multi factor – How exactly is U2F more secure than OTP?

I’ve been trying to understand U2F and still don’t see why it’s more secure than ordinary OTP in some instances.

For example, if I log into a website with a password and an OTP generated by Google Authenticator (for example) on my phone, how is using a YubiKey with U2F instead of Google Authenticator more secure?

Is U2F a type of OTP in that it’s a protocol for OTP?
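As an added example (not part of the original question or of any answer to it), the Python below models the difference the question is asking about. TOTP is implemented as Google Authenticator does it (RFC 6238 over RFC 4226 HOTP). The U2F side is a simplified model: a real authenticator signs with a per-registration ECDSA key and the server checks the registered public key; here HMAC-SHA256 under a key shared with the verifier stands in for that, which is an assumption made only to keep the example dependency-free. The origins `https://example.com` and `https://examp1e.com` are constructed. What the model keeps faithful is the point that matters: the browser puts the origin of the page actually being visited into the signed client data, so a signature produced on a phishing page is worthless to the real site, while a six-digit code can be relayed within its validity window.

```python
import hashlib
import hmac
import json
import secrets
import struct

# --- TOTP as Google Authenticator implements it (RFC 6238 over RFC 4226 HOTP) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at // step), digits)

def totp_verify(secret: bytes, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current step and one neighbour either side for clock skew."""
    return any(hmac.compare_digest(hotp(secret, int(at // step) + d), code)
               for d in range(-window, window + 1))

# --- U2F-style assertion: the browser's origin is inside what gets signed ---

class U2FDevice:
    """Model of an authenticator. A real U2F device signs with a per-registration ECDSA key
    and the server verifies with the registered public key; HMAC-SHA256 under a key shared
    with the verifier stands in for that here (simplification, not the real primitive)."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def sign(self, origin: str, challenge: str, counter: int):
        # 'origin' is filled in by the browser from the page actually being visited;
        # neither the user nor a phishing site gets to choose it.
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge, "origin": origin}, sort_keys=True)
        signed = hashlib.sha256(client_data.encode()).digest() + struct.pack(">I", counter)
        return client_data, counter, hmac.new(self.key, signed, hashlib.sha256).hexdigest()

def u2f_verify(key: bytes, expected_origin: str, issued_challenge: str,
               client_data: str, counter: int, sig: str) -> bool:
    data = json.loads(client_data)
    # Origin binding: the assertion is only valid for the site the browser was really on.
    if data.get("origin") != expected_origin or data.get("challenge") != issued_challenge:
        return False
    signed = hashlib.sha256(client_data.encode()).digest() + struct.pack(">I", counter)
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).hexdigest(), sig)

# --- Real-time phishing relay against both factors (constructed origins) ---

REAL = "https://example.com"    # the legitimate site
PHISH = "https://examp1e.com"   # attacker's look-alike page, proxying to REAL

def relay_attack_totp(now: float = 1_700_000_000.0) -> bool:
    secret = secrets.token_bytes(20)              # shared by REAL's server and the phone app
    code = totp(secret, now)                      # victim reads it off the phone, types it into PHISH
    return totp_verify(secret, code, now + 5.0)   # attacker forwards it to REAL a few seconds later

def relay_attack_u2f() -> bool:
    dev = U2FDevice()
    challenge = secrets.token_urlsafe(32)         # issued by REAL, forwarded to the victim by PHISH
    client_data, ctr, sig = dev.sign(PHISH, challenge, 1)   # browser stamps the phishing origin
    return u2f_verify(dev.key, REAL, challenge, client_data, ctr, sig)

def legitimate_u2f() -> bool:
    dev = U2FDevice()
    challenge = secrets.token_urlsafe(32)
    client_data, ctr, sig = dev.sign(REAL, challenge, 1)
    return u2f_verify(dev.key, REAL, challenge, client_data, ctr, sig)

if __name__ == "__main__":
    print("TOTP relay succeeds:", relay_attack_totp())   # True
    print("U2F relay succeeds: ", relay_attack_u2f())    # False
```

The TOTP relay succeeds because the code is just a number the victim can be talked into typing anywhere, and the server has no way to tell which page it was typed into. The U2F relay fails before any cryptography is checked: the origin in the client data is the phishing site, not `REAL`. A second difference the model does not show is that a TOTP server stores the shared secret, so a server breach exposes every user's second factor, whereas a U2F server holds only public keys.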


sharepoint server – How can I secure _vti_pvt folders?

I am dealing with a security report from an external contractor, in which there is a finding labeled as a medium risk.

It is titled IIS .cnf file leakage.

This is somewhat confusing to me, since the external partner found it on port 500 UDP. He recommends deleting them if I do not need them, otherwise securing them from anonymous access through the web.

I searched the server for _vti_pvt folders and found one in every SPWebApplication on my IIS.

You can find them on your %SPPath%/VirtualDirectories/(Portnumber)/. For example

C:\inetpub\wwwroot\wss\80\_vti_pvt\*.cnf

I then fired a simple HTTP GET request at the public-facing domain www.somesharpointportaladdress.com/_vti_pvt/services.cnf and actually got a 200 OK response. I can view the file contents in the browser.

My question here is: Is it safe to delete those files? (are they crucial?) If not, what is the best way to secure them from anonymous access?
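The check the question performs by hand in a browser, written up as an added example (this is not code from the question, from the contractor's report or from SharePoint): an anonymous probe of the `_vti_pvt` directory that can be run against each web application before and after a fix. `services.cnf` is the file named in the finding; the other file names are assumed from the usual FrontPage Server Extensions layout and are not taken from the report. The body heuristic (FPSE `.cnf` files are `key:value` text whose first line starts with `vti_encoding`) is there to separate a genuine leak from a 200 that is really a login page reached through a redirect.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# FrontPage Server Extensions metadata files commonly found under _vti_pvt. services.cnf is
# the one named in the finding; the other names are assumed from FPSE layouts, not from the report.
VTI_PVT_FILES = ["services.cnf", "service.cnf", "access.cnf", "writeto.cnf",
                 "botinfs.cnf", "bots.cnf", "linkinfo.cnf"]

Fetcher = Callable[[str], Tuple[int, str]]   # url -> (status, first bytes of body as text)

def anonymous_fetch(url: str) -> Tuple[int, str]:
    """Plain GET with no credentials or cookies: what an anonymous internet client sees."""
    req = urllib.request.Request(url, headers={"User-Agent": "vti-pvt-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def classify(status: int, body: str) -> str:
    # FPSE .cnf files are 'key:value' text beginning with a vti_encoding line, so a 200 whose
    # body lacks 'vti_' is more likely a login page reached via redirect than a leaked config.
    if status == 200 and "vti_" in body:
        return "EXPOSED"
    if status == 200:
        return "200-but-not-cnf (check manually)"
    if status in (401, 403):
        return "auth-required"
    if status == 404:
        return "absent"
    return f"http-{status}"

def check_vti_pvt(base_url: str, fetch: Fetcher = anonymous_fetch) -> Dict[str, str]:
    """Probe each known file under <base_url>/_vti_pvt/ and classify the anonymous response."""
    base = base_url.rstrip("/")
    return {name: classify(*fetch(f"{base}/_vti_pvt/{name}")) for name in VTI_PVT_FILES}

def exposed_files(results: Dict[str, str]) -> List[str]:
    return sorted(name for name, verdict in results.items() if verdict == "EXPOSED")

if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:
        res = check_vti_pvt(url)
        print(url, "exposed:", exposed_files(res) or "none")
```

Run it with one argument per SharePoint web application URL, from a host that has no session with the portal. After whatever remediation is chosen, the expected result for every file is `auth-required` or `absent`; a remaining `EXPOSED` entry means the anonymous path is still open. The `fetch` parameter exists so the classification can be exercised offline with canned responses.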

implementations – Can Just-In-Time compilation be considered a secure feature?

The commonly endorsed way of evaluating the security of a program, and the one considered most reliable, is examining its source code. That is, this method rests on the fundamental assumption: “what you see is what is run”.

But if the program’s memory has both ‘writeable’ and ‘executable’ attributes and the program can compile at run-time and execute arbitrary code, including the code that is not present in the sources – does this commonly used method of evaluating the program’s security still hold?

Don’t we have a tradeoff here – between security and performance? If we could achieve without compilation to machine code, say, 75% of performance that is achieved with JIT – would JIT still be considered a good option?
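The memory attribute the question points at (pages that are writable and executable at once) is something that can be checked on a running process rather than argued about in the abstract. The Python below is an added example, not code from the question, that parses `/proc/<pid>/maps` on Linux and lists the W+X regions. A JIT that respects W^X shows no such region: it either writes into an `rw-` buffer and flips it to `r-x` with `mprotect` before executing, or maps the same memory twice with different permissions. The `SAMPLE_MAPS` text is constructed so the parser can be exercised without a live process; the addresses and `/usr/bin/app` path in it are made up.

```python
import re
from typing import List, NamedTuple

class Mapping(NamedTuple):
    start: int
    end: int
    perms: str      # e.g. "rwxp"
    path: str       # empty for anonymous memory, which is where JIT output normally lives

# /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional path
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text: str) -> List[Mapping]:
    out = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return out

def find_wx(mappings: List[Mapping]) -> List[Mapping]:
    """Regions that are writable and executable at the same time: the W^X violations."""
    return [m for m in mappings if "w" in m.perms and "x" in m.perms]

def wx_bytes(mappings: List[Mapping]) -> int:
    return sum(m.end - m.start for m in find_wx(mappings))

def check_process(pid: str = "self") -> List[Mapping]:
    """Live check on Linux; point it at a JIT-enabled process id."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as f:
        return find_wx(parse_maps(f.read()))

# Constructed sample: an RWX anonymous region as a naive JIT would leave it, beside ordinary
# code (r-x), data (rw-) and a JIT that keeps the W^X split (rw- buffer, separate r-x copy).
SAMPLE_MAPS = """\
55d5c8a00000-55d5c8a1f000 r-xp 00000000 fd:01 1311 /usr/bin/app
55d5c8c1f000-55d5c8c22000 rw-p 0001f000 fd:01 1311 /usr/bin/app
7f1a20000000-7f1a20100000 rwxp 00000000 00:00 0
7f1a21000000-7f1a21100000 rw-p 00000000 00:00 0
7f1a21100000-7f1a21200000 r-xp 00000000 00:00 0
7ffd3b0f0000-7ffd3b111000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for m in find_wx(parse_maps(SAMPLE_MAPS)):
        print(f"W+X: {m.start:#x}-{m.end:#x} {m.perms} {m.path or '[anon]'}")
```

An empty result does not mean the JIT is safe, only that its output is not simultaneously writable and executable; a write-then-flip JIT still has a window during which the buffer is writable, and a dual-mapping JIT still has a writable alias somewhere in the address space. It does, however, separate the two situations the question describes: code that must be audited as data that becomes code at run time, versus code that at least cannot be patched in place after it has been made executable.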

camera bag – What can I use as a ‘holster’ to keep DSLR handy but secure while hiking?

Well, I actually found this thread looking for a solution for camera-bounce myself, as I usually just thread it through the chest-strap so it’s not hanging off my neck.

But for quick access to lenses, I have two cylindrical top-zip barrel bags with belt loops that I attach to the hip belt of my pack and put them WAY at the back, like hip panniers. Except when I’m indoors and going through doorways (when I slide them out front), this distributes the weight a lot better over my center of gravity while I’m walking than pulling me forward. It’s bad enough that the backpack and camera do this dance with my front-back center of gravity. The lenses/panniers kind of add some side-to-side stabilization, lol!

And I always keep my telephoto on one side (consistently), wide-angle on the other, and walk-around/mid-range in the camera, or swapped in whatever bag is empty/lens is in the camera. That way I don’t have to think about where things are too much, and I stay organized.

I’ve seen bottom (tripod mount) clips that can either clip your camera to your belt or your shoulder-strap or chest-strap or something… not sure I’d trust that… and my next trip will be “where the sun don’t shine” so I need rain-protection as well, as I’ll be hiking more than shooting this time around. Luckily, I’ll just be doing mostly landscape photography, so I don’t think I’ll need to quickly whip out the camera for a lose-it-moment, so I can probably rig up a fanny-pack or something to sit underneath my backpack, if on my chest or belly doesn’t feel right.

image – How to secure container to prevent sensitive information leak?

How is a password kept secure before hashing?

I know that once a password is on a server it is hashed and salted. But when it was transferred over the internet it was stored in plain text, right? And also when it is in the memory of the server before it’s been hashed.
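In transit the protection is TLS, which is outside what a code sample can show. The server-side part of the question, the time the plaintext spends in memory before it is hashed, can be: the Python below is an added example (not from the question or any answer) that takes the password in a mutable `bytearray`, hashes it with salted PBKDF2-HMAC-SHA256, and overwrites the buffer as soon as the derivation is done. The iteration count and the storage format are choices made for this example. The wipe is best effort only, which is itself the caveat worth knowing: Python strings are immutable and the bytes may already have been copied by the framework that parsed the request, so this shortens the exposure window rather than closing it.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 recommendation)

def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place. Best effort only: Python may already hold other copies
    (str objects are immutable and cannot be wiped), so treat this as reducing, not removing,
    the time the plaintext is resident in memory."""
    buf[:] = bytes(len(buf))

def is_wiped(buf: bytearray) -> bool:
    return not any(buf)

def hash_password(pw: bytearray, iterations: int = ITERATIONS) -> str:
    """Salt and hash a password held in a mutable buffer, then wipe that buffer.
    Storage format: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = secrets.token_bytes(16)                 # per-password random salt
    try:
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    finally:
        wipe(pw)                                   # plaintext no longer needed from here on
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, pw: bytearray) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown password hash scheme")
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iterations))
    finally:
        wipe(pw)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    buf = bytearray(b"correct horse battery staple")   # constructed input
    record = hash_password(buf)
    print(record)
    print("buffer wiped:", is_wiped(buf))
    print("verify:", verify_password(record, bytearray(b"correct horse battery staple")))
```

The `try/finally` matters more than it looks: if the KDF raises, the plaintext is still wiped. The constant-time comparison in `verify_password` is there because the stored hash, not the password, is what a timing leak would otherwise reveal byte by byte.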

engineering – What are the methodologies and approaches followed by large Software Companies such as Google and Microsoft to secure their software

attacks – Is this hypothetical system dealing with sensitive keys secure?

I’m a developer in the cryptocurrency space, dealing with private keys (PK) linked to wallets containing money and I’m interested to see if this system I plan to use is secure or if I’m missing something. I define secure as the chance of the PK being obtained by a bad actor being extremely low/negligible. Is this system secure or is there something I need to do to make this more secure?

Computers:

  1. (PC1) Laptop. Was at one point connected to the internet but will be reformatted, then will probably boot into some Linux distribution through USB like Tails OS and potentially be Air Gapped.
  2. (PC2) Development PC connected to internet. Won’t come into contact with private keys that have any large amount of money, just enough to develop with.
  3. (PC3) Ubuntu server hosted through Digital Ocean and will be locked down through Digital Ocean Cloud Firewall and How To Secure A Linux Server as a guide. Disk and swap partition will be encrypted. Required to be connected to the internet.

The Plan:

On PC 2 I download a chosen Linux system (probably Tails, as it leaves no trace on exit) onto a clean USB along with the official software for the chosen blockchain used for creating PKs. PC 1 boots into that Linux system from the USB. PC 1 generates a new PK for a wallet (one that will actually be used and will store money) and that key will be written down on paper. PC 3 is running a program I have written that interacts with the blockchain automatically and signs transactions for me; it requires the PK of the wallet it’s interacting from. This wallet is the one created before that has the money. The program doesn’t pull the PK from any file; on startup it will ask for the PK to be typed in manually.

Potential Pitfalls:

  • I think the biggest point of failure is an attack at the point of entering the PK at program startup on PC 3. This is the only point in time the PK is exposed. My plan was to SSH from PC 2 into PC 3 and start the program that way, but then any keylogger on PC 2 will catch me typing in the PK as well as any other passwords. I was thinking of maybe using PC 1 to SSH in, but that would require it to no longer be air-gapped. At the same time, if I use Tails OS, could I not technically dedicate a fresh ‘session’ to creating the air-gapped PK, then make another session that’s not air-gapped to SSH in, but never mix the two activities?
  • PC 2 has malware that gets its way onto the USB and somehow messes with PC 1. Is there any way I can make the USB transition from the non-air-gapped PC 2 to the air-gapped PC 1 more secure?
  • Potential for a bad actor to get access to my Digital Ocean account and add their IP to PC 3’s firewall, allowing them to get one layer into PC 3, however they are still stuck behind the other protection methods (SSH key, data encryption, etc…)

Other than someone finding the piece of paper I wrote the PK on, is this system secure or is there something I need to do to make this more secure? Thanks!
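For the second pitfall (PC 2 tampering with what goes onto the USB), the standard check is to verify the downloaded image against the digest the distribution publishes and then verify that the stick actually carries that image. The Python below is an added example, not code from the question or from Tails; the file paths and the "published" digest are whatever the reader supplies, and the streaming read makes it usable on a multi-gigabyte image or a raw block device. Two caveats the example cannot remove: a digest downloaded over the same channel as the image proves only that the two agree, so the digest (or better, the signature the distribution also publishes, checked with its signing key) needs an independently trusted source; and a check run on a compromised PC 2 can be lied to, which is why the device-side comparison is worth repeating from the clean side once it exists.

```python
import hashlib
import hmac
import os
from typing import Optional

CHUNK = 1024 * 1024   # 1 MiB reads keep memory flat on large images

def sha256_of(path: str, length: Optional[int] = None) -> str:
    """Stream SHA-256 over a file or block device, optionally over only its first `length`
    bytes (a USB stick is larger than the image written to it, so hash only the image's span)."""
    h = hashlib.sha256()
    remaining = length if length is not None else float("inf")
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(int(min(CHUNK, remaining)))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()

def image_matches_published(image_path: str, published_sha256: str) -> bool:
    """Step 1, on the machine that downloaded it: the file equals what was published.
    The published digest must come from a source the download itself cannot influence."""
    return hmac.compare_digest(sha256_of(image_path), published_sha256.strip().lower())

def device_matches_image(image_path: str, device_path: str) -> bool:
    """Step 2, after writing: the first len(image) bytes of the device are exactly the image.
    Needs read access to the raw device (e.g. /dev/sdX on Linux), so typically run as root."""
    size = os.path.getsize(image_path)
    return hmac.compare_digest(sha256_of(image_path), sha256_of(device_path, length=size))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                 # image, published digest
        print("image ok:", image_matches_published(sys.argv[1], sys.argv[2]))
    elif len(sys.argv) == 4 and sys.argv[1] == "--device":   # --device image /dev/sdX
        print("device ok:", device_matches_image(sys.argv[2], sys.argv[3]))
    else:
        print("usage: verify.py IMAGE SHA256 | verify.py --device IMAGE DEVICE")
```

`hmac.compare_digest` is used for the comparison out of habit rather than need (digests are not secrets), and the device comparison reads the image twice rather than caching its digest so that the function has no state an attacker on the same box could pre-seed.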