Just a reminder, if your 2FA codes are stored in your cloud provider along with the passwords, you don't have 2FA anymore.
Do NOT turn on Google Authenticator sync, as it significantly decreases your security and apparently gives Google access to them.
If you want to backup your codes, buy a dedicated memory card for your point and shoot camera, and take photos of the QR codes obtained via Transfer accounts -> Export accounts.
If you wanted to protect a high availability #kubernetes or similar #cluster #webserver #server from #hacking, would it be advantageous and possible to use sufficiently different #Linux versions for each #node so that not all nodes have the same #vulnerabilities? Which Linux versions would be most different, and so most unlikely to suffer the same vulnerabilities or #vulnerability, yet work together somehow? Would using a #riscv node with an #arm node and an #intel node offer any #security advantages?
Just shipped some improvements to sudo mode, the 2FA checkpoint and password resets. Besides the redesigned layouts, it now features optional captcha support and implements a random sleep timeout to make brute forcing less useful!
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised. 🧵
Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.
Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.
The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now.
“It’s really frustrating: I want to build cool things on top of LLMs, but a lot of the more ambitious things I want to build—the things that other people are enthusiastically exploring already—become a lot less interesting to me if I can’t protect them against being exploited.” - @simon
ESET buys 18 corporate routers, over half contain "a treasure trove of sensitive data... including corporate credentials, VPN details, cryptographic keys, and more."
Seems a surprising number of organizations don't have robust hardware decommissioning policies in place, or are overlooking network infrastructure equipment.
This is a great series of articles by security researcher Mike Kuketz that documents the data transmission behavior of popular web browsers on their default settings, examining the type of connections they make and what data they "phone home" with:
Please check your dot files for passwords and other secrets, do it today! If you find any, rotate them and remove them from that file. If you ever checked them into source control like git, upload the new copy too. Secrets belong in a keyring, vault, or password manager, not some random file on your disk. If you need them in your shell for one reason or another, check out what APIs or CLIs your password manager or OS keyring may provide; with a bit of scripting you will get far. #Security #passwordhygiene #Shells #dotfiles
Smartphones using the Snapdragon 630 chip were found to call home to Qualcomm without the consent of the user, bypassing the whole operating system. Data includes unique hardware ID, current IP, country, your ISP, list of installed apps and other data.
However, back then it was a Java process at OS level that requested the data, not the firmware.
Should it be true that Qualcomm, instead of fixing the issue properly, simply moved it to a lower level (as @nitrokey implies), this could be huge. Perhaps @kuketzblog is better at analyzing this than me. #privacy #security #android #qualcomm
g10 Code becomes a KDE patron🎉! g10 Code are the creators and maintainers of #GnuPG, the vital #encryption engine 🔒 that is one of the fundamental technologies that ensures #privacy 🔑 and #security online.
The new #Synology #DSM72 release candidate has arrived! DSM 7.2 - 64551 brings all the features from the beta with a lot of new #security patches and updates for the various platforms and frameworks that the system is using.
LineageOS leaves neither a privacy-friendly nor a truly secure impression. It makes no special effort to cut itself off from Google. To be fair, though, it has to be said: they never claimed to. 👇
@Cloudguy as a fun side effect, it "loses" 100% of the privacy and interaction/accessibility settings. Turns off listen "ding" (request sounds), enables the upload-everything "enhancements" (adaptive listening) etc. Anyone resetting Alexa devices should definitely review ALL of the device settings after.
"Loses" because it keeps all of the convenience settings, volumes, alarms, audio mixer, wifi, etc. Must be an accident that privacy and accessibility are reset, right?