Re: WTF Bites (My longest running banking :wtf: to date)
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
Am I the only person that is this skeptical and pessimistic about such services?
I don't use them, but then again I probably do passwords "wrong" anyways.
-
@Gąska said in Re: WTF Bites (My longest running banking to date):
@djls45 said in Re: WTF Bites (My longest running banking to date):
My credit union is at least as good, and does operate worldwide.
Which one is it?
Navy Federal, but the membership requirements are pretty restrictive. So, probably not that helpful for you... :/
I'm currently in PNC and it doesn't even let me autopay the credit card balance as soon as the statement arrives. And the statement arrives on a different day each month. Currently I have it set up on a fixed date and I just hope it never arrives after the 10th.
Is it every 30 days? If so, then the months with 28/29/31 days will slowly shift the statement's calendar release date.
-
@djls45 it's every month but one month it's 5th and the next it's 8th then 6th then 4th then 7th. You never know for sure.
-
@Gąska it's probably the first specific day of the week after some day of the month. For example, the first Wednesday after the 5th or something.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
@izzion you would get no argument from me that they are the lesser of evils when talking about users at large. If you asked me to bet on Jane from payroll inputting her password into a phishing site or a large group that we hope knows what they are doing keeping all of that safe, I would bet on the large group every time.
I use LastPass just because it's easier. It does 2FA and the authenticator is on a cell phone that doesn't have data. It automatically blocks mobile devices that have not been approved.
This is especially so considering that we have had users that avoided getting phished because their password manager did not prompt them to fill the password.
All my browsers force a login to LastPass on startup.
And I've made the compromise of keeping my lastpass password in a draft in my email which stays logged in on startup (but does have 2FA for any new device/browser) but it is well camouflaged and you would have to know things about me. It is 28 characters long.
If someone has gotten that far...anything more is far too inconvenient.
I already hate rebooting because that means getting the password to enter into each browser and confirm on the phone.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
@Gąska it's probably the first specific day of the week after some day of the month. For example, the first Wednesday after the 5th or something.
Then it would increase monotonically over the year then jump back 6 days. But it doesn't. It's the same 4-5 day window but the specific day each time is basically random.
-
@Gąska said in Re: WTF Bites (My longest running banking to date):
@djls45 it's every month but one month it's 5th and the next it's 8th then 6th then 4th then 7th. You never know for sure.
Are those the actual dates for the past few months? I bet we could figure it out.
Oct 5 -> Tuesday
Nov 8 -> Monday, 34 days later
Dec 6 -> Monday, 28 days later
Jan 4 -> Tuesday, 29 days later
Feb 7 -> Monday, 34 days later
-
@Polygeekery I still haven't got such a service. I've been planning on writing my own one though. Because making my own would remove the risk of being caught in a big leak. And cracking a service for a single user seems like a lot of work for not that much gain.
-
@Arantor said in Re: WTF Bites (My longest running banking to date):
@dkf said in Re: WTF Bites (My longest running banking to date):
They're called “marks” or “suckers” in the trade.
And elsewhere they're called NFT purchasers.
Ella Fitzgerald & Louis Armstrong ★ Let's Call The Whole Thing Off (embedded video)
-
@HardwareGeek said in Re: WTF Bites (My longest running banking to date):
How does it work differently from LastPass, etc.?
It's the difference between an online service and a local file.
-
@dcon said in Re: WTF Bites (My longest running banking to date):
@HardwareGeek said in Re: WTF Bites (My longest running banking to date):
How does it work differently from LastPass, etc.?
It's the difference between an online service and a local file.
Yeah, I'm pretty screwed if lastpass goes down and I need a reboot. Though I can get to my email so I can "forget password" on all the sites.
I think to be safer, I should make my email log back in on restart. That password isn't as complicated as my lastpass password but it is a decent password.
<tech noises> I will write something to regularly download the lastpass data into keepAss or something.
Does anyone already have something that does so?
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
(am I the only one that sees "Keep Ass"?)
You weren't.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
am I the only one that sees "Keep Ass"?
always only ever read it like that
-
Keepass uses AES-256 as its default encryption package (there are ways to do others if you want). I trust that they have set it up correctly, because it is piss simple to set it up correctly and there are a lot of eyes on the project.
As long as you have a strong password, Keepass isn't getting brute forced in any meaningful time.
-
@Dragoon said in Re: WTF Bites (My longest running banking to date):
Keepass uses AES-256 as its default encryption package (there are ways to do others if you want). I trust that they have set it up correctly, because it is piss simple to set it up correctly and there are a lot of eyes on the project.
As long as you have a strong password, Keepass isn't getting brute forced in any meaningful time.
Yeah, for my own personal home use I use the keeper of backsides. For business use, I need a way to share vaults without sharing credentials, and as such that makes the online services look a lot better, relatively.
-
@Steve_The_Cynic said in Re: WTF Bites (My longest running banking to date):
And it doesn't have to be a generated ID blah blah blah. It could be your fingerprint or your iris scan or whatever. (Biometrics are all "something you have" => I have my finger, I have my iris, I have my retina, etc.)
Yep, absolutely. Didn't feel like typing out all the possible "something you haves" so just mentioned the most common one.
-
@CodeJunkie said in Re: WTF Bites (My longest running banking to date):
@boomzilla said in Re: WTF Bites (My longest running banking to date):
@CodeJunkie it gets reset every time the browser updates. Which these days is at least a couple times per month.
Oh, well, that's just great. Makes sense though.
EDIT: I'm completely sick and tired of web browsers.
Is this why I seem to be forever clicking that stupid "accept cookies" button?
-
@Shoreline said in Re: WTF Bites (My longest running banking to date):
Is this why I seem to be forever clicking that stupid "accept cookies" button?
When I login to the Comcast Business site there is an option to "Remember Me".
As best as I have ever been able to figure out that tickbox does absolutely nothing. It doesn't trigger session persistence, it does not cache my username. I cannot tell any difference between ticking the box or not.
Of course I usually tick the box anyway, because I too am at least partially autonomous when it comes to website logins.
-
@izzion HashiCorp Vault with access by LDAP group, yo.
-
So basically when we have standards, they suck, and when we don't have standards that sucks too. This must be how people become libertarians.
Anyone here Internet Libertarian? Like, you want deregulation?
Or what about Internet Conservative? Where you want the good old days of the internet back?
I'm almost an Internet Centrist. When it comes to doing software development I'm too afraid of breaking shit to make major changes suddenly, but I do want the changes done. But I'm not quite a centrist because I don't have the self-esteem to think myself better than other people for thinking this way.
-
@Shoreline said in Re: WTF Bites (My longest running banking to date):
But I'm not quite a centrist because I don't have the self-esteem to think myself better than other people for thinking this way.
That's not why I think I'm better than other people. I just am.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
session persistence
Oh, another good website, but not banking this time.
Our remote support application has a default session persistence of 3600 seconds. You get logged out after one hour. Not after being idle for an hour. You get fucking logged out after an hour.
It has other dumbshit idiosyncrasies. Like how anytime your IP address changes your session is invalidated and you have to login again. Which kinda sorta seems like a good idea until you think about it. Like when I close my laptop and go to a client location for a meeting or something, session closed, login again. Fair enough.
But, do you have any idea how many times a day we connect to any of several VPNs? Like, a lot. So you are constantly logging back in. Unfortunately we cannot do split tunneling on most of the VPNs we connect to, because raisins.
So one day I go digging through the advanced configuration options as I had gotten really really tired of logging in a dozen or more times every day. Then I found the default value of 3600 seconds. Hmmmmmm, let's bump that up a skosh. What's the worst that could happen?
Now I do not remember which option I tried first, but I tried both setting it to zero seconds and increasing the value. I do remember thinking that one day should be safe, right? Right?
Wrong. 86400 seconds caused what I presume to be an overflow which caused us to immediately go back to the login screen after successfully logging in. Fun fact, you have to login in order to change that option. So, call support, have them reset everything to default and we are back in.
I think that happened first, but I am not 100% on that. But I do know that after a few weeks I got annoyed again and tried setting it to zero to disable token expiration. Want to guess what happened? Yep, same effect as before. Immediate logout after 0 seconds. Another call to support to reset to defaults.
This value in the advanced config is not documented, at all. Well, that is not entirely true. Their documentation tells you what the default value is and that is it. No range of acceptable values. The support guy didn't know either. To top it off, there are other values that you can set in there that accept and are documented to accept values from 0 to disable to 86400 for a full day. But there is fuckall for this except for telling you the default value.
I just quit fucking with it and have made peace with constantly having to login.
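How a session-timeout setting ought to behave, as an added example and not the remote support product's code: the acceptable range is documented and enforced when the value is saved (so a bad value can never be stored and lock you out), 0 means "disabled" rather than "expire immediately", and an idle timeout exists alongside the absolute one. The 0..86400 range, the policy and session names, and the unix-time stamps are assumptions for the example.

```python
from dataclasses import dataclass

# Assumed documented range for the setting; the thread's product documents
# only its default of 3600 s. 0 means "disabled", like the product's other
# settings that are documented as 0 (disable) to 86400 (one day).
TIMEOUT_MIN_SECONDS = 0
TIMEOUT_MAX_SECONDS = 86400


def validate_timeout(seconds: int) -> int:
    """Reject an out-of-range value at configuration time, before it is saved."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        raise ValueError("timeout must be an integer number of seconds")
    if not TIMEOUT_MIN_SECONDS <= seconds <= TIMEOUT_MAX_SECONDS:
        raise ValueError(
            f"timeout {seconds} s is outside "
            f"{TIMEOUT_MIN_SECONDS}..{TIMEOUT_MAX_SECONDS}")
    return seconds


@dataclass
class SessionPolicy:
    absolute_seconds: int = 3600  # lifetime from login; 0 = no absolute limit
    idle_seconds: int = 0         # max gap between requests; 0 = no idle limit

    def __post_init__(self) -> None:
        validate_timeout(self.absolute_seconds)
        validate_timeout(self.idle_seconds)


@dataclass
class Session:
    issued_at: int   # unix time of login (constructed sample values in tests)
    last_seen: int   # unix time of the most recent request

    def touch(self, now: int) -> None:
        self.last_seen = now


def naive_is_expired(session: Session, absolute_seconds: int, now: int) -> bool:
    """The literal-zero bug: with 0 configured, the session is already expired
    at the instant it is issued, which is the 'immediate logout' the thread saw."""
    return now >= session.issued_at + absolute_seconds


def is_expired(session: Session, policy: SessionPolicy, now: int) -> bool:
    """0 disables a limit; an active user is kept alive by the idle timeout
    but still cut off by the absolute one, if both are configured."""
    if policy.absolute_seconds and now >= session.issued_at + policy.absolute_seconds:
        return True
    if policy.idle_seconds and now >= session.last_seen + policy.idle_seconds:
        return True
    return False
```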
-
Did you try 86399 seconds?
-
@Dragoon I'm a bit gunshy now.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
KeePass (am I the only one that sees "Keep Ass"?)
So you're saying it's got your back?
-
@Dragoon said in Re: WTF Bites (My longest running banking to date):
Did you try 86399 seconds?
65535 seconds?
-
@Watson said in Re: WTF Bites (My longest running banking to date):
65535 seconds?
That points out another idiotic thing about the whole system. Why does anyone need that sort of precision level? Granularity of a minute would be way more than enough. Honestly, a dropdown menu of:
- 15 minutes
- 30 minutes
- 1 hour
- 2 hours
- 4 hours
- 8 hours
- 12 hours
- 24 hours
- 1 week
- 1 month
Would be more than sufficient. But I would start it at one day if it were me.
-
I demand millisecond accuracy. You can be logged in for 3593756 milliseconds and not a millisecond more!
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
@Shoreline said in Re: WTF Bites (My longest running banking to date):
Is this why I seem to be forever clicking that stupid "accept cookies" button?
When I login to the Comcast Business site there is an option to "Remember Me".
As best as I have ever been able to figure out that tickbox does absolutely nothing. It doesn't trigger session persistence, it does not cache my username. I cannot tell any difference between ticking the box or not.
Of course I usually tick the box anyway, because I too am at least partially autonomous when it comes to website logins.
There's probably a browser-level setting to let session cookies persist across instances.
Chrome's looks like this:
three-dot menu>Settings>Security and Privacy>Cookies and other site data>Clear cookies and site data when you close all windows
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
@Watson said in Re: WTF Bites (My longest running banking to date):
65535 seconds?
That points out another idiotic thing about the whole system. Why does anyone need that sort of precision level? Granularity of a minute would be way more than enough. Honestly, a dropdown menu of:
- 15 minutes
- 30 minutes
- 1 hour
- 2 hours
- 4 hours
- 8 hours
- 12 hours
- 24 hours
- 1 week
- 1 month
Would be more than sufficient. But I would start it at one day if it were me.
Our VPN kicks off at 9ish hours. It is definitely more than 8 and less than 12.
-
@Karla said in Re: WTF Bites (My longest running banking to date):
Our VPN kicks off at 9ish hours. It is definitely more than 8 and less than 12.
My last job was around 23hrs. No idea what it is here. Because any sudo-type action when on VPN takes about 2 minutes, so fuck VPN. (Only need to be connected to change my password and at least once a month so the OS doesn't get bricked.)
-
@Karla said in Re: WTF Bites (My longest running banking to date):
Our VPN kicks off at 9ish hours. It is definitely more than 8 and less than 12.
Ours kicks us off twice a day, one of which is some time in the 7am-9am timeslot and the other 12 hours later. (Yes, that's only in the home service timezone, but that's not too big a problem usually.) The effect is that I can get a whole day's work in, yet can't really get started too early or carry on too late.
Fortunately I hardly ever need the VPN these days except when connecting to the production systems (because it guards ssh and I need access to our private IP address range when doing that).
-
My current gig has a VPN that cannot reestablish connections. If you put the computer to sleep, the connection is b0rked, and you have to log back in. But because the client ends up in a b0rked state, just logging in doesn't work oh no. The first try fails, and then the second try works. You can immediately tell when a login will fail because it will show progress bars and a text label says which step of the login process it's on right now.
When the login works it instead will just freeze the login window until it succeeds. And the place actually PAYS for this piece of shit software. If you can't even write a proper login modal, I have my doubts about the rest of the stack.
-
@dkf I usually have to log in on Monday if I don't work the weekend. And it's so annoying.
-
We use Cisco AnyConnect Secure Mobility Client. I don't really have any idea how good or bad it is compared to other VPN clients.
We need it to connect to almost everything on the company's servers. The only things that don't need a VPN are the company's public website, a few internal SharePoint pages/lists, and the client-facing instances of our SaaS product.
Our VPN client is apparently set to stay logged in somewhere between 104 and 168 hours. It will automatically reconnect the VPN if the network connection drops and reconnects quickly enough, but it won't if the computer is put to sleep or hibernated or shut down.
-
VPN related WTF:
Our mobile apps have special builds for connecting to the pre-production sandbox testing environments (which, like production, live in AWS but have different domain names per feature branch).
While connected to our VPN (which we only need to do to SSH into the production and staging servers, since those have a whitelist of allowed IP addresses), the mobile clients error out in fetching the list of active sandboxes (which is done by doing a DNS provider API call for the sandbox domain and parsing the response). So to do sandbox testing, we have to not connect to the VPN.
Which is normally OK, since I spend ~0% of my day connected anyway. And connect only as needed.
For the record, we use Tunnelblick (mac only) for our VPN client. And it works normally, as far as I can tell.
-
@dkf said in Re: WTF Bites (My longest running banking to date):
@Karla said in Re: WTF Bites (My longest running banking to date):
Our VPN kicks off at 9ish hours. It is definitely more than 8 and less than 12.
Ours kicks us off twice a day, one of which is some time in the 7am-9am timeslot and the other 12 hours later. (Yes, that's only in the home service timezone, but that's not too big a problem usually.) The effect is that I can get a whole day's work in, yet can't really get started too early or carry on too late.
Fortunately I hardly ever need the VPN these days except when connecting to the production systems (because it guards ssh and I need access to our private IP address range when doing that).
It normally doesn't get in the way because my day is 8 hours (government) only when I work late.
-
@dcon said in Re: WTF Bites (My longest running banking to date):
@Karla said in Re: WTF Bites (My longest running banking to date):
Our VPN kicks off at 9ish hours. It is definitely more than 8 and less than 12.
My last job was around 23hrs. No idea what it is here. Because any sudo-type action when on VPN takes about 2 minutes, so fuck VPN. (Only need to be connected to change my password and at least once a month so the OS doesn't get bricked.)
Ours allows you to stay connected for a week.
-
@djls45 said in Re: WTF Bites (My longest running banking to date):
Navy Federal, but the membership requirements are pretty restrictive. So, probably not that helpful for you... :/
I have an account with them. I told them my grandfather was in the army, which is true, but when I was about to give them his info for verification they told me it wasn't necessary. My word alone was sufficient.
-
@error said in Re: WTF Bites (My longest running banking to date):
@djls45 said in Re: WTF Bites (My longest running banking to date):
Navy Federal, but the membership requirements are pretty restrictive. So, probably not that helpful for you... :/
I have an account with them. I told them my grandfather was in the army, which is true, but when I was about to give them his info for verification they told me it wasn't necessary. My word alone was sufficient.
I wonder if the number of members who have joined or are eligible to join under their rule that family of members can join has grown to the point that their original requirements are effectively obsolete.
What would make this even more "interesting" is if your grandfather was in a non-USA army.
-
@djls45 said in Re: WTF Bites (My longest running banking to date):
What would make this even more "interesting" is if your grandfather was in a non-USA army.
Is this the point where I make the generic "died on the watch tower" joke?
-
@boomzilla said in Re: WTF Bites (My longest running banking to date):
@dcon said in Re: WTF Bites (My longest running banking to date):
@Karla said in Re: WTF Bites (My longest running banking to date):
Our VPN kicks off at 9ish hours. It is definitely more than 8 and less than 12.
My last job was around 23hrs. No idea what it is here. Because any sudo-type action when on VPN takes about 2 minutes, so fuck VPN. (Only need to be connected to change my password and at least once a month so the OS doesn't get bricked.)
Ours allows you to stay connected for a week.
Lots of our clients have systems that employees use for remote work. When employees can work from anywhere, and employers are less strict about working hours, people tend to work at odd hours when they have time. With enough employees in a business, that means those systems are in near constant use. Then you also have the phenomenon of people just staying connected even when they are not working.
That makes a problem for us. How to do maintenance to those systems that requires downtime. It used to just be that you could do whatever you wanted to do if you did it remotely and outside of business hours but that is almost never the case these days.
So we used to schedule stuff like that. "We will need to take the VPN server offline for approximately 15-30 minutes on blah blah blah." That sort of thing. Which is a real pain in the ass for something like a quick reboot.
Now I'm not saying that we would ever do such a thing but it is possible that other MSPs with less strict procedures might just go ahead and do the maintenance without having to schedule it days in advance.
-
@Polygeekery yeah, my company is big enough that I'm certain there are multiple systems operating behind some kind of load balancing scheme so that they can work through maintenance stuff like that without having to have any actual downtime. OTOH, yeah, I get notices about stuff like network maintenance at the site where I'm nominally working from.
-
@boomzilla said in Re: WTF Bites (My longest running banking to date):
my company is big enough that I'm certain there are multiple systems operating behind some kind of load balancing scheme so that they can work through maintenance stuff like that without having to have any actual downtime.
You have to get pretty large before such systems start to become cost effective. Hell, it has only been fairly recent that dual WAN load balancing and failover routers have become economically feasible for all SMBs. It was not that long ago that they were megabucks. Even then you still occasionally need to reboot the router. That's on the egress side. Ingress is a lot easier and cheaper to plan for redundancy.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
@boomzilla said in Re: WTF Bites (My longest running banking to date):
my company is big enough that I'm certain there are multiple systems operating behind some kind of load balancing scheme so that they can work through maintenance stuff like that without having to have any actual downtime.
You have to get pretty large before such systems start to become cost effective. Hell, it has only been fairly recent that dual WAN load balancing and failover routers have become economically feasible for all SMBs. It was not that long ago that they were megabucks. Even then you still occasionally need to reboot the router. That's on the egress side. Ingress is a lot easier and cheaper to plan for redundancy.
If nothing else we have VPN servers on both coasts and at least two other continents.
-
@error said in Re: WTF Bites (My longest running banking to date):
I have an account with them. I told them my grandfather was in the army, which is true, but when I was about to give them his info for verification they told me it wasn't necessary. My word alone was sufficient.
-
@boomzilla said in Re: WTF Bites (My longest running banking to date):
If nothing else we have VPN servers on both coasts and at least two other continents.
We recently (last fri I think) had notice that our VPN server (west coast) was going down for maintenance. And if you needed access during that time, then use the other (east coast) server.
-
@boomzilla said in Re: WTF Bites (My longest running banking to date):
there are multiple systems operating behind some kind of load balancing scheme
That's great… until the load balancer itself needs maintenance.
-
@dkf Active-passive failover on the same IP?