tired legs. bit humid probably because it is now pouring 3 hours later.
#running
Badges from the Festa do Software Livre and the Team Community Global Gathering
We had waffles with apple sauce for lunch at a closed ski hut out in nature. It was very peaceful, nobody around, just birds and critters. After resting a bit we tried out the scout camera. Today's mission was to get a bit familiar with that equipment. All the pictures were taken with that DSLR, a Nikon D5200 with an 18-105mm lens. Quite a heavy rig compared to my small digicam. Looking at the pics on a big screen, we gotta keep practicing. This lens is certainly not made for macro shots. We have another one that's probably suited for that, but I didn't want to bring the whole bag. And more zoom would also be nice for all the birds. But we don't have a larger zoom lens.
[](https://lyse.isobeef.org/fahrradrunde-weiler-ob-helfenstein-2023-09-17/58.jpg)
Finally, we encountered an old train from the Märklintage (Märklin days). This weekend they pulled out old locomotives and wagons and had extra tours between Göppingen (where Märklin, the model train manufacturer, has its headquarters) and Geislingen/Steige. Tons of people all along the tracks everywhere.
[](https://lyse.isobeef.org/fahrradrunde-weiler-ob-helfenstein-2023-09-17/65.jpg)
drank too much, slept too little. kept the pace where i wanted to when i headed out so that is something. found a nice little area with hills so will definitely be returning.
#running
> Also kind of curious how syncing to Google servers made this attack worse? Not that clear from the article 🤔
As I understand it: The attacker was able to compromise the Google account of that employee. That would have been pretty bad in and of itself. Due to this horseshit “sync” feature, though, the attacker was also able to grab all those TOTP seeds that can be used to log in to other sites.
What’s unclear to me is how the attacker got to the *first* factor (probably a normal password). That was probably phished separately? And/Or that employee used the same password everywhere? 🤔
> Of course, never ever use Google Authenticator. All it does is generate TOTP and HOTP codes, which you can do with any OTP app, preferably an open source one that’s been vetted.
I've been using Google Authenticator for years, but it never had this "sync" feature until recently 🤦♂️
When I went to the scout meeting this evening, I first saw a colorful sky, then a shooting star above our camp fire and finally a fairly new Starlink chain of about 15 satellites or I don't know how many. There is only photographic evidence of one of these events.
🤦♂
WHY are these big companies treated as though they are the be all and end all of infosec? These are rookie mistakes they're making, *at scale*.
> Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”, instead there is just a “unlink Google account” option.
Like, never ever put your multi-factor tokens into a single cloud storage location! The whole point of this being "multi" factor is that there is a separate, independent physical factor involved in the authentication process. If the authenticator app on your phone puts the tokens in the cloud, then it reduces the security that comes from having a second factor. This is basic stuff.
Of course, never ever use Google Authenticator. All it does is generate TOTP and HOTP codes, which you can do with any OTP app, preferably an open source one that's been vetted.