Podcasts about u2f

  • 35 podcasts
  • 49 episodes
  • 37m average episode duration
  • Infrequent episodes
  • Latest episode: Mar 24, 2025


Latest podcast episodes about u2f

Open Source Security Podcast
FIDO authentication with William Brown
Mar 24, 2025, 29:26


William Brown tells us all about how confusing and complicated the FIDO authentication universe is, from WebAuthn implementation challenges to flaws in the FIDO metadata service that affect how hardware tokens are authenticated. The conversation covers the spectrum of hardware security key quality, attestation mechanisms, and the barriers preventing open source developers from improving industry standards despite their expertise. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-03-fido_auth_william_brown/

Mac Power Users
754: Passwords, Passkeys, & Beyond, with Damien Schreurs
Jul 21, 2024, 80:10


Damien Schreurs joins the program to talk to Stephen and David about what makes a good password, the deal with passkeys, and Apple's upcoming Passwords application. Hosts: David Sparks and Stephen Hackett. Episode page: http://relay.fm/mpu/754

This episode of Mac Power Users is sponsored by: Sanebox: Stop drowning in email! NetSuite: The leading integrated cloud business software suite. Zocdoc: Find the right doctor, right now with Zocdoc. Sign up for free.

Guest Starring: Damien Schreurs

Links and Show Notes:
  • Sign up for the MPU email newsletter and join the MPU forums.
  • More Power Users: Ad-free episodes with regular bonus segments
  • Submit Feedback
  • Relay FM 10th Anniversary Extravaganza | Hackney Empire
  • Macpreneur
  • Macpreneur - YouTube
  • Damien Schreurs (@damienschreurs) • Instagram
  • Use Passphrases for Your Wi-Fi Network and Streaming Apps | 1Password
  • What is a Rainbow Table & How to Prevent These Attacks
  • Advanced Data Protection for iCloud - Apple Support
  • YubiKey 5 | Authentication for Secure Login | Yubico
  • Token2 T2F2-Dual FIDO2, U2F and TOTP Security Key
  • Passkeys: What they are and how to use them - Google
  • Passkeys.io – A Real-World Passkey Demo & Info Page
  • WebAuthn.io
  • Passkeys Directory
  • OTP Auth - App Store
  • Sign in to apps with your Apple ID using app-specific passwords - Apple Support


GOTO - Today, Tomorrow and the Future
Crafting Robust Architectures for a Resilient Future • Eleanor Saitta & Jez Humble
Oct 13, 2023, 30:23


This interview was recorded at GOTO Aarhus for GOTO Unscripted. gotopia.tech
Read the full transcription of this interview here.

Eleanor Saitta - International Security Researcher & Co-founder of Open Source Tool Trike
Jez Humble - SRE at Google Cloud & Lecturer at UC Berkeley

RESOURCES
Eleanor: dymaxion.org, linkedin.com/in/dymaxion, @Dymaxion, infosec.exchange/@dymaxion
Jez: continuousdelivery.com, github.com/jezhumble, linkedin.com/in/jez-humble, @jezhumble, sre.google/resources

DESCRIPTION
Whether you're building a new system with an established team, trying to tame a legacy ecosystem, or starting from scratch, how you think about security and reliability has a big impact on how hard they are for you to achieve.

In a candid conversation between security expert Eleanor Saitta and technology thought leader Jez Humble, the critical role of architectural clarity in ensuring robust security and resilience comes to the forefront. Saitta emphasizes the necessity of understanding and intentionally designing your architecture, highlighting the challenges faced by organizations in adapting to changing ecosystems. They discuss the dual aspects of security – external services and internal IT operations – shedding light on the potential risks associated with Windows and Office usage.

Hear in this GOTO Unscripted talk about the significance of architectural awareness and basic IT hygiene in safeguarding organizations against security threats.

RECOMMENDED BOOKS
  • Jez Humble & David Farley • Continuous Delivery
  • Jez Humble, Joanne Molesky & Barry O'Reilly • Lean Enterprise
  • Nicole Forsgren, Jez Humble & Gene Kim • Accelerate
  • Liz Rice • Container Security
  • Liz Rice • Kubernetes Security
  • Aaron Parecki • OAuth 2.0 Simplified
  • Aaron Parecki • OAuth 2.0 Servers
  • Erdal Ozkaya • Cybersecurity: The Beginner's Guide
  • Kim, Humble, Debois, Willis & Forsgren • The DevOps Handbook

Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket: gotopia.tech

TOK FM Select
The most popular forms of attack on the Internet. "Scammers make us rob ourselves"
Jun 29, 2023, 25:57


The most common target of online scammers today is the user, not their hardware. What kinds of fraud can we currently encounter in the virtual world? In the next episode of the "Bezpieczni w Internecie" (Safe on the Internet) series, Karol Jurga talks with Piotr Konieczny of Niebezpiecznik.pl. The expert revealed which techniques hackers currently use and how we can try to protect ourselves against them. From the podcast we also learn how mass attacks differ from targeted attacks, how a U2F key works, and why a password manager is a good security measure. Enjoy listening. The podcast is sponsored by Google.

Kodsnack
Kodsnack 526 - Easier than the worse alternatives, with Emil Lundberg
May 23, 2023, 49:35


What is nicer than long, secure passwords? How about no passwords at all? And what if handling them can be both safer and smoother than having passwords, one-time codes and other old-fashioned processes? Emil Lundberg guests on the podcast and talks about passkeys - the new, pleasant and secure way to log in on the web without having to worry about passwords. Where does it come from, how does it work, what is the experience like for users, and not least, what do you as a developer need to think about? A big thank you to Cloudnet, who sponsor our VPS! Do you have comments, questions or tips? We are @kodsnack, @tobiashieta, @oferlund and @bjoreman on Twitter, have a page on Facebook, and can be emailed at info@kodsnack.se if you want to write something longer. We read everything that is sent in. If you like Kodsnack, we would love for you to review us on iTunes! You can also support the podcast by buying us a coffee (or two!) on Ko-fi, or by buying something in our shop.

Links
  • Emil
  • Yubico
  • Yubikey - has been mentioned in a few earlier episodes
  • Webauthn
  • Emil at Jfokus 2022 on Webauthn
  • Passkeys
  • Try out passkeys - demo by Yubico
  • W3C
  • Two-factor authentication
  • Zero account takeovers at Google since they introduced security keys for employees
  • Phishing as a service
  • PGP
  • Windows Hello
  • Dashlane
  • 1Password
  • Yubico's Java library for passkeys
  • GitHub's library webauthn-json
  • U2F - universal 2nd factor
  • User verification - two-factor without passwords
  • Enterprise attestation
  • The autofill UI

Titles
  • A cryptographic key with a USB connector
  • Safer two-factor authentication on the web
  • Like BankID, but even simpler
  • Easier than the worse alternatives
  • Phishing as a service
  • A very technically correct term
  • Really no stranger than BankID
  • A unique identity for every site
  • Between your browser and your server
  • I have verified an extra factor
  • A cryptographic proof
  • The most secure option that is also the most convenient

The Flourishing Introvert Talks
Ep 166 Riding the Peaks and Valleys of Your Life
Apr 12, 2023, 13:20


In this episode, Joanna revisits one of her favourite definitions of "Flourishing" by Dr. Lynn Soots, a positive psychologist, as she focuses on the peaks and valleys of life we all experience. The question is, do we ride them or tolerate them? Tune in as our host uncovers and challenges what a quiet life for an Introvert genuinely entails and what it personally means for her. Although life was never promised to be easy, the spills, thrills, and the variety it throws at us are what make it precious. Hence, rather than resisting, let us embrace the journey and fully feel its richness.

KEY POINTS:
  • Definition of "Flourishing" by Dr. Lynn Soots
  • The meaning of living a quiet life for Joanna
  • What is inner turmoil?
  • Practices to reduce inner turmoil
  • Unnecessary conflict vs. necessary conflict

PRODUCTS / RESOURCES:
  • Email your suggested topics to Joanna@flourishingintroverts.com
  • To register your interest in Unfulfilled to Flourishing: https://quiet.flourishingintroverts.com/U2F
  • What type of Introvert are you? Find out by taking this quiz: yourintroverttype.co.uk
  • Visit Joanna's website here: flourishingintroverts.com
  • Join the Flourishing Introverts Facebook community of like-minded Introverts here: web.facebook.com/groups/Introvertscorner

GOTO - Today, Tomorrow and the Future
The Current State of Cyber Security • Eleanor Saitta & Aino Vonge Corry
Mar 31, 2023, 14:10 (transcription available)


This interview was recorded for GOTO Unscripted at GOTO Amsterdam. gotopia.tech
Read the full transcription of this interview here.

Eleanor Saitta - International Security Researcher & Co-founder of Open Source Tool Trike
Aino Vonge Corry - Author of "Retrospectives Antipatterns"

DESCRIPTION
It's almost a given that you or your company will be hacked one day. How fast and how you react is what makes the difference. Eleanor Saitta explains the ins and outs of an attack and what you should have in place to come through it successfully. The interview is led by Aino Vonge Corry.

RECOMMENDED BOOKS
  • Aino Vonge Corry • Retrospectives Antipatterns
  • Liz Rice • Container Security
  • Liz Rice • Kubernetes Security
  • Aaron Parecki • OAuth 2.0 Simplified
  • Aaron Parecki • OAuth 2.0 Servers
  • Aaron Parecki • The Little Book of OAuth 2.0 RFCs
  • Erdal Ozkaya • Cybersecurity: The Beginner's Guide
  • Richer & Sanso • OAuth 2 in Action
  • Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0

Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket: gotopia.tech

O programach po ludzku!
#35 Don't give your phone to a teenager!
Mar 22, 2023, 15:42


Hi! It has been a while since our last release. Mateusz and I are back with new topics, and I hope we are now back on a regular schedule

Surveillance Report
Signal is Killing SMS - SR107
Oct 20, 2022, 66:27


Signal removing SMS support, Android VPN leaks, Proton adding U2F hardware keys!, Firefox Relay becoming useful, and a lot more - HUGE week! Welcome to the Surveillance Report - featuring Techlore & The New Oil to keep you updated on the newest security & privacy news.

Support The Podcast
Support us on Patreon: https://www.patreon.com/surveillancepod
Monero: 46iGe5D49rpgH4dde32rmyWifMjw5sHy7V2mD9sXGDJgSWmAwQvuAuoD9KcLFKYFsLGLpzXQs1eABRShm1RZRnSy6HgbhQD

Timestamps
SR107 Sources: https://github.com/techlore/channel-content/blob/master/Surveillance%20Report%20Sources/SR107.md
00:00 Introduction
00:54 Support us!
01:18 Highlight Story (Signal Dropping SMS)
14:22 Data Breaches
19:41 Companies
28:06 Research
34:55 Politics
44:38 FOSS
49:33 Misfits
58:01 Q&A
1:05:32 Support us!

Main Sites
Techlore Website: https://techlore.tech
The New Oil Website: https://thenewoil.org/
Surveillance Report Podcast: https://www.surveillancereport.tech/
Odysee: https://odysee.com/@surveillancereport:2
PeerTube: https://apertatube.net/c/surveillancereport/videos

ADAM 13:37
Microsoft's blunder, Intel leak, Apple makes hackers' lives harder, Proton adds U2F, new ransomware in Poland
Oct 16, 2022, 13:37


Podcast site: https://z3s.pl/1337
Rozmowa Kontrolowana: https://z3s.pl/live, starting at 21:00
Join us at the Oh My H@ck conference! December 3 in Warsaw: https://omhconf.pl

Links to the topics discussed:
00:37 New ransomware attacks Poland: https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
02:10 Intel source code leak: https://www.tomshardware.com/news/intel-confirms-6gb-alder-lake-bios-source-code-leak-new-details-emerge
04:07 0-day in Zimbra: https://securelist.com/ongoing-exploitation-of-cve-2022-41352-zimbra-0-day/107703/
05:05 Phishing as a service: https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform
06:07 Proton adds U2F keys: https://proton.me/blog/security-keys
07:39 Microsoft's blunder: https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks/
09:08 Apple makes hackers' lives harder: https://twitter.com/jifa/status/1580835350209265664
11:06 Celsius data leak: https://www.wired.com/story/celsius-user-data-dump-crypto-tracing-scammers/

Should I make more of these? Recommend us to friends, subscribe, listen, watch :)

Security. Cryptography. Whatever.
Passkeys feat. Adam Langley
Aug 11, 2022, 63:01


Adam Langley (Google) comes on the podcast to talk about the evolution of WebAuthN and Passkeys!

David's audio was a little finicky in this one. Believe us, it sounded worse before we edited it. Also, we occasionally accidentally refer to U2F as UTF. That's because we just really love strings.

Transcript: https://share.descript.com/view/pBAXADn8gKW

Links:
  • GoogleIO Presentation
  • WWDC Presentation
  • W3C WebAuthN
  • Adam's blog on passkeys and CABLE
  • Cable / Hybrid PR
  • CTAP spec from FIDO
  • Noise NKPSKDERP

Don't forget about merch! https://merch.securitycryptographywhatever.com/

"Security. Cryptography. Whatever." is hosted by Deirdre Connolly, Thomas Ptacek, and David Adrian.

Kacper Szurek
Tips for improving your security
Jul 11, 2022, 22:59


A few tips that can improve your security: BIK credit-bureau alerts, an account in the E-sąd (e-court) system, third-party liability insurance verification at UFG, WAP billing, a digital will, U2F and 2FA. ✨PDF file: https://cdn.szurek.pl/porady_kacper_szurek.pdf

Enklawa
Na Podsłuchu: NP #047 - The one about U2F keys, which hackers hate
Dec 21, 2021


Link to the video about U2F whose audio track makes up this episode: https://www.youtube.com/watch?v=Zr0PffkN09w&sub_confirmation=1

Na Podsłuchu - Niebezpiecznik.pl
NP #047 - The one about U2F keys, which hackers hate
Dec 18, 2021, 11:52


Link to the video about U2F whose audio track makes up this episode: https://www.youtube.com/watch?v=Zr0PffkN09w&sub_confirmation=1

O programach po ludzku!
#17 What a U2F key is and how it works
Aug 12, 2021, 24:27


Our channel stays away from politics as much as it can, but the government's decision to equip politicians with U2F keys after the email hacking scandal is, in our view, a brilliant one. So in this episode we talk about what the mysterious U2F key is and how it works. Can you use it to open your house or your car? You will find out in this episode!

CyberKurs.Online
S02E04 Email security
Jul 3, 2021, 14:20


Protecting your email

Technical aspects of securing your mailbox:
- Password - unique to your email; use a password manager, e.g. LastPass, described here https://cyberkurs.online/ebook-menedzer-hasel-poradnik/
- MFA/U2F - a second login factor, multi-factor login, e.g. via Google Authenticator, Microsoft Authenticator, or a hardware key such as Yubico https://www.yubico.com/pl/product/security-key-nfc-by-yubico/
- Updating mail clients, computer, phone, browser, antivirus,
- Verifying the domain before logging in to your email.

Behaviour around email:
- Separating personal and professional matters. This applies to: computer, email, phone,
- Ignoring forced password-change demands,
- Consulting someone about things you don't understand,
- Reporting scam attempts,
- Subscribing at https://haveibeenpwned.com/
- How access is recovered - the old mailbox,
- Deleting unused mailboxes,
- Verifying the sender's identity (and intentions).

Handling the mailbox:
- Encrypting content and attachments,
- Deleting old messages,
- Sending messages with an expiry date,
- Checking for forwarding of mail to other addresses.

Would you like to ask something? You can find my contact details here https://cyberkurs.online/kontakt/ and here https://www.facebook.com/ArturMarkiewiczHakerEDUkator/
Which of the methods did you like best? And which was a surprise? :)
PS Are you an email admin? Want tips for administrators? Write to cyberkurs@cyberkurs.online and I will send you a few tips.

O programach po ludzku!
#13 123456 is not a password. Take care of your data!
Mar 11, 2021, 27:00


Did you know that the most commonly used password is 123456? In second place is qwerty. These are frightening facts about how we approach such important matters. I understand that a password is often entered many times a day and we do not feel like generating long, complicated ones. How do we protect ourselves against this, what should we do, how should we live? That is what we talk about in this episode of our podcast O programach po ludzku!

Brakeing Down Security Podcast
2020-022-Andrew Shikiar, FIDO Alliance, removing password from IoT, and discussing FIDO implementation
Jun 10, 2020, 43:12


Andrew Shikiar, executive director and CMO of the FIDO (Fast IDentity Online) Alliance.

What is FIDO? "open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world's over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords."

Did any one event precipitate creation of the FIDO alliance?

UAF = https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)
https://landing.google.com/advancedprotection/
FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess
FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/
IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/
Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework
NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
https://fidoalliance.org/certification/authenticator-certification-levels/
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/content/case-study/
https://loginwithfido.com/provider/

From a threat modeling perspective, how does '2fa' occur when the authenticating method and the browser are on the same device?

Consumer education initiative: https://loginwithfido.com/
IoT Devices - https://fidoalliance.org/internet-of-things/ https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/
For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthN
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics
NTT DOCOMO introduces passwordless authentication for d ACCOUNT
https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev

Brakeing Down Security Podcast
2020-020-Andrew Shikiar - FIDO Alliance - making Cybersecurity more secure
May 27, 2020, 42:18


Andrew Shikiar, executive director and CMO of the FIDO (Fast IDentity Online) Alliance.

What is FIDO? "open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world's over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords."

Did any one event precipitate creation of the FIDO alliance?

UAF = https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)
https://landing.google.com/advancedprotection/
FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess
FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/
IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/
Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework
NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
https://fidoalliance.org/certification/authenticator-certification-levels/
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/content/case-study/
https://loginwithfido.com/provider/

From a threat modeling perspective, how does '2fa' occur when the authenticating method and the browser are on the same device?

Consumer education initiative: https://loginwithfido.com/
IoT Devices - https://fidoalliance.org/internet-of-things/ https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/
For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthN
https://github.com/herrjemand/awesome-webauthn
https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics
NTT DOCOMO introduces passwordless authentication for d ACCOUNT
https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev

Comments, Questions, Feedback: bds.podcast@gmail.com

Just The Tips, with James P. Friel and Dean Holland
How To Protect Your Online Information with Brian Gill, Ep 132
Jan 23, 2020, 41:12


Do you have ideas that you think would make a great start-up business, or are you already in the early stages but still unsure of how to go about it? Today's guest, Brian Gill, will give you a few pointers on how you can set yourself up for success. Brian is the founder and CEO of Gillware Inc., and for the past 15 years his company has helped over 100,000 consumers and companies resolve data-related disasters. For the last 3 years, Gillware has been primarily focused on assisting companies with their out-of-network breach and ransomware incidents. In this episode, Brian shares his expertise on positioning yourself for growth, ransomware, and how businesses can avoid getting hacked. He also gives out his company's Ransomware Stress Test, which benefits mid-sized businesses. The test walks them through a free questionnaire about the state of their IT and gives out a score and remediation tips.

"You don't want to start something that anybody else can do." – Brian Gill

Outline of This Episode
- [03:10] What start-up entrepreneurs should do to position themselves for growth
- [04:56] The process of narrowing ideas when choosing an angel investment
- [08:31] The common theme among the start-ups that became successful
- [22:07] Why entrepreneurs should be aware of ransomware
- [28:53] How not to get hacked, as explained by Brian

How to position yourself for growth
As a seasoned tech CEO and board member who has co-founded 5 successful companies since 2004, Brian is experienced with early-stage fundraising, digital marketing, leading software teams, and project leadership. His advice for start-up entrepreneurs is to bootstrap as far as they can. This is to make sure that they have a large valuation, and they should take more money than they think they will need. You should not get stuck in a fundraising cycle. There should be a minimum of six months for a fundraiser to have any effect.

The angel investing community
Angel investors are typically individuals who have spare cash available and are looking for a higher rate of return than would be given by more traditional investments. In choosing which business to invest in, the community gathers during a pitch and decides if that idea is worth investing in. When at least 2/3 of the group think that the idea is good, then it is worth investing.

What is Ransomware and how can it be avoided?
Ransomware is an emerging form of malware that locks the user out of their files or their device, then demands an anonymous online payment to restore access. It is growing exponentially and is becoming at least a $6 billion problem for businesses and regular people alike. To avoid getting hacked, one's user authentication should be complex, and you should never use the same password for everything online. Password vaults like LastPass are helpful and become the first defense against ransomware. Brian also suggests using U2F, a form of two-factor authentication.

Resources & People Mentioned
- Brian Gill's Website - https://www.gillware.com/
- Brian on LinkedIn - https://www.linkedin.com/in/brian-gill-68997a38/
- Take the Ransomware Stress Test - https://rst.gillware.com/

Music for "Just The Tips" is titled "Happy Happy Game Show" by Kevin MacLeod (http://incompetech.com), licensed under Creative Commons: By Attribution 3.0 License.

Connect With James and Dean

James P. Friel:
- CEO Quickstart: https://jamespfriel.com/ceo-quickstart/
- Facebook Group: https://www.facebook.com/groups/hustledetox/
- Site: www.jamespfriel.com
- Facebook Group (BulletProof Business): https://www.facebook.com/groups/1107362546297055/
- Interested in being a guest on the show?

Dean Holland:
- Blog: www.DeanHolland.com
- FB Page: https://www.facebook.com/DeanHollandHQ
- Billion Dollar Project: https://www.facebook.com/groups/BillionDollarProject/

Just The Tips Podcast:
- Facebook Page: https://www.facebook.com/justthetipsshow/

Ask The Tech Guy
ATG 21: How to Use Hardware Security Keys Like YubiKey for 2FA
Jan 13, 2020, 7:48


Leo explains how to protect your online accounts with Yubico's YubiKey and other hardware security keys for two-factor authentication. Get YubiKey: https://amzn.to/35UYfdD Host: Leo Laporte Download or subscribe to this show at https://twit.tv/shows/ask-the-tech-guy Sponsor: LastPass.com/twit


BSD Now
332: The BSD Hyperbole
Jan 9, 2020, 45:12


Announcing HyperbolaBSD, IPFW In-Kernel NAT setup on FreeBSD, Wayland and WebRTC enabled for NetBSD 9/Linux, LLDB Threading support ready for mainline, OpenSSH U2F/FIDO support in base, Dragonfly drm/i915: Update, and more.

Headlines

HyperbolaBSD Announcement (https://www.hyperbola.info/news/announcing-hyperbolabsd-roadmap/)
Due to the Linux kernel rapidly proceeding down an unstable path, we are planning on implementing a completely new OS derived from several BSD implementations. This was not an easy decision to make, but we wish to use our time and resources to create a viable alternative to the current operating system trends which are actively seeking to undermine user choice and freedom. This will not be a "distro", but a hard fork of the OpenBSD kernel and userspace including new code written under GPLv3 and LGPLv3 to replace GPL-incompatible parts and non-free ones. Reasons for this include:
- Linux kernel forcing adaption of DRM, including HDCP.
- Linux kernel proposed usage of Rust (which contains freedom flaws and a centralized code repository that is more prone to cyber attack and generally requires internet access to use.)
- Linux kernel being written without security in mind. (KSPP is basically a dead project and Grsec is no longer free software)
- Many GNU userspace and core utils are all forcing adaption of features without build time options to disable them. E.g. (PulseAudio / SystemD / Rust / Java as forced dependencies)
As such, we will continue to support the Milky Way branch until 2022 when our legacy Linux-libre kernel reaches End of Life. Future versions of Hyperbola will be using HyperbolaBSD which will have the new kernel, userspace and not be ABI compatible with previous versions. HyperbolaBSD is intended to be modular and minimalist so other projects will be able to re-use the code under free license.
Forum Post (https://forums.hyperbola.info/viewtopic.php?id=315)

A simple IPFW In-Kernel NAT setup on FreeBSD (https://www.neelc.org/posts/freebsd-ipfw-nat/)
After graduating college, I am moving from Brooklyn, NY to Redmond, WA (guess where I got a job). I always wanted to re-do my OPNsense firewall (currently a HP T730) with stock FreeBSD and IPFW's in-kernel NAT. Why IPFW? Benchmarks have shown IPFW to be faster which is especially good for my Tor relay, and because I can! However, one downside of IPFW is less documentation vs PF, even less without natd (which we're not using), and it took me time to figure this out. But since my T730 is already packed, I am testing this on an old PC with two NICs, and my laptop [1] as a client with a USB-to-Ethernet adapter.

News Roundup

HEADS UP: Wayland and WebRTC enabled for NetBSD 9/Linux (https://mail-index.netbsd.org/pkgsrc-users/2020/01/05/msg030124.html)
This is just a heads up that the Wayland option is now turned on by default for NetBSD 9 and Linux in cases where it peacefully coexists with X11. Right now, this affects the following packages: graphics/MesaLib devel/SDL2 www/webkit-gtk x11/gtk3. The WebRTC option has also been enabled by default on NetBSD 9 for two Firefox versions: www/firefox, www/firefox68. Please keep me informed of any fallout. Hopefully, there will be none. If you want to try out Wayland-related things on NetBSD 9, wm/velox/MESSAGE may be interesting for you.

LLDB Threading support now ready for mainline (https://blog.netbsd.org/tnf/entry/lldb_threading_support_now_ready)
Upstream describes LLDB as a next generation, high-performance debugger. It is built on top of the LLVM/Clang toolchain, and features great integration with it. At the moment, it primarily supports debugging C, C++ and ObjC code, and there is interest in extending it to more languages. In February, I started working on LLDB, as contracted by the NetBSD Foundation. So far I've been working on reenabling continuous integration, squashing bugs, improving NetBSD core file support, extending NetBSD's ptrace interface to cover more register types and fix compat32 issues and fixing watchpoint support. Then, I started working on improving thread support which is taking longer than expected. You can read more about that in my September 2019 report. So far the number of issues uncovered while enabling proper threading support has stopped me from merging the work-in-progress patches. However, I've finally reached the point where I believe that the current work can be merged and the remaining problems can be resolved afterwards. More on that and other LLVM-related events happening during the last month in this report.

OpenSSH U2F/FIDO support in base (https://www.undeadly.org/cgi?action=article;sid=20191115064850)
Hardware backed keys can be generated using "ssh-keygen -t ecdsa-sk" (or "ed25519-sk" if your token supports it). Many tokens require to be touched/tapped to confirm this step. You'll get a public/private keypair back as usual, except in this case, the private key file does not contain a highly-sensitive private key but instead holds a "key handle" that is used by the security key to derive the real private key at signing time. So, stealing a copy of the private key file without also stealing your security key (or access to it) should not give the attacker anything.

drm/i915: Update to Linux 4.8.17 (http://lists.dragonflybsd.org/pipermail/commits/2019-December/720257.html)
- Broxton, Valleyview and Cherryview support improvements
- Broadwell and Gen9/Skylake support improvements
- Broadwell brightness fixes from OpenBSD
- Atomic modesetting improvements
- Various bug fixes and performance enhancements

Beastie Bits
- Visual Studio Code port for FreeBSD (https://github.com/tagattie/FreeBSD-VSCode)
- OpenBSD syscall call-from verification (https://marc.info/?l=openbsd-tech&m=157488907117170&w=2)
- Peertube on OpenBSD (https://www.22decembre.eu/en/2019/12/09/peertube-14-openbsd/)
- Fuzzing Filesystems on NetBSD via AFL+KCOV by Maciej Grochowski (https://www.youtube.com/watch?v=bbNCqFdQEyk&feature=youtu.be)
- Twitter Bot for Prop65 (https://twitter.com/prop65bot/status/1199003319307558912)
- Interactive vim tutorial (https://www.openvim.com/)
- First BSD user group meeting in Hamilton, February 11, 2020 18:30 - 21:00, Boston Pizza on Upper James St (http://studybsd.com/)

Feedback/Questions
- Samir - cgit (http://dpaste.com/2B22M24#wrap)
- Russell - R (http://dpaste.com/0J5TYY0#wrap)
- Wolfgang - Question (http://dpaste.com/3MQAH27#wrap)

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv)

BSD Now
328: EPYC Netflix Stack

BSD Now

Play Episode Listen Later Dec 12, 2019 57:43


LLDB Threading support now ready, Multiple IPSec VPN tunnels with FreeBSD, Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance, happy eyeballs with unwind(8), AWS got FreeBSD ARM 12, OpenSSH U2F/FIDO support, and more.

Headlines

LLDB Threading support now ready for mainline (https://blog.netbsd.org/tnf/entry/lldb_threading_support_now_ready)
Upstream describes LLDB as a next generation, high-performance debugger. It is built on top of the LLVM/Clang toolchain, and features great integration with it. At the moment, it primarily supports debugging C, C++ and ObjC code, and there is interest in extending it to more languages. In February, I started working on LLDB, as contracted by the NetBSD Foundation. So far I've been working on reenabling continuous integration, squashing bugs, improving NetBSD core file support, extending NetBSD's ptrace interface to cover more register types and fix compat32 issues and fixing watchpoint support. Then, I started working on improving thread support which is taking longer than expected. You can read more about that in my September 2019 report. So far the number of issues uncovered while enabling proper threading support has stopped me from merging the work-in-progress patches. However, I've finally reached the point where I believe that the current work can be merged and the remaining problems can be resolved afterwards. More on that and other LLVM-related events happening during the last month in this report.

Multiple IPSec VPN tunnels with FreeBSD (https://blog.socruel.nu/text-only/how-to-multiple-ipsec-vpn-tunnels-on-freebsd.txt)
The FreeBSD handbook describes an IPSec VPN tunnel between 2 FreeBSD hosts (see https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html). But it is also possible to have multiple, 2 or more, IPSec VPN tunnels created and running on a FreeBSD host. How to implement and configure this is described below. The requirement is to have 3 locations (A, B and C) connected with IPSec VPN tunnels using FreeBSD (11.3-RELEASE). Each location has 1 IPSec VPN host running FreeBSD (VPN host A, B and C). VPN host A has 2 IPSec VPN tunnels: 1 to location B (VPN host B) and 1 to location C (VPN host C).

News Roundup

Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance (https://www.phoronix.com/scan.php?page=news_item&px=Netflix-NUMA-FreeBSD-Optimized)
Drew Gallatin of Netflix presented at the recent EuroBSDcon 2019 conference in Norway on the company's network stack optimizations to FreeBSD. Netflix was working on being able to deliver 200Gb/s network performance for video streaming out of Intel Xeon and AMD EPYC servers, to which they are now at 190Gb/s+ and in the process that doubled the potential of EPYC Naples/Rome servers and also very hefty upgrades too for Intel. Netflix has long been known to be using FreeBSD in their data centers particularly where network performance is concerned. But wanting to deliver 200Gb/s throughput from individual servers led them to making NUMA optimizations to the FreeBSD network stack. Allocating NUMA local memory for kernel TLS crypto buffers and for backing files sent via sendfile were among their optimizations. Changes to network connection handling and dealing with incoming connections to Nginx were also made. For those just wanting the end result, Netflix's NUMA optimizations to FreeBSD resulted in their Intel Xeon servers going from 105Gb/s to 191Gb/s while the NUMA fabric utilization dropped from 40% to 13%.

unwind(8); "happy eyeballs" (https://marc.info/?l=openbsd-tech&m=157475113130337&w=2)
In case you are wondering why happy eyeballs: It's a variation on this: https://en.wikipedia.org/wiki/Happy_Eyeballs. unwind has a concept of a best nameserver type. It considers a configured DoT nameserver to be better than doing its own recursive resolving. Recursive resolving is considered to be better than asking the dhcp provided nameservers. This diff sorts the nameserver types by quality, as above (validation, resolving, dead...), and as a tie breaker it adds the median of the round trip time of previous queries into the mix. One other interesting thing about this is that it gets us past captive portals without a check URL, that's why this diff is so huge, it rips out all the captive portal stuff (please apply with patch -E): 17 files changed, 385 insertions(+), 1683 deletions(-). Please test this. I'm particularly interested in reports from people who move between networks and need to get past captive portals.

Amazon now has FreeBSD ARM 12 (https://aws.amazon.com/marketplace/pp/B081NF7BY7)
Product Overview: FreeBSD is an operating system used to power servers, desktops, and embedded systems. Derived from BSD, the version of UNIX developed at the University of California, Berkeley, FreeBSD has been continually developed by a large community for more than 30 years. FreeBSD's networking, security, storage, and monitoring features, including the pf firewall, the Capsicum and CloudABI capability frameworks, the ZFS filesystem, and the DTrace dynamic tracing framework, make FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage systems.

OpenSSH U2F/FIDO support in base (https://www.undeadly.org/cgi?action=article;sid=20191115064850)
I just committed all the dependencies for OpenSSH security key (U2F) support to base and tweaked OpenSSH to use them directly. This means there will be no additional configuration hoops to jump through to use U2F/FIDO2 security keys. Hardware backed keys can be generated using "ssh-keygen -t ecdsa-sk" (or "ed25519-sk" if your token supports it). Many tokens require to be touched/tapped to confirm this step. You'll get a public/private keypair back as usual, except in this case, the private key file does not contain a highly-sensitive private key but instead holds a "key handle" that is used by the security key to derive the real private key at signing time. So, stealing a copy of the private key file without also stealing your security key (or access to it) should not give the attacker anything. Once you have generated a key, you can use it normally - i.e. add it to an agent, copy it to your destination's authorized_keys files (assuming they are running -current too), etc. At authentication time, you will be prompted to tap your security key to confirm the signature operation - this makes theft-of-access attacks against security keys more difficult too. Please test this thoroughly - it's a big change that we want to have stable before the next release.

Beastie Bits
- DragonFly - git: virtio - Fix LUN scan issue w/ Google Cloud (http://lists.dragonflybsd.org/pipermail/commits/2019-November/719945.html)
- Really fast Markov chains in ~20 lines of sh, grep, cut and awk (https://0x0f0f0f.github.io/posts/2019/11/really-fast-markov-chains-in-~20-lines-of-sh-grep-cut-and-awk/)
- FreeBSD Journal Sept/Oct 2019 (https://www.freebsdfoundation.org/past-issues/security-3/)
- Michael Dexter is raising money for Bhyve development (https://twitter.com/michaeldexter/status/1201231729228308480)
- syscall call-from verification (https://marc.info/?l=openbsd-tech&m=157488907117170)
- FreeBSD Forums Howto Section (https://forums.freebsd.org/forums/howtos-and-faqs-moderated.39/)

Feedback/Questions
- Jeroen - Feedback (http://dpaste.com/0PK1EG2#wrap)
- Savo - pfsense ports (http://dpaste.com/0PZ03B7#wrap)
- Tin - I want to learn C (http://dpaste.com/2GVNCYB#wrap)

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv)

Mostly Security
100: Give it Some More Shrift

Mostly Security

Play Episode Listen Later Nov 9, 2019 46:14


Episode 100! This episode is Mostly Intro and Followup. Synology and QNAP; Pizza, Root beer, and Mead. Control your Echo with a laser, OpenSSH to support U2F, and beware insider threats. The Untitled Goose Game allows code injection; Fuzzing open source for fun and (no) profit. Could we decay nuclear waste with Ultra Fast lasers? And separation of music into tracks using machine learning. 0:00 - Welcome to episode 100! 3:19 - New Synology 4:29 - Cheese Pizza and Rootbeer Test 5:31 - Digiorno Delivers 8:08 - Making Mead 15:00 - QSnatch 16:02 - OpenSSH to support U2F 17:04 - Laser Controlled Voice Tube 21:19 - Trend Insider 22:18 - Episode 29 23:48 - Untitled Goose Game 27:18 - Fuzzing Libarchive 28:48 - OSS-Fuzz 37:04 - Chirped Pulse Amplification 40:53 - Spleeter  

IT Manager Podcast (DE, german) - IT-Begriffe einfach und verständlich erklärt

The abbreviation FIDO stands for Fast IDentity Online and, put simply, enables strong and secure authentication on the internet, entirely without passwords. As you already know, the combination of username and password has long since ceased to be the holy grail of secure authentication on the internet. So in 2013 the FIDO Alliance was founded. The goal of the non-profit organisation is to develop, together with many different companies, open and licence-free standards for worldwide authentication on the internet and thereby significantly raise online security. To reach this goal, the FIDO Alliance had developed two licence-free standards by 2014, known as U2F and UAF. U2F is the abbreviation for Universal Second Factor. The standard describes a general two-factor authentication. This means that with U2F an existing user authentication method is secured with an additional factor. This extension can be, for example, the use of a token such as a USB stick that holds the information that makes the authentication possible in the first place. The second standard is UAF, which stands for Universal Authentication Framework. The standard describes how to authenticate on the internet without a password. Biometric methods can be used for this, so that a user is asked to authenticate to a device, e.g. by fingerprint. The special thing about this method is that the fingerprint is not forwarded to the server but only contributes to a local authentication, i.e. the user authenticates only to a local device, a so-called FIDO authenticator. That can be a smartphone, for example.
After the local authentication, the device uses asymmetric cryptography to authenticate the user to the server. With the FIDO2 project, the two FIDO standards U2F and UAF were developed further. FIDO2 consists of a web authentication specification, known as WebAuthn, which is responsible for browser-server communication, and the corresponding Client to Authenticator Protocol, CTAP for short, which defines browser-authenticator communication. The new FIDO2 standard replaces the conventional password and introduces the following security levels for authentication: Single-factor authentication: here the password is replaced by possession of the authenticator. Two-factor authentication: here the password is replaced by the authenticator plus knowledge of a PIN previously set on the authenticator. What FIDO2 adds to the earlier standards is that not only possession of the authenticator but, through the use of a PIN for the token, knowledge can be proven as well, so passwords can be dispensed with entirely. How exactly does the authentication process work? The authentication process is handled by a challenge-response procedure, in which the browser takes the role of a relay when authenticating to websites. In detail it works as follows: The website sends a challenge to the client browser, which forwards the challenge together with further data to the authenticator. The authenticator retrieves the credential (private key) set up earlier during registration and verifies the user's knowledge (PIN). If these steps succeed, it creates a digital signature of the challenge and hands it to the browser.
The browser passes the signed challenge on to the website, which verifies the signature and, on successful verification, authenticates the client. The advantage of FIDO authentication is that it relies on the more advanced challenge-response technique, in which the shared secret (the private key) never leaves the authenticator and therefore never has to be transmitted. This has considerable advantages especially when an end device is compromised, since malware such as keyloggers gets no chance to capture information that would enable authentication to a service. On the other hand, important precautions must be taken for the case of losing the authenticator: either set up several authenticators so as not to lock yourself out in the event of a loss, or fall back on restore codes. A last word in closing: at a time when the online security situation is deteriorating drastically, the invention and introduction of open authentication standards is becoming ever more important. Devices compatible with FIDO and FIDO2 offer the highest level of protection against phishing and man-in-the-middle attacks. By now several major web browsers, including Chrome, Firefox and Microsoft Edge, have implemented the standards. Android and Windows 10 also have built-in support for FIDO authentication. Contact: Ingo Lücker, ingo.luecker@itleague.de

Loose Leaf Security
Covering your webcams

Loose Leaf Security

Play Episode Listen Later Aug 22, 2019 30:24


Liz and Geoffrey take a look at how attackers compromise webcams and discuss why it's worth physically covering them. Malware and alleged threats of malware are only some of the avenues attackers take to access other people's webcams; vulnerabilities in legitimate software, like the recent Zoom security flaw, can also be exploited. Additionally, sharing ownership of your devices with another party like your school district or workplace may leave you and your webcams exposed. In the news, the FTC fines Facebook, weaknesses in Apple's iMessage and Visual Voicemail, and U2F support added to Firefox for Android. Show notes, timeline, and full transcript on looseleafsecurity.com

Bli säker-podden
#015 Facebook's turnaround and small USB keys

Bli säker-podden

Play Episode Listen Later May 2, 2019 31:38


This week Facebook held its annual developer conference F8. During it, Facebook founder Mark Zuckerberg said that "the future is private". Tess and Nikka discuss what that actually means and how credible the statement is. They also resume last episode's discussion about Google Authenticator, and Nikka explains how two-factor authentication with the U2F method raises security even further. Bli säker-podden is produced by Nikka Systems together with Bredband2. Read more at nikkasystems.com and bredband2.com.

Open Source Security Podcast
Episode 141 - Timezones are hard, security is harder

Open Source Security Podcast

Play Episode Listen Later Apr 15, 2019 36:14


Josh and Kurt talk about the difficulty of security. We look at the difficulty of the EU not observing daylight savings time, which is probably magnitudes easier than getting security right. We also hit on a discussion on Reddit about U2F that shows the difficulty. Security today is too hard, even for the experts.

Der ichbindochnichthierumbeliebtzusein.com PodCast - Technik, Gadgets, Meinungen und aktuelle Themen, die das Netz und die We
#52 Hurrah for finally more security - WebAuthn is finally being implemented and works in more browsers!

Der ichbindochnichthierumbeliebtzusein.com PodCast - Technik, Gadgets, Meinungen und aktuelle Themen, die das Netz und die We

Play Episode Listen Later Apr 12, 2019 4:50


Hurrah for finally more security - WebAuthn is finally being implemented and works in more browsers! It was the big disappointment of last year's Google I/O: announced beforehand in a big yet quiet way, Google wanted to finally make security at a small price available to all of us. In the form of these small USB sticks (see picture below) that can be used for verification at login and have become known under the name FIDO sticks/keys. Gone are the days when the most secure top models were sold for 70+ euros. There was speculation that Google would use its market power, and the requirement to use the keys across the board for its own accounts in future, to offer a price of around 10 or 15 euros at most. But nothing came, and in the US store a USB stick for 50 dollars then appeared without further comment. Not much gained for the general public... but now... FIDO keys in three variants: 2x USB, 1x NFC, 1x Bluetooth, soon also in your browser! I am a big fan of these FIDO USB sticks. It is currently the most secure two-way method for logins. You just need to always have your USB stick in your pocket and please never lose it; after username and password you are then prompted to plug in the USB stick and touch the golden plate with a finger. And you are verified and logged in. Currently, always assuming you keep your key with you, there is no way to bypass this additional security, apart from the options providers offer under, for example, the item "USB stick lost". So we are talking about security of your account and the data stored there at a very high level. Particularly convenient for everyone who relies on password managers. Most of them, especially the well-known ones, also rely on this two-way authentication to keep the respective "password safes" secure from unauthorised access.
However, there was so far one small problem that, besides the partly horrendous prices of 50 euros and up, held back the use of these sticks: the fact that the previous standard only worked with Google Chrome behind the scenes. Google actually wanted to take care of the price last year already. But as I always say, the colossus Google has become too sluggish. The plan to bring this stick to market for a few euros and slowly make it the "mandatory" security standard for the Google account is history for now. But at least the W3C, the World Wide Web Consortium, has now moved. And with this change, technically speaking a move away from U2F to WebAuthn, Firefox and Edge can now handle the USB sticks alongside the Chrome browser. Since the W3C only finalised the "new" standard, which was previously just a non-binding recommendation, at the end of March, it will take a little while until this works smoothly. But I recommend that you familiarise yourselves with the technology and with the USB sticks as the required hardware today already, even if only in theory through web research! This will push online security far ahead, and all of it in the form of a small USB stick. Without it, nobody gets past the additional prompt that asks for the stick. And so even after successful phishing, access with email and password remains denied. A small fly in the ointment at present: anyone who now eagerly wants to finally register with Google using a newly bought stick currently still has to do this with Google's Chrome browser. It is currently still the only browser that implements the initial registration correctly. Normal logins to existing accounts can, however, also be done via the two other browsers once Firefox and Microsoft have responded.
And sooner or later Google will have rolled out registration to the other browsers too, and then the two-and-a-half most widely used browsers worldwide can be used throughout, by choice and preference, without problems.

Troy Hunt's Weekly Update Podcast

Biometrics and Master Fingerprints; Extensions, Add-ons and Playing Nice with CSP; 2FA, U2F and Google’s Advanced Protection Program; Sponsored by Netsparker https://www.troyhunt.com/weekly-update-113/

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Hunting for Suspicious Processes with OSSEC https://isc.sans.edu/forums/diary/Hunting+for+Suspicious+Processes+with+OSSEC/24122/ NSSLabs Sues Crowdstrike, Symantec, ESET https://www.nsslabs.com/blog/company/advancing-transparency-and-accountability-in-the-cybersecurity-industry/ Bitcoin Core Vulnerability https://motherboard.vice.com/amp/en_us/article/qvakp3/a-major-bug-in-bitcoin-software-could-have-crashed-the-currency?__twitter_impression=true WebAuthn Standard https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet https://fidoalliance.org/

CISO-Security Vendor Relationship Podcast
How CISOs Stay Current When They're Ignoring Vendor Pitches

CISO-Security Vendor Relationship Podcast

Play Episode Listen Later Aug 14, 2018 36:18


We promise to keep your identity private while we discuss the troubles of two-factor authentication. On this episode of the CISO/Security Vendor Relationship Podcast we discuss: Why don't more people use two-factor authentication? Does the UX still suck? Why can't we agree on a common model for how to authenticate? Will U2F be the saving grace for 2FA? Story on the debate. What are the signs your employees are going rogue? We debate the need to monitor employees this way. Are internal intrusions the same as external? Is monitoring the monitoring devices enough? What are the signs? Discussion on LinkedIn and a recommended book: "Nothing to Hide: The False Tradeoff between Privacy and Security." We play a round of "What's Worse?!" It's the game where we determine which is the worst of two really bad practices. In this case, the CISOs have to choose between two unpleasant marketing practices. How do CISOs balance compliance and security: The two aren't equal, but compliance is a means to prove that you're doing security right. Our guest hits it out of the park with a very clear explanation and also how to use compliance to better market your company. How do CISOs discover new solutions: This might as well be the title of this podcast, but we delve into some unique angles that CISOs are taking as they're avoiding traditional pitches from security vendors. Discussion on LinkedIn. Ten-second security tip touting the value of passphrases: See this cartoon for more. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Allan Alford (@AllanAlfordinTX), CISO, Mitel. Special thanks to our sponsor, SentinelOne, for supporting this episode and the podcast. Learn more about their autonomous endpoint protection. Contributions. Contributions. Contributions. 
I am cranking out a ton more content for not just the podcast, but also the entire series so I am very open and receptive to story ideas, suggestions for segments of the podcast, or anything else. Just connect with me on LinkedIn. Sponsor the podcast If you’re interested in sponsoring the podcast, contact David Spark at Spark Media Solutions.

Open Source Security Podcast
Episode 108 - Bluetooth, phishing, airgaps, and eating soup off the floor

Open Source Security Podcast

Play Episode Listen Later Aug 6, 2018 30:35


Josh and Kurt talk about the latest attack on bluetooth and discuss phishing in the modern world. U2F is a great way to stop phishing, training is not. We also discuss airgaps in response to attacks on airgapped power utilities.

Paul's Security Weekly TV
Bluetooth Bug, Tenable, and Cosco - Paul's Security Weekly #569

Paul's Security Weekly TV

Play Episode Listen Later Jul 31, 2018 76:12


Bluetooth bug allows man-in-the-middle attacks on phones and laptops, serial killer electrocutes himself in jail cell sex act, Google launches its own USB-based FIDO U2F keys, and GhostPack. Full Show Notes: https://wiki.securityweekly.com/Episode569 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly

Paul's Security Weekly (Video-Only)
Bluetooth Bug, Tenable, and Cosco - Paul's Security Weekly #569

Paul's Security Weekly (Video-Only)

Play Episode Listen Later Jul 30, 2018 76:12


Bluetooth bug allows man-in-the-middle attacks on phones and laptops, serial killer electrocutes himself in jail cell sex act, Google launches its own USB-based FIDO U2F keys, and GhostPack. Full Show Notes: https://wiki.securityweekly.com/Episode569 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly

Mostly Security
033: Thanks For All The (Lack Of) Phish

Mostly Security

Play Episode Listen Later Jul 27, 2018 35:19


Eric successfully fishes, and Jon fixes his QNAP issue. Google says they haven't been phished since deploying U2F keys in 2017. Chrome flags HTTP sites as 'Not Secure' and Troy posts a video for why HTTPS matters even for static 'marketing' sites. Old movie GIFs and water on Mars.   QNAP Issue was Plex Can't Phish This (Google) Just Having 2FA isn't Perfect Chrome 68 Arrives Integrity Matters https://www.reddit.com/r/silentmoviegifs/ Water On Mars

Fatal Error
70. The Finale

Fatal Error

Play Episode Listen Later Jun 11, 2018 45:41


In the final episode of Fatal Error, Chris and Soroush go through some follow-up, then recap the news from WWDC. 59. Why did they even hire Chris?? Swift Unwrapped Ghost Animoji has a tongue! (h/t @parrots) Platforms State of the Union CodeRunner Steve S Smith Marzipan Thread Jake Marsh on Intents UNNotificationContent.threadIdentifier One of many articles on SMS hijacking via SS7 (search the Web for “SS7 SMS Hijack” for more) YubiKey Social engineering SMS code Chromium Touch ID second factor (Tweet) Published after we recorded the episode: The Pixelbook's power button can double as a U2F security key Thank you for your support! Tweets & photos from the live show at WWDC: From @_ivancr From @_jessetipton From @jbradforddillon From @freak4pc

Na Podsłuchu - Niebezpiecznik.pl
NP #007 - the one about raising the security of your computer

Na Podsłuchu - Niebezpiecznik.pl

Play Episode Listen Later Mar 13, 2018 57:04


What software should you use to raise your level of security on the Internet? Security of connections, security of passwords, security of online payments. In this episode we share the software that we ourselves use. Materials for the episode: https://niebezpiecznik.pl/007/

The Web Platform Podcast
139: The state of CSS moving forward in 2018

The Web Platform Podcast

Play Episode Listen Later Oct 6, 2017 62:34


Summary: This week Eric Meyer joins us to talk about the past, present and future of CSS. Delving into some web history, discussing why CSS can be overlooked in regards to app development and the reasons people can be put off by CSS, this episode is a delightful insight into the mind of a web legend.

Resources: Angular 4.4.X released. Be sure to update to the latest patch in 4.4 as there was an issue with the initial release. Quick shoutout to the npm package ng-packagr for making it simple to package Angular modules for npm. As of Firefox 57.0a1, U2F is sitting behind a flag, which will hopefully land soon and bring the ability to use YubiKeys and related security keys. Polymer 2.1.0 landed, which now allows setting Polymer.passiveTouchGestures to enable better scroll performance. iOS 11 begins rolling out today, which means that Safari 11 has a new set of fixes and features, including more standards-compliant flexbox, flags to enable experimental features, WebRTC and Media Capture for real-time video/audio, and much more. The upcoming iPhone X "notch" does seem to have workarounds for the web, which is good news.

Guests: Eric Meyer (@meyerweb). Panel: Justin Ribeiro (@justinribeiro), Danny Blue (@dee_bloo), Amal Hussein (@nomadtechie). Follow The Web Platform podcast on Twitter for regular updates @TheWebPlatform.

BSD Now
189: Codified Summer

BSD Now

Play Episode Listen Later Apr 12, 2017 153:24


This week on the show we interview Wendell from Level1Techs, cover Google Summer of Code on the different BSD projects, cover YubiKey usage, dive into how NICs work, and more.

Headlines

Google Summer of Code for BSDs. FreeBSD (https://www.freebsd.org/projects/summerofcode.html). FreeBSD's existing list of GSoC ideas for potential students (https://wiki.freebsd.org/SummerOfCodeIdeas): FreeBSD/Xen: import the grant-table bus_dma(9) handlers from OpenBSD; add support for the usbdump file format to Wireshark and vusb-analyzer; write a new boot environment manager; basic smoke test of all base utilities; port OpenBSD's pf testing framework and tests; userspace address space annotation; zstandard integration in libstand; replace the mergesort implementation; test Kload (kexec for FreeBSD); kernel fuzzing suite; integrate MFSBSD into the release building tools; NVMe controller emulation for bhyve; verification of bhyve's instruction emulation; VGA emulation improvements for bhyve; audit framework test suite; add more FreeBSD testing to Xen osstest; Lua in the bootloader; POSIX compliance testing framework; coreclr: add Microsoft's coreclr and corefx to the Ports tree.
NetBSD (https://wiki.netbsd.org/projects/gsoc/). Kernel-level projects, medium: ISDN NT support and Asterisk integration; LED/LCD generic API; NetBSD/azure -- bringing NetBSD to Microsoft Azure; OpenCrypto swcrypto(4) enhancements; scalable entropy gathering; userland PCI drivers. Hard: real asynchronous I/O; parallelize page queues; tickless NetBSD with high-resolution timers. Userland projects, easy: inetd enhancements -- add new features to inetd; curses library automated testing. Medium: make Anita support additional virtual machine systems; create an SQL backend and statistics/query page for ATF test results; lightweight precision user-level time reading; query optimizer for find(1); port launchd; Secure-PLT - supporting RELRO binaries; sysinst alternative interface. Hard: verification tool for NetBSD32. pkgsrc projects, easy: version control config files; spawn support in pkgsrc tools; authentication server meta-package. Medium: pkgin improvements; unify standard installation tasks. Hard: add dependency information to binary packages; tool to find dependencies precisely.

LLVM (http://llvm.org/OpenProjects.html#gsoc17). Fuzzing the Bitcode reader. Description of the project: the optimizer is 25-30% slower when debug info is enabled; it'd be nice to track all the places where we don't do a good job of ignoring it! Extend the clang AST to provide information for the type as written in template instantiations. Description of the project: when instantiating a template, the template arguments are canonicalized before being substituted into the template pattern. Clang does not preserve type sugar when subsequently accessing members of the instantiation. Clang should "re-sugar" the type when performing member access on a class template specialization, based on the type sugar of the accessed specialization. Shell auto-completion support for clang.
Bash and other shells support typing a partial command and then automatically completing it for the user (or at least providing suggestions how to complete) when pressing the tab key. This is usually only supported for popular programs such as package managers (e.g. pressing tab after typing "apt-get install late" queries the APT package database and lists all packages that start with "late"). As of now clang's frontend isn't supported by any common shell. Clang-based C/C++ diff tool. Description of the project: Every developer has to interact with diff tools daily. The algorithms are usually based on detecting "longest common subsequences", which is agnostic to the file type content. A tool that would understand the structure of the code may provide a better diff experience by being robust against, for example, clang-format changes. Find dereference of pointers. Description of the project: Find dereference of pointer before checking for nullptr. Warn if virtual calls are made from constructors or destructors. Description of the project: Implement a path-sensitive checker that warns if virtual calls are made from constructors and destructors, which is not valid in case of pure virtual calls and could be a sign of user error in non-pure calls. Improve Code Layout Description of the project: The goal for the project is trying to improve the layout/performances of the generated executable. The primary object format considered for the project is ELF but this can be extended to other object formats. The project will touch both LLVM and lld. Why Isn't OpenBSD in Google Summer of Code 2017? 
(http://marc.info/?l=openbsd-misc&m=149119308705465&w=2). Hacker News discussion thread (https://news.ycombinator.com/item?id=14020814).

Turtles on the Wire: Understanding How the OS Uses the Modern NIC (http://dtrace.org/blogs/rm/2016/09/15/turtles-on-the-wire-understanding-how-the-os-uses-the-modern-nic/). Sections: The Simple NIC; MAC Address Filters and Promiscuous Mode; Problem: The Single Busy CPU; A Swing and a Miss; Nine Rings for Packets Doomed to be Hashed; Problem: Density, Density, Density; A Brief Aside: The Virtual NIC; Always Promiscuous?; The Classification Challenge; Problem: CPUs are too 'slow'; Problem: The Interrupts are Coming in too Hot; Solution One: Do Less Work; Solution Two: Turn Off Interrupts; Recapping; Future Directions and More Reading.

Make Dragonfly BSD great again! (http://akat1.pl/?id=3). Recently I spent some time reading Dragonfly BSD code. While doing so I spotted a vulnerability in the sysvsem subsystem that lets a user point to any piece of memory and write data through it (including the kernel space). This can be turned into execution of arbitrary code in the kernel context and by exploiting this, we're gonna make Dragonfly BSD great again! Dragonfly BSD is a BSD system which originally comes from the FreeBSD project. In 2003 Matthew Dillon forked code from the 4.x branch of FreeBSD and started a new flavour. I thought of Dragonfly BSD as just another fork, but during EuroBSDCon 2015 I accidentally saw the talk about the graphical stack in Dragonfly BSD. I confused rooms, but it was too late to escape as I was sitting in the middle of a row, and the exit seemed light years away from me. :-) Anyway, this talk was a sign to me that it's not just a niche of a niche of a niche of a niche operating system. I recommend spending a few minutes of your precious time to check out the HAMMER file system, Dragonfly's approach to MP, process snapshots and other cool features that it offers.
The Wikipedia article is a good starter. With the exploit, they are able to change the name of the operating system back to FreeBSD, and escalate from an unprivileged user to root. The bug itself is located in the semctl(2) system call implementation. bcopy(3) in line 385 copies the semid_ds structure to the memory pointed to by arg->buf; this pointer is fully controlled by the user, as it's one of the syscall's arguments. So the bad thing here is that we can copy things to an arbitrary address, but we have no idea what we copy yet. This code was introduced by wrongly merging code from the FreeBSD project; bah, bugs happen. Using this access, the example code shows how to overwrite the function pointers in the kernel used for the open() syscall, and how to overwrite the ostype global, changing the name of the operating system. In the second example, the reference to the credentials of the user trying to open a file is used to overwrite that data, making the user root. The bug was fixed in an uber fast manner (within a few hours!) by Matthew Dillon; version 4.6.1, released shortly after that, seems to be safe. In case you care, you know what to do! Thanks to Mateusz Kocielski for the detailed post and for finding the bug. ***

Interview - Wendell - wendell@level1techs.com (mailto:wendell@level1techs.com) / @tekwendell (https://twitter.com/tekwendell). Host of the Level1Techs website, podcast and YouTube channel.

News Roundup

Using yubikeys everywhere (http://www.tedunangst.com/flak/post/using-yubikeys-everywhere). Ted Unangst is back, with an interesting post about YubiKeys. Everybody is getting real excited about yubikeys recently, so I figured I should get excited, too. I have so far resisted two factor authorizing everything, but this seemed like another fun experiment. There's a lot written about yubikeys and how you should use one, but nothing I've read answered a few of the specific questions I had. To begin with, I ordered two yubikeys. One regular sized 4 and one nano.
I wanted to play with different form factors to see which is better for various uses, and I wanted to test having a key and a backup key. Everybody always talks about having one yubikey. And then if you lose it, terrible things happen. Can this problem be alleviated with two keys? I'm also very curious what happens when I try to login to a service with my phone after enabling U2F. We've got three computers (and operating systems) in the mix, along with a number of (mostly web) services. Wherever possible, I want to use a yubikey both to login to the computer and to authorize myself to remote services. I started my adventure on my chromebook. Ultimate goal would be to use the yubikey for local logins. Either as a second factor, or as an alternative factor. First things first and we need to get the yubikey into the account I use to sign into the chromebook. Alas, there is apparently no way to enroll only a security key for a Google account. Every time I tried, it would ask me for my phone number. That is not what I want. Zero stars. Giving up on protecting the chromebook itself, at least maybe I can use it to enable U2F with some other sites. U2F is currently limited to Chrome, but it sounds like everything I want. Facebook signup using U2F was pretty easy. Go to account settings, security subheading, add the device. Tap the button when it glows. Key added. Note that it's possible to add a key without actually enabling two factor auth, in which case you can still login with only a password, but no way to login with no password and only a USB key. Logged out to confirm it would check the key, and everything looked good, so I killed all my other active sessions. Now for the phone test. Not quite as smooth. Tried to login, the Facebook app then tells me it has sent me an SMS and to enter the code in the box. But I don't have a phone number attached. I'm not getting an SMS code. Meanwhile, on my laptop, I have a new notification about a login attempt. 
Follow the prompts to confirm it's me and permit the login. This doesn't have any effect on the phone, however. I have to tap back, return to the login screen, and enter my password again. This time the login succeeds. So everything works, but there are still some rough patches in the flow. Ideally, the phone would more accurately tell me to visit the desktop site, and then automatically proceed after I approve. (The messenger app crashed after telling me my session had expired, but upon restarting it was able to borrow the Facebook app credentials and I was immediately logged back in.) Let's configure Dropbox next. Dropbox won't let you add a security key to an account until after you've already set up some other mobile authenticator. I already had the Duo app on my phone, so I picked that, and after a short QR scan, I'm ready to add the yubikey. So the key works to access Dropbox via Chrome. Accessing Dropbox via my phone or Firefox requires entering a six digit code. No way to use a yubikey in a three legged configuration. I don't use GitHub, but I know they support two factors, so let's try them next. Very similar to Dropbox. In order to set up a key, I must first set up an authenticator app. This time I went with Yubico's own desktop authenticator. Instead of scanning the QR code, type in some giant number (on my Windows laptop), and it spits out an endless series of six digit numbers, but only while the yubikey is inserted. I guess this is kind of what I want, although a three pound yubikey is kind of unwieldy. As part of my experiment, I noticed that Dropbox verifies passwords before even looking at the second auth. I have a feeling that they should be checked at the same time. No sense allowing my password guessing attack to proceed while I plot how to steal someone's yubikey.
In a sense, the yubikey should serve as a salt, preventing me from mounting such an attack until I have it, thus creating a race where the victim notices the key is gone and revokes access before I learn the password. If I know the password, the instant I grab the key I get access. Along similar lines, I was able to complete a password reset without entering any kind of secondary code. Having my phone turn into a second factor is a big part of what I'm looking to avoid with the yubikey. I'd like to be able to take my phone with me, logged into some sites but not all, and unable to login to the rest. All these sites that require using my phone as mobile authenticator are making that difficult. I bought the yubikey because it was cheaper than buying another phone! Using the Yubico desktop authenticator seems the best way around that. The article also provides instructions for configuring the Yubikey on OpenBSD. A few notes about OTP. As mentioned, the secret key is the real password. It's stored on whatever laptop or server you login to. Meaning any of those machines can take the key and use it to login to any other machine. If you use the same yubikey to login to both your laptop and a remote server, your stolen laptop can trivially be used to login to the server without the key. Be mindful of that when setting up multiple machines. Also, the OTP counter isn't synced between machines in this setup, which allows limited replay attacks. Ted didn't switch his SSH keys to the Yubikey, because it doesn't support ED25519, and he just finished rotating all of his keys and doesn't want to do it again. I did most of my experimenting with the larger yubikey, since it was easier to move between machines. For operations involving logging into a web site, however, I'd prefer the nano. It's very small, even smaller than the tiniest wireless mouse transceivers I've seen.
So small, in fact, I had trouble removing it because I couldn't find anything small enough to fit through the tiny loop. But probably a good thing. Most other micro USB gadgets stick out just enough to snag when pushing a laptop into a bag. Not the nano. You lose a port, but there's really no reason to ever take it out. Just leave it in, and then tap it whenever you login to the tubes. It would not be a good choice for authenticating to the local machine, however. The larger device, sized to fit on a keychain, is much better for that. It is possible to use two keys as backups. Facebook and Dropbox allow adding two U2F keys. This is perhaps a little tiresome if there's lots of sites, as I see no way to clone a key. You have to login to every service. For challenge response and OTP, however, the personalization tool makes it easy to generate lots of yubikeys with the same secrets. On the other hand, a single device supports an infinite number of U2F sites. The programmable interfaces like OTP are limited to only two slots, and the first is already used by the factory OTP setup.

What happened to my vlan (http://www.grenadille.net/post/2017/02/13/What-happened-to-my-vlan). A long term goal of the effort I'm driving to unlock OpenBSD's Network Stack is obviously to increase performance. So I understand that you find it confusing when some of our changes introduce performance regressions. It is just really hard to do incremental changes without introducing temporary regressions. But as much as security is a process, improving performance is also a process. Recently markus@ told me that vlan(4) performance dropped in the last releases. He had some ideas why but he couldn't provide evidence. So what really happened? Hrvoje Popovski was kind enough to help me with some tests. He first confirmed that on his Xeon box (E5-2643 v2 @ 3.50GHz), forwarding performance without pf(4) dropped from 1.42Mpps to 880Kpps when using vlan(4) on both interfaces.
Together vlan_input() and vlan_start() represent 25% of the time CPU1 spends processing packets. This is not exactly between 33% and 50% but it is close enough. The assumption we made earlier is certainly too simple. If we compare the amount of work done in process context, represented by if_input_process(), we clearly see that half of the CPU time is not spent in ether_input(). I'm not sure how this is related to the measured performance drop. It is actually hard to tell since packets are currently being processed in 3 different contexts. One of the arguments mikeb@ raised when we discussed moving everything into a single context is that it is simpler to analyse and hopefully make it scale. With some measurements, a couple of nice pictures, a bit of analysis and some educated guesses we are now in a position to say that the performance impact observed with vlan(4) is certainly due to the pseudo-driver itself. A decrease of 30% to 50% is not what I would expect from such a pseudo-driver. I originally heard that the reason for this regression was the use of SRP but by looking at the profiling data it seems to me that the queuing API is the problem. In the graph above the CPU time spent in if_input() and if_enqueue() from vlan(4) is impressive. Remember, in the case of vlan(4) these operations are done per packet! When if_input() was introduced the queuing API did not exist and putting/taking a single packet on/from an interface queue was cheap. Now it requires a mutex per operation, which in the case of packets received and sent on vlan(4) means grabbing three mutexes per packet. I still can't say if my analysis is correct or not, but at least it could explain the decrease observed by Hrvoje when testing multiple vlan(4) configurations. vlan_input() takes one mutex per packet, so it decreases the number of forwarded packets by ~100Kpps on this machine, while vlan_start(), taking two mutexes, decreases it by ~200Kpps.
An interesting analysis of the routing performance regression on OpenBSD. I have asked Olivier Cochard-Labbe about doing a similar comparison of routing performance on FreeBSD when a vlan pseudo interface is added to the forwarding path. ***

NetBSD: the first BSD introducing a modern process plugin framework in LLDB (https://blog.netbsd.org/tnf/entry/netbsd_the_first_bsd_introducing). Clean up in ptrace(2) ATF tests: We have created some maintenance burden for the current ptrace(2) regression tests. The main issues with them are code duplication and the splitting between generic (Machine Independent) and port-specific (Machine Dependent) test files. I've eliminated some of the ballast and merged tests into the appropriate directory tests/lib/libc/sys/. The old location (tests/kernel) was a violation of the tests/README recommendation. PTRACE_FORK on !x86 ports: Along with the motivation from Martin Husemann we have investigated the issue with the PTRACE_FORK ATF regression tests. It was discovered that these tests aren't functional on evbarm, alpha, shark, sparc and sparc64 and likely on other non-x86 ports. We have discovered that there is a missing SIGTRAP emitted from the child during the fork(2) handshake. The proper order of operations is as follows: the parent emits SIGTRAP with si_code=TRAP_CHLD and pe_set_event=pid of forkee; the child emits SIGTRAP with si_code=TRAP_CHLD and pe_set_event=pid of forker. Only the x86 ports were emitting the second SIGTRAP signal. PT_SYSCALL and PT_SYSCALLEMU: With the addition of PT_SYSCALLEMU we can implement a virtual kernel syscall monitor. It means that we can fake syscalls within a debugger. In order to achieve this feature, we need to use the PT_SYSCALL operation, catch SIGTRAP with si_code=TRAP_SCE (syscall entry), call PT_SYSCALLEMU and perform an emulated userspace syscall that would have been done by the kernel, followed by calling another PT_SYSCALL with si_code=TRAP_SCX.
What has been done in LLDB: A lot of work has been done with the goal of getting breakpoints functional. This target penetrated bugs in the existing local patches and unveiled missing features required to be added. My initial test was tracing a dummy hello-world application in C. I have sniffed the GDB Remote Protocol packets and compared them between Linux and NetBSD. This helped to streamline both versions and bring the NetBSD support to the required Linux level. Plan for the next milestone: I've listed the following goals for the next milestone: watchpoints support; floating point registers support; enhance core(5) and make it work for multiple threads; introduce PT_SETSTEP and PT_CLEARSTEP in ptrace(2); support threads in the NetBSD Process Plugin; research F_GETPATH in fcntl(2). Beyond the next milestone is x86 32-bit support.

LibreSSL 2.5.2 released (https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.2-relnotes.txt). Added the recallocarray(3) memory allocation function, and converted various places in the library to use it, such as CBB and BUF_MEM_grow. recallocarray(3) is similar to reallocarray. Newly allocated memory is cleared similar to calloc(3). Memory that becomes unallocated while shrinking or moving existing allocations is explicitly discarded by unmapping or clearing to 0. Added new root CAs from SECOM Trust Systems / Security Communication of Japan. Added EVP interface for MD5+SHA1 hashes. Fixed DTLS client failures when the server sends a certificate request. Correct handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection. Allow protocols and ciphers to be set on a TLS config object in libtls. Improved nc(1) TLS handshake CPU usage and server-side error reporting.
Beastie Bits: HardenedBSD Stable v46.16 released (http://hardenedbsd.org/article/op/2017-03-30/stable-release-hardenedbsd-stable-11-stable-v4616). KnoxBUG looking for OpenBSD people in Knoxville TN area (https://www.reddit.com/r/openbsd/comments/5vggn7/knoxbug_looking_for_openbsd_people_in_knoxville/). KnoxBUG Tuesday, April 18, 2017 - 6:00pm: Caleb Cooper: Advanced BASH Scripting (http://knoxbug.org/2017-04-18). e2k17 Nano hackathon report from Bob Beck (http://undeadly.org/cgi?action=article&sid=20170405110059). Noah Chelliah, Host of the Linux Action Show, calls Linux a 'Bad Science Project' and ditches Linux for TrueOS (https://youtu.be/yXB85_olYhQ?t=3238). ***

Feedback/Questions: James - ZFS Mounting (http://dpaste.com/1H43JGV#wrap). Kevin - Virtualization (http://dpaste.com/18VNAJK#wrap). Ben - Jails (http://dpaste.com/0R7CRZ7#wrap). Florian - ZFS and Migrating Linux userlands (http://dpaste.com/2Z1P23T#wrap). q5sys - question for the community (http://dpaste.com/26M453F#wrap).

Brakeing Down Security Podcast
2017-013-Multi-factor Auth implementations, gotchas, and solutions with Matt

Brakeing Down Security Podcast

Play Episode Listen Later Apr 12, 2017 48:44


Most everyone uses some kind of multi-factor or "2 Factor Authentication". But our guest this week (who is going by "Matt", @infosec_meme) wanted to discuss some gotchas with regard to 2FA or MFA, the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever, and we finally discuss other methods of 2FA that don't just require a PIN from a mobile device or token. We also discuss its use with concepts like "BeyondCorp", which is Google's concept of "Software Defined Perimeter" that we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3). This is a great discussion for people looking to implement 2FA at their organization, or who need ammunition if your boss thinks that all security is solved by using Google Auth. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3 Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 --------- Jay Beale's class "Aikido on the command line: hardening and containment", July 22-23 & July 24-25 at BlackHat 2017: https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html --------- Join our #Slack Channel!
Sign up at https://brakesec.signup.team #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast #iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/   Show Notes:   What does MFA try to solve: Mitigate password reuse Cred theft - Someone stealing credentials from embarassingadultsite.com and turns they work out on a totallyserious.gov RDP server Phishing bad - same as above, except now you convince someone totallyseriousgov.com is legit and they give you credentials   Cred theft: Getting to the point where old mate literally has more password dumps than time https://www.troyhunt.com/i-just-added-another-140-data-breaches-to-have-i-been-pwned/ Honestly not going away, and combined with password reuse makes things pretty bad   Phishing: Happens. META: do we need to back this up with some stats?  https://blog.barkly.com/phishing-statistics-2016   MFA / Bad things happening with that: AU Telecommunications provider sent multifactor SMS to wrong people https://www.itnews.com.au/news/telstra-sending-sms-to-wrong-numbers-after-exchange-fire-449690 RSA was owned years ago - and had to reissue a bunch of tokens http://money.cnn.com/2011/06/08/technology/securid_hack/ https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/?_r=0 On the plus side, obviously increased cost to attacker significantly to do that Phishing frameworks are everywhere Misc / Turns out U2F makes phishing kind of dead? 
(Read first amendment) https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/ Appears backed up by the spec ('Origin' / https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.pdf)   Phishing/2FA/Solutions? a) What does multifactor actually solve? b) Are we (infosec industry) issuing multifactor solutions to people just so people make money? c) Do these things give a *false* sense of security? d) What do you think about storing the token on the same box? Especially given an actor on the box is just going to steal creds as they're entered.   Internal training / is this actually working? Australia Post didn't think so https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987   Counterpoints: It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 ) C: I don't like running some silly app on my phone C: I also don't like running around with a physical token C: Embedding a Yubico nano in my usb slot leaves me with one usb port left Also doesn't solve when someone just steals that token   Does any of it matter: Beyondcorp / "Let's make the machine's state be part of the credential" https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf Tl;dr of paper: TPMs, certificates and a lot of health checks - think of NAC on steroids Is there some way we (not google) can make it so a credential is worthless?   Solutions: Duo / "There's an app on my phone and it has context about what wants to do something right now" Probably a step in the right direction Kind of like some Aus banks which SMS you before transferring $X to Y account Okta - (grab links to spec) META // Does this actually solve it?
OAUTH - (grab links to spec) Attacking OAUTH - https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/ META // It’s not MFA, but it makes the cost of unrelated compromise significantly lower META // Engineering things to short lived secrets is a better idea   I think one of the better ideas being put out was by google in 2014, the ‘beyondcorp’ project (https://research.google.com/pubs/pub43231.html), simply put: The devices used everywhere are chromebooks run in standard mode rather than developer mode (Whitelisting For Free™) Everything is a web app Everything else can’t run due to app whitelisting built-in The device needs to also authenticate before the user can do anything, and is used as part of the judgement for access control engines Everything cares about the machine the user is using - It’s part of the credential Passwords are no longer important and it’s all single sign on Suddenly credential theft doesn’t matter The device uses certificates to attest to its current state, so stolen passwords without a valid device don’t matter As the device is a glorified web browser, and has app whitelisting, you’re not going to get code execution on it, malware no longer matters Caveat, someone will probably think of some cool technique and that’ll ruin everything See: Problem of induction / “Black swan event”   Obviously this is a massive undertaking and would require massive overhaul of everything, but it did look like Google were able to pull it off in the end. (https://research.google.com/pubs/pub44860.html).   
Tavis is banging on LastPass again…  https://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/   Duo Security // Beyondcorp https://duo.com/blog/beyondcorp-for-the-rest-of-us More info on Beyondcorp https://www.beyondcorp.com   Misc// Hey google wrote a paper on U2F a while back http://fc16.ifca.ai/preproceedings/25_Lang.pdf Touched on briefly / “Secure Boot Stack and Machine Identity” at Google - Servers which need to boot up into a given state (Sounds like U/EFI except ‘ Google-designed security chip’) https://cloud.google.com/security/security-design/resources/google_infrastructure_whitepaper_fa.pdf META // Patrick Gray (sic) interviewed Duo last week and talked about the same thing https://risky.biz/RB448/
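The notes above point at the Evilginx reverse-proxy bypass and at the ‘Origin’ field in the U2F 1.1 spec as the reason U2F resists it. The following Go program is an added example, not code from the episode, from Evilginx or from the FIDO spec authors; it simulates the U2F authentication message (SHA-256(appId) || user-presence byte || counter || SHA-256(clientData)) with a stdlib P-256 key and shows why relaying a captured response through a proxy fails at the relying party: the browser writes the origin it actually loaded into clientData, the token signs over its hash, and the RP checks that origin against the set it is really served from. The RP name `login.example.com`, the phishing host `login.example.com.evil.test` and the challenge string are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData is built by the browser, not the token. The token signs over SHA-256(clientData),
// which binds the origin the browser actually saw into the signature (U2F 1.1 ClientData fields).
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// relyingParty is the per-user state an RP needs to verify an authentication response.
type relyingParty struct {
	AppID          string          // appParam = SHA-256(AppID)
	AllowedOrigins map[string]bool // origins this RP is really served from
	PubKey         *ecdsa.PublicKey
}

// signedBytes is exactly what a U2F token signs at authentication time:
// SHA256(appId) || 0x01 (user present) || big-endian counter || SHA256(clientData).
func signedBytes(appID string, counter uint32, cdJSON []byte) []byte {
	appParam, challengeParam := sha256.Sum256([]byte(appID)), sha256.Sum256(cdJSON)
	var buf bytes.Buffer
	buf.Write(appParam[:])
	buf.WriteByte(0x01)
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(challengeParam[:])
	return buf.Bytes()
}

// tokenSign simulates the token: it never parses the origin, it just signs what the browser hands it.
func tokenSign(priv *ecdsa.PrivateKey, appID string, counter uint32, cdJSON []byte) []byte {
	h := sha256.Sum256(signedBytes(appID, counter, cdJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the RP-side check. Origin and challenge are tested before the signature,
// so a relayed response is rejected even though its signature is genuine.
func (rp *relyingParty) Verify(issued string, cdJSON []byte, counter uint32, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Typ != "navigator.id.getAssertion" {
		return fmt.Errorf("bad clientData (%v)", err)
	}
	if !rp.AllowedOrigins[cd.Origin] {
		return fmt.Errorf("origin %q is not one this RP serves (phishing proxy?)", cd.Origin)
	}
	if cd.Challenge != issued {
		return fmt.Errorf("challenge mismatch or replay")
	}
	h := sha256.Sum256(signedBytes(rp.AppID, counter, cdJSON))
	if !ecdsa.VerifyASN1(rp.PubKey, h[:], sig) {
		return fmt.Errorf("signature does not verify (clientData tampered?)")
	}
	return nil
}

// Scenarios runs a genuine login plus the two things a reverse-proxy phish can do with a
// captured response, and returns each verification result.
func Scenarios() (legit, forwarded, rewritten error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo key; error ignored
	const real, phish = "https://login.example.com", "https://login.example.com.evil.test" // constructed names
	rp := &relyingParty{AppID: real, AllowedOrigins: map[string]bool{real: true}, PubKey: &priv.PublicKey}
	const challenge = "constructed-challenge-0001" // a real RP issues >= 32 random bytes per login
	mk := func(origin string) []byte {
		b, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
		return b
	}
	// 1. Browser on the real origin.
	legit = rp.Verify(challenge, mk(real), 1, tokenSign(priv, real, 1, mk(real)))
	// 2. Victim's browser is on the proxy's origin. The proxy relays the RP's real challenge,
	//    but the browser records the origin it actually sees, and the token signs that.
	sig := tokenSign(priv, real, 2, mk(phish))
	forwarded = rp.Verify(challenge, mk(phish), 2, sig)
	// 3. Proxy patches the origin back before forwarding: SHA-256(clientData) no longer matches what the token signed.
	rewritten = rp.Verify(challenge, mk(real), 2, sig)
	return
}

func main() {
	legit, forwarded, rewritten := Scenarios()
	fmt.Println("genuine login:        ", legit)
	fmt.Println("proxy forwards as-is: ", forwarded)
	fmt.Println("proxy rewrites origin:", rewritten)
}
```

Run it with `go run .`; the first scenario prints `<nil>` and the other two print the origin and signature errors. Two things the simulation leaves out for brevity: a conforming browser would already refuse to talk to the token when the page origin is not a valid facet of the appId, so in practice the phish fails client-side before the RP sees anything; and a real RP also stores the last counter and rejects a response whose counter has not increased, which is the check that catches a cloned token rather than a proxy.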

Sophos Podcasts
BSides Vancouver 2017 - Interview with Yubico about multifactor authentication

Mar 16, 2017 (14:38)

Live from BSides Vancouver 2017, Chester Wisniewski of Sophos interviews Derek Hanson from Yubico about U2F, FIDO and the future of multifactor authentication.

Brakeing Down Security Podcast
2016-005-Dropbox Chief of Trust and Security Patrick Heim!

Jan 30, 2016 (46:38)

Brakeing Down Security had the pleasure of having Patrick Heim join us to discuss a number of topics. We discussed a number of topics:

Cloud migrations: What stops many traditional #companies from moving into #cloud based operations? What hurdles do they face, and what are some pitfalls that can hamper a successful #migration?

We touched briefly on #BYOD and the use of personal devices in a business environment, as well as #Dropbox's deployment of optional #2FA and using #U2F keys for additional #authentication measures.

Finally, as an established leader in several major #companies, we pick Mr. #Heim's brain about qualities of a leader. Can you self-diagnose if you'll be a good manager? And what does Mr. Heim look for when hiring qualified candidates?

It was a pleasure having Mr. Patrick Heim on, and Brakeing Down #Security thanks him for his valuable time.

Some #articles we drew upon for questions to ask Mr. Heim:
http://blogs.wsj.com/cio/2015/05/01/dropbox-is-not-part-of-security-problem-says-new-security-chief/
http://www.itpro.co.uk/cloud-storage/24894/dropbox-users-may-get-free-storage-if-they-adopt-stronger-security
http://www.computerworld.com/article/2489977/security0/boost-your-security-training-with-gamification-really.html
http://www.computerworlduk.com/news/cloud-computing/dropbox-working-on-fido-keys-ensure-top-notch-security-3618267/
http://www.darkreading.com/operations/building-a-winning-security-team-from-the-top-down/a/d-id/1322734

Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
Tumblr: http://brakeingdownsecurity.tumblr.com/
RSS FEED: http://www.brakeingsecurity.com/rss
Comments, Questions, Feedback: bds.podcast@gmail.com
**NEW** Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
**NEW** Listen to us on Player.FM!!: https://player.fm/series/brakeing-down-security-podcast
#iTunes: https://itunes.apple.com/us/podcast/2016-005-dropbox-chief-trust/id799131292?i=361604379&mt=2
Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-005-Dropbox_Chief_of_Security_and_Trust_Patrick_Heim.mp3
Patrick Heim image courtesy of darkreading.com