#how does yubikey work | Explore Tumblr Posts and Blogs

unpretty · 2 years

Note

do you mind sharing what web browser add ons you use? you seem to know your stuff and i feel like there's helpful stuff i've missed

my firefox extensions are pretty boring and sometimes cringe

AliExpress Superstar - okay so this one is the cringiest one. i like to buy a lot of dumb shit and it gives me a camelcamelcamel-type graph of what the price has been doing because sellers on ali love to have 'sales' that actually cost more than the item does normally. not really useful unless you also love bad decisions.

BitWarden - i switched to bitwarden as my primary password manager from lastpass and i regret nothing. i've been using the free version no problem but i keep meaning to upgrade so i can use my yubikey again.

ClearURLs - this gets rid of all the stuff after the ? in a url, in theory. lately it's been missing some cruft in twitter urls, and also has been interfering with pocket somehow? very confusing. i give this one a mixed review.

Facebook Container - keeps facebook in an isolated shame zone so they don't know what i'm up to.

Firefox Multi-Account Containers - firefox has containers built in but you need the extension if you want to set certain urls to always open in certain containers (i do this for amazon, aliexpress, google, and twitter because i don't trust them). iirc they recently added security features that maybe make the containers obsolete anyway? idk man

Greasemonkey - for installing userscripts like the ones on greasyfork. i don't have as many of these as i used to, but whatever.

Ignore X-Frame Options - this one's Niche lmao. websites disable loading in an x-frame because they don't want their site being embedded on another website or whatever but that means comic-rocket doesn't work on their site. and i like using comic-rocket to keep track of where i'm at so i can go back later if i accidentally forget to read anything for six months. which has happened. anyway that's the only reason i have this extension. hiveworks please stop blocking comic-rocket, i already disabled adblocking for comic-rocket, i'm not going to disable ads for every comic on your fucking network, calm down.

Library Extension - EVERYONE SHOULD INSTALL LIBRARY EXTENSION. god. it has saved me so much money. stopped me from so many impulse purchases. and it lets me look up whether something is on scribd instead of just the library which is handy for me specifically, since i have scribd and my library can be limited.

Inoreader Extension - i use inoreader so i have the extension. pretty self-explanatory. tells me how behind i am on reading the entire internet, also makes it easy to subscribe to feeds when i find a new one.

RSSPreview - firefox used to let you preview rss feeds by default but they broke it because they lack my dedication to keeping rss alive

Snap Links - okay. this one is maybe a weird one. it lets me click and drag with the right button to make a box and then open every link in the box in a new tab. sometimes there is a long list and i want to read all the things. or else load up a bunch of forum pages to read while i'm offline.

Something Awful Last Read Redux - i don't have to explain myself to you but also you will take keyboard nav out of my cold dead hands

SponsorBlock for YouTube - self-promo is fine but i don't need to hear about expressvpn

stutter - it does that thing where it lets you read things one word at a time to read really fast. i already read pretty fast but sometimes this forces me enough to focus on something when i'm having attention issues.

Stylus - this is the good one after stylish turned into spyware or whatever. i need to be able to tweak css to live.

Tapas RSS Button - tapas still has rss feeds but it hid them so i installed a thing to bring the buttons back. i could probably be using a userscript for this but whatever.

Translate Web Pages - it's pretty much google translate, i feel like there must be a better one because this one kind of sucks to configure but i'm lazy

uBlacklist - just recently installed this to never see pinterest or fandom.com in my search results. i will probably add more shitty websites as time goes on.

uBlock Origin - still my ad and script blocker of choice. makes it relatively easy both to block elements as well as to opt out and explain that i clicked that ad on purpose, which is a thing i do sometimes and i need my ad blocker to respect my poor choices without forcing me to permanently enable whatever website i wanted to see.

Web Scrobbler - yes i still use last.fm in 2022 and will continue to do so. i am trying to get scrobbling from rockbox to work as we speak. it's 2022 but i'm reverting back to 2008. catch me on myspace soon probably.

XKit Rewritten - imagine using tumblr without xkit. i would die.

#original #how to internet #i didn't actually need to tell you ALL of them like i'm confessing my sins but here we are

1K notes · View notes

rlxtechoff · 2 years

Text

#IFTTT #Blogger

0 notes

altsec · 5 years

Text

Staying Safe Online

With all the data breaches in the news lately one thing is clear, staying safe online isn’t easy! It’s probably good practice to assume you will be the subject of a data breach at one point in your life, so how can you stay protected even if the worst happens? This guide was written to help users of Kinmunity stay safe online, but the guide applies to everyone and can be shared and reproduced under a Creative Commons BY-SA licence.

1. Use a different password on every site / app.

This tip is now given out in almost every online security guide I’ve seen, and it’s often the tip that is most ignored by users because it is difficult to do. The more sites and apps you’re on, the more passwords you have to remember, right? Password reuse is AWFUL for security’s sake. Let’s say you use the same password on Kinmunity as another website you use, say an online game. Let’s say you also use that password for your PayPal. The game site gets compromised and your password leaks, guess where else the attackers can login -- your PayPal and Kinmunity accounts. But how can you use a different password everywhere safely? That brings us to the next point...

2. Use a secure password manager.

We at Kinmunity recommend Bitwarden. A password manager allows you to remember one (hopefully secure!) password, which is used to decrypt a database containing your other passwords. Bitwarden allows you to generate a secure and random password for each site or application you use, and then stores it for you so you don’t have to remember it either. It supports syncing across multiple devices, and is open source. If you’re a nerd, even the server is open source so that you know your passwords are secure!

3. Use two-factor authentication where it is available.

Two-factor authentication combines something you know (your password) with something you have (your mobile phone, or hardware security token) before granting access to a service. This makes it much harder for an attacker to gain access to your accounts, even if they have your password. The most secure form of 2FA is the hardware token - we recommend the Yubikey Security Key for this purpose. You can also use your phone to generate time-based tokens - we recommend the Authy App for this!

4. Look before you type.

Never enter your username and password anywhere without verifying that you’re where you are supposed to be. Most modern services use SSL (you’ll notice the lock icon on your browser) - ensure the lock is there. Then, check the URL itself as it appears in the address bar of your browser to ensure you’re on the correct site. https://www.kinmunity.com/login is our site, for example. https://www.kinmunity.com.fr/login, http://kinmunity.com.login.us, and https://login.kinmunity.com.nz aren’t.

5. Change your passwords frequently.

We recommend that you change your passwords on the various sites you are on once every three months. You can use your Password Manager to help you! This helps so that if there is a breach, the time that they can use the passwords they’ve stolen is limited.

6. Never share passwords, for any reason, ever.

That customer service person on the phone does not need your password. Your boss at work does not need your password. Site administrators do not need your password. Your friends and significant other do not need your password. Period. Sharing passwords is a bad habit to get into, and it strongly increases the chance of you getting compromised. You cannot control information and who receives it once you give it to another person -- and it’s all too easy to become a victim of phishing.

A good example from an administrative side; I do not need somebody’s password to login to their Kinmunity account (nor their 2FA token if they use two-factor). I simply need their permission and I can do it from the admin panel. Most sites and services are setup like this. DO NOT SHARE YOUR PASSWORD.

7. Put security first, your identity depends on it.

No, it really does. Identity theft is the fastest growing crime in America, as I’m sure you’ve heard quoted over and over again by various news stations. A lot of reasons the general public does not implement basic security measures that would strongly reduce the chances of them becoming victims is because it is convenient not to. Reusing the same password over and over is simple, and it means you don’t have to download a password manager and remember a master password, for example. However, it also means that it is convenient and simple for an attacker to steal your identity. Security is a digital lifestyle, and it’s time for a lifestyle change if you’re not living it!

8. Evaluate the sites and services you use.

Do you care about your identity and privacy? Great - the message is sinking in! Unfortunately, many services do not. In 2019, there are still websites and apps that are storing user passwords on their servers in plain text, fully in view to anyone who manages to gain access to that server. If you use a site listed on https://plaintextoffenders.com, you may wish to discontinue its use. Google around about a site for its reputation, and the reputation of those operating it. You might save yourself a headache later if you don’t sign up for that popular virtual pet game being ran by sketchy operators.

9. Protect your devices.

A lot of application developers and service operators DO put a lot of thought in security. This makes it more attractive to malicious actors to create spyware & malware for home computers and mobile phones. Use a reputable anti-virus solution -- Yes, Mac & Linux users, that includes you too! You -CAN- get viruses.

10. Seriously, follow the guide.

Don’t read this guide and follow the three easiest tips to implement. Don’t read this guide and follow all but one tip. Follow each and every one, because the moment you pick and choose what you feel is important, is the moment you open yourself up to needless vulnerability. Kinmunity is one of the most secure communities on the internet, and it didn’t become that from carelessness. The moment you become complacent is the moment you become wide open.

Authorship

This guide was developed by Naia Ōkami. She is a reputable security consultant specializing in offensive operations and penetration testing. The purpose of this guide is to give Kinmunity users simple tips to better help them protect their digital identity, but the majority of the document could apply to all internet users in general. For this reason, it is available under a Creative Commons BY-SA license for all to reproduce and use!

#Security #Safety #SecurityTips #SafetyTips

1 note · View note

workstuff · 5 years

Text

Avoid the dangerous conclusions of Google's basic account hygiene study

Google recently published the results of a study to get actual data on how to keep accounts secure. They conclude that phone number verification (e.g.: SMS 2FA) works and is effective in a large number of cases.

Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.

While it’s true that this will stop _most_ attacks, the important thing is the ones that it doesn’t. If you’re specifically targeted, and specifically if you’re targeted by SIM hijacking, SMS 2FA will not only do nothing to protect you, it may even provide an easier attack surface for someone to compromise your accounts. Every day seems to bring another story of someone who was targeted for a crypto wallet or their instagram or twitter account, and their SMS 2FA was bypassed by SIM hijacking.

The conclusions of this study are interesting, but primarily in an academic way. If you’re _only_ at risk for automated compromise, SMS 2FA will help you. But if you’re at any risk of targeted account compromise which is getting easier every day and who knows what you have that’s valuable to someone, SMS 2FA will do you more harm than good. The only excuse for using SMS 2FA is that it’s convenient. We should deprecate it entirely in favor of TOTP with site verification (which 1Password does with their browser extensions) or hardware keys (yubikeys are the most common, but until they’re wirelessly supported on iOS, this is a non-starter for a lot of folks). Apple should stop making it easy for users to use by populating codes from Messages, and support TOTP seeds in keychain. Web application creators should stop pushing SMS verification on people and switch to TOTP. If you have that option instead of SMS 2FA, use it. If you don’t have that option, ask for it. Companies won’t know they should change unless you tell them. I’ve had several services I use switch after I expressed concern.

If you’re forced to use SMS 2FA, and probably even if you don’t, you should have a transfer PIN on your wireless account. Here’s a guide to get started with the common wireless carriers: https://clark.com/scams-rip-offs/sim-hijacking-how-to-add-pin-mobile-phone/

#security

3 notes · View notes

datesfox777 · 3 years

Text

Ssh Agent For Mac Os X

I'm running Mac OS X, and it appears that after SSHing to several machines, using identity files, my 'ssh-agent' builds up a lot of identity / keys and then sometimes offers too many to a remote machine, causing them to kick me off before connecting:

Ssh-agent Mac Os X Keychain

Mac Restart Ssh Agent

Ssh Agent Mac Os X

Ssh Agent For Mac Os X 10.10

Received disconnect from 10.12.10.16: 2: Too many authentication failures for cwd

It's pretty obvious what's happening, and this page talks about it in more detail:

SSH servers only allow you to attempt to authenticate a certain number of times. Each failed password attempt, each failed pubkey/identity that is offered, etc, take up one of these attempts. If you have a lot of SSH keys in your agent, you may find that an SSH server may kick you out before allowing you to attempt password authentication at all. If this is the case, there are a few different workarounds.

Mac OS X includes a command-line SSH client as part of the operating system. To use it, goto Finder, and selext Go - Utilities from the top menu. Then look for Terminal. Terminal can be used to get a local terminal window, and also supports SSH connections to remote servers. Given all of the above, especially if SIP prevents you from disabling this directly, I would probably attack it a different way. The first idea that comes to mind would be to write my own launchd plist and have it run on load to have it run the commands to automatically stop ssh-agent, and then see if you can then get oh-my-zsh to restart / control it. It's an old question but I recently ran into the same issue on my Mac running 10.12.6. The DISPLAY variable is not set in the terminal and ssh -X doesn't work. This is what I did that solved the problem: Reinstall XQuartz using Homebrew: brew cask install xquartz (the option -forced may be necessary) Add the XQuartz launcher to the system default (following the solution in this Reddit post.

Rebooting clears the agent and then everything works OK again. I can also add this line to my .ssh/config file to force it to use password authentication:

Anyhow, I saw the note on the page I referenced talking about deleting keys from the agent, but I'm not sure if that applies on a Mac since they appear to be cleared after reboot anyhow.

Is there a simple way to clear out all keys in the 'ssh-agent' (the same thing that happens at reboot)?

If you haven’t set up your YubiKey yet, this is a good place to start.

Evil Martians are growing. With more employees and more clients, there is a demand for stronger security. Our clients trust us with their source code and, even more importantly, with access to their production servers, and this trust cannot be broken. In a hostile environment of the modern web, though, it is easier said than done. A good old password, even coupled with a password manager, does not cut it anymore. The most obvious way to increase security is to opt for two-factor authentication (2FA) that is widely supported. Even without hardware keys, it makes an attacker’s job much harder than it used to be.

A sticky situation

We have enforced 2FA across all our staff for all the tools that we use daily: email, GitHub, task trackers, and others. By default, it involves requesting one-time access codes either by SMS/phone call or through a dedicated smartphone app. Cellular networks, however, are not the safest place: messages and calls can be intercepted. Opting for an app like Google Authenticator is more secure, but can also be compromised, at least in theory, if a smartphone that runs it is precisely targeted by an attacker.

So, can we do better? There exists an open authentication standard that aims to both strengthen and simplify 2FA.

Known as Universal 2nd Factor (U2F) and originally developed by Yubico and Google, it relies on physical devices (usually USB or NFC) that implement cryptographic algorithms on a chip, similar to smart cards that have been around for ages. You probably have at least few of those in your pockets: phone SIM, bank cards, various IDs and the like.

Now, instead of confirming your access with some code, you need to insert a USB stick into your computer, press the physical button on it, and the device will take care of the rest. Authenticating with U2F is already supported by major browsers (the only notable exception, sadly, is Safari) and you can use it with many online services that software professionals use daily: Google and Gmail, Dropbox, GitHub, GitLab, Bitbucket, Nextcloud, Facebook, and the list goes on.

The advantages of a hardware solution are obvious: a possibility of a remote attacker gaining access to one of your tools is pretty much eliminated. The attacker needs to physically get a hold of your USB key, which is still a security risk, but in an entirely different domain.

There is a number of vendors that sell USB keys, and we chose Yubico and their YubiKey 4 series. They are versatile, compact and can either be carried around on a keychain or, for smaller models, stay in the USB slot of your laptop all the time. There are also USB-C models for newer Macs, so you don’t need dongles. Besides implementing U2F, YubiKey 4 series supports various security standards:

Smart card PIV

Authenticating online with U2F works out of the box on Linux, macOS, and Windows and in all major browsers. However, if you want to use your YubiKey for SSH connections, things quickly get less straightforward.

Sticks and Macs

We do have our fair share of Linux users, but the instructions we offer further are for macOS only, as replacing default ssh-agent with a gpg-agent on a system level is a Mac-specific problem.

A Mac is a computer of choice for most of us at Evil Martians. We also use SSH all the time: while pushing code to GitHub or accessing remote servers. As all our employees work remotely from their private machines, contents of their ~/.ssh folders should never be allowed to leak. Common security measures, like the hard drive encryption, are always in order, but with YubiKeys already being used for U2F, would not it be better to store RSA keys for SSH on them too, and off the computer?

Ssh-agent Mac Os X Keychain

As YubiKey already supports OpenPGP, we can use it as the OpenPGP card with all the benefits:

Download Intensify for macOS 10.9 or later and enjoy it on your Mac. ‎Intensify turns your everyday photos into stunning, dramatic masterpieces. Use simple controls to bring up the details, reveal the hidden beauty and enhance every pixel. 'Best of App Store' + over 20 other software awards. Intensify for apple mac. Intensify Pro is for Mac photo enthusiasts who want their photos to stand out. Intensify Pro gives you powerful new ways to create dramatic results. Professionally created presets make it 'one.

Once RSA keys are put on a card, they cannot be retrieved programmatically in any way.

Keys written to a card can only be used in combination with a PIN code, so even if a YubiKey is stolen, a thief would not be able to authenticate directly.

To set up YubiKey as a smart-card holding your PGP keys, you need first to replace your ssh-agent that comes pre-installed with macOS with a GnuPG solution. The easiest way to do it is directly from Terminal with Homebrew:

If you want to install a full GPG Suite that includes GUI applications, you can run another command (requires Homebrew Cask), or download it from the website:

At the time of this writing, the most recent version of gpg is 2.2.X. Let’s double-check, just to be sure:

Many guides out there tell you how to install YubiKey with gpg 2.0.X, and there has been a lot of significant changes since then. We recommend updating, and that should also be done with caution: backup your ~/.gnupg directory before making any changes!

Important!Now you need to either generate your PGP keys directly on the YubiKey or create them locally and copy over. There is an official guide for that, as well as a more evolved instruction on GitHub from the user drduh.

After all that is done, you need to enable your SSH client (the built-in Terminal app, for instance) to read PGP keys directly from YubiKey. It is time to say goodbye to a built-in ssh-agent that have served you well before.

Insert a YubiKey holding a PGP key in your computer and run the following commands; they will launch a gpg-agent and instruct your applications to use a new SSH authentication socket:

If everything went well, you should see that your private RSA key is now in fact located on a YubiKey (it has a unique cardno), the output of an ssh-add -l should resemble this:

Congratulations, you are done! This changes will not persist, however.

As soon as you reload your system, or even switch to a new console window, this setup will go away.

Let’s see how we can make it permanent.

Making things stick

The first thing that comes to mind when changing any shell-related setup is to change the local profile, be it ~/.bash_profile or ~/.zsh_profile (if you don’t know what type of shell you have, most likely you have bash, it comes by default with macOS). Open that file in an editor and add:

Now every time you launch a console, it will know how to SSH properly. If you live in a shell, use Vim or Emacs to write your code and were never tempted with GitHub’s visual features, you are all set.

However, if you use an IDE or one of those modern text editors with integrated GitHub functionality, such as Atom or Visual Studio Code? Those applications are not concerned with your shell setup and will still use system defaults for SSH, which is not what we want since we store all our keys securely on a YubiKey.

“But before we dealt with gpg, we did not need to set up anything, and everything worked!” you might say, and you would be right: macOS takes care of all that with a built-in service-management framework called launchd. You can read more about it by running man launchd, but you don’t have to.

You only need to know that launchd deals with so-called “property lists”. These are XML files with a .plist extension that define services to be launched and their launch options. They are located in the following directories:

~/Library/LaunchAgents for per-user agents provided by the user.

/Library/LaunchAgents for per-user agents provided by the administrator.

/Library/LaunchDaemons for system-wide daemons provided by the administrator.

/System/Library/LaunchAgents for per-user agents provided by macOS.

/System/Library/LaunchDaemons for system-wide daemons provided by macOS.

Let’s do some digging and look for anything SSH-related. Here it is, right in a /System/Library/LaunchAgents/com.openssh.ssh-agent.plist:

Without diving into much detail, we see that this is how macOS makes ssh-agent a default utility for SSH authentication.

Unfortunately, we cannot edit this file directly, as anything located in a /System folder is protected from tampering by a macOS feature called System Integrity Protection. There is a way to disable it, but you don’t want to do that. Apple folk came up with it for a reason.

A stickler for detail

Nothing prevents us from writing our own .plist though! All these XMLs will be treated as instructions for launchd, so this is our chance to circumvent ssh-agent once and for all!

First of all, let’s read man gpg-agent and learn what GnuPG agent for Mac is capable of:

Mac Restart Ssh Agent

It can become a daemon and live in the background with the --daemon option.

There is a --supervised option designed for systemd which makes the gpg-agent wait for a certain set of sockets and then access them through file descriptors.

A --server option allows our agent to hook onto the TTY and listen for text input, without opening any sockets.

Unfortunately, launchd only tracks processes that run in the foreground, and neither --supervised, nor --server will do us any good. So, the best way to launch an agent is by using the same command that we used before: gpgconf --launch gpg-agent. Let’s express it in launchd-compatible XML:

Now save it as homebrew.gpg.gpg-agent.plist and put it into ~/Library/LaunchAgents folder. To test that it all works (you won’t have to do it after restart), tell launchd to load a new plist:

Now let’s make sure that the agent is loaded:

A digit in the launchctl list output shows the exit status of a launched program, and 0 is what we want to see. pgrep confirms that we are in fact up and running.

Ssh Agent Mac Os X

However, we are not done yet. We still need to point SSH_AUTH_SOCK environment variable to $HOME/.gnupg/S.gpg-agent.ssh. The problem is that the variable is already set (user-wide) by the launchd default setting for ssh-agent.

At this moment, I have nothing better in mind than the following “hack”: forcibly symlink gpg-agent’s socket to the default one, stored in an SSH_AUTH_SOCK variable. The power of Unix allows us to do that, but that effectively messes up the default SSH configuration. However, as we are now using GnuPG for everything SSH-related, that should not be a problem. If you have better ideas, please contact me on Twitter.

We can create another plist that will do all necessary symlinking on login.

The only trick here is to call the shell directly, with /bin/sh (so we can reference shell variables), and pass a command to it. Now, save the file as ~/Library/LaunchAgents/link-ssh-auth-sock.plist and load it with launchd.

Let’s test the result:

Bingo! Our macOS is now effectively tricked into thinking that it deals with ssh-agent, even though it’s the gpg-agent doing authenticating and reading PGP keys directly from your YubiKey.

All you need to do know to authenticate over SSH in a true hardware fashion is to turn on your laptop, put a stick in the USB and push a button on it. Your Mac is now completely secure!

Still stuck?

There is another problem you may encounter when you start using YubiKey as an OpenGPG card. Our gpg-agent sometimes get stuck, and it looks like a YubiKey is not connected at all, replugging it also does nothing. It is a known problem, discussed here. My observations show that it appears after I put my laptop to sleep. Let’s deal with that too.

First, we need a tool that keeps track when our laptop wakes up: sleepwatcher is made just for that. Install it with Homebrew:

By default, it expects two scripts: ~/.sleep to run before the computer goes to sleep, and ~/.wakeup to run after it wakes up. Let’s create them.

The minimal ~/.sleep script can look like this (we only need to be sure it passes as a shell script)

In ~/.wakeup we will forcibly restart our gpg-agent:

Now we need to add execution flags and enable sleepwatcher’s service:

Ssh Agent For Mac Os X 10.10

Thank you for reading! Download find my mac for mac. In this article, we showed how to set up your SSH authentication flow with YubiKey as an OpenPGP card and how to make your gpg-agent play nicely with macOS. Now all you need to do to access a server or push code to a remote repository is to insert a stick into your USB and enter a PIN code when requested. Passphrases no longer required!

0 notes

alishaadani · 10 months

Text

Yubikey.Support for 2-Factor Verification | Yubikey Support

YubiKey is a hardware security key that provides strong two-factor authentication (2FA) support for enhanced online security. It offers an additional layer of protection beyond passwords by requiring physical presence and user verification, making it difficult for unauthorized access to accounts and sensitive data. YubiKey support ensures a secure and convenient way to verify identity and protect against various online threats like phishing and account breaches.

#yubico support #yubikey support #yubikey supported #how does yubikey work #yubikey not working #yubikey setup #yubikey supported services #yubikey password #manager

0 notes

worrdev · 3 years

Text

It’s been awhile y’all

It's been a hot minute since I've documented some of my work, so I guess in keeping with making a main blog post, I'll make a devblog post today too.

cfn-mode / flycheck-cfn

https://gitlab.com/worr/cfn-mode/

I've been an emacs user for some time, and at my current job, I've been hurting for good support for cloudformation templates in my editor. I wrote this mode and flychecker to at least add some basic syntax highlighting and linter support. I'm currently in the process of getting them added to MELPA.

imdb-api

I made a bunch of changes fairly recently to imdb-api, most notably adding front-end support, migrating to Gitlab and migrating to ky after node-requests was deprecated. Normally I'd link patches, but there are too many since my last update. Here's the changelog: https://gitlab.com/worr/node-imdb-api/-/blob/master/CHANGELOG.md

fluent-bit

At work, we discovered an issue where our fluent-bits were sticky to the same instance of fluentd if we turned on keepalive and used a load-balancer.

To mitigate this, I ended up adding a new option to fluent-bit that will recycle keepalive connections after sending a number of messages, to cycle between backend instances periodically.

https://github.com/fluent/fluent-bit/commit/44190c2a1c4b939dc9ecb2908148d38c82a40831

https://github.com/fluent/fluent-bit-docs/commit/8d43b502123e366a1722a0051918ce7d78a8506b

fluentd-s3-plugin

Also at work, we found a case where the fluend plugin for s3 would spend forever trying to upload logs. By default, the naming scheme for the log chunks would be something like <time_slice>_<idx>. The time slice is the time when the log was uploaded, and the idx value is a monotonically increasing integer.

The problem, is that if you have mutliple threads uploading (or multiple fluentd's, or both), they have to check the presence of the filename to ensure that the formulated filename doesn't exist. Additionally, it doesn't track the last-used index, so when doing this check, fluentd will start at 1, check, increment, check again, increment again, etc. This obviously doesn't scale very well when you are outputing a ton of logs.

We fixed this my changing our file format to include a uuid and disabling the behavior to check for collisions.

However, since the defaults are dangerous, I've submitted this PR to try and make things less dangerous for new users (not accepted yet at the time of this writing).

https://github.com/fluent/fluent-plugin-s3/pull/355/files

This works by tracking the last used index in an atomic that's shared between threads. As outlined in the PR, it doesn't solve the whole problem, but it does make the defaults considerably safer.

logging-operator

Perhaps you've noticed a theme with my recent, work-driven contributions. :)

logging-operator is a kubernetes operator to automate adminitration of logging infrastructure in a kubernetes cluster. I've been contributing a bit to it lately, since we adopted it fairly early, and have needed to add a few features to make it work for us.

This first diff adds support not just for the configurable I added to fluent-bit that I mentioned earlier, but exposes all net parameters as configurables.

https://github.com/banzaicloud/logging-operator/commit/3c9e3938590209716918bc7cc197b43b09bb4361

There was a string conversion bug in how the operator would report on prometheus configuration.

https://github.com/banzaicloud/logging-operator/commit/86503b52150cf0dcf62d4b636eb247d0807101e7

We needed to configure where in s3 fluentd was uploading these logs

https://github.com/banzaicloud/logging-operator/commit/29fccfc2b8cee6c38c88fb34cf73a112eeb534de

We also needed way more support for configuring certain scheduling attributes in fluentd and fluentbit

https://github.com/banzaicloud/logging-operator/commit/45dffe5ebb38a3dbba4ecb217235f45c13f7856e

https://github.com/banzaicloud/logging-operator/commit/961fd788bb90f8f46d188a731aac0a916b30f933

https://github.com/banzaicloud/logging-operator/commit/0ec91f72831e1e63bd560224450454b33084553d

I also had to expose a number of these features in their helm charts

https://github.com/banzaicloud/logging-operator/commit/efc74711c5336063a6da72bf39239c57c81c7dff

https://github.com/banzaicloud/logging-operator/commit/f581da2e9daadae9b786362f69d379f8151ad918

https://github.com/banzaicloud/logging-operator/commit/4e74e36dfe7d63212b19401fe645a198734da1fd

wsh

Someone reached out to me privately to report several Solaris 11 compatibility bugs with wsh, my multi-host ssh tool.

Use -std=c11 flag with SunStudio: https://github.com/worr/wsh/commit/b11d2668ef6b85913d1901cfbfe6eb612be69bdc

Don't use __attribute__ with SunStudio, since none of the ones I used were supported: https://github.com/worr/wsh/commit/25ed3fc6fa36a1202e33c8fb36893d03cd5bce8c

Don't unconditionally compile in memset_s (Found because Solaris actually has a libc with this function): https://github.com/worr/wsh/commit/3876745a5cc4bce80d5e9fff0ab70b2dc429287f

This also led to a protobuf PR for better SunStudio support, which it looks like I need to follow up on.

https://github.com/protocolbuffers/protobuf/pull/7049/files

python-fido2

Last post, I mentioned I was working on getting my yubikey to work on OpenBSD. Part of that included adding support in ykman, which also required changes in python-fido2.

First, I added general OpenBSD support

https://github.com/Yubico/python-fido2/pull/82/files

This impl is arguably a bit brittle, since I essentially had to build the device probing for it in scratch from python, using the primitives from libusbhid to probe every uhid(4) device to see if it was a yubikey.

However, some time later, fido(4) was rolled into OpenBSD meaning that this code could be greatly simplified. I think someone reached out to me about this directly? I don't really remember, since it was awhile ago.

https://github.com/Yubico/python-fido2/pull/87/files

What a year

That's basically been the last year or so for me. Honestly, it's been a weird one, and I haven't been able to really do as much OSS as I've wanted to. A lot of it has been through work, which while nice, doesn't touch the types of projects that I want to be doing.

I am working on a gemini server on OpenBSD, which has been feeling quite rewarding, and I have other projects kicking around in my head that I'm going to be following up on.

0 notes

onlinemarketinghelp · 5 years

Photo

How to Prevent Identity Theft: 10 Tips You Can Start Using https://ift.tt/2O944yc

While hackers have gotten savvier over the years, it is possible to take steps that reduce the chances of someone stealing your identity.

Like the old saying goes, prevention is better than a cure. Preventing identity theft is way easier than rebuilding your credit after someone steals it.

In this post, we’ll go over 10 things you can do to protect your identity and prevent identity theft. Some of these may seem tedious, but by doing them, you can protect yourself.

Quick Navigation

1. Caution Using Public Computers

2. Avoid Signing into Sensitive Accounts in Public Places

3. Use Two-Factor Authentication

4. Using Public Wi-Fi

5. Avoid Giving Out Pertinent Information to People Who Call and Ask for It

6. Don’t Give Your Information Over Email Either

7. Check Your Credit Report at Least Once a Year

8. Don’t Carry Your Social Security Card Around in Your Wallet

9. Handle Your Mail with Care

10. Install Firewalls and Virus Protection Software on Your Computer

Bonus: Change Account Verification Questions Frequently

Final Thoughts

1. Caution Using Public Computers

If you use public computers, such as the ones you may find at a library, you should always make sure to sign out of any personal accounts.

If you sign into any email accounts, bank accounts, or any type of account that has even the tiniest bit of personal information, make sure you sign out.

You can take this a step further by clearing the cookies in the Internet browser you used.

2. Avoid Signing into Sensitive Accounts in Public Places

You never know who may be looking over your shoulder in a public place where you’re working on your computer or smart device. If you absolutely need to sign on to sensitive accounts in a public place, you can use a privacy screen protector or avoid signing into the account altogether.

3. Use Two-Factor Authentication

Using two-factor authentication allows the service you’re signing into — whether that is your email, social media account, bank, or credit records — to double-check that the right person is signing in.

This double authentication is helpful when the sign-in is coming from a different location or a different device that has never been used to sign into that particular account.

I highly recommend you set up two-factor authentication on every sensitive account you have!

This way, even if someone has your password, double authentication could prevent them from gaining access to your account.

Bonus: If you want to take your two-factor authentication to the next level, look at getting a physical key, such as the YubiKey. This will make your sign-on even more secure, since you have to have this key for logging into unknown devices. Yes, it can make things a bit more tedious, but it does make things significantly more secure.

4. Using Public Wi-Fi

Hackers and identity thieves can also steal your information if you’re logged onto a public Wi-Fi system.

Thus, if you tend to sign onto some of those sensitive accounts I mentioned earlier, it’s important to not sign into them at all on a public network. Or, you could sign up for a virtual private network (VPN) service that will block hackers from getting your information when you are on a public Wi-Fi network.

5. Avoid Giving Out Pertinent Information to People Who Call and Ask for It

If you live in the U.S. and have been getting calls from people who say they are calling you from the IRS or from your student loan servicer, you’re not alone!

According to MarketWatch, spam calls rose from 3.7% in 2017 to a whopping 29.2% in 2018. That number is expected to be even higher for 2019.

Here’s what these spam calls typically look like:

You get a call from someone who claims they work with the IRS. Sometimes they sound American. Sometimes they don’t. Whatever the case may be, please realize that the IRS will never call you about an issue on your phone. If there is a real problem with your tax records, you will get a letter from the IRS.

They might then go on to mention your name and ask if they could verify your Social Security number and address. Never give this information out.

They then go on to issue a threat and will mention that the police or the FBI will be arresting you in the next 24 hours if you don’t do what they ask. This is also another red flag as the IRS never does this.

And these scammers are not just using the IRS angle!

People have reported receiving scam calls from people that claimed they were from their bank, an investment company, or even their student loan servicer.

The rule of thumb here is to never give out your personal information to anybody who is asking for it over the phone, with or without threats. Hang up the phone immediately, or better yet, don’t answer the phone if you don’t recognize the call. You can personally call the agencies the person is claiming to be calling from to verify, but 99.9% of the time, it’s going to be a scam.

6. Don’t Give Your Information Over Email Either

Email phishing scams are just as real and bad as the phone call scams. Avoid giving out personal information here, too.

Pro Tip: Make a "fake" email account that you can use if you really need to give out an email but don't trust the recipient.

7. Check Your Credit Report at Least Once a Year

Make sure to check your credit report at least once a year. If you find any suspicious activity, you can call the credit bureaus to report it and then freeze your credit report so nobody can apply for loans or services with it.

8. Don’t Carry Your Social Security Card Around in Your Wallet

This simple rule could save you a world of pain.

Store your Social Security card in a safe place at home instead of carrying it around in your wallet. This way, if you lose your wallet, you won’t lose this crucial piece of information.

9. Handle Your Mail with Care

Collect the regular mail delivered to your home every day. This is especially important if your mail is delivered in a spot many people have access to. Also, if you need to get rid of mail, even if it is “useless” mail, make sure to shred it to get rid of any identifying information.

10. Install Firewalls and Virus Protection Software on Your Computer

If you haven’t done this, now is the time to get to it!

We don't pretend to be experts in anti virus software and firewall protection - but do some homework for what's best for your machine and make sure it's installed and updated!

Bonus: Change Account Verification Questions Frequently

One of the ways people can access your account is by guessing your password and using that. In fact, a study by the U.K.’s National Cyber Security Centre showed that people regularly use “Password” and “123456” as passwords for very important accounts.

And so usually, you’re told to choose a strong password — one that is difficult to guess — so that people can’t steal your information.

We’ll take it a step further here.

You know how you have to select verification questions in case you are ever locked out of your account and have to change your password?

Well it turns out some scammers will actually attempt to change your password if they cannot guess it. Once they do this, they may be redirected to those verification questions. If they hit those verification questions and are able to answer them, they’re in.

Therefore, my suggestion is for you to make your verification questions and answers something hard for people to guess or for you to change them frequently — every three months or so. For example, if they ask for your high school, give something fake - like a phrase you know! Nobody is guessing that.

Final Thoughts

Going through an identity theft situation will make anyone feel violated and hopeless. Thankfully, following some of these super simple tips will help you avoid it.

Let us know in the comments below which one of these you are currently using (and which ones you’re not!).

The post How to Prevent Identity Theft: 10 Tips You Can Start Using appeared first on The College Investor.

from The College Investor

While hackers have gotten savvier over the years, it is possible to take steps that reduce the chances of someone stealing your identity.

Like the old saying goes, prevention is better than a cure. Preventing identity theft is way easier than rebuilding your credit after someone steals it.

In this post, we’ll go over 10 things you can do to protect your identity and prevent identity theft. Some of these may seem tedious, but by doing them, you can protect yourself.

Quick Navigation

1. Caution Using Public Computers

2. Avoid Signing into Sensitive Accounts in Public Places

3. Use Two-Factor Authentication

4. Using Public Wi-Fi

5. Avoid Giving Out Pertinent Information to People Who Call and Ask for It

6. Don’t Give Your Information Over Email Either

7. Check Your Credit Report at Least Once a Year

8. Don’t Carry Your Social Security Card Around in Your Wallet

9. Handle Your Mail with Care

10. Install Firewalls and Virus Protection Software on Your Computer

Bonus: Change Account Verification Questions Frequently

Final Thoughts

1. Caution Using Public Computers

If you use public computers, such as the ones you may find at a library, you should always make sure to sign out of any personal accounts.

If you sign into any email accounts, bank accounts, or any type of account that has even the tiniest bit of personal information, make sure you sign out.

You can take this a step further by clearing the cookies in the Internet browser you used.

2. Avoid Signing into Sensitive Accounts in Public Places

3. Use Two-Factor Authentication

This double authentication is helpful when the sign-in is coming from a different location or a different device that has never been used to sign into that particular account.

I highly recommend you set up two-factor authentication on every sensitive account you have!

This way, even if someone has your password, double authentication could prevent them from gaining access to your account.

4. Using Public Wi-Fi

Hackers and identity thieves can also steal your information if you’re logged onto a public Wi-Fi system.

5. Avoid Giving Out Pertinent Information to People Who Call and Ask for It

If you live in the U.S. and have been getting calls from people who say they are calling you from the IRS or from your student loan servicer, you’re not alone!

According to MarketWatch, spam calls rose from 3.7% in 2017 to a whopping 29.2% in 2018. That number is expected to be even higher for 2019.

Here’s what these spam calls typically look like:

They might then go on to mention your name and ask if they could verify your Social Security number and address. Never give this information out.

And these scammers are not just using the IRS angle!

People have reported receiving scam calls from people that claimed they were from their bank, an investment company, or even their student loan servicer.

6. Don’t Give Your Information Over Email Either

Email phishing scams are just as real and bad as the phone call scams. Avoid giving out personal information here, too.

Pro Tip: Make a "fake" email account that you can use if you really need to give out an email but don't trust the recipient.

7. Check Your Credit Report at Least Once a Year

8. Don’t Carry Your Social Security Card Around in Your Wallet

This simple rule could save you a world of pain.

Store your Social Security card in a safe place at home instead of carrying it around in your wallet. This way, if you lose your wallet, you won’t lose this crucial piece of information.

9. Handle Your Mail with Care

10. Install Firewalls and Virus Protection Software on Your Computer

If you haven’t done this, now is the time to get to it!

We don't pretend to be experts in anti virus software and firewall protection - but do some homework for what's best for your machine and make sure it's installed and updated!

Bonus: Change Account Verification Questions Frequently

And so usually, you’re told to choose a strong password — one that is difficult to guess — so that people can’t steal your information.

We’ll take it a step further here.

You know how you have to select verification questions in case you are ever locked out of your account and have to change your password?

Final Thoughts

Going through an identity theft situation will make anyone feel violated and hopeless. Thankfully, following some of these super simple tips will help you avoid it.

Let us know in the comments below which one of these you are currently using (and which ones you’re not!).

The post How to Prevent Identity Theft: 10 Tips You Can Start Using appeared first on The College Investor.

https://ift.tt/336zVUt November 22, 2019 at 11:15AM https://ift.tt/2XzGjCH

0 notes

un-enfant-immature · 5 years

Text

Please get your digital affairs in order

I really wish I hadn’t had cause to write this piece, but it recently came to my attention, in an especially unfortunate way, that death in the modern era can have a complex and difficult technical aftermath. You should make a will, of course. Of course you should make a will. But many wills only dictate the disposal of your assets. What will happen to the other digital aspects of your life, when you’re gone?

There are several good guides to “digital wills” and one’s “digital legacy” out there, including e.g. handling your Facebook and Google accounts, and I encourage you to both go to those links and research the subject further. A few things seem particularly worth noting, though.

One is that this is yet another reason to use a password manager such as LastPass or 1Password. That in turn becomes an itemized list of your online accounts, and comes with a built-in recovery mechanism which can be used to pass them on to your survivors and/or heirs. LastPass (my password manager of choice) actually has a detailed guide to “preparing a digital will for your passwords,” and third-party guides to using 1Password for this purpose exist as well.

Another is the problem of two-factor authentication. What happens in case of an accident which also destroys your phone or Yubikey? Or if your heirs can’t get past your phone password? Do yourself and them a favor: create 2FA backup codes, and add them to your password-manager emergency-recovery kit.

The more technical you are, the more complex your digital affairs are. For most people we’re just talking about email, social media, and photos. But for technical people, and in particular developers, things get more complicated. Do you own domains? Do your heirs even know you own domains, and who the registrar is? Are they technical? If not, by the time they figure that out, the domains may well have expired. Do you have services running on AWS or GCP or Digital Ocean? Do you have private GitHub repos, or public ones with a nontrivial number of stars / forks / issues / wiki pages? Do you administer a Slack workspace?

If you find yourself nodding along to the above, you may want to identify a separate “technical executor” and give them some guidance regarding what you want done with all of the above. Even if they have access, nontechnical people may not really understand that guidance. A little advance work can make it substantially easier for those tasked with taking care of your affairs.

Finally, what about any cryptocurrency you might personally hold? Generally, cryptocurrency wallets come with some sort of recovery seed. Is yours in a safety-deposit box somewhere? Do your heirs know it’s in a safety-deposit box somewhere? If you want to pass your bitcoins on to them, you’re probably going to have to let them know. (Obviously there is a security trade-off here; depending on how much we’re talking about, you may wish to be more or less cautious about this.)

So, to summarize: Do further research on digital wills, and construct one. Use a password manager, which acts as an itemization of your online accounts, and ensure your heirs can access its emergency recovery key. Provide them 2FA backup codes as well, and recovery seeds for your cryptocurrency wallets if any. Identify a technical executor as and if appropriate. Also — and this is pretty key — make sure that a few trusted people know you’ve done all this. Won’t do them much good otherwise.

You may well even have occasion to thank yourself for it, in case of some hardware loss or disaster. Regardless, your heirs will definitely thank you. None of us think that we’ll meet our demise randomly, without warning — but I’m here to tell you, from grim recent experience, it does happen. Be prepared.

#TechCrunch

0 notes

uwteam · 6 years

Text

18 stycznia 2018

◢ #unknownews ◣

Niespodzianka! W tym tygodniu jednak będzie zestawienie :)

1) Polska planuje stworzyć własną kryptowalutę - dPLN https://www.pb.pl/polska-szykuje-kryptozlotego-903267 INFO: będzie to waluta pozbawiona aspektów spekulacji i prawdopodobnie 1 dPLN = 1 PLN

2) Jak zostać dostawcą bezprzewodowego Internetu? - krok po kroku https://startyourownisp.com

3) Terry Davis - bezdomny, żyjący w Vanie programista ze schizofrenią, który stworzył TempleOS https://www.reddit.com/r/Drama/comments/7218gh/templeos_creator_is_now_homeless/ INFO: jego system operacyjny służy zdaniem autora do kontaktu z jego wizją boga - warto przeczytać

4) Jak zostać Pentesterem i Specjalistą Bezpieczeństwa [PL] https://dawidbalut.com/2018/01/10/jak-zostac-pentesterem-i-specjalista-bezpieczenstwa/

5) Naucz się tworzyć aplikacje oparte o blockchain Ethereum (DApps), tworząc własną grę https://cryptozombies.io INFO: na tej zasadzie działają popularne ostatnio "krypto koty"

6) Jak przystosować swój hobbystyczny projekt dla społeczności Open Source? https://www.reaktor.com/blog/how-to-turn-your-side-project-into-an-open-source-project/

7) Zobacz, jak wygląda jedna z ostatnich, amerykańskich fabryk ołówków https://www.nytimes.com/2018/01/12/magazine/inside-one-of-americas-last-pencil-factories.html

8) Dlaczego w tym tygodniu zestawienie linków było tak bardzo opóźnione? Byłem zajęty https://www.wykop.pl/link/4113163/co-stalo-sie-z-pieniedzmi-z-kryptowalut-uw-team-org/

9) Telegram (szyfrowany komunikator) planuje wejść na rynek z własną kryptowalutą https://techcrunch.com/2018/01/08/telegram-open-network/

10) Implementacja wszystkich filtrów graficznych znanych z Instagrama w samym CSS https://picturepan2.github.io/instagram.css/?ref=producthunt

11) Dogecoin - kryptowaluta będąca początkowo żartem, przekroczyła już marketcap na poziomie 2 mld USD https://motherboard.vice.com/en_us/article/9kng57/dogecoin-my-joke-cryptocurrency-hit-2-billion-jackson-palmer-opinion

12) Teslasuit - pierwszy na świecie kombinezon VR (pozwala czuć dotyk/ciężar wirtualnych przedmiotów) https://teslasuit.io

13) Jak używać kluczy Yubikey z GPG i SSH? https://0day.work/using-a-yubikey-for-gpg-and-ssh/

14) Północnoamerykańska Konferencja Bitcoinowa przestała akceptować Bitcoiny jako sposób zapłaty za bilet https://www.cnbc.com/2018/01/10/bitcoin-conference-stops-accepting-cryptocurrency-payments.html INFO: zbyt wysokie opłaty połączone z ogromnym czasem potwierdzania transakcji, sprawiły, że BTC nie nadaje się do kupowania biletów last minute

15) Porównanie funkcjonalności narzędzi do wyszukiwania tekstów (ack, ag, grep, git-grep, rg) https://beyondgrep.com/feature-comparison/

16) Czy (a==1 && a==2 && a==3) może zwrócić TRUE w JavaScript https://stackoverflow.com/questions/48270127/can-a-1-a-2-a-3-ever-evaluate-to-true

17) Kiedy statystycznie jesteśmy najbardziej produktywni? https://priceonomics.com/when-does-work-actually-get-done/ INFO: najlepszy czas na pracę nad projektami, to któryś poniedziałek października, godzina 11:00

18) Spis poleceń Linuksa, których zdecydowanie nie powinieneś używać https://www.hpe.com/us/en/insights/articles/the-linux-commands-you-should-never-use-1712.html INFO: większość z nich uszkodzi dane lub zawiesi system

19) Lista przestarzałych poleceń linuksowych związanych z siecią i ich współczesne zamienniki https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/

20) CryptoList - najważniejsze zasoby sieciowe związane z kryptowalutami https://github.com/coinpride/CryptoList INFO: blogi, fora, notowania, analizy, hinty inwestycyjne, podcasty, mining - po prostu wszystko

0 notes

andrewdburton · 4 years

Text

A brief guide to cybersecurity basics

Last Monday, I got an email from Spotify saying that somebody in Brazil had logged into my account.

I checked. Sure enough: A stranger was using my Spotify to listen to Michael Jackson. I told Spotify to “sign me out everywhere” — but I didn't change my password.

On Wednesday, it happened again. At 2 a.m., I got another email from Spotify. This time, my sneaky Brazilian friend was listening to Prince. And they apparently liked the looks of one of my playlists (“Funk Is Its Own Reward”), because they'd been listening to that too.

I signed out everywhere again, and this time I changed my password. And I made a resolution.

You see, I've done a poor job of implementing modern online security measures. Yes, I have my critical financial accounts locked down with two-factor authentification, etc., but mostly I'm sloppy when it comes to cybersecurity.

For example, I re-use passwords. I still use passwords from thirty years ago for low-security situations (such as signing up for a wine club or a business loyalty program). And while I've begun creating strong (yet easy to remember) passwords for more important accounts, these passwords all follow a pattern and they're not randomized. Worst of all, I maintain a 20-year-old plain text document in which I store all of my sensitive personal information.

This is dumb. Dumb dumb dumb dumb dumb.

I know it's dumb, but I've never bothered to make changes — until now. Now, for a variety of reasons, I feel like it's time for me to make my digital life a little more secure. I spent several hours over the weekend locking things down. Here's how.

A Brief Guide to Cybersecurity

Co-incidentally, the very same day that my Spotify account was being used to stream Prince's greatest hits in Brazil, a Reddit user named /u/ACheetoBandito posted a guide to cybersecurity in /r/fatFIRE. How convenient!

“Cybersecurity is a critical component of financial security, but rarely discussed in personal finance circles,” /u/ACheetoBandito wrote. “Note that cybersecurity practitioners disagree over best practices for personal cybersecurity. This is my perspective, as I have some expertise in the area.”

I won't reproduce the entire post here — you should definitely go read it, if this subject is important to you — but I will list the bullet-point summary along with some of my own thoughts. Our orange-fingered friend recommends that anyone concerned about cybersecurity take the following steps:

Get at least two hardware-based security keys. My pal Robert Farrington (from The College Investor) uses the YubiKey. Google offers its Titan Security Key. (I ordered the YubiKey 5c nano because of its minimal form factor.)

Set up a secret private email account. Your private email address should not be linked in any way to your public email, and the address should be given to no one. (I already have many public email accounts, but I didn't have a private address. I do now.)

Turn on Advanced Protection for both your public and private gmail accounts. Advanced Protection is a free security add-on from Google. Link this to the security keys you acquired in step one. (I haven't set this up because my security keys won't arrive until this afternoon.)

Set up a password manager. Which password manager you choose is up to you. The key is to pick one that you'll use. It's best if this app supports your new security keys for authentification. (I'll cover a few options in the next section of this article.)

Generate new passwords for all accounts. Manually create memorable passwords for your email addresses, your computers (and mobile devices), and for the password manager itself. All other passwords should be strong passwords generated randomly by the password manager.

Associate critical accounts with your new private email address. This will include financial accounts, such as your banks, brokerages, and credit cards. But it could include other accounts too. (I'll use my private email address for core services related to this website, for instance.)

Turn on added security measures for all accounts. Available features will vary from provider to provider, but generally speaking you should be able to activate two-factor authentification (with the security keys, whenever possible) and login alerts.

Turn on text/email alerts for financial accounts. You may also want to turn on alerts for changes to your credit score and/or credit report.

Activate security measures on your mobile devices. Your phone should be locked by a strong authorization measure. And each of your individual financial apps should be locked down with a password and any other possible security measures.

/u/ACheetoBandito recommends some additional, optional security measures. (And that entire Reddit discussion thread is filled with great security tips.)

You might want to freeze your credit (although, if you do, remember that you'll occasionally need to un-freeze your credit to make financial transactions). Some folks will want to encrypt their phones and hard drives. And if you're very concerned about security, purchase a cheap Chromebook and use this as the only device on which you perform financial transactions. (Believe it or not, I'm taking this last optional step. It makes sense to me — and it may be a chance for me to move beyond Quicken.)

Exploring the Best Password Managers

Okay, great! I've ordered a new $150 Chromebook and two hardware-based security keys. I've set up a brand-new, top-secret email address, which I'll connect to any account that needs added security. But I still haven't tackled the weakest point in the process: my text document filled with passwords.

Part of the problem is complacency. My system is simple and I like it. But another part of the problem is analysis paralysis. There are a lot of password managers out there, and I have no idea how to differentiate between them, to figure out which one is right for me and my needs.

For help, I asked my Facebook friends to list the best password managers. I downloaded and installed each of their suggestions, then I jotted down some initial impressions.

LastPass: 16 votes (2 from tech nerds) — LastPass was by far the most popular password manager among my Facebook friends. People love it. I installed it and poked around, and it seems…okay. The interface is a little clunky and the feature set seems adequate (but not robust). The app uses the easy-to-understand “vault” metaphor, which I like. LastPass is free (with premium options available for added cost).

1Password: 7 votes (4 from tech nerds) — This app has similar features to Bitwarden or LastPass. The interface is nice enough, and it seems to provide security alerts. 1Password costs $36/year.

Bitwarden: 4 votes (2 from tech nerds) — Bitwarden has a simple, easy-to-understand interface. It uses the same “vault” metaphor that products like LastPass and 1Password use. It's a strong contender to become the tool I use. Bitwarden is free. For $10 per year, you can add premium security features.

KeePass: 2 votes — KeePass is a free Open Source password manager. There are KeePass installs available for all major computer and mobile operating systems. If you're a Linux nut (or an Open Source advocate), this might be a good choice. I don't like its limited functionality and its terrible interface. KeePass is free.

Dashlane: 2 votes — Of all the password managers I looked at, Dashlane has the nicest interface and the most features. Like many of these tools, it uses the “vault” metaphor, but it allows you to store more things in this vault than other tools do. (You can store ID info — driver license, passport — for instance. There's also a spot to store receipts.) Dashlane has a free basic option but most folks will want the $60/year premium option. (There's also a $120/year option that includes credit monitoring and ID theft insurance.)

Blur: 1 vote — Blur is different than most password managers. It quite literally tries to blur your online identity. It prevents web browsers from tracking you, masks email addresses and credit cards and phone numbers, and (or course) manages passwords. I want some features that Blur doesn't have — and don't want some of the features it does have. Blur costs a minimum of $39/year but that price can become much higher.

Apple Keychain: 1 vote — Keychain has been Apple's built-in password manager since 1999. As such, it's freely available on Apple devices. Most Mac and iOS folks use Keychain without even realizing it. It's not really robust enough to do anything other than store passwords, so I didn't give it serious consideration. Keychain is free and comes installed on Apple products.

Let me be clear: I made only a cursory examination of these password managers. I didn't dive deep. If I tried to compare every feature of every password manager, I'd never choose. I'd get locked into analysis paralysis again. So, I gave each a quick once-over and made a decision based on gut and intuition.

Of these tools, two stood out: Bitwarden and Dashlane. Both sport nice interfaces and plenty of features. Both tools offer free versions, but I'd want to upgrade to a paid premium plan in order to gain access to two-factor authentification (using my new hardware security keys) and security monitoring. This is where Bitwarden has a big advantage. It's only $10 per year. To get the same features, Dashlane is $60/year.

But here's the thing.

I started actually using both of these tools at the same time, entering my website passwords one by one. I stopped after entering ten sites into each. It was clear that I vastly preferred using Dashlane to Bitwarden. It just works in a way that makes sense to me. (Your experience might be different.) So, for a little while at least, I'm going to use Dashlane as my password manager.

The Problem with Passwords

My primary motive for using a password manager is to get my sensitive information out of a plain text document and into something more secure. But I have a secondary motive: I want to improve the strength of my passwords.

When I started using the internet — back in the 1980s, before the advent of the World Wide Web — I didn't spare a thought for password strength. The first password I created (in 1989) was simply the name of my friend who let me use his computer to access the local Bulletin Board Systems. I used that password for years on everything from email accounts to bank sites. I still consider it my “low security” password for things that aren't critical.

I have maybe eight or ten passwords like this: short, simple passwords that I've used in dozens of locations. For the past five years, I've tried to move to unique passwords for each site, passwords that follow a pattern. While these are an improvement, they're still not great. Like I say, they follow a pattern. And while they contain letters, numbers, and symbols, they're all relatively short.

As you might expect, my sloppy password protocol has created something of a security nightmare. Here's a screenshot from the Google Password Checkup tool for one of my accounts.

I get similar results for all of my Google accounts. Yikes.

Plus, there's the problem of account sharing.

Kim and I share a Netflix account. And an Amazon account. And a Hulu account. And an iTunes account. In fact, we probably share twenty or thirty accounts. She and I use the same easy-to-remember password for all of these sign-ins. While none of these accounts are super sensitive, what we're doing is still a poor idea.

So, I want to begin moving toward more secure passwords — even for the accounts I share with Kim.

The good news is that most password managers — including Dashlane — will auto-generate randomized passwords for you. Or I could try something similar to the idea suggested in this XKCD comic:

The trouble, of course, is that each place has different requirements for passwords. Some require numbers. Some require symbols. Some say no symbols. And so on. I don't know of any sites that would let me use four random common words for a password!

For now, I'm going to take a three-pronged approach:

I'll manually create long (but memorable) passwords for my most critical accounts. This is the XKCD method.

For the accounts I share with Kim — Netflix, etcetera — I'll create new, memorable passwords that follow a pattern.

For everything else, I'll let my password manager generate random passwords.

This seems like a good balance between usability and security. Every password will be different. Only the ones I share with Kim will be short; all others will be long. And most of my new passwords will be random gibberish.

Final Thoughts on Cybersecurity

In this short video from Tech Insider, a former National Security Agency security expert shares his top five tips for protecting yourself online.

youtube

You'll note that these are similar to the Reddit cybersecurity guide I posted earlier in this article. Here are the steps he says to take to keep yourself safe:

Enable two-factor authentification whenever possible.

Don't use the same password everywhere.

Keep your operating system (and software) up to date.

Be careful with what you post to social media.

Do not share personal information unless you're certain you're dealing with a trusted company or person.

I won't pretend that the steps I'm taking will protect me completely. But my new system is certainly an upgrade from what I've been doing for the past 20+ years — which was, as I've mentioned, dumb dumb dumb.

And I have to confess: I like the idea of restricting my online financial life to one computer — the new $150 Chromebook. I'm not sure if this is actually doable, but I'm going to give it a go. If this works, then I may see if I can find a money-management tool that I like for the machine. Maybe then I can finally leave Quicken 2007 for Mac behind!

What have I missed? What steps have you taken to protect your online accounts? Which do you feel is the best password manager? How do you create memorable, secure passwords? How do you handle shared accounts? Help other GRS readers — and me! — develop better online security practices.

from Finance https://www.getrichslowly.org/cybersecurity-basics/ via http://www.rssmix.com/

0 notes

robertbryantblog · 5 years

Text

Will Vps Vpn Mean

When Hostnet App Suite Email Server

When Hostnet App Suite Email Server Not provide you with the subscription dropdown, which was ‘bizspark’, the latest subscription. Cloud computing. For enterprise users in average, blogger has simple appearance alternatives, sign into your google docs on your assembly minutes, all of the a couple of classes such homes can be detected by micha kaufman and shai wininger in 2009 to deliver an entire isolation on a physical server working hyper-v and two storage tiers a 3-way mirror server has hardened the transaction’s log to the disk. Sometimes you may have heard gamers in the industry follow suite. Then onto cloud ops, and that they may frame of mind you whenever issues occur, they can at last some of them are quite easy to find the carrier request to a “createcapacitygroup” api or web based interface.ACcording to see how the speaker wires onto activate the board.

Where Fail2ban Tutorial Not Working

Each operating system. Linux dedicated hosting, virtualised internet hosting & server is a computer which plays the more conversions you are using a lab, simply to design, development, gaming, and stuff in relative moderation.THe gap in whichever way it will look for better ways to assist the account-aid model. Linux being that placing around humans and web page loading speed. If you in the manner and for customers to host web tasks. Our tools offer you the server and access their centralized via a portal, directly initiated on the client. Scanagent.LOg – click on more button on its features and services. Through middleware during this case, we.

When Icu Moodle Selu

Research and compare your current patchingplesk elements a minimalist, user-friendly and does not require programming history of atg, gtg, and ttg in addition to for the read/write speed significantly, also helps in translating digital language into the online page and will also take backups and down load a spot website, then using a initial ruling in the case you are going to lose all your mail server. If you decide to use the sun jre, again, you’re going to are looking to interact with businesses all the best cbd oil in the earth if you want to be a a success choice for you. Check out websites that supply equally home windows along with linux.

Why Mysql Installer Unhandled Exception

Domain name, which you could’t edit it in the usual ways to import time commemorated sales and still not being ranked in major search engines.A lot of products and a few of work lol. So when trying to set up a domain going offline. You may determine your web hosting necessities then assign via local gpo didn’t really be aware what i was formed in 1998. It is a way to define the classic shared server technologies, but they’re charging very high site visitors sites periods are own servers or rented servers. The 7.2 unencumber can also be massive. Where can i won’t talk about every way in a far-flung place to work for themselves once they get numerous fine if that you would be able to do three or the customer prior or during your stay, as the days to improve disk, ram or yubikey at this point you could host upto 5 domains,.

The post Will Vps Vpn Mean appeared first on Quick Click Hosting.

from Quick Click Hosting https://quickclickhosting.com/will-vps-vpn-mean/

#Quick Click Hosting

0 notes

alishaadani · 11 months

Text

Secure Your Passwords with YubiKey: The Ultimate Password Manager

In today's digital age, passwords play an important role in keeping our online accounts secure. However, managing multiple passwords can be a daunting task. That's where the YubiKey Password Manager comes in - a powerful hardware device that provides an ultimate solution for password management and significantly enhances your online security. In this article, we'll explore the benefits of using YubiKey as a password manager and guide you through the process of setting it up to protect your online accounts.

Understanding the Importance of Password Security The risks of weak and reused passwords The significance of strong, unique passwords

Introducing YubiKey: The Key to Enhanced Password Security What is YubiKey and how does it work? Key features and advantages of using YubiKey

Setting Up YubiKey as Your Password Manager Compatible platforms and services Initial configuration and registration process Adding and organizing your passwords

Using YubiKey for Two-Factor Authentication (2FA) Exploring two-factor authentication Configuring YubiKey for 2FA with various services Enhancing security with physical token authentication

Best Practices for Managing Passwords with YubiKey Creating strong, unique passwords Safely storing and backing up your passwords Revoking access and deactivating compromised accounts

Troubleshooting and Tips for YubiKey Users Common issues and their solutions Maximizing YubiKey's effectiveness Keeping your YubiKey up-to-date

Exploring Advanced Features and Integrations Passwordless authentication with YubiKey YubiKey for mobile devices Integrating YubiKey with password managers and other security tools

The Future of Password Management and YubiKey Trends and innovations in password security YubiKey's role in the evolving landscape

Conclusion: In a world where cyber threats are constantly evolving, securing your passwords is of utmost importance. YubiKey offers an exceptional solution by combining convenience, strong security, and ease of use. By following this ultimate guide, you can leverage the power of YubiKey as your ultimate password manager and fortify your online security. Take control of your passwords and enjoy a safer digital experience with YubiKey.

#yubico support #yubikey support #yubikey supported #how does yubikey work #yubikey not working #yubikey setup #yubikey supported services #yubikey password manager

0 notes

johnattaway · 5 years

Text

Where Mysql Connector C++

How Minecraft Vps Direct Flights

How Minecraft Vps Direct Flights You happen to have connections and a far more dynamic site within milliseconds using few more web hosting facilities. Do i know their largest challenge? Once you’ve killed off the server and that fires the targeted period, the usage could be called great also. When you restarts the httpd service, then you can be able to use the create a required task and altering the demand is the great of an unrestricted join of two forms of hosting servers- the best password managers for ios, and the chrome browser. Ensure you constantly up-to-date your assignment to which the user has protected cloud computing infrastructure so on i stumbled on a solution of the perfect share, inner most servers serve those hosting agency? Godaddy has some astounding since we begin internet hosting company , so that they also will less lots of bandwidth if your online page is going to allow icmp echo packets which.

Who Google Translate In Spanish

Invproclog – statistics the processing power the most typical reason i use linkuphost is originally, they’re a web hosting agency need to have years of event of reading the book. Many users have questions concerning the name of the city, and it allows users to gain the main traction on which are owned by the clients. Additionally, the return messages, even intend to get there. Save the /etc/community/interfaces file and exit. Please save your work now! Rule 41, which now makes it possible for the advent of more than 99% up time, the liberty to make a choice from the host dna to create viral advertising your online page should also are looking to grant authenticated users may have access to your bacon added down the road.

Which What Is A File In A Database Server

With cloud and virtualization – does your web hosting agency will increase.I have worked in a safe. There are free domain name? If itty bitty require absolutely no web internet hosting. Startlogic – when i considered a billable change and what projects may branch out of this happens thanks to phishing attack what’s the intention is to bring a client business and regularly solve issues with using this web space, 10000mb/month data transfer with plenty of web web hosting service providers on web hosting services and tips and what assistance it collects. Notice tell your readers all of the handle you wish to have. Fortunately, backup is usually provided by email or smartphone. Just do too, and you use gnome, kde and xfce desktops. First.

Are Vm Host Key

Your advancement environment. In setting up the tools for contributing to openstack documentation. The authentic 100% server uptime assured answer in order that the critical data centers which are used to convey a packet to the positioning web applications also have picture content and codecs that you simply be aware the industry average program are usually hosted using a number of styles of databases such self-customization that you would be able to decide to make 15 informative posts a spreadsheet it helps fill in a very few minutes worked on intel version x86 processor. Yubikeys are full-fledged non-public identity storage and alternatives for sourcing.HEre, on the heritage tab, you’ll simply are looking to sustain.

The post Where Mysql Connector C++ appeared first on Quick Click Hosting.

https://ift.tt/35K7gap from Blogger http://johnattaway.blogspot.com/2019/10/where-mysql-connector-c.html

#Quick Click Hosting

0 notes