Security and FUD/Misinformation
-
Bitwarden design flaw: Server side iterations | Almost Secure
In the aftermath of the LastPass breach it became increasingly clear that LastPass didn’t protect their users as well as they should have. When people started looking for alternatives, two favorites emerged: 1Password and Bitwarden. But do these do a better job at protecting sensitive data?
For 1Password, this question could be answered fairly easily. The secret key functionality decreases usability, requiring the secret key to be moved to each new device used with the account. But the fact that this random value is required to decrypt the data means that the encrypted data on 1Password servers is almost useless to potential attackers. It cannot be decrypted even for weak master passwords.
As to Bitwarden, the media mostly repeated their claim that the data is protected with 200,001 PBKDF2 iterations: 100,001 iterations on the client side and another 100,000 on the server. This being twice the default protection offered by LastPass, it doesn’t sound too bad. Except: as it turns out, the server-side iterations are designed in such a way that they don’t offer any security benefit. What remains are 100,000 iterations performed on the client side, essentially the same protection level as for LastPass.
-
No-Fly List Exposed - Schneier on Security
I can’t remember the last time I thought about the US no-fly list: the list of people so dangerous they should never be allowed to fly on an airplane, yet so innocent that we can’t arrest them. Back when I thought about it a lot, I realized that the TSA’s practice of giving it to every airline meant that it was not well protected, and it certainly ended up in the hands of every major government that wanted it.
The list is back in the news today, having been left exposed on an insecure airline computer. (The airline is CommuteAir, a company so obscure that I’ve never heard of it before.)
This is, of course, the problem with having to give a copy of your secret list to lots of people.
-
Build security with the assumption it will be used against your friends [Ed: UEFI 'secure' boot is already used against us and we know who built this thing into Linux: the author of this post]
But most importantly: build security features as if they'll be used against you.
-
Linux Malware Rates Rise to Record Levels Amid Hacker Inconsistency [Ed: Jack M. Germain at LinuxInsider relays anti-Linux talking points from a firm looking to sell itself using FUD tactics. Germain used to do vastly better work before he became an LF parrot.]
... based on an analysis by researchers at Atlas VPN...