The old solutions to phishing, education and weak 2fa, are in the way of the new and improved solutions, FIDO, passkeys. Nobody wants to admit that the old ways were lacking. They were hipped too hard. It's like when new health guidelines appear and contradict the old ones.
Me! waves hand in the air I admit the old ways were lacking. We just didn't have a lot of better alternatives at the time. SMS 2FA beats no 2FA. TOTP beats SMS 2FA. FIDO/passkeys/etc beat TOTP.
We've made a lot of progress as new methods and technologies have become available.
A 2FA token is simply another "thing you know". A plugged-in USB dongle is actually "something you have". (Although, technically, it's still "something you know" because it has a secret key; it's considerably more difficult to phish this key.)
Right now the most basic USB-C Yubico Key-Dongle goes for around $80 (considering taxes and shipping in Europe). As yubico state themselves, you really need 2 dongles just in case.
Most people are not paying $160 for this, period, when 2FA and passkeys are a "good enough" thing.
Passkeys are more than good enough. Software keys are indistinguishable from hardware keys in the context of credential phishing. Both kinds of keys have the same weaknesses, too, e.g. OAuth phishing (keys do nothing) and DNS hijacking (keys degrade to the same security value as OTP).
Other threat models (malware, physical access) are a different story, of course.
A Pi Pico is around $3, you could see if there are any solutions out there that can turn it into a security key. (though at that point, perhaps just wait for KeePassXC FIDO/U2F support)
Especially when they have a phone that is secured well enough. As long as the EU can keep itself from meddling away the security in their special well intended way, of course.
Do people not track the last used time window of a TOTP and require a newer window for subsequent events? Most libraries I’ve used come with that as part of the interface.
Taking over AOL “int” accounts was actually considered pretty basic at that time. Getting in the lan as he mentioned was the bigger goal but also wasn’t hard to do at all once you had a few “int” logins.
The best was when Gosh took screenshots of the leader of security(whose computer he compromised) berating his reports for lax security, and sent them to all of his reports.
My favorite accounts were “overhead” accounts that lacked ratelimits, was fun to DoS entire rooms of users offline by finding the chat.
> Taking over AOL “int” accounts was actually considered pretty basic at that time.
to the skillful it was considered basic - for sure. there was a lot of collaborative intelligence in the aol "hacking" scene, though. and you could do a lot on an int. even reading internal aol emails often returned a treasure trove of new tools and information
>The best was when Gosh
legend
>was fun to DoS entire rooms of users offline
yeah that could be done to older computers just by scrolling without rate limits as you mentioned. semi-related - i once found a dos in skype that made use of skype4com.dll to change your display name hundreds of times per second. if you had more memory on your computer than your contacts did you could dos hundreds of people at once. i remember it reminding me of some corny aol "hack"
14 comments
[ 3.1 ms ] story [ 30.0 ms ] thread* https://en.wikipedia.org/wiki/S/KEY (RFC 1760)
* https://en.wikipedia.org/wiki/OPIE_Authentication_System
* https://en.wikipedia.org/wiki/OTPW
We've made a lot of progress as new methods and technologies have become available.
https://www.yubico.com/
A 2FA token is simply another "thing you know". A plugged-in USB dongle is actually "something you have". (Although, technically, it's still "something you know" because it has a secret key; it's considerably more difficult to phish this key.)
Most people are not paying $160 for this, period, when 2FA and passkeys are a "good enough" thing.
Other threat models (malware, physical access) are a different story, of course.
The best was when Gosh took screenshots of the leader of security(whose computer he compromised) berating his reports for lax security, and sent them to all of his reports.
My favorite accounts were “overhead” accounts that lacked ratelimits, was fun to DoS entire rooms of users offline by finding the chat.
to the skillful it was considered basic - for sure. there was a lot of collaborative intelligence in the aol "hacking" scene, though. and you could do a lot on an int. even reading internal aol emails often returned a treasure trove of new tools and information
>The best was when Gosh
legend
>was fun to DoS entire rooms of users offline
yeah that could be done to older computers just by scrolling without rate limits as you mentioned. semi-related - i once found a dos in skype that made use of skype4com.dll to change your display name hundreds of times per second. if you had more memory on your computer than your contacts did you could dos hundreds of people at once. i remember it reminding me of some corny aol "hack"