bcl @bcl@infosec.exchange

Some more #LastPass research, once again proving that locally encrypted passwords don't necessarily result in data being safe/private on their server. Issue reported November last year, supposedly fixed (I have my doubts).

#infosec #passwords #bugbounty

https://palant.de/2019/03/18/should-you-be-concerned-about-lastpass-uploading-your-passwords-to-its-server

Not the conclusion I expected: "The point should no longer be that we want the right to use the web anonymously to remain. We should rather fight to get this right back, because at some point somewhere along the way we lost it and nobody noticed." This post is the more explicit version of my thread here yesterday.

https://palant.de/2019/03/12/how-much-privacy-do-you-have-left-on-the-web

#privacy #anonymity

dnscrypt-proxy 2.0.20 released

"Cloaking can now do load-balancing between sets of IPv4 and IPv6 addresses, and startup time has been drastically reduced when using many DoH servers."

https://github.com/jedisct1/dnscrypt-proxy/releases/tag/2.0.20

"How To Get Started on Mastodon and Leave Twitter Behind" by Max Eddy https://www.pcmag.com/article/364850/how-to-ditch-twitter-and-join-mastodon

Pinafore got a shout-out in PCMag! Maybe I should offer a plastic-wrapped Pinafore CD-ROM in their next issue

i'm not even saying "ugh security is hard" i'm saying the attack surface for ssh has been understood for Quite Awhile and we should have decent defaults to make it SAFE to use. Which means:

1. Deny root login
2. Deny password authentication
3. Require public-key authentication
4. Close off any deprecated key exchange methods
5. Auto-ban brute force attempts

That's like. A minimum best effort. Really.

Really.

#Slub: New backdoor malware hits Slack and Github platforms

“The attackers also appear to be professionals, based on their way of handling their attack. They only use public third party services, and therefore did not need to register any domains or anything else that could leave a trail. The few email addresses we found during the investigation were also using trash email systems, giving the attackers a clean footprint” researchers added.

https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/

So, now that someone has found a better version of SPECTRE and Meltdown that you can execute from Javascript, what are we going to do? Source: https://arxiv.org/pdf/1903.00446.pdf

Governments should not use face surveillance tools. Rather, they must confront how damaging this surveillance technology is to the people they have a duty to protect. https://www.eff.org/deeplinks/2019/02/governments-must-face-facts-about-face-surveillance-and-stop-using-it

I need input on this suggested #Keybase integration in Mastodon. I have provided a summary of what I know here:

https://github.com/tootsuite/mastodon/pull/10013#issuecomment-468790773

#mastodev

Just published on opensource.com - writeup on Reducing Security Risks with Centralized Logging https://opensource.com/article/19/2/reducing-security-risks-centralized-logging

pretty cool ( thanks @nusenu )

"I've put out a new ansible relayor release to make running Tor relays easier."

- tor's Sandboxing is now also enabled on Ubuntu by default

- OpenBSD is now a first class relayor citizen

- tor alpha version is now v0.4.0.x

https://github.com/nusenu/ansible-relayor/releases/tag/v19.0.0

Don't have enough money for a GPU Hashcracker?
Spin one up in AWS*!

Guess every 8 character (Upper, Lower, Number, Symbol) password** in 3 hours, 10 minutes!

Not bad for $25 an hour.
----
* p3.16xlarge 8x Tesla V100 GPU Instance
** NTLM (Windows) Hash

#hacking #cracking #hashcat #infosec

A reminder that if you want to support a small business making the best #keyboards in existence, a group of Lexmark employees once bought the buckling-spring #keyboard manufacturing rights from IBM and the factory where they were made and formed this company, who will sell you a brand new one https://www.pckeyboard.com/

OnionShare 2 adds anonymous dropboxes, supports new Tor addresses, and is translated into a dozen new languages https://micahflee.com/2019/02/onionshare-2/