Apple blows chunks

Like we often say about DoD IT cYbErSeCurITY: "It's so secure, NOBODY can get in!" :D Currently we sit here, unable to review debrief HUD tapes because the peripherals (DTC USB readers) are blacklisted by the nonners on the non-flying side of base. Winning. Heck, one of my subordinates spent 25 minutes trying to get them to open up the port to the printer. A printer... So we hear ya.
In their (slight) defense, printers can be an attack surface... like a lot of consumer junk, too. We used to joke that the "S" in "IoT" stood for "security".
 
I guess that depends. I consider my house (relatively) secure.

Security is all about protecting against risk. If your house is breached (which is probably easier than you realize) and the notebook stolen, you now don’t have your own passwords, and someone has access to all of your accounts. If your house floods, or burns, or the notebook gets misplaced, you lose access to your accounts. If you use your passwords outside of your house, the risk increases. There is nothing secure about storing unencrypted passwords in a notebook (or, certainly, in plaintext on your computer.) I suppose you could argue that all of your passwords are materially complex and unique, you encode them in a way only you know, and you store them in a flood and fireproof safe which can't easily be removed from your house, but I suspect that none of those things are true for most people.

Password managers don’t completely eliminate risk, but properly used, they significantly reduce it while providing significant convenience. In addition to protecting passwords with encryption and MFA (including, optionally, a physical token), they can generate highly complex and strong passwords which most people would not generate on their own. There are other benefits to a password manager, such as breach detection, automated password cycling, passkey support, encrypted credit card and note storage, and syncing across devices, which a paper notebook does not provide.
 
Not to nitpick, but information security is about managing risk, not protecting against it.

In an office, which is often a shared or open environment, writing down passwords is discouraged for a number of reasons. Part of that is security, part of that is compliance which is part of security, and part of that is just accountability. But at home, writing down passwords isn't necessarily a bad plan.

While there are some theoretical advantages in using some password managers, there are also added risks of using any such system. While the risks of using personal cloud based storage or downloaded apps for passwords may not be high enough to be a concern for most people, I'm not one to recommend them unless the convenience and availability override any other risks.

Now that's just for personal use. If you have a business where you maintain a number of on-prem servers, then an on-prem PAM (privileged access management), still not cloud based, system might make sense. That's when all those fancy features make sense, for the admin accounts - not the user accounts - of your IT systems. But if you're operating at that scale I hope you're not getting your IT information from a pilot's forum.

I know, I know, what I'm saying isn't trendy, and it doesn't support all the noise about what a great idea it is to use a password management system. Or personal VPN. Or whatever other magic hair growing formula is out there. (Except FIPS 140 USB drives. Those actually are pretty cool.)
 
Security is all about protecting against risk. If your house is breached (which is probably easier than you realize) and the notebook stolen, you now don’t have your own passwords, and someone has access to all of your accounts. If your house floods, or burns, or the notebook gets misplaced, you lose access to your accounts. If you use your passwords outside of your house, the risk increases. There is nothing secure about storing unencrypted passwords in a notebook (or, certainly, in plaintext on your computer.) I suppose you could argue that all of your passwords are materially complex and unique, you encode them in a way only you know, and you store them in a flood and fireproof safe which can't easily be removed from your house, but I suspect that none of those things are true for most people.

Password managers don’t completely eliminate risk, but properly used, they significantly reduce it while providing significant convenience. In addition to protecting passwords with encryption and MFA (including, optionally, a physical token), they can generate highly complex and strong passwords which most people would not generate on their own. There are other benefits to a password manager, such as breach detection, automated password cycling, passkey support, encrypted credit card and note storage, and syncing across devices, which a paper notebook does not provide.

Go on! Go on! You're on a roll!
 
Managing risk, which some don't understand, includes consideration of the cost of protection vs. the cost of losing the data (corrupted or copied or ...).

Kind of like aircraft insurance, if the cost of hull insurance exceeds the cost of the hull, then it would be kind of, ahem, dumb to have hull insurance.
 
MFA on a phone is silly, IMO, and I work in infosec. One old definition of MFA is to combine something you have and something you know.

MFA in general is terrible, at least the way it is generally implemented.

In practice, it requires each of us to provide an ever-expanding set of personal data to each and every company we do business with. This does not reduce our individual risk, it increases it.

A competent hacker doesn't go after one person. They go after databases that have info on large numbers of people. The more personal info those databases have, the more valuable that target is to a hacker.

Forcing complex passwords or sending a code to a phone does nothing to mitigate the hacking risk, and just adds more data that can be hacked to enable ID theft from other platforms using the same personal data to implement MFA.
 
MFA with SMS or email is indeed terrible, and barely more secure than not having at all, but how is MFA with a TOTP requiring anyone to give out more personal data? It’s as anonymous as it is possible to be.

I personally use the best MFA that the service provides. If a service allows for TOTPs I use that and disable SMS/email fallback if possible. Also I always store recovery codes when possible and use that for password reset instead of email.

Financial institutions are the worst offenders of only using crappy SMS based MFA. One of the most sensitive accounts we regularly have and the entire industry is a decade or more behind in terms of security practices.
 
MFA with SMS or email is indeed terrible, and barely more secure than not having at all, but how is MFA with a TOTP requiring anyone to give out more personal data?
It forces the user to give out a mobile number that they should have zero interest in sharing. This in and of itself is a major security breach.
 
It forces the user to give out a mobile number that they should have zero interest in sharing. This in and of itself is a major security breach.
I literally said using a TOTP, not SMS, in the paragraph you quoted. How does using a TOTP a la Google Authenticator (pick your favorite app) require giving out a mobile number? It doesn’t.
 
Forcing complex passwords or sending a code to a phone does nothing to mitigate the hacking risk
Password rules as implemented generally are not sufficient to avoid good dictionary attacks, but having long, random passwords as provided by password managers absolutely does reduce risk. Forcing humans to come up with passwords on their own with no system encourages 2 things:

1) short, native language passwords that are easy to remember. This makes them incredibly susceptible to dictionary attack or basic social engineering attacks (not hard to figure out your spouse’s birthday).

2) password reuse. This is the even more problematic one as now your security is only as good as that of the weakest website or service you used that password with. Whenever any service gets its passwords leaked because they have crap security and authentication implementation (the service shouldn’t be able to even figure out your password in clear text, not to mention have it leaked) those leaked passwords are instantly tried on dozens of high value services. If you reuse your password now you have multiple accounts compromised from a single data breach.

The best password based security is to use long, complex, and random passwords that are used for one thing and one thing only. Passwords generally aren’t a good solution but if we are using them there are definitely better and worse practices.
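The two posts above make three claims that are easy to show in code: password managers generate passwords people would not (and CSPRNG-based generation is trivial), short native-language passwords fall to rule-based dictionary attacks no matter how many character classes they mix, and reuse means one breach exposes every account sharing the password. The following is an added example written for this thread, not code from any poster. The wordlist, mangling rules, and sample vault are constructed for the demo; the "breached service" stores unsalted SHA-256, standing in for the crap security the post describes.

```python
"""Added example (not from the forum thread): CSPRNG password generation, a rule-based
dictionary attack on a leaked hash, and the blast radius of password reuse.
Wordlist, rules and vault are constructed for the demo."""
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniform random password from the OS CSPRNG (secrets, never random), as a manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def naive_entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Strength IF every character were an independent uniform pick from the alphabet."""
    return len(password) * math.log2(len(alphabet))


# Constructed mini wordlist and mangling rules, shaped like real cracking rules:
# base word, capitalised/uppercased, optional year, optional suffix.
WORDLIST = ["password", "summer", "winter", "welcome", "letmein", "dragon", "football"]
YEARS = [""] + [str(y) for y in range(2015, 2026)]
SUFFIXES = ["", "!", "1", "123"]


def candidates():
    """Yield guesses in the order a simple rule-based cracker would try them."""
    for word in WORDLIST:
        for base in (word, word.capitalize(), word.upper()):
            for year in YEARS:
                for suffix in SUFFIXES:
                    yield base + year + suffix


def candidate_count() -> int:
    return len(WORDLIST) * 3 * len(YEARS) * len(SUFFIXES)


def effective_entropy_bits(n_candidates: int) -> float:
    """If the password comes from a pattern the attacker can enumerate, its real strength is
    log2(number of candidates) regardless of length or character classes."""
    return math.log2(n_candidates)


def leaked_hash(password: str) -> str:
    """Stand-in for a breached service that stored unsalted fast hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash: str):
    """Offline dictionary attack on one leaked hash: (password, guesses) or (None, guesses)."""
    guesses = 0
    for cand in candidates():
        guesses += 1
        if leaked_hash(cand) == target_hash:
            return cand, guesses
    return None, guesses


def exposed_by_breach(vault: dict, breached_site: str) -> list:
    """Credential stuffing: every other site where the breached site's password was reused."""
    pw = vault[breached_site]
    return sorted(site for site, p in vault.items() if site != breached_site and p == pw)


if __name__ == "__main__":
    human = "Summer2023!"  # mixes case, digits and punctuation, yet is pure pattern
    print(f"{human!r}: naive {naive_entropy_bits(human):.0f} bits, effective about "
          f"{effective_entropy_bits(candidate_count()):.0f} bits -> {crack(leaked_hash(human))}")
    strong = generate_password()
    print(f"random {len(strong)} chars: {naive_entropy_bits(strong):.0f} bits -> "
          f"{crack(leaked_hash(strong))}")
    vault = {"forum": human, "bank": human, "email": generate_password()}  # constructed
    print("breach of 'forum' also exposes:", exposed_by_breach(vault, "forum"))
```

The contrast worth noticing is the entropy line: `Summer2023!` looks like 72 bits if you count character classes, but against a cracker that enumerates word + year + suffix it is about 10 bits, and it falls in a few hundred guesses; the 20-character random string survives the whole wordlist because it is not in any enumerable pattern.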
 
The best password based security is to use long, complex, and random passwords that are used for one thing and one thing only. Passwords generally aren’t a good solution but if we are using them there are definitely better and worse practices.

I disagree.
 
It's not like it's impossible to make copy of portions of the notebook...
 
MFA in general is terrible, at least the way it is generally implemented.

In practice, it requires each of us to provide an ever-expanding set of personal data to each and every company we do business with. This does not reduce our individual risk, it increases it.

A competent hacker doesn't go after one person. They go after databases that have info on large numbers of people. The more personal info those databases have, the more valuable that target is to a hacker.

Forcing complex passwords or sending a code to a phone does nothing to mitigate the hacking risk, and just adds more data that can be hacked to enable ID theft from other platforms using the same personal data to implement MFA.
For most consumer implementations, I agree completely. Because it's being implemented for lowest possible cost for the provider, and because it's almost always done solely to meet compliance requirements.

A decent way to do it that doesn't require phone numbers or personal data is a combination of a smart card, or hardware or software token, and a short PIN. That combination is pretty common for large businesses, but it's generally considered too expensive for anyone to want to use it for consumer applications. So nobody will until it's mandated by someone.

Privacy is a good point. We have very few protections around that, and every proposal I've seen doesn't address the root problem. The problem is that no one seems to understand that personal data is owned by the individual, and collecting and selling that data without an agreement to compensate the individual for that use is really theft.

Or in other words, if someone stalks a single person, in many states it's a crime. But if a company stalks 100 million people, and then sells access to that data, it's a business model. And there are at least a dozen large companies doing that very thing. Why we permit it is beyond my understanding, except for greed.
 