BootAble – FreeDOS boot testing freeware
To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.
GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.
The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.
You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.
(You may permanently close this reminder with the 'X' in the upper right.)
To receive notifications of future blog updates, move up one level by clicking this link, then click the Watch/Unwatch button above/right. |
Yes, in fact you can use that trick for any section of the system. Basically edit the URL to add a index.rss at the end and see if you get offered a download. If it works, you've just generated your very own RSS feed for that URL.for people that like RSS
It definitely works fine on Windows. What is the platform of you r choice?Looking forward to your blog, Steve. I’ve subscribed to it via RSS.
I‘ve played around with Steve’s SQRL app for Windows to see how it works. But I have yet to integrate SQRL into my life. I would love to use SQRL on this blog, if the SQRL app platform of my choice is ready.
It definitely works fine on Windows. What is the platform of you r choice?
maybe there needs to be a way to fund development of SQRL apps
There is an iOS version in Testflight. If you look in the SQRL forum there should be a link to Jeff Arthur who wrote it.I use iPadOS/iOS.
Unfortunately the iOS app isn't quite in the state as other apps. Last I knew, @Jeff Arthur uses his signature on the SRQL site to keep people up to date on where things are. Because of Apple's control, you need to have pre-release apps in a "special" state where you get an invite, in essence.iOS link
I have been using LastPass ever since you reviewed it a while back but in recent times I have been concerned about it's stakeholders and the changing of the guard. Do you still use it? If not, what do you use? These are the kinds of questions that could be answered by a 'living' document that you keep updated and your followers could use as a reference.
I switched to Bitwarden about a year ago and then discovered and switched to Strongbox (https://strongboxsafe.com/personal/). It is macOS and iOS only so won't find favour with Steve or Leo but it is built on the KeePass database, is open source and is firmly TNO as by default the database is not stored in a public cloud. Personally I do store it in an iCloud folder so that I can sync passwords between my Mac and iPhone and but then I'm ok with that. But if you don't trust Apple's cloud then you could use Syncthing for decentralised syncing - another of Steve's favourites.Like you, I have been a long time user of LastPass but for the same reasons, decided to move elsewhere about 2 years ago.
I decided on Bitwarden, an open source password manager with desktop, web browser & mobile versions.
I have to say I was confused why the SQRL forums are completely separate from these, requiring me to register here (which felt like re-registering) instead of existing as a subforum category. It just seems a duplication of effort.Okay, we have SQRL forums for a reason, and that reason is not to pollute these forums with SQRL related posts. Please take this discussion to the SQRL forums at https://sqrl.grc.com/
@Steve, please correct me if I am wrong but, I believe that is because this is the forum for all things GRC whereas SQRL is not a GRC product. SQRL is an autonomous project with its roots in GRC. And its forum is graciously hosted by GRC. But it should exist outside of GRC. Though I suppose one could mount an argument that, perhaps, the GRC SQRL Client should be represented here.I have to say I was confused why the SQRL forums are completely separate from these, requiring me to register here (which felt like re-registering) instead of existing as a subforum category. It just seems a duplication of effort.
Sounds like this could be crowdsourced by having the community contribute to, for example, github hosted documents that we each work on our own forks of, sending pull requests of our edits/new content for Steve (or/plus trusted people he nominates) to approve? One user-friendly interface for that is Gitkraken (link skips to Pull Requests 24 minutes in) -Todd...
Time has shown that I'm no good at maintaining living documents. I'm FAR better at storing dead documents. Just look at my site! But, seriously... What you're suggesting is a thankless effort.
@Happenstrance : Dave's reply was as good as I could have given.I have to say I was confused why the SQRL forums are completely separate from these, requiring me to register here (which felt like re-registering) instead of existing as a subforum category. It just seems a duplication of effort.
LOL! Ok, fair enough. Maybe you and Leo can discuss the state of password managers in an upcoming Security Now episode.
And it would not be a thankless endeavor! I got 5 bucks I can Paypal you right now!!
I think that's right. I'm still using LastPass, so I'm able to tell the truth when I mention it in passing. If I had switched to another password manager I would studiously say nothing. Would that be a lie of omission? I suppose so, since if LastPass were not a sponsor I would likely not have omitted a reference to whatever other solution I was using. So I'm glad that I've not been placed into that situation.I love TWiT and Security Now, but I don't think it would be possible for an unbiased review of password managers given the licensing deal for naming rights to the studio and one of the biggest sponsors being LastPass. I simply would not want to ask them to do that as I wouldn't want to put them in that position.
I love TWiT and Security Now, but I don't think it would be possible for an unbiased review of password managers given the licensing deal for naming rights to the studio and one of the biggest sponsors being LastPass. I simply would not want to ask them to do that as I wouldn't want to put them in that position.
Thank you, this makes total sense now. Also, did a new link just appear at the top of these forums to SQRL FORUMS and in the same spot at those forums back to these ones? That's very cool@Happenstrance : Dave's reply was as good as I could have given.
From the first moment and mention of SQRL on the podcast, I've made it clear that SQRL is explicitly and deliberately not a GRC property in any way. And while the original kernel of the idea was mine, and I managed the project, it was truly a community effort. The only chance anything like this might have to succeed would be by being perceived as in no way owned or controlled by any single entity. No one can own usernames and passwords, and no one can own SQRL.
My plan for THESE forums (and thus the more generic name) is that they will grow to become GRC's primary real time interactive interface with the world. So I wanted to keep it clearly separate from the SQRL community.
So we have a LastPass canary. ;-)I think that's right. I'm still using LastPass, so I'm able to tell the truth when I mention it in passing. If I had switched to another password manager I would studiously say nothing. Would that be a lie of omission? I suppose so, since if LastPass were not a sponsor I would likely not have omitted a reference to whatever other solution I was using. So I'm glad that I've not been placed into that situation.
Thanks for highlighting Bitwarden, I've been happily using Lastpass, but now wanting more control of ownership. I found what seems like an unbiased comparison of the two if anyone is interested : https://www.itproportal.com/news/lastpass-vs-bitwarden/Hi Todd
Like you, I have been a long time user of LastPass but for the same reasons, decided to move elsewhere about 2 years ago.
I decided on Bitwarden, an open source password manager with desktop, web browser & mobile versions.
Bitwarden has a clean interface and is simple and easy to navigate. It has a free forever version for up to 2 users or premium versions for teams & enterprise.
I have been really pleased with the switch to Bitwarden.
Bitwarden is committed to regular cadence of security audits of their source code & platforms, the latest one completing in July 2020.
There are plenty of very positive reviews on password manager review sites. Worth checking out Bitwarden's website for more details.
Good feedback, but would be better supplied to the SQRL forums (these are the GRC Forums, the SQRL forums are intentionally separated... because @Steve doesn't claim "ownership" of SQRL.) Head over to https://sqrl.grc.com/ and follow the same process to sign up for those forums.wisdom of using SQRL
Hey @danlock, I've been using Password Safe for several years because it's available on all sorts of platforms. I keep the .pwsafe3 file in a Dropbox account to keep it sync'ed across multiple devices. You mention sync'ing to and from an online source - I assume you use something similar?What follows is NOT an objective review... merely personal experience:
As great as LastPass is (and all that jazz), I use Password Safe (Bruce Schneier's password manager, maintained and updated by others for Windows (Rony Shapiro)/Android (Jeff Harris)/iOS/Mac/Linux). I have access from nearly every device I own, and that means that I never have to remember anything other than my complex single password.
Here's the main site. Source code and binaries are available from github, fosshub, sourceforge, etc.
The encrypted file syncs to and from an online source, so I don't have to worry about my passwords anywhere, anytime, on any device, after I install pwsafe on that device, because it will download the newest file and save a local copy, overwriting any database present and, optionally, keeping backups of older versions of the local encrypted .pwsafe3 file.
It's Yubikey-compatible if you desire further authentication, and the length of time used to decrypt the database is configurable, as is the amount of time it remains unlocked before automatically wiping itself from RAM (essentially leaving nothing behind but the encrypted file with its built-in integrity checks). There are no back doors. No swapping to disk. No storage of an unaltered (hashed?) password anywhere.
It's extremely versatile for password generation using specifics, also, and if the OS you are using has a clipboard which is dodgy (as Android can be), use the program's own keyboard to open the file. Dragging-and-dropping usernames, passwords, email addresses, other info, etc. into browser fields is simple, and it contains an optional autotype option that will log you in automatically after you've unlocked your database and selected the name you've given whatever site you want to access.
Go LastPass! Go Password Safe! Go SQRL! Go—I don't think I'm prepared to trust anything else right now.
I looked into this with password safe once, but what they did isn't great, unless it has eventually evolved. The original Yubikey protocol REQUIRED access to the online server, and since the data is local, introducing a 3rd party loop between you and your local file is meaningless (it could be proxied out easily.) So what I think they did was just allow you to store your password into the 2nd bank of the key... which is fine to save you from typing the password manually, but isn't much of a security boost.It's Yubikey-compatible if you desire further authentication
Yes. It sounds like you use it in much the same way I do!Hey @danlock, I've been using Password Safe for several years because it's available on all sorts of platforms. I keep the .pwsafe3 file in a Dropbox account to keep it sync'ed across multiple devices. You mention sync'ing to and from an online source - I assume you use something similar?
I tried to figure out how to use my existing SQRL account on my iPhone, but still haven't grok'd how this is done. For now I have SQRL running on my desktop and one of my many laptops and I use one device or the other when I need to access a SQRL enabled entity.Just created my SQRL identity from scratch using Jeff Arthur‘s iOS app through TestFlight pretty much no problem (I’m already familiar with TestFlight) after hearing Steve Gibson’s invite on Security Now via Leo Laporte’s TWiT Network, then used that SQRL identity to make the forum account I‘m posting this with Thank you, Leo, Steve, and Jeff
I am Watching the blog, as well, although am not finding where/how to bookmark it on my forums account, unless it’s in the ellipsis drop-down from the icon at the top-right of the postings list, under More Options, which is unresponsive for me (iPad OS 13.7 Safari).
I was also unable to login to the SQRL forums themselves linked at the top of this page as the last of the tabs, even after completing the same process involving a bounce into the sqrl app as worked for here, so that’s pretty confusing to me (I understand each site needs you to log in separately, it’s the fact that the process wasn’t working but did here that gets me). Maybe it’s because my password was too whack (I made extensive use of special characters and I made it ridiculously long) since it eventually told me it was wrong when I tried to input it even though it was exactly the same as when I made it just a few minutes prior. When I re-factored my SQRL identity, then the process _did_ work for the SQRL forums yet I’m still logged in here, which suggests that there needs to be a forced logout of all associated IDs/sessions added into the SQRL system enforced upon integrated sites for whenever a SQRL ID is refactored, otherwise the fact that I opted to stay logged into these forums allows my expired/refactored ID session to persist here (unless SQRL is actually freshly authenticating every session on the back-end to facilitate my “stay logged in“ preference).
I looked into this with password safe once, but what they did isn't great, unless it has eventually evolved. The original Yubikey protocol REQUIRED access to the online server, and since the data is local, introducing a 3rd party loop between you and your local file is meaningless (it could be proxied out easily.) So what I think they did was just allow you to store your password into the 2nd bank of the key... which is fine to save you from typing the password manually, but isn't much of a security boost.
I tried to figure out how to use my existing SQRL account on my iPhone, but still haven't grok'd how this is done. For now I have SQRL running on my desktop and one of my many laptops and I use one device or the other when I need to access a SQRL enabled entity.
I tried to figure out how to use my existing SQRL account on my iPhone, but still haven't grok'd how this is done. For now I have SQRL running on my desktop and one of my many laptops and I use one device or the other when I need to access a SQRL enabled entity.
I don’t know SQRL’s underpinnings well enough to suspect the app versus the protocol, but having refactored my identity allowing me to register with the SQRL forums proper yet still keeping me logged into these GRC forums worries me. Hopefully the app just has its sign-in w/ existing profile a little hoarked, and I guess SQRL’s self-issued authentication means sites don’t have to care if it’s been refactored (though shouldn’t they _have_ to?).
Your identity on the site is still your public key, that has not changed. All you have done is changed the lock on the key.
expected to be used very rarely, is an ability to generate a new public/private key pair, and update any websites securely, to the new public key.
The use case for this was if your local client password had been compromised and you suspected that your ID had been misused on a web site.
I too am confused by your use of the term refactoring. But, that aside... You used your single SQRL identity to create different logins for two different web sites (sqrl.grc.com and forums.grc.com). In both cases, an absolutely unique login identity was created from your SQRL identity for use with each site. Those two logins are completely unrelated. Nobody, but you, has the slightest clue that those two login ids are in any way related. Which is the entire point. As someone else mentioned in a reply to one of your later posts, whatever you do with the password used to protect that SQRL identity in your SQRL client would be entirely between you and that client. It would not change anything about the identity itself nor any of the login ids that were created using it. In fact, no website would ever know you changed your SQRL password or switched to or from using biometrics instead.I don’t know SQRL’s underpinnings well enough to suspect the app versus the protocol, but having refactored my identity allowing me to register with the SQRL forums proper yet still keeping me logged into these GRC forums worries me. Hopefully the app just has its sign-in w/ existing profile a little hoarked, and I guess SQRL’s self-issued authentication means sites don’t have to care if it’s been refactored (though shouldn’t they _have_ to?).
an absolutely unique login identity was created from your SQRL identity for use with each site. … In fact, no website would ever know you changed your SQRL password or switched to or from using biometrics instead.
no part of SQRL would ever know that you had returned and had been admitted based on the cookie.
Based off the diagram in the TWiT event presentation (attached), the unlock key is the one thing that always survives any other changes, so that’s why I used the term “refactor” or “reroll”, in contrast to creating an entirely new identity. So, the SQRL protocol and clients are all that’s responsible for parsing out a single SQRL ID from the user’s perspective into multiple unique token IDs for use with individual site accounts?
I guess the implication of what you’re saying is also that unless a site gets more info from you like your email to associate with a given SQRL ID you login with, the site basically only knows which unique SQRL ID logged in but not even whether or not it was the same one as last time? A site where a cookie _doesn’t_ keep you logged in would still see the same SQRL IDs across your account sessions with them, but if you “refactor” then unless you choose to disclose more beyond what SQRL provides, they’d know nothing other than those IDs having all been used under that one account with that site and not even that they were “rolled” from the same SQRL ID by the same user?
SQRL doesn’t require a fresh validation of the account each time? Or it’s just a matter of your own choice with settings at a given site (e.g. a checkbox to stay logged in)? Perhaps SQRL could add an option to reject cookies that involve it without having to have us block all cookies, so that unrelated cookies‘ function is undisturbed but SQRL-involved actions always freshly validate. The reason I’d even want fresh validation is in case token IDs (vs. SQRL IDs proper from the user’s perspective) do, in fact, yield any inferences about which SQRL ID they came from as a pattern over time. I apologize if these concerns are redundant, but I’m trying to learn how to talk about it in contrast to PGP.
Correct.Based off the diagram in the TWiT event presentation (attached), the unlock key is the one thing that always survives any other changes, so that’s why I used the term “refactor” or “reroll”, in contrast to creating an entirely new identity. So, the SQRL protocol and clients are all that’s responsible for parsing out a single SQRL ID from the user’s perspective into multiple unique token IDs for use with individual site accounts?
I'm not sure I see the need for that, but, anyone writing a client is free to do as they please. Though adhering to the S3 storage format defined provides interoperability and, theoretically, adequate local security, especially given other features such as recovery, locking, and re-keying.Eventually I hope this will be broken out even further into tokenized blocks that only users’ clients can ever piece back together and can live in disparate encrypted blobs not just for basic file-level storage like today’s distributed cloud-storage apps but also for providing that level of obfuscation and protection for transactional and metadata.
No, it will always get the same one as last time. There just is nothing to ever tie different logins together. Essentially it says:I guess the implication of what you’re saying is also that unless a site gets more info from you like your email to associate with a given SQRL ID you login with, the site basically only knows which unique SQRL ID logged in but not even whether or not it was the same one as last time?
The latter. It is up to the site if they want to keep a cookie and let you in based on the cookie. In the scenario where this forum let you back in again without a challenge, that is because it chose to do so and the SQRL code on the server was never even asked for an opinion on it. If it HAD been asked, you would have been asked to go through the SQRL process.SQRL doesn’t require a fresh validation of the account each time? Or it’s just a matter of your own choice with settings at a given site (e.g. a checkbox to stay logged in)?
Again, unless the server asks SQRL to do its thing, not one instruction of SQRL code is involved on the server. And, likewise, unless you clicked on a SQRL link or scanned a SQRL QRCode in your browser, not one instruction of SQRL code is involved on your computer. Both ends are completely out of the way unless asked.Perhaps SQRL could add an option to reject cookies that involve it without having to
They absolutely cannot. First, if you had an account "Phil" at site site.com and they added SQRL and let you switch over to using SQRL, the exchange would essentially be "Phil, who is already logged in old-school now wants to ALSO be known as SQRL 89754621". Then, when you come back and use SQRL login to sayThe reason I’d even want fresh validation is in case token IDs (vs. SQRL IDs proper from the user’s perspective) do, in fact, yield any inferences about which SQRL ID they came from as a pattern over time.
Ask away!!I apologize if these concerns are redundant, but I’m trying to learn how to talk about it in contrast to PGP.
Steve mentioned this on SN. Thank you for the reminder. I plugged it into my NextCloud News app and it worked flawlessly.Great new site Steve, thanks!
For an alternative to "watching", for people that like RSS, you can use https://forums.grc.com/forums/blog/index.rss to just watch the blog portion of the site (the rss button at the bottom is for everything.
The term "SQRL" stands for Secure Quick Reliable Login. ALL it does it handle authentication for the purpose of login, and currently only over HTTP. It is important to compartmentalize that concept. It is simply a secure alternative to a user id and password that, most importantly, gives no secrets for a website to keep. If there is no password, there is no password for a hacker to steal when they hack a web site. All they hold is a public key that is of no use to anyone else. BUT, there is nothing about SQRL, itself, that prevents, or even discourages, web site owners from requiring whatever information they choose and doing whatever they want with it.Wow. Outstanding replies, Dave and AlanD! Thank you! So, I guess what I didn’t quite realize is SQRL as currently implemented really isn’t desigend to address a full privacy rubric in the vein of, say, Apple’s Keychain, PGP, or even a client like Signal or Telegram, but it still does seem to me as though it’s tantalizingly close to being capable of that. The primary purpose of SQRL, then, lies in the fact that it cuts out the direct recipients of user data from the potential profit-chain of selling such info for data brokers to construct dossiers of user activity for advertisers and/or governments, yes? That’s a wonderful and worthy thing, I’m just also anxious to find a way of similarly freezing out the rest of the transport chain such as routers, switches, and cloud storage providers by taking the SQRL ”kernel” (pardon the pun) idea of a bespoke token per site, and making it per-instance, per-party/device coupled with client-brokered obfuscation amongst many providers spliced into data-particles that are incoherent without the client’s privately retrieving then stitching them back together for the user. The key utility SQRL seems it could offer in such a regime is a frictionless plinth upon which the user may transact across vendors, while avoiding the brittleness of PGP if an ID ever must be refactored.
gives no secrets for a website to keep
become the SQRL discussion forum somehow
Some of it is good information explained in lay terms. I wonder if any of the responses to @philodygmn it would be worth @Steve capturing and/or moving over to the SQRL forum.This has become the SQRL discussion forum somehow, despite the fact that such a forum already exists and deserves these discussions (where they will not be subject to being considered "off topic" and thus eventually purged.) Based on that fact, I kindly request you take this discussion there.
I didn't want to clutter up the corporate GibsonResearch Twitter account with lots of personal stuff. That's what this one is for.
It's disappointing to hear that the Yubikey/PasswordSafe interface worked that way. I don't own a YubiKey, so I haven't been able to try it. I don't know whether it has changed.
(After doing a quick search...)
The program history claims it was added to the main PS program in v3.32 in 2013 (having been previously usable via a separate branch in 2009), and mentions "yubikey" (search was not case-sensitive) only a few times since then. No update during 2020 contains "yubikey" and the mentions over the intervening years are pretty sparse (v3.34 [2014], v3.34.1 [2014], v3.35 [2014], v3.37 [2015], v3.47.0 [2018]). AFAIK, the current Windows version is v3.53.0, released on 2020-09-08.
Yubico indicates that "Password Safe uses YubiKey’s HMAC-SHA1 challenge response mode" and "[b]oth a master password and a YubiKey are needed to enable access to your Password Safe file[. . .]"
Likely due to my inexperience with YubiKeys, I don't know whether that differs from the method you described.
I've no argument with promoting better understanding of the hardware. Of course, not all users are interested in that, which is also fine.
Another possible advantage of have PasswordSafe generate the key is so that it can be securely stored in the database itself, which allows easy configuration of a backup Yubikey. Of course, this can also be done via the Yubico util, or manually, if you write down the key.
Oops! We ran into some problems.
Your content can not be submitted. This is likely because your content is spam-like or contains inappropriate elements. Please change your content or try again later. If you still have problems, please contact an administrator.