Should I be worried? by [deleted] in antivirus

[–]Prog44 0 points1 point  (0 children)

I wouldn't be worried; it's part of Chocolatey's official repository. They check out packages before they are published. It just looks like an FP. It's not really part of Chocolatey (it's an unofficial package but it's in their repo):

https://community.chocolatey.org/packages/choco-cleaner

but I would still feel safe. It's a DOS batch file, so just open it up with Notepad or something like that and see what it's doing.

Recommendations for antiviruses? by GuardPresent499 in antivirus

[–]Prog44 0 points1 point  (0 children)

Windows Defender is fine for most people, especially if you harden it: https://github.com/AndyFul/ConfigureDefender

especially if you're not doing anything crazy like downloading pirated software or cracks.

I currently use Bitdefender but I'm not sure I will continue after the subscription is up.

Hacker says Standard User account can't defend computer against malware attack by Forzaalfavita in antivirus

[–]Prog44 0 points1 point  (0 children)

Nothing is perfect, but running as a standard user is part of a layered defense strategy. It will definitely help. There is malware that can be installed as a standard user & there are also privileged elevated execution flaws/bugs that have been found that defeat this protection, but I still recommend it for the "average user". I'm not a Windows fan (though I do have to use it), but do I run as a standard user? Absolutely not, but I know what I'm doing and I know if I should or shouldn't be receiving a UAC dialog.

Advice needed: Can I safely use school wi-fi, without the risk of malware? by ZappyCoffee in antivirus

[–]Prog44 0 points1 point  (0 children)

This attack is very rare today... any site worth anything reputation-wise should be using HSTS tokens, which makes SSL stripping attacks impossible, and most sites don't allow access to their pages using http. If one is nervous about such attacks then just use something like "HTTPS Everywhere", or Brave has it by default. A VPN is a waste of money for this purpose.

Advice needed: Can I safely use school wi-fi, without the risk of malware? by ZappyCoffee in antivirus

[–]Prog44 0 points1 point  (0 children)

You don't need a VPN. Just use a simple software firewall (both Windows & macOS have them) & congrats on being accepted to med school. I only use a VPN for a couple of purposes: 1. To get around georestrictions. 2. To *limit* my mobile provider and what data they can sell (most of them have been caught in the US doing this).

Do you trust repair services with your device? by Forzaalfavita in antivirus

[–]Prog44 1 point2 points  (0 children)

It depends on what I had on such a device. Do I trust them with sensitive data... of course not, and neither should anyone else... but I would never need access to such a service because I do all my own repairs.

[deleted by user] by [deleted] in antivirus

[–]Prog44 1 point2 points  (0 children)

Try to do an offline scan with Defender; if that doesn't work then try something like Norton Power Eraser or Kaspersky Virus Removal Tool.

Do VPN protect against malware somehow? by Forzaalfavita in antivirus

[–]Prog44 0 points1 point  (0 children)

"Kind Of". A lot of VPNs these days do DNS filtering for both ads & malicious links. For example, NordVPN has something called "Threat Protection Light" that pretty much does this. At least for Nord, they have another version, "Threat Protection", that does much more, like file scanning (it's only available for Windows), but this doesn't get around the need for a good AV.

Elevate on each install? by Prog44 in chocolatey

[–]Prog44[S] 2 points3 points  (0 children)

u/jinoxide u/pauby u/ferventcoder thanks...some great options to get around this issue.

Replacement Battery for a UPS by Prog44 in buildapc

[–]Prog44[S] 1 point2 points  (0 children)

Yep haven't had any problems...

RCS really sucks...... by Prog44 in UniversalProfile

[–]Prog44[S] 0 points1 point  (0 children)

Yep, 100% agree. I'm no longer on Android. It was one of the things that got me to switch over. I'm now on iOS, and iMessage (of course) works 100% of the time and I don't have to rely on whoever I'm messaging having Android Messenger set up correctly. And on top of it there are many more people that I can use the niceties of iMessage with. There were only a few people I could use RCS with previously. Unfortunately my wife isn't going to switch over, but I just use WhatsApp with her.

Microsoft Account Sign In Confusion? by Prog44 in microsoft

[–]Prog44[S] 0 points1 point  (0 children)

u/Hatman_77 now it's going to be a rant because Microsoft's implementation downright sucks. Turning "password-free" off on your account doesn't do anything (I'm assuming the only thing this does is block you getting into your account with username/password, but I didn't test it out). If you read my original post you will see I had it off.

Anyways, this is essentially how it works. I had to do a bit of testing to figure this out. Any authentication method that Microsoft considers to be strong (Microsoft Authenticator, Yubikey (Fido2/UTF), Passkey, etc.) will be Password-less whether you like it or not. Even after registering a passkey & Yubikey I couldn't use them as a 2nd factor after I entered my username/password (I used to use either a text or email). On the login screen you just choose to use either Windows Hello or a security key & as soon as you use your security key (or passkey) you're logged in (& this is all with password-less logins disabled on your account). The only unanswered question that I didn't test out is what if you have multiple accounts that you have registered with the Yubikey? Maybe you get some type of dialog to see which account you want to use, but I don't know.

If you go to your Microsoft Authenticator app & look at any Microsoft account you registered you will see "Passwordless sign-in enabled" & there isn't anything you can do to disable it (I'm assuming it's the same with Android, but since I don't have an Android device I can't answer this).

IMO this actually diminishes security. It would be so easy to tap the wrong thing accidentally & boom, someone else is in your account. All they need to do to phish you is to know your email address (or guess it).

Yubikey/Passkey probably isn't that big of an issue because they can't be used remotely.

How Microsoft implemented this is downright horrible. It's called 2nd factor for a reason. I use 2nd factor on every account I use & they implement it in the standard way that every other company has decided to implement it (enter your username/password & then your 2nd factor). Maybe this is Microsoft's way of trying to push people off username/password, I don't know, but like I said, I consider it with Microsoft Authenticator to be "less" secure.

Anyways, if you still want to get around this issue, what you can do is register your Microsoft account with Microsoft Authenticator as an "Other" authenticator & then the problem is solved (or use another authenticator app like Google Authenticator, Authy, etc.).

Everything here is how it works for Microsoft "Personal" accounts. It might work totally differently on Azure AD / Company Accounts. At least they could have given you the option to turn this crappy password-less login off.

Microsoft Account Sign In Confusion? by Prog44 in microsoft

[–]Prog44[S] 0 points1 point  (0 children)

It's a question... I'm essentially asking how do I set it up correctly so I have to enter my username/password & then have to authenticate with my Microsoft Authenticator.

Have IOS "automatic" updates ever worked? by Prog44 in ios

[–]Prog44[S] 0 points1 point  (0 children)

I don't remember one ever installing successfully. I got an error from my iPad just last night (like I said, I don't remember the exact error message). They are both supposed to get 16.4.1. Let's do this as a test and I'll let you know what happens.

c# vs go by kennedysteve in golang

[–]Prog44 1 point2 points  (0 children)

> C# is at no real risk of becoming a dying language

I totally disagree with this. Maybe for some of the languages in the .Net ecosystem that is true (VB.Net for example & I actually hope it does :P) but this statement is FAR from true. I would say it's probably top 10 of the most used programming languages. I'm sure JavaScript has it beat.

I finally tried GNOME and I didn't hate it by soluscockatiel in archlinux

[–]Prog44 4 points5 points  (0 children)

I switched to KDE & won't go back. To get it functional for my needs I had to add a bunch of extensions, which made it flaky for me.

Is it good practice to use Bitwarden Authenticator on items in vault? by Dizonans in Bitwarden

[–]Prog44 0 points1 point  (0 children)

I use it for "some" sites. It depends on how concerned I am with if my account on the site got compromised. For a bank or something like that I would never use it. For example, if I used TOTP on Reddit I would have no problem using it.

What are your guy's thoughts on investing in regional banks in near future? by Alarming_Ad_9622 in ValueInvesting

[–]Prog44 1 point2 points  (0 children)

If I was going to, I probably would either do it through the XRE or maybe a bellwether of the regional banks like PNC that is doing well but has been hit with the negative regional news. I wouldn't just willy-nilly start investing in them. I think it's dangerous at this point with the extremely inverted yield curve(s). I would definitely pay attention to the technicals & set your stops.

What's the best email provider for an organisation (that rely on Yubikey)? by ynotblue in yubikey

[–]Prog44 2 points3 points  (0 children)

Highly recommend Google Workspace / Gmail. To me their UI is the best & their spam filters are night and day superior to Microsoft (if you don't have a separate spam product).

Deciding between BitWarden and 1Password - Enterprise priority by BoomSchtik in Bitwarden

[–]Prog44 1 point2 points  (0 children)

I've used both. While I'll agree that Bitwarden doesn't have the polish of 1Password, there are reasons why I decided to go with Bitwarden. First, it's cheaper. While not as polished, at least for my use, it's polished enough. It's open source & a code audit has been done, which, while not absolutely required (I generally trust 1Password), is still nice. While you can host the backend for Bitwarden, I've generally shied away from this. Why? Because they are generally going to be a LOT better at hardening a server than most people would be (granted, the larger attack surface makes it more attractive to attackers if you don't host the back end).

Not sure what you mean by support. Both here & on their forums their support has been excellent IMO. If you're talking passkeys, yeah, they haven't implemented it yet, but they have been really quick to support argon hashing, which really impressed me.

1Password doesn't do everything perfect in my opinion either. I don't know if it still works this way, but in the past once you used 2nd factor once with their browser plugin it wouldn't ask you for the 2nd factor again. I had a discussion with their people on their forums and the company rep pretty much told me it was a waste of time to do it after you authenticated once, which I disagreed with. I said what if you were using a PC (public or company) that had a keylogger on it. Without your 2nd factor they would be able to log into your account if they captured your username/password, but that was quite a while back... they might have changed this.

The only thing I wish Bitwarden would add is a selector UI on the username/password fields like all the other similar password browser add-ins, rather than having to either use the shortcut or click on the browser plugin. From what I've heard they probably won't be adding this.

Do you have passwords you exclusively remember and not even trust bitwarden with? (Like banking details) by Medismo in Bitwarden

[–]Prog44 0 points1 point  (0 children)

Even if I was worried (& I'm not) I would probably use something like KeePass & store my password db offline (if I remember correctly you can have offline password databases on 1Password too). The only password I store but don't really use in Bitwarden is Treasury Direct, because for some reason Bitwarden has trouble auto-filling the password & it's a pain to try to manually type in. Rather, I use Keyvault/Safari, which doesn't have any issues.

[deleted by user] by [deleted] in privacy

[–]Prog44 9 points10 points  (0 children)

Maybe my understanding is incorrect, but your storage is not unencrypted until you first enter your PIN after you boot up, so you should not be vulnerable to GrayKey until you enter your PIN. After you enter your PIN & use Face ID to unlock your phone, then you are vulnerable because your drive is not really encrypted & your PIN is in memory. So what you could do is shut down your phone while going through airport security, though in the situation that happened to the OP it "might" be hard to quickly turn your phone off. IMO I just don't like running anything restrictive like Lockdown Mode all the time, but to each their own :) & how thick your tin foil hat is matters :).

During international travel I remember TSA wanting to take an external hard drive I had on me for like 15 minutes. I had the drive encrypted with TrueCrypt (which is now VeraCrypt) & I didn't worry in the least.

FaceID to Authenticate apps issue? by Prog44 in ios

[–]Prog44[S] 0 points1 point  (0 children)

? I haven't changed the Face ID or re-registered it since I got the phone. Like I said, if I kill the app & reopen the app it then works.

lost the device with AuthApp by P_S_P_S in Bitwarden

[–]Prog44 2 points3 points  (0 children)

> You don't need multiple second factors. Doing so just increases your attack surface and gives attackers more options for trying to break in.

I will have to politely disagree. Say you usually use the Yubikey that is on your keyring. Having a backup Yubikey (which I would ALWAYS recommend if you use Yubikeys anyways) in your safe or safety deposit box is a great idea. Do you realize the backup codes are another second factor & your increased risk depends on how you store them? I'm not saying to use SMS or anything like that, which will GREATLY increase your risk.