• 2 Posts
  • 23 Comments
Joined 1 year ago
Cake day: June 8th, 2023
  • vvv@programming.devtoAsklemmy@lemmy.mlHow do you backup 2FA setup codes/QR codes?
    7·
    1 month ago

    Not a security scientist, but in my interpretation, it’s the “categories” of the factors that matter. Ideally, you use some two of three of:

    • something (only) you know - generally represented by passwords
    • something (only) you have - most commonly represented by some device. you prove that you have the device by providing a token only that device can generate.
    • something (only) you are - generally represented by biometrics

    the goal then is maintaining the "only"s.

    if you tell someone your password, or they see you type it in, or they beat it out of you with a wrench, it’s no longer something “only” you know, and it is compromised.

    if you use the same password on two websites, and one website is compromised, the password is compromised.

    OTPs from a key fob or yubikey or something are similarly compromised if the device that provides them is left out in public/lost/stolen/beaten out of you with a wrench.

    biometrics are again, are compromised if it’s not “only” you with access to them - someone scans you face while you’re asleep, or smashes your finger off with their wrench.

    having multiple factors in the same category, like having two passwords, or two otp tokens, or two finger prints, doesn’t significantly improve security. if you give up one thing you remember, it’s likely you’ll give up more. if one fob from your keychain is stolen, the second fob on that keychain is of no additional help.

    you can start shifting what categories these things represent though.

    if you write down your password in a notebook or a spreadsheet, they become thing you have.

    OTPs can become something you know if you remember the secret used to generate them.

    knowing many different things is hard, so you can put them in a password vault. the password vault is then something you have, which can be protected by something you know. so although your OTPs and passwords are in one place, you still require two factors to get access to them.

    you still need to protect your "only"s though. and don’t put yourself in situations where people with wrenches want your secrets.

  • vvv@programming.devtoTechnology@lemmy.worldNovel attack against virtually all VPN apps neuters their entire purposeEnglish
    45·
    2 months ago

    (obligatory I’m not a network surgeon this is likely not perfectly correct)

    The article mentions network interfaces, DHCP and gateways so real quick: a network interface usually represents a physical connection to a network, like an Ethernet port or a WiFi card. DHCP is a protocol that auto configured network routes and addresses once a physical connection is established, like when you jack in via an ethernet cable, it tells you the IP address you should go by, the range of IP address on the network you’ve connected to, where you can resolve domain names to IP addresses. It also tells you the address of a default gateway to route traffic to, if you’re trying to reach something outside of this network.

    You can have more than one set of this configuration. Your wired network might tell you that your an address is 10.0.0.34, anything that starts with 10.0.0. is local, and to talk to 10.0.0.254 if you’re trying to get to anything else. If at the same time you also connect to a wireless network, that might tell you that your address is 192.168.0.69, 192.168.0.* is your local network, and 192.168.0.254 is your gateway out. Now your computer wants to talk to 4.2.2.2. Should it use the wireless interface and go via 192.168.0.254? or the wired one and use 10.0.0.254? Your os has a routing table that includes both of those routes, and based on the precedence of the entries in it, it’ll pick one.

    VPN software usually works by creating a network interface on your computer, similar to an interface to a WiFi card, but virtual. It then asks the OS to route all network traffic, through the new interface it created. Except of course traffic from the VPN software, because that still needs to get out to the VPN provider (let’s say, at 1.3.3.7) via real Internet.

    So if you’re following along at home, your routing table at this point might look like this:

    • traffic to 1.3.3.7 should go to 10.0.0.254 via the wired interface
    • all traffic should go to the VPN interface
    • traffic to 10.0.0.* should go to the wired interface
    • all traffic should go to 10.0.0.254 via the wired interface
    • traffic to 192.168.0.* should go to the wireless interface
    • all traffic should go to 192.168.0.254 via the wireless interface

    whenever your os wants to send network packets, it’ll go down this list of rules until one applies. With that VPN turned on, most of the time, only those two first rules will ever apply.

    If I’m reading the article correctly, what this attack does, is run a DHCP server, that when handing out routing rules, will send one with a flag that causes, for example, the last two rules to be placed at the top of the list instead of the bottom. Your VPN will still be on, the configuration it’s requested the OS to make would still be in place, and yet all your traffic will be routed out to this insecure wireless network that’s somehow set itself as the priority route over anything else.

  • vvv@programming.devtoSelfhosted@lemmy.worldJoplin alternative neededEnglish
    3·
    6 months ago

    Why do you need to back up that server data? The great thing about joplin, is that the full content of your notes (and history) is distributed, like a git repo. As long as you have one device left with your notes, everything else can be bootstrapped from there. If your sync server burns down, start a new one and sync your notes to it again.