Sponsors difference of opinion


DarthKegRaider

New member
Jan 24, 2021
Hi Steve,

I was listening to the latest Security Now podcast and heard an advert by Leo about Grammarly. I recall using it several years ago, but forgot about it during a phone upgrade. Now Kolide, another sponsor frequently on your channel, seems to label Grammarly as suspicious.


You as a security professional, who are we to believe?

Troy
 
Like many things in life, it's a trade-off. Is there enough risk to you, in your specific situation, that a 3rd party will capture your data and abuse it, versus the benefits you would receive if you appeared more clear, concise and cogent by using the tool? This may be akin to using a password manager that stores its data in the cloud, or having a 2nd factor password sent via SMS. It has an improvement in one area and a detriment in another. Only the end user can decide if their needs being met are a greater motivator than the risk being incurred.
 
I believe Grammarly and others like them have gone all politically correct and will chide you if you talk about certain taboo contents or use certain taboo words. I also believe some of their TOS gives them some copyright interest in your work or some ability to snoop on it. Same with Google docs. Definitely not for me. What I write is none of their stinkin' business. I'll stick with a local copy of a word processor and a local copy of my document, POSSIBLY stored in an online drive in encrypted format.

Also, while I haven't commented on the other thread about password managers, a password manager with online sync need not be a security threat. If the database is properly encrypted with your password, salt, and multi-cycle decryption (can't remember the name of the process), then the only person that can decrypt your password database is you with your browser or app. If you use 2fa, even if your master password gets out into the wild, it won't be possible for someone to log in as you. I think somewhere in the settings for LastPass, there's an option to allow you to still log in if the cloud sync is down. I'd keep that on. Having said that, I should test the feature on all my platforms.

May your bits be stable and your interfaces be fast. :cool: Ron
 
If you use 2fa
To be clear, a second factor that is not factored into your password is irrelevant to the strength of the data encrypted with the password. If your attacker gets your password database and implements their own password collection and decryption code, they can just not ask for the second factor and that's that. The trick, if any, is whether the site that doles out the encrypted data will do so without the second factor being supplied, because that check might be in their online server. If they were able to get your first level password they probably also were able to get the encrypted data and don't need your second factor.
 
@PHolder you have a point.

I was able to remember enough of the name of the multi cycle decryption to look it up. PBKDF2 https://en.wikipedia.org/wiki/Pbkdf2

I'm no expert, but here's what I understand the threat surface to look like. Experts out there can correct me if needed.

1) Attacker has master password only and maybe my LastPass email. They get my master password. That's going to be really hard as I only use it for the password manager and keep it in my head. A virus in my PC could possibly grab it. If they try to log in to LP as an example, they won't get in without the 2FA. Hopefully, the LP servers won't provide the password database.

2) Attacker has my password database only. Maybe they steal my PC (assuming it's not logged in) or hack into LP servers. The complexity of my password, combined with a large PBKDF2 quota, will make it highly unlikely that they can crack the password database. If I know it was stolen, I'll change the master password with LP and re-encrypt the database. That won't affect the database the attackers have in hand. I would also change every password on every site in the database and update the LP records. Secure notes and such could be compromised if they ever crack the database.

3) Attacker has my password database and my master password. In that case, I guess I'm toast. But, I think that would be pretty hard to accomplish.

It would be interesting to know if 2FA is incorporated at all into the encryption, but I doubt it.

May your bits be stable and your interfaces be fast. :cool: Ron
 
A virus in my PC could possibly grab it.
If they're on your PC you're absolutely hosed. They can keylog/get your password, they can also copy the LastPass offline data cache on your PC and exfiltrate that too.

hack into LP servers
If they hack the server, they can collect your password (or the necessary hash of it) when you authenticate, and they will also be able to get your encrypted password data.

Either way, the 2nd factor is for mere security theatre.
 
2nd factor is for mere security theatre
I see what you're saying but I don't totally agree with this statement. 2fa will prevent someone from logging into the LP servers even if they have my email and master password. That has utility. I try my best to keep hackers out of my PC. And, I have no control over whether they hack the LP servers. Hopefully LP and BW are on that case. But, at least maybe they won't be able to get in through the front door.

I thought these systems were set up such that LP or BW cannot decrypt your database, but that it's done only in the browser or app.

May your bits be stable and your interfaces be fast. :cool: Ron
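To make the point PHolder and Ron are circling concrete, here is an added example (my own code, not from the thread and not from LastPass or Bitwarden): a toy model in which the sync server checks the password and a second factor before handing out the encrypted blob, while decryption of the blob itself depends only on the master password, the salt and the PBKDF2 iteration count. The HMAC-keystream cipher is a constructed stand-in for AES, and the fixed second-factor code stands in for a TOTP check.

```python
# Added example (not from this thread or any password manager): a toy cloud-synced vault
# keyed purely from PBKDF2(master password, salt, iterations); 2FA only gates the download.
import hashlib
import hmac
import os
ITERATIONS = 100_100  # constructed work factor, not any vendor's real setting

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the inputs are password, salt and work factor only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)

def _keystream(key: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"ks" + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_vault(password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Toy encrypt-then-MAC (HMAC keystream XOR + HMAC tag); real vaults use AES."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, b"mac" + salt + ct, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}

def decrypt_vault(password: str, blob: dict):
    """Offline decryption needs only password + blob; no second factor is involved."""
    key = derive_key(password, blob["salt"], blob["iterations"])
    expect = hmac.new(key, b"mac" + blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None  # wrong password (or tampered blob)
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))

class SyncServer:
    """Stores the blob and a login verifier; 2FA gates the download and nothing else."""
    def __init__(self, password: str, second_factor: str, blob: dict):
        self.blob, self.second_factor = blob, second_factor
        self.login_salt = os.urandom(16)  # separate salt: server never holds the vault key
        self.verifier = derive_key(password, self.login_salt, blob["iterations"])

    def fetch_blob(self, password: str, code: str):
        pw_ok = hmac.compare_digest(
            self.verifier, derive_key(password, self.login_salt, self.blob["iterations"]))
        if not pw_ok or not hmac.compare_digest(self.second_factor, code):
            return None  # front door: password AND second factor required
        return self.blob

def offline_guess(blob: dict, candidates):
    """Holding a stolen blob, each guess costs one PBKDF2 run and no 2FA prompt."""
    return next((pw for pw in candidates if decrypt_vault(pw, blob) is not None), None)
```

Run against a vault with a weak master password, `fetch_blob` refuses without the code while `offline_guess` recovers the password from the blob alone; only the iteration count and the password's entropy set the attacker's cost.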
 
I love the idea of having my writing reviewed. However, Grammarly is a key logger within your browser by definition, though maybe not by intent. So everything you type is checked and sent to their server(?). I removed the plugins, and when I want to check something I open their page.

If you think you can trust a company, especially over a long period, remember Google and their "do no evil".