this post was submitted on 09 Aug 2024
98 points (99.0% liked)

Cybersecurity

[–] smooth_tea 5 points 5 months ago (1 children)

Your comment is irrelevant to the issue at hand because it's a local attack and your suggested alternative could therefore be just as vulnerable.

Self-hosting is cool for 0.0001% of the population; for anyone else it's either too difficult or a hassle. It's also an oversimplification to say that I have to "trust" the cloud company and to imply that a self-hosted solution is inherently safe. You run that program on a computer with 100 different apps, each of which is an attack vector, and you're just you, without the backup of a small army of developers hunting down issues and independent parties auditing the whole shebang.

The only thing self-hosting has going for it is that the target is incredibly small, but this is not as big a factor as you suggest because of the maturity of some of these services, which basically just store a blob of data you encrypted locally, and access to their servers or even your data is usually without danger.

[–] [email protected] -1 points 5 months ago (1 children)

Ah, the Internet classic: calling someone's comment irrelevant when you clearly haven't even read it, or at least not understood it. It isn't that long of a comment. Try reading it again.

Oh whatever, here's another attempt at explaining it: there's a huge difference if my passwords are in a place where people generally keep passwords, or if they are where only my passwords are. If someone has never heard of me, but they attack my cloud password solution and get in, they still get my passwords. Someone attacking me personally, if he's truly competent as a hacker, is probably screwed either way. At least he can only attack me; he can't attack "some public thing" and get my stuff "by accident". Think "personal safe in my home" compared to "public bank" (ignoring the fact that a bank is insured and all that for this analogy).

Your second point would be valid if open source didn't exist. First of all, I didn't imply that it was inherently safe; I implied that there isn't a single point of trust, which was my whole point. Even if you can't read/audit it yourself, there are projects that have public audits by reputable security companies. Plus, if there truly were backdoors, assuming a non-tiny user base, someone would've probably noticed.

Then your final point seems to acknowledge the attack surface, but the problem with the "locally encrypted blob" is that this statement from the cloud provider is another thing you just have to believe them on. They might do that, they might not. Many don't even claim that, because people like convenience and want options for password recovery for their password service. Those two are mutually exclusive.

[–] smooth_tea 1 points 5 months ago

I'm sure it's a classic because people tend to latch on to any opportunity to start waffling after reading just the title. Ironically, you start your comment telling me I didn't read yours, and you end it by admitting that I address exactly that which you go on about. So which is it?

What bothers me most is that your solution is not realistic; you're just proselytizing out of idealism, but who is it really aimed at? Who's going to self-host a password manager? Uncle Jim and Aunt Betty? You know what the average person is capable of? Writing down their passwords on a piece of paper, usually 4 separate ones with different versions for every time they've lost it. At best, they allow a key manager on their device to save a password when they enter it, and if the stars align and all their devices use the same OS and they authenticate, then maybe there is even some synchronization involved. That's a lot of ands and maybes, but you suggest ignoring that and instead using a solution where they not only understand all those steps but also set it up for themselves.

The masses are not going to wake up one day with the know-how to do these things; it's not even going to happen gradually. I don't even want to do it, and I was born with a computer and run servers for a living. What is going to happen is that solutions that are easy enough to use will become safe enough to minimize the risks. Anything else is a pipe dream.