
On Sun, 27 Oct 2024 02:12:26 -0400 (EDT) "D. Hugh Redelmeier via talk" <talk@gtalug.org> wrote:
> Many sites are trying to tighten up security, for good reason.
this is something that has been happening forever :) the largest challenges have always been poor user habits and the many user-related failures. Poor site protocols and systems have been the second largest thing, and the other reasons all follow these two.
> I access GitHub and GitLab using SSH. I think that that is unaffected because the SSH public key cryptosystem is secure in a way that password systems are not.
imnsho, not so much. There are quite a few differentials, but the common ones are that the key sizes are usually much larger. anyway, depending on the attack vector(s), ssh brute force is a sub-optimal approach (even if you have access to x MM bot control); social/malware/etc is the easier way to get keys (but brute force is not 'as' ruled out on keys as many think it is).
> But I also want to github them via the HTTPS interface.
> GitHub is forcing me to go to TOTP for 2FA next month to access their web interface. (ssh ought to continue working since its authentication is solid). Sadly, I know little about TOTP. Sites try to make it so easy that it is hard to understand what they want.
it is important for Linux users to understand the reasons properly, as the decisions tech peeps are making today will/may/could come back and bite the planet in very bad ways. imnsho, the main reasons are that on most 'secure' sites the 'users' of the 'sites' have issues because of user-type issues. very common issues are:
- users re-use the same password over multiple platforms (sites can change this user habit by setting passwords themselves)
- users use the same password forever (sites can change this by self-expiring passwords)
- user accounts become compromised and nobody knows (sites can track user habits and flag exceptions)
> There is a strong push to put The Thing (authenticator? Client?) on your mobile phone. I don't really want to because
so.. for a while now (a decade or so) mobile phones have been the goto for 2f. then, also a while ago, external, additional and other devices (dongles, key generators, usb devices and more) have also seen lots of growth. as we all know: at the end of all this, there could probably be one, two or maybe three different main tech solutions. but imnsho, this will be bad for society, and for many reasons of which, if anyone thinks about that for a second, there are quite a few obvious ones... anyway, so text messages, google auth, yubikey and hundreds of other otp-type systems are supposed to work 'with' passwords.... what is starting to happen is that users are slowly 'losing' all control (like a lobster in a pot) as various sites are starting to think that to be 'secure' -> control needs to be removed from 'users'.
> (1) I take my phone outside my house, and (2) my phone software isn't open source.
indeed. for many though, the 'phone' also has the password(s), the 2f and, well, everything... so, effectively ending up with the same thing as just a single password, and somewhat pointless.
> I want The Thing to run on my Linux desktop.
> ==> What do you guys do?
I tossed smartphones a few years ago, so my use case is challenging, as i will not be using a 'smart phone' again, ever. imo, it is important to understand three things: WHY, HOW and WHAT. the why i already mentioned above: users are lazy, pathetic, stupid, ignorant and they do not care. many platforms have more focus on user ease and being 'liked' than on providing real security. the how is also easy: all 2f and otp systems work exactly the same way, in terms of a third party either generating or transporting a 'secret' between the platform and the user. for the short term, personally, i rely on platforms and sites still supporting text messages; these are becoming fewer though and are being phased out. it looks as if sites and users WILL be using/trusting an exchange where both the user and the 'site' are connected to the exchange and a one-time secret (a number, or even a key, or even a password) is displayed to the user while being automagically fed into the platform using encryption. so the what, right now, is still an ongoing war, which is a good thing, as one or two dominating 3rd parties controlling all 2f on the planet would be a very bad thing...
> GNOME's "Software" program finds 3 programs:
>
> OTPClient - most used - download size: 348.1 MB! Probably because it is a flatpak. When I run it, it says "memlock value to low" <https://github.com/paolostivanin/OTPClient/wiki/Secure-Memory-Limitations>. That suggests that you need to have a memlock limit greater than 67108864 KB (larger than 67 GB). That's the amount of memory that programs can lock into RAM. Nonsense: how many machines even have 67 GB of physical RAM, let alone RAM you want to dedicate to an accessory. The diagnostic seems to be a known error with the flatpak version <https://github.com/paolostivanin/OTPClient/issues/372>. In fact, that points out multiple problems with the flatpak version, which is what I was delivered. ABANDON, with a comment. <https://github.com/paolostivanin/OTPClient/issues/384>
>
> Authenticator - download size: only 32.8 MB
>
> Numberstation - download size: only 28.4 KB. Python, I think.
>
> EPIPHANY: I want a CLI-based Thing since I'd like to access it via SSH.
> So looking in the GNOME repos was a mistake.
> To be continued...
indeed :)
--- Post to this mailing list talk@gtalug.org Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk