Jump to content

John L. Galt

Experts
  • Content Count

    2,995
  • Joined

  • Last visited

Everything posted by John L. Galt

  1. November makes 9 years I've been using (and abusing / testing / bricking / crackflashing / call it what you will) Android phones. I'm all in on using Google's (admittedly no so free) services. I've distanced myself well from Facebook, will never use their mobile apps again and only log in every once and again to check and see what's going on with my fellow classmates - we just had our 30th reunion last year. So, like once a month, if that, on FB. But I use Google stuff daily. Multiple times a day - and that is without even considering anything I do on the phone....
  2. Links in this forum's parent for each of the Browser Guard addons: https://forums.malwarebytes.com/forum/253-chrome/ https://forums.malwarebytes.com/forum/254-firefox/
  3. So, I swapped my database over to using Argon2, with n=m=32 (the value, obviously dif units), and p=4. On my desktop it takes ~1.6 seconds - but in practice it takes a bit more time, usually above 2 seconds. That phone up there that I mentioned? If it is using the same mechanism to decrypt the database, it takes no longer than my desktop does 😛 And as I am about to upgrade my phone in the next month or so to the Pixel 4, I will probably need to revisit this again - and set it to something large like 5-10 seconds on the desktop and see how long the phone takes 😛
  4. Well familiar with the Gibson one - I've been visiting his site for a very, very long time now (ever since my first ever Click-of-death on an Parallel-port iOmega ZIP drive). Still use a few of his utilities to this day, including DNS Benchmark and securable. And attempting to explain PWs and pw security to my parents was a lost cause - until XKCD tackled it not once but twice (that I used). https://xkcd.com/792/ (with corresponding explanation at https://www.explainxkcd.com/wiki/index.php/792:_Password_Reuse) and https://xkcd.com/936/ (with corresponding explanation at https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) Believe it or not, he does a great job with the second one, but also takes a couple of jabs at both Gibson and Bruce Schneier....or, whoever wrote the wiki explanation article anyway.
  5. He does mention that Windows Latest site is pointing directly at Lenovo machines. Curiously, though, As I run Windows Insider Preview builds, I had something similar happen to me a few builds back - 1 Machine went green, one went black and white (and looked like I was in an intense foggy situation) and one went almost the same lack-of-blue-light levels as Night Sight. At the time it was because the display driver was force installed by that particular build, and all I did to fix was reinstall the normal display driver available for each GA on each machine.
  6. ^^^^^ 100% That whole OP is a great write. I'm pleasantly surprised that the maker of the video went through all of that detail to show a good way to set up the database. He did a great job (aside from not using Argon2, which the link you provided worked well for me in terms of actually making sense (I live for these computational things). That being said, since I *do* use mobile, what I typically did in the past was to use the AES-KDF method for transformation, using the 1 second delay test, and then removing a single digit to make it compatible with my (then less powerful) mobile device. Now, I realize that I need to revisit that and see just how fast my phone can decrypt it using a full 1 second delay - after all, the 1 second delay I'm deriving is on my ancient Core i7 965 EE (yes, first-gen Bloomfield) CPU, and my current phone is a Pixel 2 XL - pretty powerful in terms of a comparison to the phone I had when I first set the delay up (Original Motorola DROID, now a full 8 years old). And as I use Android, I need to see if the KeePass2Android app can decrypt the database if I set the transformation method to Argon instead of AES-KDF. I have my work cut out for me this evening. Thanks again @AdvancedSetup
  7. I'm not going to argue the semantics - I simply meant you have to be aware of wtf is possible wrt your computer use, whether at home or outside of your home. As for security keys: I think there is a bit of misinformation here. The keys are not used in lieu of PWs at sites - they are used for 2FA. On Windows, since I don't have a key to verify, I think that they do replace the PWs (via Windows Hello, just as the PINs do, which Windows 10 encourages all users to create upon installing Windows - so that is on M$ to begin with), and that was the point of the comment I made early on "But I am not fooled". So, for your home computer, obviously you have to have situational awareness of any and all (including insider, not just external) threats if you implement the use of the key with Windows Hello - and a *LOT* of people are already at a compromisable state by using Windows Hello with a PIN (in lieu of a pw) when using a Micro$oft account top log into Windows 10 (and IIRC, this can *als* be set on local login accounts as well, but I haven't ha a local account for a while, due to my continued testing of Insider Preview builds). Yeah, not safe at all. And I will not disagree with that - it really isn't safe - but it is also what is pushed by M$ as the 'alternative' to using PWs. But for actual sites that you visit? No, it's not a "plug in key and get access", it's enter username and PW, then get asked to plug in key to verify access. PWs by themselves are better than the keys by themselves - but put both together as a part of a multi-factor system of authentication and things get better. Of course, the argument can always be made that we need even more - but at what point are you going to stop? 3 layers? 5? At this point, unless you're physically at your bank, you're probably using some sort of digital interface - and as we always remarked over at CoU - If it is digital, it can be hacked.
  8. IN MB4, did you uncheck the supposed malware found, then select Next and which point you can ignore once / ignore always, and *then* run the FP tracker?
  9. Obviously - but that is also called situational awareness - if you live in a situation where someone could get access to your device, then you don't use said device. Or, conversely, you implement additional layers of security - like a power on PW for the machine itself. And your arguments apply just as much to a PW - if said roommates are willing and able to steal your physical key they're probably just as willing and able to record your PW / PIN / pattern, at which point you kinda have to wonder why you have them as roommates to begin with. In a situation where you cannot control who you live with, you implement additional layers of security - whatever those may be.
  10. Double ditto. But, I also run Windows Insiders builds 😛 And I regularly (at least every 6 months, though I've done this 3 times in the last 2 months) cleanly install Windows to help avoid any issues like that myself - if a build starts acting janky, the first thing I do is look for others experiencing the same issues as me. The second thing I do is look for a fix. If a fix cannot be found, I revert to an image backup and try again. If that fails, I revert again and stick to that image. Sometimes, though, even that is not enough - thus the 6-month clean install cycle.
  11. Agreed, but this feature has been requested more than once for previous versions, and again with the current ßeta v4 that is now out for public testing. Let's hope this can be accomplished with the new version.
  12. Do you have the telemetry settings disabled? https://support.malwarebytes.com/docs/DOC-3444
  13. Also, @f14tmocat, if it makes you feel any better, I started a complete scan of all my drives and let it run overnight - it took well over 3 hours, IIRC.... 😛
  14. Oh. I guess I could see that - but if I were to implement this for Windows, I most certainly wouldn't leave the device around to begin with 😛 Ayup - one of the reasons I use KP in the first place. And I refuse to store anything in Excel anymore as I use Microsoft Office 365 - the 'always on' aka always phoning home version.
  15. If you have your license info, you should be fine - the clean tool works on 3.x but I was told (before) not to attempt to use it on 4.x - I don't know if that has changed, so you're better off not using it if that is the latest that you've read. However, if you really want to see if it makes a difference, you might consider imaging your computer and then testing - if it doesn't restore the image and you won't have to worry about all the little tiny things (and will still have access to your 3.x data as well). When I joined the ßeta test, it was from a clean install of Windows, so I didn't have a lot of idiosyncrasies because it was a purely clean install. But, at the same time, I also had no idea what the time differences were because my machines are set to scan overnight when I'm asleep - and I never bothered to look at anything unless something was found when I had 3.x running.
  16. Lol - yeah - hence why I didn't want to use a Yubikey. I had used, a very long time ago, a method to secure my Win2K desktop via a flash drive - had to have it inserted in order to allow Win2k to boot. Alas, like a moron, I accidentally grabbed said key and formatted it when I was in dire need to transfer some data to another computer- and subsequently lost that install on the reboot. It just works. But with a true FIDOE2 key, it's not a piece of paper with a password - it's an authenticated handshake that cannot simply be pulled from the key. I'm in awe of the SoloKey simply because I can build it myself, if I have the gumption to do so - but I most likely would not do so, unless I were to become a reseller or something and mass produced them. All that effeort for a couple of keys is not worth it - but being able to trace down the components and verify them myself, as well as having the firmware actively developed (and to be able to be updated by me - or not updated, if I choose to skip any particular build) rather than relying on a 3rd party to do so is, IMO, a safer bet than just relying on the company. I spent the money for the Titan Security keys, in part, because it was a pair of keys, with multiple functionality (the BT key also handles USB connections via USB micro to USB A cable supplied with the bundle, and the NFC also handles USB (by directly inserting it into a USB type A slot). If I had really done a bit more reading and seen that I had no way to verify the firmware on the devices, much less update them, I would have passed - because Google's Advanced Protection for Google Accounts requires dual keys in order to work. Of course, the fact that they would make Pixel devices (at least Pixel 2 for sure, which I Have) work as one of the keys since it has the Titan chipset in it (which they claim - for all I know it may be software emulation), also work with Advanced Protection was not known at the time I purchased my Titan keys.
  17. Thank you, @f14tomcat. re: fonts - that is something the devs really *do* need to take a look at. And as for the cartoon thing - some like it, some don't and I'm personally indifferent about it. As for the scan times - verify that you are getting faster scan times after the initial scan, it's supposed to be a bit better. I didn't actually keep any of the data I had from previous 3.x builds on any machine, as I ended up clean installing on all machines, particularly since I started with the closed ßeta. And some of the advice being given in these forums, particularly if you're experiencing issues, is to clean install 4 (which will lost all those exceptions items in the Allowed list, so that is something to consider.
  18. I was looking more at SoMed using questions that they specifically knew were used in security. And also sharing your info without letting you know. And also sharing your location without letting you know.
  19. Almost makes you wonder. The banks are being hacked left and right. And yet they are asking for information that they know, as users of social media, that are already asked numerous times over in social media user profiles. If I was a conspiracy theorist, I'd say that banks and other financial institutions specifically set themselves up to be able to be hacked. Which would then lead to all sorts of conundrums that led to more theories as I ran down the rabbit hole, seeing how far I got. But I'm not. The real question: At this point, with the mounting evidence, should I be?
  20. It's the state of IoT (something that has not made it into my house, and never will while I am alive and maintaining my networks). it's actually one of the reasons I'm quasi-hopeful about the Broadcom acquisition of Symantec.....not very hopeful, mind you, but there is a kernel there....
  21. Ha. I like that Pro Tip - Don't go blabbing on your Facebook profile what your mother's maiden name is, what high school you went to, where you met your partner, or anything else you might have once used or might use in the future as an answer to one of those so-called 'security questions' that you're asked as a method of additional authentication for many online services, banks and other services. When we all know that those are the exact questions that FB repeatedly hounds you to answer in order to 'complete' your profile. And, yes, I mean they hound you - ad nauseum. Thankfully, I've made the move to using physical keys where I can, and KeePass for PW and critical file storage (my KP database stores PWs, my PGP sigs, even a couple of license files for programs that I might need at any given time). You need a PW and the key file to access it and they are not shared by the same cloud service. Oh, and for those sites that support 2FA but only through an 'app' (to generate TOTPs), KeePass manages those for me as well - no more separate app on my phone to look up the code. Once I can figure out a way to use the Titan keys for the KeePass database, I'll be really set - 3 factor authentication, one by physical key - you'll be hard pressed to get in to my KP database. I currently have the Google Titan Security key bundle (2 of them, because I kept the original one that had the issue with the BT key, when they sent me my replacement set - they charged me $1 - worth it to have 2 NFC/USB keys to use. The USB ones are in safes now. But I recently read about this, and I'm stoked to get one ASAP - https://solokeys.com/ The coolest thing is that the firmware has had recent changes to it that make it work with Windows Hello - PWs and security codes, begone - no key, no Windows! However, in spite of all of the above spiel - I'm not fooled. Over at Calendar of Updates, we had numerous discussions on the subject of personal security over a decade ago - I stressed then, and still know this to be a fact today - if you want ot be safe online, well, you can't be - there is n 1005 method of staying safe online - except getting offline. As I was fond of saying back then - if it is digital, it can be hacked. Which really means that it's only a matter of time before it is hacked.
  22. Agreed - I've clamored on and off for the ability to import / export exclusions for a long, long time....
  23. All current licenses that have been purchased and activated on your machine will work in MB 4. If you happen to have any issues with your purchased license(s) not working, please contact Malwarebytes Support via your preferred method listed on https://support.malwarebytes.com/community/contactsupport/pages/home-support Or, if you haven't purchased a key, you could end the trial and test it in free mode, which would then have the same types of limitations as the current MB 3 does when used in free mode.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.