for this. Take a look at tails.

It is, of course, recommended to put it on a USB stick and clean-boot hardware off the stick to use it; however, there is nothing stopping you from bringing it up in a VM if you are OK with the trade-offs.

It accomplishes the same thing, for less work, and with a much larger already-set-up base which will be identical to other users, in ways that increase the work of differentiating you from other users.

Also, it is possible to jail an environment better... What you really want on your VM is to jail it onto a network segment with no gateway where its only connection to the outside world is a tor client on a second VM.

Which I care enough to state, not enough to even set up for myself. I have a few tails sticks for the few things I really need a secure environment for... so far that means mostly for times I want to drop off the network entirely in order to work with key generation.
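The two Tor comments above rest on one protocol detail: if the jailed VM can only reach the tor client on port 9050 and has no DNS, every application inside it must hand the destination hostname to Tor over SOCKS5 rather than resolving it locally, and anything that tries to resolve locally simply fails instead of leaking. The block below is an added example, not code from the commenter or from the Tor project. It builds the SOCKS5 greeting and a CONNECT request that carries the hostname (address type 0x03, so Tor does the resolution), reads and interprets the reply, and wraps the exchange around a plain socket for the gateway address the jail permits. `ScriptedProxy` is a constructed stand-in for Tor's SOCKS port so the exchange runs offline; `open_via_tor` is the real-socket version and assumes the tor client is listening on 127.0.0.1:9050 (or whichever single IP the jail allows).

```python
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928 section 6.
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


class SocksError(Exception):
    pass


def build_greeting() -> bytes:
    # VER=5, one method offered, method 0x00 = no authentication.
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT with ATYP=0x03: the raw hostname goes to the proxy, which resolves
    it. The client side never issues a DNS query, so a VM with no DNS still works."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise SocksError("proxy closed the connection")
        buf += chunk
    return buf


def read_reply(sock):
    """Consume one SOCKS5 reply (including the variable-length BND.ADDR) and
    return (code, description)."""
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise SocksError("unexpected SOCKS version %d" % ver)
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    else:
        raise SocksError("bad address type %d in reply" % atyp)
    _recv_exact(sock, 2)  # BND.PORT
    return rep, REPLY_CODES.get(rep, "unknown reply code")


def socks5_connect(sock, host: str, port: int) -> None:
    """Run the full client side of the exchange on an already-open socket."""
    sock.sendall(build_greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise SocksError("proxy did not accept the no-auth method")
    sock.sendall(build_connect(host, port))
    rep, text = read_reply(sock)
    if rep != 0x00:
        raise SocksError("CONNECT to %s:%d failed: %s" % (host, port, text))


def open_via_tor(host: str, port: int, proxy=("127.0.0.1", 9050), timeout=60):
    """Open a TCP stream to host:port through the tor SOCKS port. The only
    address this code ever dials directly is `proxy`, which is exactly what the
    jail's firewall should permit; everything else is inside the tunnel."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        socks5_connect(sock, host, port)
    except Exception:
        sock.close()
        raise
    return sock


class ScriptedProxy:
    """Constructed stand-in for Tor's SOCKS listener: records what the client
    sends and replays canned answers, so the exchange can be exercised offline."""

    def __init__(self, responses):
        self.sent = b""
        self._buf = b"".join(responses)

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        chunk, self._buf = self._buf[:n], self._buf[n:]
        return chunk
```

The useful property for the jailed-VM layout is visible in `build_connect`: the destination leaves the VM as a hostname inside the SOCKS request, so the firewall can drop every packet that is not to the gateway's port 9050, including UDP/53, without breaking anything that speaks SOCKS5 this way. An application that insists on resolving names itself will fail loudly in that VM rather than leak, which is the failure mode you want.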
