Post AQtvBX7DAVOpcWEbvE by gdbassett@mastodon.social
 Post #AQsdj5npEKNqQN3ldw by tiago@social.skewed.de
       2022-12-22T23:36:55Z
       
       0 likes, 0 repeats
       
       Using apps like LastPass — which require you to upload your passwords and a bunch of other info on all your online accounts — has always been the epitome of stupidity. This is why: https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/
       
 Post #AQsdo27EMjj4RAUaNE by Randallb@sigmoid.social
       2022-12-22T23:37:47Z
       
       0 likes, 0 repeats
       
       @tiago if you use the right ones which are publicly auditable, i.e. 1password, they’re better than almost anything else.
       
 Post #AQseExs4Frsj5kF3aq by tiago@social.skewed.de
       2022-12-22T23:42:40Z
       
       0 likes, 0 repeats
       
       @Randallb Definitely not better than FLOSS alternatives that keep your passwords off the “cloud” where they belong.
       
 Post #AQsfjofibhiDUZjz7I by Randallb@sigmoid.social
       2022-12-22T23:59:27Z
       
       0 likes, 0 repeats
       
       @tiago i mean that sounds nice in theory but not necessarily true. Auditable == open.
       
 Post #AQshW4PRUyWa9ghVp2 by kordinglab@neuromatch.social
       2022-12-23T00:19:09Z
       
       0 likes, 0 repeats
       
       @tiago not using one and having a key logger steal your info is worse
       
 Post #AQtEjdiMqJbnu8dB3I by tiago@social.skewed.de
       2022-12-23T06:31:37Z
       
       0 likes, 0 repeats
       
       @kordinglab No, with a keylogger they can get your master password, so you're screwed either way. Also, there's plenty of middle ground between not using a password manager and using a proprietary one that uploads all your passwords to the cloud.
       
 Post #AQtFeyRcRTWwhf8V0K by tiago@social.skewed.de
       2022-12-23T06:41:56Z
       
       0 likes, 0 repeats
       
       @Randallb Sorry, “auditable” ≠ open. Not even close. And furthermore, open ≠ no bugs, which is why it's good to keep your passwords with you. There's nothing theoretical about it: Gnome and KDE both have built-in password managers, and so does Firefox.
       
 Post #AQtpP1fMIFE2PZG17w by Randallb@sigmoid.social
       2022-12-23T13:22:26Z
       
       0 likes, 0 repeats
       
       @tiago sure and I guess if you look at 1pwd’s model it’s unclear how they’re any more secure than it.
       
 Post #AQtpakN4QBZEFNIB3Q by tiago@social.skewed.de
       2022-12-23T13:24:35Z
       
       0 likes, 0 repeats
       
       @Randallb They don't upload anything anywhere. The attack surface is substantially smaller.
       
 Post #AQtpgdTOyqVaai3t68 by kordinglab@neuromatch.social
       2022-12-23T13:25:25Z
       
       0 likes, 0 repeats
       
       @tiago what makes the 1passwd attractive to me is that I can use it on all my devices. It's easy to install. I reasonably trust them (although my trust was apparently a bit misplaced). And because I never have to type passwords (apart from the master password) it feels safe.
       
 Post #AQtqBrKTVvhmXem5y4 by tiago@social.skewed.de
       2022-12-23T13:31:16Z
       
       0 likes, 0 repeats
       
       @kordinglab I understand it's very convenient. But the idea that there is a central service that stores thousands of people's passwords is frankly absurd from a security perspective. I understand that the passwords are encrypted before they are uploaded, but the attack surface becomes so large that I would never feel safe with such a system. I store my passwords with the Gnome keyring and Firefox. I also only need to type the master password. But my passwords never leave my machine.
       
 Post #AQtqdUh3GcbCRjVoTw by kordinglab@neuromatch.social
       2022-12-23T13:36:03Z
       
       0 likes, 0 repeats
       
       @tiago but how do the passwords get to your phone? And also, as long as the master password does not leave my machine, is the attack surface a problem?
       
 Post #AQtrLLCZuwnzkbAMyW by tiago@social.skewed.de
       2022-12-23T13:44:10Z
       
       0 likes, 0 repeats
       
       @kordinglab They don't get to my phone. I lose that convenience. There is usually a trade-off between convenience and security, and this is what I choose. The larger attack surface is a problem because encryption is not fail-safe, and now there is a central point of failure. Don't underestimate the ability of someone cracking your master password if they have access to the raw ciphertext. See here: https://social.skewed.de/@gsuberland@chaos.social/109559625014104081 Besides, it may not be necessary for attackers to crack your master password. If they can crack one of your hundreds of encrypted passwords — for example because it's a simple password, or has been generated with a known or faulty algorithm — the attacker can go from there.
       
 Post #AQts3ahbeGT2Z9mNf6 by gdbassett@mastodon.social
       2022-12-23T13:52:10Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab The lack of convenience with passwords _is_ the issue. Far more breaches have occurred due to password reuse (often associated with credential stuffing) than from attacks on password managers. Cloud sync of passwords is a security-convenience trade-off, but for me personally, worth it. And at the macro level, likely worth it as well.
       
 Post #AQtsIMeQAoBtKXKls0 by tiago@social.skewed.de
       2022-12-23T13:54:52Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab No, the trade-off you mention doesn't exist. I don't reuse passwords, and they are all randomly generated and stored encrypted with a master password. I just don't upload them to the cloud. The attack surface is strictly smaller.
       
 Post #AQtsWxxWGACd5qEIme by tiago@social.skewed.de
       2022-12-23T13:57:31Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab I would be tempted to use a “cloud” service if I could use my own server like @nextcloud or something. I just think that a central server with hundreds of thousands of people's passwords — even if encrypted — is a truly terrible idea.
       
 Post #AQtsr45PBkrVt7VC40 by gdbassett@mastodon.social
       2022-12-23T14:01:08Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab While you should be applauded for sacrificing convenience for security, based on my experience cataloging breaches for the Data Breach Investigations Report you are likely the exception.
       
 Post #AQtsvjlaAFJoJcSSQa by tiago@social.skewed.de
       2022-12-23T14:02:00Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab @nextcloud I'll be damned, of course password storage on @nextcloud is a thing: https://nextcloud.com/de/blog/password-managers-for-nextcloud/ Will investigate more.
       
 Post #AQtt3RAvAc0oyKyveC by tiago@social.skewed.de
       2022-12-23T14:03:21Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab Which is a sad state of affairs, especially in view of the article linked at the top of this thread.
       
 Post #AQttDOxqFGkr0jcD3o by gdbassett@mastodon.social
       2022-12-23T14:05:10Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab yeah, the security community is well aware of the LastPass breaches. Honestly we appreciate their executive leadership being so forthcoming, though we are waiting to hear more specifics about what fields are and aren't encrypted to pass judgement.
       
 Post #AQttOqqcumqwfxhTO4 by tiago@social.skewed.de
       2022-12-23T14:07:14Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab Regardless of the severity, a distributed system would not be susceptible to any of this.
       
 Post #AQttZoKCdSxe2JlBFw by gdbassett@mastodon.social
       2022-12-23T14:09:14Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab @nextcloud "running your own server" is an interesting thing. (I once thought MS should make a personal server for homes and still run a Synology.) On the one hand it would be highly beneficial for lots of people to have their own servers. On the other, it prevents those people from taking advantage of economies of scale that have been highly beneficial (think Gmail's ability to filter spam). And there is still the single point of failure in the software produced.
       
 Post #AQttoOACBY65F41xAG by gdbassett@mastodon.social
       2022-12-23T14:11:50Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab assuming there are no vulnerabilities present in the software on every server (https://www.greynoise.io/blog/2022-a-look-back-on-a-year-of-mass-exploitation).
       
 Post #AQttuRSwosupDogixM by tiago@social.skewed.de
       2022-12-23T14:12:59Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab @nextcloud (I would not trust MS with any of this.) We would not need to have a single server per inhabitant of the planet; it would be fine to have a larger granularity. Remember the ISPs in the old days, from where you would get your email? That was the right model. I run my own server and my spam filter works just fine. We can have economies of scale by sharing filters, trained ML models, etc.
       
 Post #AQtu8CGi7Uxs8sWUoC by tiago@social.skewed.de
       2022-12-23T14:15:27Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab No, this assumption is not needed! Of course every implementation can have a vulnerability. But *all else being equal*, a distributed one has a strictly smaller attack surface in this context, since even if it is compromised, you cannot get *all* passwords at once.
       
 Post #AQtuENpM3dFTjEg4Tw by gdbassett@mastodon.social
       2022-12-23T14:16:32Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab @nextcloud in Microsoft's defense, they provide some of the best security on the planet these days. Local ISPs are reliant on the software provided to them and often lack the robust operations necessary to handle common cyber threats. (What local ISP is running a multi-person 24/7 dedicated SOC?)
       
 Post #AQtuSAs51aSFbHWovw by gdbassett@mastodon.social
       2022-12-23T14:19:02Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab but you don't need to get all the passwords at once, just before security response occurs. And that tends to be a race between the attacker's scripting and a small org's ops.
       
 Post #AQtuluBskhynerCP5s by tiago@social.skewed.de
       2022-12-23T14:22:35Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab I don't need to tell you that small servers are also less important targets. I find the “quality of software” argument strange, since it's the same for every scenario.
       
 Post #AQtuqPJeyEyhLlz3S4 by tiago@social.skewed.de
       2022-12-23T14:23:27Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab @nextcloud MS is subject to US government subpoenas, and for all I know probably actively collaborates with NSA mass surveillance.
       
 Post #AQtvBX7DAVOpcWEbvE by gdbassett@mastodon.social
       2022-12-23T14:27:15Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab @nextcloud Ultimately you have to pick your poison.  All software is made somewhere. https://mastodon.social/@dcoderlt@ohai.social/109547448673528370
       
 Post #AQtvXelLPt7ti0YWJs by gdbassett@mastodon.social
       2022-12-23T14:31:14Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab Attackers tend to be economically driven. A rising issue is to take critical vulnerabilities, automate their exploitation, and then sell the access. In our 2022 report (page 31, figure 43), from honeypot data, we observed a type of attacker sales funnel from scanning for hosts to executing an exploit.
       
 Post #AQtvxvCEwFyACrezGS by gdbassett@mastodon.social
       2022-12-23T14:33:01Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab Again, this is not to say this would apply to you.  I have no doubt you'd secure and patch your servers and services with alacrity. (Many security folks do as well.)  My concern is the broader population.
       
 Post #AQtvxvcTMix9WDvw9Y by tiago@social.skewed.de
       2022-12-23T14:36:00Z
       
       0 likes, 0 repeats
       
       @gdbassett @kordinglab I honestly don't understand how having a centralized global password storage can somehow be better for the broader population. I think this is madness.
       
 Post #AQtwaR3cvbzI1fzpNQ by gdbassett@mastodon.social
       2022-12-23T14:42:53Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab Thankfully there isn't a single centralized password manager. There's lastpass, 1Password, bitwarden, the password managers in browsers, in OSs, and many others. And it's definitely a balance (and one that isn't settled in the security community). For example, a common solution is to use 1password and sync the vault through something like dropbox.
       
 Post #AQtxY0fEBhNfXizVCa by gdbassett@mastodon.social
       2022-12-23T14:48:07Z
       
       0 likes, 0 repeats
       
       @tiago @kordinglab Here's @fsmontenegro, a friend and one of the best security analysts in the world, pontificating on how the security community sees the lastpass incident: https://infosec.exchange/@fsmontenegro/109563471808329552.