Encrypt all the things!

  • I'm not an admin for it but it does allow shared vaults, you can choose who has access to which vaults. I use my personal vault for my own work passwords.

    No idea about audit logs or the API.

    I rate it and it certainly beats the word doc we had in SharePoint

  • the word doc we had in SharePoint

    I feel that. The previous geniuses at my workplace migrated from one password manager to another but left the export of all the passwords in plaintext in SharePoint.

    hackerman.jpg

  • Wondering if anyone can help with something weird I've come across. Very long story a little bit shorter:

    We currently have scheduled tasks in conjunction with PowerShell scripts utilizing Posh-SSH to ship files to and from vendors. It's becoming quite difficult to manage and monitor, so we're looking at alternatives. Something we're looking at, as it ticks all of our boxes, is: https://www.goanywhere.com/

    Most of our large vendors, such as JPMorgan Chase, use SSH keys, for obvious reasons.

    This software, GoAnywhere, supposedly only accepts .pvk keys for connecting to SFTP sites. Now, I can find so little real documentation about .pvk that I'm almost immediately inclined to stop looking at GoAnywhere at all.

    What I do know is that .pvk keys and SSH keys are used for two completely different things. SSH for secure shell access, obviously, and .pvk are used for code signing in Windows.

    Am I being unreasonable in kicking this platform to the curb because of this? We've had a demo open with them for almost two weeks now and they have so far been unable to provide us any real documentation on why they use .pvk, how to get keys into .pvk properly without jumping through multiple conversion hoops, and so on. Their initial suggestion was to rename examplekey.ssh to examplefile.pvk. Facepalm. When we asked if they have a resource who can assist they said: "This is normally not something we do on the Sales side because most IT shops have this process ironed out." Which I thought was such a strange response, because nobody is out here using .pvk keys for SSH connections.

    Does anyone have any suggestions for file moving software that works with standard SSH keys? Be it .ssh, .ppk or whatever else.

  • PVK is just a proprietary file format for storing RSA private keys. There's nothing inherently wrong with that being the basis of encryption - it depends on how they use it. If GoAnywhere is using them to create SFTP connections then it's using the SSH protocol and that's the important thing.

    That settled, do you have a reason to think GoAnywhere is storing those keys in an insecure manner? That would be an issue.

  • Cool, thanks Bruce. That's reassuring. Will look further into converting our ssh keys.

  • Well, do you have a reason to think GoAnywhere is storing those keys in an insecure manner? That would be an issue.

  • No, the application is installed on-prem so GoAnywhere aren't storing the keys themselves. My main concern honestly is the seeming lack of know-how at their end about how their own product works. The Sales Engineer we're dealing with said verbatim:

    I confirmed GoAnywhere creates PKCS#8 keys when it exports, so probably what it wants on import, fair to say. I am suspecting those are in PKCS#5 format commonly used by FileZilla and many older clients.

    Maybe I'm being too harsh, but I don't love the 'probably' in this.

  • do you have a reason to think GoAnywhere is storing those keys in an insecure manner?

    "Their initial suggestion was to rename examplekey.ssh to examplefile.pvk"

  • He does have "sales" in his title though. Do they have any real engineers you can talk to?

    The fact you're even asking this on here would've been enough for me to burn them already.

  • My NordVPN subscription has expired. Should I just renew with them or is there a better deal out there? It doesn't get too heavy use but mobile and desktop is needed plus a chrome app would be nice. Cheers

  • Anybody finding NordVPN is making some random and wrong choices about which sites to red flag as insecure, saw this from their support team in a forum:

    Sometimes, servers present chains of certificates, each certifying the authenticity of the next one in the chain. In a situation where a user's computer trusts the root certificate but doesn’t trust the intermediate certificate in the chain, the full chain needs to be verified against the certificate store.

    Our Threat Protection feature had a bug in the certificate verification algorithm where we didn’t support this scenario. We were only checking the certificate on the website itself, not going through the entire chain. Since the intermediate certificate, which we checked, was not trusted by Windows, it was flagged as a potentially bad one by Threat Protection. Meanwhile, the root certificate was verified and trusted by Windows but unchecked by Threat Protection.
    Now, we will properly assemble the full chain from certificates presented by the server and verify the entire chain against the operating system certificate store.

    This fix is set to roll out with the next version of the NordVPN Windows application - 7.16.
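The bug the support reply describes, modelled as an added example (not NordVPN's code): a check that looks only at the site certificate's issuer versus one that assembles the presented chain and walks it to an anchor the OS store trusts. The certificate names are constructed placeholders, and signature/expiry checks are left out so the chain logic stays in focus.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the certificate that signed this one

# Constructed sample chain with placeholder names (not real CAs): the site's
# certificate is signed by an intermediate, which is signed by a self-signed root.
LEAF = Cert("www.example.test", "Example Intermediate CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
ROOT = Cert("Example Root CA", "Example Root CA")

# The scenario from the support reply: Windows trusts the root but has never
# seen the intermediate.
OS_TRUST_STORE = {ROOT.subject}

def find_leaf(presented):
    """The end-entity cert is the one that issued nothing else in the bundle."""
    issuers = {c.issuer for c in presented}
    return next(c for c in presented if c.subject not in issuers)

def buggy_is_trusted(presented, trust_store):
    """The pre-7.16 behaviour as described: examine only the site certificate
    and ask whether its issuer is directly in the store."""
    return find_leaf(presented).issuer in trust_store

def build_chain(presented):
    """Assemble leaf -> intermediate(s) -> root from the presented certs,
    whatever order the server sent them in. Stops early if a link is missing."""
    by_subject = {c.subject: c for c in presented}
    chain = [find_leaf(presented)]
    while chain[-1].issuer != chain[-1].subject:  # not yet at a self-signed cert
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            break
        chain.append(parent)
    return chain

def fixed_is_trusted(presented, trust_store):
    """The corrected behaviour: walk the whole chain and accept once any link
    is, or is issued by, a certificate the OS store trusts. Signature, expiry
    and hostname checks are omitted here to keep the chain logic in focus."""
    return any(c.subject in trust_store or c.issuer in trust_store
               for c in build_chain(presented))
```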

  • "Format not supported" when trying to use Authy in place of MS Authenticator.

    Authy doesn't work with Microshaft stuff then?

    This looks like it's only hotmail or live.com
    https://authy.com/guides/microsoft/

    https://mysignins.microsoft.com/security-info only seems to support the shitty MS Authenticator.

  • I use Authy for corporate O365 and personal Onedrive.

  • Maybe they've disabled the use of alternate shit? I dunno, I see no way of making it work.

  • If I go on Add sign-in method I can add an Authenticator app. If I choose I want to use a different authenticator app then I get a QR code up to add it to authy or whatever.


  • Microsoft have 2 forms of TOTP, a simple one (which will work with Authy, Aegis, BitWarden, etc) and then one that they call PhoneFactor ( https://en.wikipedia.org/wiki/PhoneFactor ).

    Depending on what you're accessing and the policies that were set up for it, you might be given a PhoneFactor TOTP which is the one that basically requires their authenticator app.

    So you might be stuck, but who knows.

  • Add sign in method
    Authenticator app
    then I get the same screen as you but without the bit that says "I want to use a different authenticator app"

  • Yeah, it's the PhoneFucktor thing.

  • Is there a VPN that protects against ISP monitoring, doesn't monitor themselves... AND doesn't break local network connections?

    The ones I'm using:

    • Google One VPN - essentially an OpenVPN (default on Windows) or Wireguard (default on Mac and Linux, optional on Windows) tunnel to a layer of anonymised servers. Google primarily offer this as a subscriber perk (and a defence against DNS adblock) and it can be the cheapest VPN due to the lowest price of £1.59 per month (which I'm on)... but... it breaks the Stream Deck as that uses local 192.168.3.x addresses to control some of the lighting and Google is trying to send all HTTP(S) traffic out over the internet!? Local SMB to my NAS still work though.
    • Mullvad - essentially OpenVPN, breaks SMB to local network in addition to breaking the Stream Deck, so even more useless.
    • CloudFlare 1.1.1.1 - full Wireguard (even on Windows) and whilst SMB works again, the Stream Deck does not.

    In essence, none of them fully honour the private address space https://www.arin.net/reference/research/statistics/address_filters/

    What I would like is either a way to configure any of the above, or just a VPN that does a good job of this. Note that all of the above seem OK with 192.168.1.x, but not with 192.168.3.x so they all seem to autodetect the network that is in use but they still try to route other private networks.

    Edit: This is on Windows 11 btw... and my assumption was that all of the VPNs would be fine, the reality is that none work as expected. I am using multiple VLANs, but local traffic should still work regardless of that as it's still in a range that should be sent local.

  • Iirc, you can connect to some VPNs using SSH tunneling / openvpn - way more involved than just installing something, but magnitudes greater levels of control.

  • I've gone and read source code... the Google One VPN is correctly excluding the local ranges: https://github.com/google/vpn-libraries/blob/275344f33129390eae827f2598bc3d14422d70c1/android/src/main/java/com/google/android/libraries/privacy/ppn/internal/service/RouteManager.java#L46

    192.168.0.0/16 is excluded, which is everything from 192.168.0.0 to 192.168.255.255.

    There must be something going on that I cannot see... all VPNs I've tried are affected, so perhaps it's me, perhaps something is wrong with how Windows is doing this?
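An added example (my own, not code from the linked RouteManager or any of the VPN clients) that tests the hypothesis in the posts above: a split-tunnel decision by longest-prefix match, run once with a full 192.168.0.0/16 exclusion and once with only the auto-detected 192.168.1.0/24, plus a diagnostic listing which private ranges a given exclusion list fails to cover. Interface names and the exclusion lists are constructed placeholders.

```python
import ipaddress

# Prefixes a split-tunnel client should keep on the LAN: RFC 1918 private space
# plus loopback and link-local. This list is constructed for the example; it is
# not copied from the RouteManager.java linked above.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Hypothesis from the thread: the clients only exclude the subnet they detected
# on the active adapter, here 192.168.1.0/24, rather than all of 192.168.0.0/16.
DETECTED_SUBNET_ONLY = [ipaddress.ip_network("192.168.1.0/24")]

def route_for(dst, excluded, tunnel="wg0", lan="Ethernet"):
    """Longest-prefix match over the exclusion routes. Interface names are
    placeholders. Returns (interface, matched prefix); with no match the
    destination falls to the tunnel's 0.0.0.0/0 default route."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in excluded if addr in n),
               key=lambda n: n.prefixlen, default=None)
    return (lan, str(best)) if best else (tunnel, "0.0.0.0/0")

def leaking_private_ranges(excluded):
    """Diagnostic: which private ranges are NOT wholly covered by the client's
    exclusion routes, and so could be pushed into the tunnel."""
    return [str(p) for p in PRIVATE_RANGES
            if not any(p.subnet_of(e) for e in excluded)]
```

With the /24-only list the Stream Deck's 192.168.3.x addresses land on the tunnel, which is exactly the symptom described; with the /16 in place they stay local.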

  • I vaguely remember giving up with the Mullvad client when trying to exclude local addresses. To get to my pihole or router or whatever I just disabled Mullvad client. They have an exclude local resources option but it didn't seem to do what I expected. #csb

    Sorry, don't know enough about Windows networking to solve your issue. I'll blame Windows Firewall though just for lolz

  • Mullvad has an option in their client to allow local network sharing, Settings>VPN Settings>Local Network Sharing. Works fine for me, printing and accessing NAS etc.
    I think you can set it up similarly using OpenVPN or Wireguard if you want.

  • I was totally unaware that Google had a VPN (which I'm paying for as part of extra storage) when I signed up to another service recently.

    Doesn't look like they have a chrome add-in though which is surprising.

  • The Google One VPN is phenomenal at speed... I have a 1Gbps connection and can get about 800Mbps from the download and 90Mbps upload using their VPN... which is basically just the overhead of the CPU doing the decryption / encryption.

    By far it outperforms Cloudflare, Mullvad, NordVPN on speed... and their implementation is anonymised (at the ISP / State Actor threat model level).

    The problem is only that the UI is extremely crappy and you basically have to use it. It's made for Android primarily, but there are apps for all operating systems.

Posted by Velocio (@Velocio)