HackerTrans
TopNewTrendsCommentsPastAskShowJobs

artjomb

no profile record

comments

artjomb
·2 anni fa·discuss
Exactly! AD FS is part of Tier 0 in the same way as Active Directory itself and needs to be treated and secured as such. Of course, security goes a long way when it's part of a holistic approach like zero trust.

Mitigation is also not really possible when using SSO. One way would be to require the target service to require a second factor in addition to a valid SAML token, but then each user needs to keep current its second factor, whatever it might be, in each target service. This get unmanageable quite quick not to mention that there are basically no SaaS or self-hosted applications out there that support SSO and a second factor at the same time.
artjomb
·3 anni fa·discuss
Yes, Apple is supporting older devices, but has made my SE 2020 nearly unusable (slow as hell, horrible UI bugs when typing) after updating to iOS 17. Everything worked perfectly until then. It seems as though Apple wants me to buy a more expensive phone. A friend had the exact same problem and now upgraded to a newer model.
artjomb
·3 anni fa·discuss
Exactly, as a user you need to be aware of this addition of risk. Anonymous OSS maintainers are the issue here. When I want to use a project and want to reduce the risk here, I need to vet the maintainers in a similar way I would vet a company I want to invest in.
artjomb
·3 anni fa·discuss
There is a solution: even more telemetry!
artjomb
·3 anni fa·discuss
While I mostly agree with them, I don't regard them as fallacies. Those are different stances on the idealism-realism spectrum.
artjomb
·3 anni fa·discuss
I disagree with the article that server-side iterations in this case are useless. They are used for access control.

Bitwarden's API likely doesn't permit anybody to access the encrypted blobs of anybody. You have to authenticate at the server to be able to access your blob. Since the iterations might be low for producing the master key and therefore the master password hash, the server must treat the master password hash as just another password and therefore iterate the hash quite often (100,000x).

Assuming no malicious insider or an outside attacker gets their hands on the encrypted blobs this is the most important attack prevention.