Destination Linux 182: Security Keys, Disk Encryption & Two Factor Authentication (2FA)

Originally published at: https://destinationlinux.org/episode-182/

https://youtu.be/DPIq5cRbYqg Coming up on this week’s episode of Destination Linux: Google & Canonical are teaming up to bring Flutter to Linux for a cross-platform game changer. How Important is Disk Encryption & Security Keys – should you be using them or do you just prefer being hacked? We’ve got community feedback, a DRM FREE Game…


Noah was saying “NVR” is dead with Unifi. It’s not true. Unifi Video is dead. NVR is a separate product which is still being manufactured.

Points about proprietary surveillance products etc. are still true.

Your security thoughts about MFA, and that SMS and authenticator auth are not secure enough: my gosh, I think you guys live with tinfoil hats on your heads. Yes, what you said is probably true and relevant when someone is a high-value target or a corporation with millions of dollars at stake.

But for Joe Schmoe out there, the chances that his phone's SIM will be targeted and that the hacker will also have access to Joe Schmoe's password for the particular website are small to nil.

Pushing all this "don't trust MFA unless hardware based" is just nonsense for most people out there. Instead, push people to use secure passwords and change their passwords every 3-6 months. That, mixed with MFA with whatever mechanism, is good enough.


I get why you would not want to use Google Auth or Authy, but what about open-source OTP clients on Android like FreeOTP+ or Aegis Authenticator, or, on Flathub, there is also OTPClient.
I think, especially because these can be used completely offline as long as the clock is synced, they are not a bad option, even if they are not as secure as a YubiKey.


Let’s say this is true. The problem is it only takes one Joe Schmoe to target 100s of Joes.

Assuming Joe Schmoe has nothing of value to steal directly, his accounts have long-established trust which, when combined with traditional attacks like credit fraud, phishing and malware (in something like an office doc or video), makes his account valuable. Every Joe is usually just one hop to several richer Joes.

Also, as cloud email with no deletion is the norm and chat logs are usually permanent, it can leak everything anyone has ever said to Joe online (possibly ever) for purposes of blackmail, and more access if he's sent or received passwords for other accounts similarly lacking in 2FA.

I couldn’t agree with you more, Ulfnic. :grin: :+1:

Attackers definitely mask their activities through their victims, and it's the victim who suffers the worst of it (financial and reputation damage, broken trust, cleaning up the mess, etc.). Hardware tokens are definitely the most secure form of adding 2FA to any account, but they aren't the "silver bullet" for everything. Great security focuses on many layers of protection, which includes strong, separate passwords for every online account (a password manager tool is great for this), 2FA, definitely not running Windows as an OS :stuck_out_tongue_winking_eye:, firewalls, staying up on the latest patches, and many other security techniques.

Despite all of the "technology" that you can throw at staying safe online, the weakest link is always the user, which is where education and security awareness are the best tools. If you can help users become more security-minded, it will greatly give technology a chance to do its job the way it was intended. :smile: Anyway… those are my thoughts for now. HA!

I'm with you on this one. I know privacy is a big concern for many people, but to me, a lot of the time the effort involved in making things as close to 100% secure as you can, versus the actual real chance of somebody targeting and attacking you in that way, is just not worth it.

It does sometimes feel like being advised to wear a motorcycle helmet and full leathers to go for a bicycle ride. Sure, it's more protection, but meh, I'd rather live and enjoy my life than spend so much time stressing out and worrying over things to that degree.


Yes, I get it: Joe Schmoe working for a big billion-$$ corporate company is a lead into the company, and that leads to lots more $$. In that case, it's the company's job to enforce enough security that the weakest link is still a really hard link to break. Maybe if they are so worried, hardware auth is a good idea.

But personal Joe Schmoe (outside of work): his personal email, personal phone number and personal bank accounts. Presuming Joe changes his passwords regularly and uses a secure password, he limits his exposure a ton. Put in SMS MFA, and now the attacker has a much harder attack vector. The attacker has to: 1) figure out that Joe Schmoe has an account at the entity in question; 2) figure out Joe Schmoe's password; 3) figure out that Joe Schmoe's MFA is SMS; 4) hack the telecoms to have Joe's SMS sent elsewhere; 5) access the account. And given my assumption that Joe changes his password regularly, he has to do all this before the password change.

So how does BitWarden work? Or rather, why use that instead of Firefox's built-in generator/saver? I don't use either right now; I'm very much in the 'security through obscurity' boat and have them written/saved in places. But I hate everything 2FA also, and I want to go the route of more complex passwords, different for each site, but don't want to worry about recording them.

But then, I don't know how to back up the Firefox or BitWarden ones either, and would hate to lose ALL my logins.

I might have missed this in case it was mentioned in episode 182 of the show, but what about custom-made encryption (custom algorithms, a combination of passwords + hardware keys)?
Some apps have that already: KeePass (can be set up with password + key or hardware key).
I also made some custom encryption that creates a new language that the AI/ML bot making it understands, and translates the data into the new language with new grammar, new words etc., giving extra security. This is not new; I was able to do it in 2012 with basic software engineering skills in Python and a basic understanding of formal languages (the math topic for new language creation).
I was always wondering why custom encryption by users never went mainstream, even in Linux.

Regards, Alex

I've used BitWarden for a couple of years now and I love it. There are a few different ways you can use it: a browser plugin, a mobile app, and a desktop app. You set up your "vault" with one secure password, and that's all you need to remember to unlock all of the rest. From then on, as long as you've unlocked your vault, it fills in your credentials on whatever site you go to. It also has a built-in generator for creating secure passwords that you can access through the right-click menu.

As far as backups go, you can download your entire vault in an unencrypted .JSON format to put on an SD card and throw in a safe somewhere if you so desire. It just won't stay updated if you change your passwords regularly. Any updates you make to the online vault are propagated to all your other instances of your vault.

OK, awesome. That’s what I was hoping. So I can remember 1 long password to ‘authenticate’ to Bitwarden, then it’ll log me in to whichever website, right?

Are you paying for the 10/yr plan or self-hosting? And do you have it self-hosted at home or up on something like a DO droplet?

Yeah, the mobile app and the browser plugin will fill in your login information for you (when you're on a site that has a stored login, you'll see a little notification on the BitWarden icon; click it and it autofills). The desktop app is a copy/paste kind of thing, as far as I know.

I pay the yearly amount even though I don’t necessarily need the extra features; I just like supporting them. I don’t self-host so I can’t really speak to that.

You trust them hosting it? I mean, that's my main hang-up with using anything really: trusting the provider with holding the keys. I haven't looked into their privacy policy either, though. I would probably go with them hosting it also, because it seems like self-hosting may be hard unless you were to do bitwarden_rs.

Yeah, your situation might be different. I trust Bitwarden. They're an OSS product, so I feel like if they were up to anything shady it would show in their code. Your threat vectors might be different, so I understand if you want to self-host.


You can also self-host your vault in Bitwarden. That's next on my to-do list for my NAS :slightly_smiling_face:


For my passwords I use KeePass (it may have a browser version, I don't know). I open KeePass and from there I open the sites I need; it is kind of like a bookmarks manager.
It is easy to make a key file + password (or even a hardware key), and with cron jobs it is easy to auto-backup, even to Google Drive (for example, GNOME supports online accounts and files can be backed up) with Déjà Dup directly to Google Drive daily in the background. I use a tablet as a phone, so I have the KeePass DB synced on all of them, but for Android I am sure KeePass exists. Also, GNOME Passwords reads the KeePass DB.

I personally would not pay even $1 for someone to keep my database of passwords when it is easy to set up NextCloud or just use an add-on to sync files to Google Drive, Dropbox, OneDrive, etc.

Regards, Alex
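The "key file + password" setup mentioned here, and in the earlier post about KeePass with password + key or hardware key, works by folding both factors into a single master key before anything is decrypted. The block below is an added example written for this thread, a simplified model of that idea and not KeePass's actual file format, composite-key routine or KDF settings; the database blob, the key-file bytes and the scrypt parameters are constructed for the demo.

```python
"""Two-factor vault unlock: password + key file -> one master key.
Simplified model of the KeePass idea (not KeePass's real format or KDF)."""
import hashlib
import hmac
import os
from typing import Optional


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Fold both factors into one 32-byte value: hash each factor, then hash
    the concatenation. Without a key file only the password contributes.
    (Illustrative construction; KeePass's own composite-key rules differ.)"""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def derive_master_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite key with scrypt (memory-hard) so that whoever
    steals the database file still pays per guess. n=2**14 keeps the demo
    fast; real vaults use larger, tunable parameters."""
    return hashlib.scrypt(composite_key(password, key_file), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def seal(db: bytes, password: str, key_file: Optional[bytes]):
    """Return (salt, tag) for a database blob, tag = HMAC(master_key, db).
    Stands in for the header check that lets a vault reject a wrong key
    or a tampered file before decrypting anything."""
    salt = os.urandom(16)
    key = derive_master_key(password, key_file, salt)
    return salt, hmac.new(key, db, hashlib.sha256).digest()


def unlock(db: bytes, salt: bytes, tag: bytes, password: str,
           key_file: Optional[bytes] = None) -> bool:
    """True only when BOTH factors are right: a phished password alone or
    a stolen key file alone yields a different master key and fails."""
    key = derive_master_key(password, key_file, salt)
    return hmac.compare_digest(hmac.new(key, db, hashlib.sha256).digest(), tag)


if __name__ == "__main__":
    key_file = os.urandom(64)        # constructed stand-in for a key file
    db = b"constructed vault bytes"  # constructed stand-in for the .kdbx body
    salt, tag = seal(db, "correct horse battery staple", key_file)
    print(unlock(db, salt, tag, "correct horse battery staple", key_file))  # True
    print(unlock(db, salt, tag, "correct horse battery staple"))            # False
    print(unlock(db, salt, tag, "wrong password", key_file))                # False
```

The practical consequence for the sync setups discussed in this thread: a synced database plus a key file that is kept off the cloud means a leaked cloud account, or a leaked master password, is not on its own enough to open the vault.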

In my case, I pay for Bitwarden because I want to support the project. I wish more FOSS software had an easy way to contribute.


Well, I pay projects I don't actually use to support them, and I have donated to Linux Mint and now Manjaro regularly, and via my company to Fedora and CentOS. I even donate to a cool game, SuperTuxKart, even though I can get all of it for free (just to support the project). Donating to FOSS is cool and I do it also.

When it comes to very sensitive information like passwords for online accounts, I don't even trust my own company (where I have worked for 7 years and the IT admin has been a close friend for years); the only data I keep outside of my work network is my personal journal info or data of value, the password database, and the chat app data + software that I use with my GF (a clone of a popular messaging app built just for us two).

Contributing to FOSS is cool and respectable and I do it, but I personally would not trust anyone with that type of data, and as I said, it is really easy to make your own sync and your own data encryption.

Regards, Alex

Tin foil hat, or perhaps I worked in the telecom industry for 21 years, but hey, you know best.