* Posts by It's just me

13 posts • joined 2 Aug 2018

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

It's just me
Thumb Up

Re: There are 203 passwords in my password manager

I agree. If everyone would implement an open standard such as FIDO U2F or FIDO2 then you could use one Yubikey dongle for all sites. Another open protocol I'm watching which is nearing release is grc.com's SQRL.

Fun fact: GPS uses 10 bits to store the week. That means it runs out... oh heck – April 6, 2019

It's just me

Some manufacturers would just EOL their devices every 2.5 years then, they would love an enforced 2.5 year replacement cycle.

Alleged SIM swapping crypto-crooks cuffed, iOS app snooping, ad-fraud botnets, and more

It's just me

Re: Sms should not be used for 2fa

No! SIM swapping, as referred to in this article, and SS7 exploits among others allow someone else to intercept your 2FA codes.

Where to implant my employee microchip? I have the ideal location

It's just me

Re: Implanting chips in employees

https://www.cnet.com/news/employees-offered-rfid-chip-implants-its-voluntary-for-now/

Just one Corretto, give it to me... AWS brews its own blend of Java with free long-term support

It's just me

Re: Not correct

Quoting the Oracle announcement : "Once a Java SE version reaches “End of Public Updates”, any further updates will be available only to Customers and accessible through My Oracle Support and via corporate auto update where applicable" ... "Oracle will continue to provide Public Updates and auto updates of Java SE 8, until at least the end of December 2020 for Personal Users, and January 2019 for Commercial Users." ... "Java SE 8 Commercial User End of Public Updates - January 2019"

compared to the article's "Amazon will distribute security updates to Corretto 8 at no cost until at least June, 2023"

It's just me

Re: Not correct

It's close enough, My understanding from reading the linked Oracle document is that after Jan 2019 all the users in my company will not be able to get security updates for their java 8 runtimes for free. So Amazon providing their builds for free sounds attractive to me.

Windows 10 Pro goes Home as Microsoft fires up downgrade server

It's just me
Unhappy

Still occurring

I've received several reports from users of persistent "Activate Windows" messages on their systems today.

Has science gone too far? Now boffins dream of shining gigantic laser pointer into space to get aliens' attention

It's just me
Alien

Re: We are here, please exterminate us!

See: Dark Forest theory from the 2nd book in The Three-Body Problem trilogy, by Liu Cixin.

Edit: I see others already mentioned this.

Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it's really, really dumb)

It's just me
FAIL

Re: Yes and no.

If you can get it to decrypt then there is no need to mess around with swapping memory chips, just read the data and let it decrypt it as usual. But if it's properly encrypted using a user supplied key then, without the key, physical access doesn't help you at all. The fail here is they didn't use the user supplied key to derive the data encryption key. It's such an obvious security bypass that it smells like a purposefully designed backdoor.

How an over-zealous yank took down the trading floor of a US bank

It's just me

Re: IBM memory and keyboards

Using different metals in the contacts would cause galvanic corrosion which would cause memory errors.

Some credential-stuffing botnets don't care about being noticed any more

It's just me
Boffin

Re: Maybe just

The FIDO2 protocol seems to be a good solution that is just starting to be rolled out.

https://fidoalliance.org/fido2/

I haven't looked too closely at it yet but the SQRL protocol also sounds like a solution.

https://www.grc.com/sqrl/sqrl.htm

Everyone screams patch ASAP – but it takes most organizations a month to update their networks

It's just me

Re: Please enlighten me

Because even though you may not be able to apply the patch immediately, if you understand the details of the vulnerability you may be able to determine that your configuration doesn't have that vulnerability or expose it to attackers or that there is a mitigation that you can quickly put into place that will protect you until you can apply the full patch.

Even if they don't give details, that doesn't stop the hackers from finding out what was fixed, for example, using binary diffs and disassembly.

MS has stopped giving details on their patches and just pushes out a few big ones that may contain dozens of fixes. That hasn't stopped the criminals from releasing exploits soon after.

Cache of the Titans: Let's take a closer look at Google's own two-factor security keys

It's just me
Boffin

Re: But is the code open source?

Hardware and software to make your own U2F token are available at https://github.com/conorpp/u2f-zero

Yubico provides the C source for the server side as well : https://github.com/Yubico/libu2f-host

Biting the hand that feeds IT © 1998–2019