13 Replies. 1 pages. Viewing page 1.
1.
Burrito of Peace
Re: Evening Safety Dance
Dec 29, 2021, 19:58
Passwords alone are insufficient security, no matter where you store them. 2FA is barely sufficient for most things if that 2FA is based on randomized codes sent by SMS.

My setup is to use a USB key via passthrough plus password in a sanitized, sandboxed environment for critical tasks. Naturally, neither the host nor the guest OS are Windows based.
"Just take a look around you, what do you see? Pain, suffering, and misery." -Black Sabbath, Killing Yourself to Live.

“Man was born free, and he is everywhere in chains” -Jean-Jacques Rousseau
2.
eRe4s3r
Re: Evening Safety Dance
Dec 30, 2021, 07:02
Burrito of Peace wrote on Dec 29, 2021, 19:58:
Passwords alone are insufficient security, no matter where you store them. 2FA is barely sufficient for most things if that 2FA is based on randomized codes sent by SMS.

My setup is to use a USB key via passthrough plus password in a sanitized, sandboxed environment for critical tasks. Naturally, neither the host nor the guest OS are Windows based.

2FA via SMS is 0FA
^^

That said, if your local machine is pwned then it doesn't really matter
3.
MoreLuckThanSkill
Re: Evening Safety Dance
Dec 30, 2021, 11:04
Burrito of Peace wrote on Dec 29, 2021, 19:58:
Passwords alone are insufficient security, no matter where you store them. 2FA is barely sufficient for most things if that 2FA is based on randomized codes sent by SMS.

My setup is to use a USB key via passthrough plus password in a sanitized, sandboxed environment for critical tasks. Naturally, neither the host nor the guest OS are Windows based.

What does this mean exactly, for most websites, banking, etc.? I have several websites I have to use for work or banking, and they only have an option for Password plus Phone SMS; only one website even has an option for Password + 'Secure' Phone App, which I just have to hope is valid, since it's not like I personally vetted each of those few app options or anything, or that those apps won't get hacked in the future without anybody knowing.

I know you basically run IT for one company, so I guess you mean you set up your own USB key (homebrew application or commercial program/device?) setup there, but a lot of places don't even give those kinds of options, as far as I can tell.

That said, I do all my banking or job work online via a Linux box and the above, but a lot of those decisions are really out of the end user's control.

It probably bores you guys to tears to talk any sort of 'work' topic on a game website of old farts, but it seems like hacking is only going to get worse as time goes on, and I'd like to not get robbed online anytime soon.

*EDIT* Quick google: like these hardware devices? Bringing back Dongles?

Further googling: Apparently some banks such as Evil Bank of America have that dongle option, but as I said, the vast majority of sites I have don't seem to support it, although I guess I need to start asking around.

*EDIT 2* Okay, multiple pages deep, some financial institutions do seem to have at least Password + My Proprietary Phone App, or Corporate Security App, as options. Sigh, now to read up on each one of these fucking apps.

This comment was edited on Dec 30, 2021, 11:27.
4.
RedEye9
Re: Evening Safety Dance
Dec 30, 2021, 11:16
It probably bores you guys to tears to talk any sort of 'work' topic on a game website of old farts, but it seems like hacking is only going to get worse as time goes on, and I'd like to not get robbed online anytime soon.
I don't get bored and always learn from these discussions.
They really need to put whoever is in charge of AriZona iced tea in control of inflation...
5.
eRe4s3r
Re: Evening Safety Dance
Dec 30, 2021, 11:41
MoreLuckThanSkill wrote on Dec 30, 2021, 11:04:
Burrito of Peace wrote on Dec 29, 2021, 19:58:
Passwords alone are insufficient security, no matter where you store them. 2FA is barely sufficient for most things if that 2FA is based on randomized codes sent by SMS.

My setup is to use a USB key via passthrough plus password in a sanitized, sandboxed environment for critical tasks. Naturally, neither the host nor the guest OS are Windows based.

What does this mean exactly, for most websites, banking, etc.? I have several websites I have to use for work or banking, and they only have an option for Password plus Phone SMS; only one website even has an option for Password + 'Secure' Phone App, which I just have to hope is valid, since it's not like I personally vetted each of those few app options or anything, or that those apps won't get hacked in the future without anybody knowing.

I know you basically run IT for one company, so I guess you mean you set up your own USB key (homebrew application or commercial program/device?) setup there, but a lot of places don't even give those kinds of options, as far as I can tell.

That said, I do all my banking or job work online via a Linux box and the above, but a lot of those decisions are really out of the end user's control.

It probably bores you guys to tears to talk any sort of 'work' topic on a game website of old farts, but it seems like hacking is only going to get worse as time goes on, and I'd like to not get robbed online anytime soon.

*EDIT* Quick google: like these hardware devices? Bringing back Dongles?

Further googling: Apparently some banks such as Evil Bank of America have that dongle option, but as I said, the vast majority of sites I have don't seem to support it, although I guess I need to start asking around.

*EDIT 2* Okay, multiple pages deep, some financial institutions do seem to have at least Password + My Proprietary Phone App, or Corporate Security App, as options. Sigh, now to read up on each one of these fucking apps.

Apps are better, as long as they aren't a hidden euphemism for "2FA via SMS".
Examples: Google/PayPal both use authenticator apps, rotating numerical PINs that nobody can ever hack.
Meanwhile my bank uses chipTAN, meaning I have a card reader at home for my own card, that generates a PIN completely aside from anything that could be hacked, and once I use it, it is gone after 10 minutes.

Point is, there are a lot of ways to make yourself more secure.
Least secure is definitely SMS, since the messages are cached in the background traffic on cell towers, and anyone with a $50 device can read them out in real time. They are plaintext.
6.
Re: Evening Safety Dance
Dec 30, 2021, 13:28
So he already had malware installed on his machine, and instead of logging keys or something else, it just stole the stored passwords. Not like that is some kind of new nefarious twist other than all the passwords being in one convenient place, I guess. A lot of the scare stories always make it sound like there is some massive new security flaw that we should be terrified of, but when you read the details, the person's machine was already compromised in some way.
7.
Burrito of Peace
Re: Evening Safety Dance
Dec 30, 2021, 17:23
I am going to preface this by stating that I got very little sleep last night and I don't feel well so if this is less than coherent, I apologize in advance.

eRe4s3r wrote on Dec 30, 2021, 07:02:
2FA via SMS is 0FA
^^

That said, if your local machine is pwned then it doesn't really matter

I don't disagree about SMS, personally, but many companies go with SMS 2FA because it is the lowest, and cheapest, hanging fruit.

The problem we need to get away from, that is decades in the making, is user+interface+base system access=usage. We also need to completely reject authenticator apps as being "secure". I'll explain more below in my response to MLTS:

/---\

MoreLuckThanSkill wrote on Dec 30, 2021, 11:04:
Many questions, snipped for brevity...

Let me start off by explaining my computing posture. I operate under the mindset of zero trust. But I incorporate the concept of inherently distrusting people as well as systems. I have been called paranoid, on this very board, because I have dead man's switches in all my computing devices that will wipe the entire device if and when those switches are tripped. This is because I can neither guarantee nor trust that a bad actor will not gain physical access to any of my devices. As Steve Wozniak once said, "Never trust a computer you can't throw out of a window", and as Andy Grove once said, "Only the paranoid survive". Given my profession and philosophy, I'm at a higher risk for being compromised than, say, some guy growing apples in Washington state.

There will be people who disagree with me but I do not trust authenticator apps in the slightest. The most frequent platform to deploy an authenticator app? A mobile device. Which platform is the biggest target for bad actors? Mobile devices. So if your device is compromised, you cannot guarantee nor trust that your apps on the same device are not also compromised. A read-only cryptokey, like a Yubikey or others, is damn near impossible to compromise in and of itself. So, in my opinion, they are a safer bet than authenticator apps. For myself, I create my own cryptokeys so they aren't so obvious and look like run of the mill USB keys that any nerd like myself would carry around. You can start with any USB key you have lying around and follow this guide. It starts off with the easy use of USB PAM in Linux and, further from there if you choose to, you can build your own cryptokey with about $5 in parts.

Building on that, I also highly recommend using an OS with an immutable system base like Fedora Silverblue for system security. It's hard to be compromised when malware cannot attack the system and only has write access to userland. Userland which will prompt you for any tasks that require elevation. It is incumbent on the user to know why something is asking for their credentials to perform a task. This requires diligence and attentiveness which you, as a user, should be practicing anyway. Moreover, your applications will be in a mostly secure sandboxed environment since they are Flatpaks. Think of them as self contained modules which don't require being installed into the system base to be functional. Like software Legos. macOS already does this, by the way. Only Windows is slow to improve security. I guess pretty but useless taskbars are more important.

The next two layers in this "Why the fuck did I ask this paranoid nerd these questions" cake is virtualization and obfuscation. I, personally, have a host OS with another virtual machine atop it based on Fedora Silverblue for tasks like banking, using a VPN to access work, and other tasks that I want to make as secure as possible. If I think, for whatever reason, that the guest OS is compromised, I can easily blow it away without affecting the host OS and be back in business in under an hour. At no point do I have to worry about the two intermingling. Since most of us are rocking quad cores or better, it's not much of a performance issue since you're only using the virtual machine for very specific tasks and you're not letting it run continuously. Since you're on Linux, you'll want to use QEMU/KVM instead of Virtualbox for this and use Virtual Machine Manager to configure and manage the virtual machine. In my opinion, QEMU/KVM is the best virtualization for desktop Linux that is both more performant and configurable. The plus side is that you're not using Oracle garbage, either.

Next is obfuscation. You've no doubt heard that "Security through obfuscation is not security at all"...which is true. But it can be an effective layer in your overall stack. For example, I am using what is called a "user agent switcher" or UAS. What this allows me to do is lie to websites about which browser and OS I am using. For example, if Blue or Franz were to dig into the logs, they would find that I am "on" Windows 10 using Firefox 95...which is far from the truth. However, if I hit a website that is compromised and the bad actors yell "JACKPOT! We have an exploit for Windows 10 and/or Firefox 95! Fire the payload"...then nothing happens. Another good obfuscation trick is MAC address randomization. I believe both the latest versions of iOS and Android do this. You can pull off this trick on Linux, too. However, be advised that this is only really useful to prevent eavesdropping on a local network. It is great on a laptop if you happen to be using public wifi, though. Now, you probably already know about VPNs so the only thing I will point out is to use a VPN that has multi-route support. What that means is that, for example, you connect to their Dallas node but your traffic doesn't exit the Dallas node. Instead, it routes your traffic to Switzerland or France or Germany and your traffic exits there.

Finally, "hacking" is nothing more than understanding a system well enough to exploit it for your use. It is neither inherently good nor bad. So learning "hacking" skills is good for both defense and survival. Take the time to learn how your system/device can be exploited and either exploit it for your own purposes or create deterrents for those who would try to do the same to you.
"Just take a look around you, what do you see? Pain, suffering, and misery." -Black Sabbath, Killing Yourself to Live.

“Man was born free, and he is everywhere in chains” -Jean-Jacques Rousseau
8.
MoreLuckThanSkill
Re: Evening Safety Dance
Dec 30, 2021, 18:40
Thanks for the replies, and Burrito of Peace, way to feed my personal paranoia about mobile phone apps. I almost entirely avoid phone apps, unless I have to use one for work or something, because there doesn't seem to be any trustworthy authority vetting all of these sufficiently in the first place, then of course, if the phone itself is compromised...

I will look into professionally made USB keys or making my own as you suggest, (your link seems broken at the moment but I will google it later) but I definitely don't see all my various work sites and others supporting these USB Keys, unless you are getting them to act as basically an authenticator application? I do see support for things like Yubikey listed on bigger websites like Amazon/Google etc. obviously. What the hell happens if you old-school lose the dongle, or it breaks? 2 hour phone call to support?

I know you suggest VPNs, but of course those can be compromised, bought out or outright run by nefarious agents in the first place too...

I guess I will also read up on using virtual machines as you say.

Now I'm tempted to just throw all my computers into a pile and sledgehammer them to pieces though, knowledge = depression.
9.
RedEye9
Re: Evening Safety Dance
Dec 30, 2021, 18:53
MoreLuckThanSkill wrote on Dec 30, 2021, 18:40:
I know you suggest VPNs, but of course those can be compromised, bought out or outright run by nefarious agents in the first place too...
Generally speaking, the secret to using a VPN is avoiding the free ones.
I've used PIA Private Internet Access before, they're fine. Currently having a sale.
https://www.privateinternetaccess.com/order/PIA_HOLIDAY2021E3?
3 years for $80.
That's a decent price.
They really need to put whoever is in charge of AriZona iced tea in control of inflation...
10.
Burrito of Peace
Re: Evening Safety Dance
Dec 30, 2021, 21:29
My recommendation for a commercial VPN is Proton since they do have a multi-route solution called "Secure Core".

It's what I personally use when I need to use something other than my own VPN setup.

If you're concerned about using a third party VPN, you can always setup your own either at home or on a VPS with WireGuard.

I don't trust any mobile device or anything on it. I barely use mine for the very rare phone call or Wire messaging. I never text.

My future plan is being completely off-grid and eschewing technology as much as possible. Part of that is because I am beyond burned out. The other part is because we've jumped the shark. We've rushed to put everything online for the sake of convenience with security often treated as an afterthought with ridiculously undersized budgets that are only begrudgingly allocated. How many breaches have there been this year, for example? That's only going to get worse.

EDIT: I clicked on all three links and they came up fine for me. But just in case;

Zero trust: https://en.wikipedia.org/wiki/Zero_trust_security_model
PAM USB key: https://github.com/ColumPaget/pam_usbkey
MAC randomization: https://greycoder.com/how-to-set-your-mac-address-randomly-using-linux/

Second EDIT:

The reason I recommend Proton over, say, PIA is the legal protection that Proton provides. PIA, for example, is based in the US which as we know has absolutely piss poor data privacy and protection laws. Moreover, it is far easier in the US to have your data subpoenaed by anyone with a badge. Proton, on the other hand, is based in Switzerland which has some of the strongest and most well tested data privacy and protection laws in the world. They have a zero compliance policy with foreign governments and only respond to Swiss government requests. Given the US government's historic record of unlawful and unannounced surveillance of its citizens, often with the enablement by corporations, anything based in the US is the last place I would want to trust for a secure VPN solution.

As I said previously, however, if you have the desire, you'll roll your own VPN solution and include jumphosts at different VPS providers around the world and set each host as a strict no-log server.

This comment was edited on Dec 30, 2021, 21:55.
"Just take a look around you, what do you see? Pain, suffering, and misery." -Black Sabbath, Killing Yourself to Live.

“Man was born free, and he is everywhere in chains” -Jean-Jacques Rousseau
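For the roll-your-own option in this reply (WireGuard on a VPS), the following is an added configuration example, not something any poster provided. The tunnel range 10.8.0.0/24, the hostname vps.example.net, the interface name eth0 and the bracketed key placeholders are all assumptions; the real keys come from `wg genkey` and `wg pubkey` on each machine, and only public keys cross the wire. It shows the two halves of a single-hop tunnel: the VPS forwards and masquerades, the laptop routes everything through it.

```ini
# --- /etc/wireguard/wg0.conf on the VPS (server side) ---
# Assumes net.ipv4.ip_forward=1 is set via sysctl and that the public interface is eth0.
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>
PostUp     = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown   = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# The laptop. AllowedIPs is a /32: the server accepts and routes only this tunnel address for this key.
PublicKey  = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32

# --- /etc/wireguard/wg0.conf on the laptop (client side) ---
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <LAPTOP_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey           = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint            = vps.example.net:51820
# 0.0.0.0/0 sends all IPv4 through the tunnel (wg-quick installs the routes); add ::/0 if the VPS has IPv6.
AllowedIPs          = 0.0.0.0/0
PersistentKeepalive = 25
```

Bring each side up with `wg-quick up wg0`. `wg show` reports each peer's endpoint and last handshake, which is the only per-peer state the kernel keeps, so the "strict no-log" property the reply asks for is mostly about what you choose not to record on the VPS in addition. Chaining several such tunnels across providers gives the multi-route layout described earlier, with the caveat that each hop still sees the address of the next.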
11.
Mr. Tact
Re: Evening Safety Dance
Dec 30, 2021, 21:34
RedEye9 wrote on Dec 30, 2021, 18:53:
I've used PIA Private Internet Access before, they're fine. Currently having a sale.
https://www.privateinternetaccess.com/order/PIA_HOLIDAY2021E3?
3 years for $80.
Thanks for passing the word. This is something I've been meaning to do for a while now and I just never got around to it. PIA was at the top of my list already from a RL friend recommendation from someone who has been in the IT field as long as BoP and I have been (and you too Redeye?). Anyway, at $80 for 40 months (36 + 4 months free) I didn't see how I couldn't sign up -- especially since I've known for a long time I needed to.
“Extinction is the rule. Survival is the exception.” -- Carl Sagan
12.
RedEye9
Re: Evening Safety Dance
Dec 30, 2021, 21:51
Mr. Tact wrote on Dec 30, 2021, 21:34:
RedEye9 wrote on Dec 30, 2021, 18:53:
I've used PIA Private Internet Access before, they're fine. Currently having a sale.
https://www.privateinternetaccess.com/order/PIA_HOLIDAY2021E3?
3 years for $80.
Thanks for passing the word. This is something I've been meaning to do for a while now and I just never got around to it. PIA was at the top of my list already from a RL friend recommendation from someone who has been in the IT field as long as BoP and I have been (and you too Redeye?). Anyway, at $80 for 40 months (36 + 4 months free) I didn't see how I couldn't sign up -- especially since I've known for a long time I needed to.
Not really in the field, in a former life I was a maintenance drone in a semiconductor factory. Nowadays I carry around 3 different size hammers and beat on people and their computers, tablets, phones, printers etc.
I learn a lot in forums like this.

What's funny about the PIA advertisement is how they marketed it in an email.

Your exclusive
(EMAIL-ONLY)
holiday gift from PIA
Although the following section might not apply to what I linked, who knows?
And that’s not all! Activate this offer today, and we’ll freeze ❄️ your PIA subscription at this incredible price for as long as you remain a customer. This exclusive offer is live now and you can only get it by using the link in this email.
They really need to put whoever is in charge of AriZona iced tea in control of inflation...
13.
Mr. Tact
Re: Evening Safety Dance
Dec 30, 2021, 21:56
RedEye9 wrote on Dec 30, 2021, 21:51:
Although the following section might not apply to what I linked, who knows?
And that’s not all! Activate this offer today, and we’ll freeze ❄️ your PIA subscription at this incredible price for as long as you remain a customer. This exclusive offer is live now and you can only get it by using the link in this email.
Ahh, I wondered about that. I noticed they had my renewal listed as 29 April 2025 for $79.00. I was wondering if that was a goof of some kind or if perhaps it was going to update once something got processed on the backend. Hopefully I got in on the deal permanently, that would be nice. That would be the second good customer service thing to happen to me today -- might be time to buy a lottery ticket (especially since Powerball is up to $500m).
“Extinction is the rule. Survival is the exception.” -- Carl Sagan