-
Microsoft lost its keys, and the US government got hacked
25 votes -
Why we don’t recommend Ring cameras: They’re affordable and ubiquitous, but homeowners shouldn’t be able to act as vigilantes
29 votes -
Mastodon social network patches critical flaws allowing server takeover
18 votes -
NeverSSL
12 votes -
Apple fixes zero-days used to deploy Triangulation spyware via iMessage
8 votes -
Criminalization of encryption: The 8 December case
43 votes -
How to keep a secret in Python apps
5 votes -
Security expert defeats Lenovo laptop BIOS password with a screwdriver
13 votes -
The US is openly stockpiling dirt on all its citizens
25 votes -
Google Authenticator now supports Google Account synchronization
After 11 years of life, Google Authenticator has added cloud backups for OTP keys in version 6.0.
Google Security Blog: Google Authenticator now supports Google Account synchronization
This is surprising news to me, because historically Authenticator had no way to back up keys by design. Here's a 2017 quote from a Google engineer who maintains Authenticator:
There is by design NO account backups in any of the apps. [source]
This design choice always made sense to me, as the point of 2FA is that you've got (1) something you know, and (2) something you have. The second factor should be tied to a physical device. If you lose the physical device, the second factor should be gone, and you'll need to use one of those 10-ish backup codes that we all definitely keep somewhere safe. I'm quite befuddled that Google is reversing this design choice and walking back their previously strong, security-centric design for the sake of user convenience in the case of a lost phone. I used to advise my friends and family to choose Google Authenticator over Authy for this specific reason.
If you want further reading, here's a PCWorld article with an altogether different tone than Google's announcement: Google Authenticator’s long-awaited cloud 2FA feature carries hidden risk
11 votes -
Should I be using a passkey?
I saw all the hype about Google's new passkey rollout on Hacker News and Ars Technica in the past month, and have even read an article stating that, paraphrased, "I should start using passkeys immediately, even if the tech is not all the way there yet."
Some questions:
- Are you using passkeys currently? Which provider?
- Is there a fear of vendor lock-in (looking at you, Apple) or ditching the product in the future (looking at you, Google)?
- Any other concerns I should be aware of, e.g. what happens if my phone gets run over by a bulldozer?
25 votes -
Amazon Ring cameras were used to spy on customers
32 votes -
Stop silly security awards
6 votes -
Generate a secure password using lyrics from Kenny Loggins. It's funny and useful!
4 votes -
SolarWinds: The untold story of the boldest supply-chain hack ever
7 votes -
Google's adoption of passkeys (security blog article)
11 votes -
NSO group’s Pegasus spyware returns in 2022 with a trio of iOS 15 and iOS 16 zero-click exploit chains
4 votes -
Upgrade your LUKS key derivation function
7 votes -
Prompt injection: What’s the worst that can happen?
8 votes -
AI can fool voice recognition used to verify identity by Centrelink and Australian tax office
11 votes -
A flock of chickens, held for ransom — Growing cyberattacks on Canada's food system threaten disaster
9 votes -
Belgium launches nationwide safe harbor for ethical hackers
10 votes -
Danish parliament urges lawmakers and employees to remove TikTok on work phones as a cybersecurity measure, saying “there is a risk of espionage”
4 votes -
Reddit was hacked
16 votes -
SolarWinds and market incentives
8 votes -
What we learned from building GovSlack
6 votes -
Anker finally comes clean about its Eufy security cameras
23 votes -
Three lessons from Threema: Analysis of a secure messenger
7 votes -
Comcast Xfinity accounts hacked in widespread 2FA bypass attacks
9 votes -
Anker’s Eufy lied to us about the security of its security cameras. Despite claims of only using local storage, Eufy has been uploading identifiable footage to the cloud.
18 votes -
Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices. CryWiper masquerades as ransomware, but its real purpose is to permanently destroy data.
12 votes -
LastPass recent security incident
7 votes -
Twitter’s SMS two-factor authentication is melting down
21 votes -
Revealed: US Military bought mass monitoring tool that includes internet browsing, email data
11 votes -
During his testimony before the Senate Judiciary Committee, Peiter "Mudge" Zatko claims Twitter only has a live production environment that all engineers can access
@Benjamin Powers: Mudge walking through Twitter's construction - they only have live production environment, no test environment.
17 votes -
Prompt injection attacks against GPT-3
14 votes -
Bitwarden raises $100 million from PSG Equity
12 votes -
Cloudflare blocks Kiwi Farms
36 votes -
iOS 12.5.6 rolling out to older iPhone and iPad devices with important security fixes
6 votes -
Erik Prince wants to sell you a “secure” smartphone that’s too good to be true
12 votes -
Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies
13 votes -
Plex breach exposes usernames, emails, and encrypted passwords
12 votes -
Finland's parliament hit with cyberattack following US move to admit the country to NATO
7 votes -
Amazon shared Ring security camera and video doorbell footage with police without a warrant
31 votes -
I've locked myself out of my digital life
16 votes -
Security and privacy tips for people seeking an abortion
14 votes -
Researchers devise iPhone malware that runs even when device is turned off
6 votes -
If you could rebuild user authentication on the web from the ground up, what would you do?
lou's post here resonated with me and my attempts to get my family to use better security practices (i.e. 2FA, password managers). They're very difficult to wrap your brain around to the average user, and they have the ability to create catastrophic failstates if used incorrectly. Furthermore, even when they work well, they can still be kind of clunky (different sites use different methods; writing down/printing recovery codes feels like a dated solution alongside other tech-forward things).
Also, outside of this, password requirements are their own bugbear, with nearly every site having different criteria. Even as someone who uses a password generator and manager on the regular, I still have to adjust the password creation criteria to do things like fit character limits or specific requirements (and don't get me started on forced resets!). I totally get why so many people reuse passwords, or have a default one that they sort of modify as needed to fit a given site's needs.
From my (admittedly super limited) perspective of a lay user: usernames, passwords, 2FA and the whole stack seems like something that's suffering under the technical debt of decades' worth of web development and networking. It seems like things have inched forward and many new layers have been added to address emergent problems, but the whole system gives a sort of barely-held-together-by-tape feel.
What if we could use what we know now and redesign things from the ground up? If we could start fresh, today, what might username authentication look like beyond the usual username/password combos that we're so used to?
I'm interested in any ideas -- not necessarily just feasible ones.
Also, despite me being the one prompting this thread, don't feel the need to simplify technical explanations or anything. I'm mostly interested in lurking and seeing what all you very smart techy people have to say about the topic. :)
12 votes -
A series of patent lawsuits is challenging the history of malware detection
7 votes