I want to give a shout out to exposure notifications, the API Apple and Google created at the beginning of the pandemic. Well scoped. In close collaboration with domain experts. Privacy protecting. Measurably helped, maybe not as much as hoped, but still. And now being responsibly shut down, as promised.

We should praise folks when tech is done right. I want to see more of this responsible deployment of tech.

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security

Klimaschutz als "linkes Projekt" markieren.

Programm zur Umstellung auf andere Heizformen als "Heizungsverbot" diffamieren.

Sitzblockaden von Klimaschützern als "physische Gewalt" bezeichnen.

Die fossilen Streitkräfte ziehen wirklich alle Register der Desinformation.

Auf alte Muster ist Verlass:

"Der Bundestag und die damals amtierende sowie die nachfolgenden Bundesregierungen haben das in der [1983 erstellten] Studie zusammengetragene Wissen und die darauf gestützten Empfehlungen missachtet. #Klimaschutz taucht zwar seit 1990 in Form von Absichtserklärungen auf – doch die wurden regelmäßig ausgeblendet, wenn sie den Entwicklungspfad der fossilen Energiewirtschaft hätten beeinträchtigen können."

https://taz.de/CO2-und-fossile-Energien/!5927256/

In this article I show the power of combining YubiKeys, Ansible, and 1Password for securing SSH access and managing secrets. Although this solution was implemented as a homelab project, it is 100% applicable to startups and small companies. By leveraging the unique features of YubiKeys, we can enhance the security of our systems and protect against identity theft. Additionally, by using Ansible for automation and 1Password for secret management, we can simplify and scale our operations while maintaining a high level of security.

https://www.linkedin.com/pulse/securing-your-homelab-ssh-access-secrets-management-yubikeys-alevski

#security #cybersecurity #passwordsecurity #ssh #infosec #hacking #homelab #devops #sysadmin #yubikey