Conversation

    Ron Gilbert (GrumpyGamer) (grumpygamer@mastodon.gamedev.place)'s status on Wednesday, 12-Apr-2023 07:19:11 JST

    I'm 100% in favor of 2fa, but use a standard system that allows for my password manager to solve it. Don't send me an SMS or email or require your custom goofy app.

    In conversation Wednesday, 12-Apr-2023 07:19:11 JST from mastodon.gamedev.place permalink
      Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:19:01 JST
      in reply to
      • Diego Elio Pettenò
      • ASCIInaut

      @ASCIInaut @flameeyes @grumpygamer

      Yet again I need to shout “THREAT MODEL”. Saving your TOTPs in your password manager is good enough for 95% of people.

      In conversation Wednesday, 12-Apr-2023 07:19:01 JST permalink
      ASCIInaut (asciinaut@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:19:08 JST
      in reply to
      • Diego Elio Pettenò

      @flameeyes @grumpygamer I always get very sad when people save their second factor back to the first factor for convenience. This is the digital form of PINs written on the magnetic stripe cards.

      In conversation Wednesday, 12-Apr-2023 07:19:08 JST permalink
      Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 07:19:09 JST

      @grumpygamer email 2FA should work better than SMS, but password manager TOTP would just make it "security fiction" for what it's worth.

      https://flameeyes.blog/2021/11/30/2fa-totp-keys-and-password-managers/

      In conversation Wednesday, 12-Apr-2023 07:19:09 JST permalink
      Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 07:31:39 JST
      in reply to
      • Jake Hildreth (acorn) :blacker_heart_outline:
      • ASCIInaut

      @horse @ASCIInaut please read the post, I do indeed talk about threat models.

      For those people there's no need for 2FA at all at that point, the password manager is already a suitable defence.

      In conversation Wednesday, 12-Apr-2023 07:31:39 JST permalink
      Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:31:39 JST
      in reply to
      • Diego Elio Pettenò
      • ASCIInaut

      @flameeyes @ASCIInaut And what about sites that force you to use MFA?

      In conversation Wednesday, 12-Apr-2023 07:31:39 JST permalink
      Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 07:36:17 JST
      in reply to
      • Jake Hildreth (acorn) :blacker_heart_outline:
      • ASCIInaut

      @horse @ASCIInaut that's literally the one case I explicitly call "Security Fiction" in this context.

      Read the post before passing judgement, next time?

      In conversation Wednesday, 12-Apr-2023 07:36:17 JST permalink
      Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:36:17 JST
      in reply to
      • Diego Elio Pettenò
      • ASCIInaut

      @flameeyes @ASCIInaut Absolutely not. This is social media.

      In conversation Wednesday, 12-Apr-2023 07:36:17 JST permalink
      ASCIInaut (asciinaut@infosec.exchange)'s status on Wednesday, 12-Apr-2023 07:36:56 JST
      in reply to
      • Jake Hildreth (acorn) :blacker_heart_outline:
      • Diego Elio Pettenò

      @horse @flameeyes @grumpygamer Yes, that's right. The real problem is that the decades-old concept of knowing something to authenticate yourself no longer scales with increasing computing power.

      In conversation Wednesday, 12-Apr-2023 07:36:56 JST permalink
      Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 08:32:11 JST
      in reply to
      • Jake Hildreth (acorn) :blacker_heart_outline:
      • ASCIInaut

      @horse @ASCIInaut (unreasonably deadpan here) ah but social media is what we make of it ourselves!

      What if we actually used it to spread the nuance that comes with concepts like threat model, and discuss how to explain to reasonable people when sites insist on terrible practices due to bandwagons rather than thought-out security considerations?

      In conversation Wednesday, 12-Apr-2023 08:32:11 JST permalink
      Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 08:32:11 JST
      in reply to
      • Diego Elio Pettenò
      • ASCIInaut

      @flameeyes @ASCIInaut

      but but but

      (I started reading your blog shortly after my last post. I was interrupted by dinner but intend to finish reading tomorrow.)

      In conversation Wednesday, 12-Apr-2023 08:32:11 JST permalink
      Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Wednesday, 12-Apr-2023 20:28:02 JST
      in reply to
      • Jake Hildreth (acorn) :blacker_heart_outline:
      • ASCIInaut

      @horse @ASCIInaut to be clear, I also have a ton of "low stake" 2FAs in my password manager because too many services are unreasonable re: 2FA and it's easier to go with the flow.

      I just wish it wasn't needed.

      In conversation Wednesday, 12-Apr-2023 20:28:02 JST permalink
      Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 12-Apr-2023 20:28:02 JST
      in reply to
      • Diego Elio Pettenò
      • ASCIInaut

      @flameeyes @ASCIInaut LOL! That's exactly my point. For most people, EVERY account they use is low-stakes. 2FA may be security fiction, but it's also reality, so why not make it easy to use?

      In conversation Wednesday, 12-Apr-2023 20:28:02 JST permalink
      Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Thursday, 13-Apr-2023 00:15:00 JST
      in reply to
      • Jake Hildreth (acorn) :blacker_heart_outline:
      • ASCIInaut

      @horse @ASCIInaut I agree on making it easier (websites should stop insisting I use *their* app, especially for TOTP! I'll take a push notification, maybe), but I'd rather make it less bullshit too -- send me an email with the code, you already have my email, don't ask me for a phone number.

      In conversation Thursday, 13-Apr-2023 00:15:00 JST permalink
      Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Thursday, 13-Apr-2023 00:15:00 JST
      in reply to
      • Diego Elio Pettenò

      @flameeyes I've yet to run across a site that requires me to use *their* app other than Microsoft Authenticator. Which other services do that?

      In conversation Thursday, 13-Apr-2023 00:15:00 JST permalink
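The mechanics the thread argues over are easier to see in code. What follows is an added example, not something any participant posted: an RFC 4226 HOTP / RFC 6238 TOTP implementation checked against the RFCs' published test vectors (seed "12345678901234567890"), a server-side verifier with a clock-drift window, and a constructed password-manager export record (site, user, password and otpauth URI are all invented; the helper names are mine) that stores the TOTP seed next to the password. A TOTP code is a function of the stored seed and the current time and nothing else, so whoever reads that one record can produce the username, the password and a valid current code in a single step. That is the "second factor saved back to the first factor" ASCIInaut describes; the threat-model question in the thread is whether a vault thief is the adversary a given account actually needs to resist.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, and what one stolen vault record yields.

Added example, not code from the thread. VAULT_ENTRY is a constructed
sample of a password-manager export; helper names are this example's own.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Reference seed from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# so the codes produced here can be compared with the RFCs' test vectors.
RFC_SEED = b"12345678901234567890"

_ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_base32_secret(text: str) -> bytes:
    """Decode a base32 seed as vaults store it: spaces, lowercase, no padding."""
    s = "".join(text.split()).upper().rstrip("=")
    s += "=" * (-len(s) % 8)  # base64.b32decode requires proper padding
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the clock divided by the step. No other input."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, algo=hashlib.sha1) -> bool:
    """Server side: accept the current step and +/- `window` steps of clock drift."""
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits, algo), candidate)
        for c in range(counter - window, counter + window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (what the enrolment QR code encodes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "secret": decode_base32_secret(q["secret"]),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algo": _ALGOS[q.get("algorithm", "SHA1").upper()],
    }


# Constructed sample vault record: password and TOTP seed in the same entry.
# The seed is RFC_SEED in base32, so the codes match the RFC 6238 vectors.
VAULT_ENTRY = {
    "site": "https://example.com/login",
    "username": "alice",
    "password": "correct horse battery staple",
    "totp": "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
            "&issuer=Example&digits=8&period=30",
}


def credentials_from_vault(entry: dict, unix_time: int) -> tuple:
    """Everything the login form asks for, computed from the one exported record."""
    p = parse_otpauth(entry["totp"])
    code = totp(p["secret"], unix_time, p["period"], p["digits"], p["algo"])
    return entry["username"], entry["password"], code


if __name__ == "__main__":
    import time
    user, pw, code = credentials_from_vault(VAULT_ENTRY, int(time.time()))
    print(f"{user} / {pw} / {code}")
```

`verify_totp` is the part a service runs; it is included to show that the server also holds nothing but the seed, so a seed copied out of a vault is indistinguishable to it from the legitimate authenticator. Compare with a hardware key or passkey, where the private key never leaves the device and no export record can reproduce the response.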

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.