Channel: User Tom - Information Security Stack Exchange

Comment by Tom on Can I prove that I did not receive an email?

@abligh how many hops does your e-mail take? But yes, if the server is in the delivery chain, then you need end-to-end encryption such as S/MIME or PGP. And yes, very few people use that.

Comment by Tom on Is a sha256 hash of a unix timestamp a strong password

Objection to your 2nd paragraph. Complexity is a misconception created by lack of work on the subject in the 60s, the guy who proposed it has apologized for the mistake, and we're slowly unraveling the...

Comment by Tom on Is a sha256 hash of a unix timestamp a strong password

@kirbyquerby the whole part is beside the point here, so I'll remove it.

Comment by Tom on Security and obscurity, anti-bot edition

@KevinKostlan don't allow your users to pick "password" or "12345678" as their password. I mention a blacklist. Compromised passwords are an issue, but the OP doesn't mention them as his threat...

Comment by Tom on Understanding of HTTP GET request

This is the only correct answer. The part after the domain is passed to the webserver and that decides what to do with it. Everything else is assumptions based on conventions. Most likely, it'll...

Comment by Tom on Does "risk score" always have to be a numerical value?

@Nelson renaming "medium" to 5 does not magically turn it into a number you can do math with, despite appearances. You're still operating on an ordinal scale.

Comment by Tom on Does "risk score" always have to be a numerical value?

Implies, but not strongly. MW (merriam-webster.com/dictionary/score) lists GRADE as a synonym, and grades are A-F in some countries.

Comment by Tom on Does "risk score" always have to be a numerical value?

@schroeder Matthias and I read the same books. One of Hubbard's insights is that when it comes to data, you have more than you think and you need less than you believe. Yes, you need data. But you...

Comment by Tom on Vulnerable Components CVSS Score

The question is meaningless. CVSS does not claim to support any inheritance or transfer of scores. The only way to make a report would be "a component of this host has a CVE with a CVSS score of n".

Comment by Tom on Encrypting individual files on OS X

Stack Exchange works in mysterious ways sometimes. :-)

Answer by Tom for How to donate a computer without jeopardizing personal...

You are looking to protect the data from accidental leakage or from someone with limited IT knowledge, such as an administrator who knows how to look at drive space marked as "free" by the operating...

Answer by Tom for Disadvantages of replacing TCP/IP with blockchain

The disadvantage would be that you replace a working, tested and battle-hardened technology that suits its purpose and has mountains of stuff built on top of it with something that isn't even a...

Answer by Tom for Deep international spy forensics: what hw really needs to...

In practical terms, they would not come with a checklist and destroy individual parts. They would chuck the whole thing into a portable grinder, shovel in the remains again, then press whatever is left...

Answer by Tom for Do machines without any listening services need a firewall...

No perfectly configured, bug-free server needs a firewall, listening services or not. After all, what does the FW actually do? It blocks connections to ports where anyway we aren't listening, and lets...

Answer by Tom for Can proprietary protocols be considered as secured?

"Proprietary" can mean a lot of things. In InfoSec, the important question is how well something has been examined. That is where most proprietary protocols fail. They aren't used widely, have not been...

Answer by Tom for After a password leak, is there a Levenshtein distance from...

From a security perspective, this metric is meaningless. First, a password leak typically leads to a trivial attack in which the attackers will simply attack all accounts in the leak, looking for those...

Answer by Tom for Any reason not to use secure info that is using personal...

There are two problems with obscure personal information for passwords (and password recovery questions). One is that things simply aren't as secret as you think, especially in the hands of regular...

Answer by Tom for My company policy states I must put all passwords in a...

First, it is company policy, so like it or not... (I'm the resident security genius - not my attribution - at my company and I've been railing against our password policy for years, yet nothing changes...

Answer by Tom for Acceptably secure solution for users to log in with a short...

Yes, your method is acceptable, provided that:

- your codes are generated randomly so they aren't easily guessed
- each code can be used only once, for a limited time
- you limit brute-force attacks

If...

Answer by Tom for Someone knows my IP and is threatening to DDoS me

Not enough information for a qualified answer. I will make some assumptions and spell them out. Basic assumption: You actually care about being DDoS'ed (you earn money doing live streams or...

Answer by Tom for How can someone DDoS me?

There are many different types of DDoS attacks. Many of them have nothing to do with any specific ports. Most of them simply work by saturating your connection with packets. It doesn't matter if those...

Answer by Tom for Why use random characters in passwords?

Most people, including lots of them who write password policies, don't actually understand passwords. Exhibit A: The original author of the "complexity" rules is now sorry for his mistake. We now know...

Answer by Tom for Is at-rest encryption worth it if the key has to be kept...

There's more to disk encryption than just this, but I'll stick close to your question: "readily accessible" does not necessarily mean the same thing for an authorized user and an attacker. For example,...

Answer by Tom for If my machine is infected and I run a Virtual Machine...

I believe you are asking the wrong question. Whether or not your VM is infected is an open question. To answer it, you can inspect the malware, inspect the VM, draw conclusions, make a guess. But you...

Expressing the risk of not having a security policy (e.g. ISO 27002, chapter 5)

How do I express non-compliance to ISO 27002 chapter 5 as a risk? The basic principle of an ISMS according to ISO 27001 is a risk-based approach. Following this, every control of Annex A (ISO 27002)...

Answer by Tom for Is it safe to store account credentials in an Excel sheet...

Probably not, but it depends on your threat model. What are you trying to protect AGAINST? If your main concern is that you forget passwords and that some low-level attacker might get them, then you may...

Answer by Tom for Patching operational technology products in a manufacturing...

OT is a different world. First, what schroeder said. You want to contact the vendor and discuss this with them. You also want to check with plant management regarding any certifications,...

Answer by Tom for Redirect to login page if authorization required --...

What is your threat model? With a blanket approach you won't solve your use case. Correct, if you do as you describe you allow an attacker to enumerate your valid pages, theoretically. Does he have an...

Answer by Tom for Is there a security standard/framework which interpret the...

To the best of my knowledge, no standard explicitly requires the CISO to be independent of influence. You might mix this in your head with the privacy officer in Europe who has such a requirement. In...

Answer by Tom for Realistically, how likely it is to have a computer...

Perhaps this was naivety on my side, but I usually thought that browsing the web is (supposed to be?) a relatively safe thing to do (barring stupidities such as downloading & running cracks). But now...

Answer by Tom for Are JWT refresh tokens in browser really that bad?

After some research and thinking, this is pretty much how I've implemented it. I agree with your reasoning, and the access/refresh token is fairly well established best practice. Your mechanics should...

Answer by Tom for Our fingerprint were leaked from the vulnerable voting...

Yes, you should be worried, but not as much as you think. Your data being available digitally means that it is a lot easier for a possible attacker to abuse it than the many other attack paths, which...

Answer by Tom for bruteforce local software's password

Frame challenge: The reason these tools don't exist is that it is generally easier to do traditional cracking, i.e. finding the place in the code where it tests and branches and replace that with a NOP...

Answer by Tom for I'd like to upload photos anonymously

What is your threat model and who do you want to remain anonymous towards? For ordinary users, removing all the meta-data from a photo (such as the EXIF data) would do the job. For advanced users capable...

Comment by Tom on Choosing laptop brand for company

@MikeB state-actor placed backdoors are valuable commodities. They won't be used for a run-of-the-mill ransomware campaign. And once they're no longer 0-days, there are usually OS-level workarounds.

Comment by Tom on How does Facebook Pixel's new first-party cookie work?

similar question elsewhere: stackoverflow.com/questions/71778566/…
