I am going to preface this by stating that I got very little sleep last night and I don't feel well so if this is less than coherent, I apologize in advance.
eRe4s3r wrote on Dec 30, 2021, 07:02:
2FA via SMS is 0FA
That said, if your local machine is pwned then it doesn't really matter
I don't disagree about SMS, personally, but many companies go with SMS 2FA because it is the lowest, and cheapest, hanging fruit.
The problem we need to get away from, that is decades in the making, is user+interface+base system access=usage. We also need to completely reject authenticator apps as being "secure". I'll explain more below in my response to MLTS:
MoreLuckThanSkill wrote on Dec 30, 2021, 11:04:
Many questions, snipped for brevity...
Let me start off by explaining my computing posture. I operate under the mindset of zero trust.
But I incorporate the concept of inherently distrusting people as well as systems. I have been called paranoid, on this very board, because I have dead man's switches in all my computing devices that will wipe the entire device if and when those switches are tripped. This is because I cannot neither guarantee nor trust that a bad actor will not gain physical access to any of my devices. As Steve Wozniak once said "Never trust a computer you can't throw out of a window" and as Andy Grove once said "Only the paranoid survive". Given my profession and philosophy, I'm at a higher risk for being compromised than, say, some guy growing apples in Washington state.
There will be people who disagree with me but I do not trust autheticator apps in the slightest. The most frequent platform to deploy an authenticator app? A mobile device. Which platform is the biggest target for bad actors? Mobile devices. So if your device is compromised, you cannot guarantee nor trust that your apps on the same device are not also compromised. A read-only cryptokey, like a Yubikey or others, is damn near impossible to compromise in and of itself. So, in my opinion, they are a safer bet than authenticator apps. For myself, I create my own cryptokeys so they aren't so obvious and look like run of the mill USB keys that any nerd like myself would carry around. You can start with any USB key you have laying around and following this guide.
It starts off with the easy use of USB PAM in Linux and, further from there if you choose to, you can build your own cryptokey with about $5 bucks in parts.
Building on that, I also highly recommend using an OS with an immutable system base like Fedora Silverblue for system security. It's hard to be compromised when malware cannot attack the system and only has write access to userland. Userland which will prompt you for any tasks that require elevation. It is incumbent on the user to know why something is asking for their credentials to perform a task. This requires diligence and attentiveness which you, as a user, should be practicing anyway. Moreover, your applications will be in a mostly secure sandboxed environment since they are Flatpaks. Think of them as self contained modules which don't require being installed in to the system base to be functional. Like software Legos. macOS already does this, by the way. Only Windows is slow to improve security. I guess pretty but useless taskbars are more important.
The next two layers in this "Why the fuck did I ask this paranoid nerd these questions" cake is virtualization and obfuscation. I, personally, have a host OS with another virtual machine atop it based on Fedora Silverblue for tasks like banking, using a VPN to access work, and other tasks that I want to make as secure as possible. If I think, for whatever reason, that the guest OS is compromised, I can easily blow it away without affecting the host OS and be back in business in under an hour. At no point do I have to worry about the two intermingling. Since most of us are rocking quad cores or better, it's not much of a performance issue since you're only using the virtual machine for very specific tasks and you're not letting it run continuously. Since you're on Linux, you'll want to use QEMU/KVM instead of Virtualbox for this and use Virtual Machine Manager to configure and manage the virtual machine. In my opinion, QEMU/KVM is the best virtualization for desktop Linux that is both more performant and configurable. The plus side is that you're not using Oracle garbage, either.
Next is obfuscation. You've no doubt heard that "Security through obfuscation is not security at all"...which is true. But it can be an effective layer in your overall stack. For example, I am using what is called a "user agent switcher" or UAS. What this allows me to do is lie to websites about which browser and OS I am using. For example, if Blue or Franz were to dig in to the logs, they would find that I am "on" Windows 10 using Firefox 95...which is far from the truth. However, if I hit a website that is compromised and the bad actors yell "JACKPOT! We have an exploit for Windows 10 and/or Firefox 95! Fire the payload"...then nothing happens. Another good obfuscation trick is MAC address randomization. I believe both the latest versions of iOS and Android do this. You can pull off this trick on Linux, too
However, be advised that this is only really useful to prevent eavesdropping on a local network. It is great on a laptop if you happen to be using public wifi, though. Now, you probably already know about VPNs so the only thing I will point out is to use a VPN that has multi-route support. What that means is that, for example, you connect to their Dallas node but your traffic doesn't exit the Dallas node. Instead, it routes your traffic to Switzerland or France or Germany and your traffic exits there.
Finally, "hacking" is nothing more than understanding a system well enough to exploit it for your use. It is neither inherently good nor bad. So learning "hacking" skills is good for both defense and survival. Take the time to learn how your system/device can be exploited and either exploit it for your own purposes or create deterrents for those who would try to do the same to you.
"Just take a look around you, what do you see? Pain, suffering, and misery." -Black Sabbath, Killing Yourself to Live.