DaemonForums  


News News regarding BSD and related.

#1 | 20th December 2024
shep (Real Name: Scott), Arp Constable
Join Date: May 2008 | Location: Dry and Dusty | Posts: 1,549
Two Factor Authentication via Text Message Compromised

Per the subject line, the FBI has issued a new warning about iPhone/Android text messaging.

I personally never trusted a mobile device funded by companies that data harvest and ended up moving my banking from a bank that would only authenticate via text to one that would also authenticate via email.

Being innately cheap, I have been using the email server that is bundled with my ISP. I know it is encrypted (protocol displayed when logging in via mutt) but I'm wondering if it would be prudent to set up a 3rd party email account with a provider that is more focused on security?

Last edited by shep; 23rd December 2024 at 03:23 AM. Reason: spelling
#2 | 20th December 2024
jggimi, More noise than signal
Join Date: May 2008 | Location: USA | Posts: 8,080

Email uses the Simple Mail Transfer Protocol, SMTP. The SMTP protocol is 43 years old, and predates the Internet or any concept of computer security. While it has had enhancements, and some portions of email transfer can be encrypted, most mail starts and ends as plaintext content. Consider that email is now functionally dominated by a handful of large providers who provide "free" services in order to mine the contents of our messages for their revenue. The transmission of our messages may be encrypted -- sometimes -- but the transfer agents generally deal with ASCII, MIME, or S/MIME encoded plaintext.

Should you decide to use one of the "security-focused" smaller email providers, you'll need to investigate carefully, as it appears some of these companies' "security" services may be theatrical rather than functional. One of the providers I've seen mentioned in this negative way has a name which rhymes with "snow pond fail".

If you're unfamiliar with SMTP and its use in a modern Internet, I recommend Michael Lucas's book, Run Your Own Mailserver. You don't ever have to implement a mailserver of your own to use the book; you'll learn a whole lot about modern email and how it works -- or, doesn't. It's geared for the admin who doesn't have an email background but wants to know what it takes to run it. Heck, I've been using email since the late '70s and running email servers since the early '80s, and found lots of value in it.
#3 | 20th December 2024
flatdog, New User
Join Date: Jul 2024 | Location: Romania | Posts: 6

Quote:
Originally Posted by jggimi
Email uses the Simple Mail Transfer Protocol, SMTP. [...]
Any opinions on Tutanota? Should I be worried about Proton? I'm not an expert, and I'd really like to keep my e-mails as safe as possible. Running my own mail server would get me listed on every existing blacklist, so I have to rely on third-party services.
#4 | 20th December 2024
jggimi, More noise than signal
Join Date: May 2008 | Location: USA | Posts: 8,080

Disclaimer: I'm not a consultant on email services. I will not investigate any company's marketing literature, white papers, reviews, news reports, and the like.

You need to perform your own due diligence, because your concept of "security" is probably not the same as shep's, and not the same as mine. "Security" is a meaningless term, because it isn't definable. You just know you have to have it, whatever it is.

So:
  1. Learn how email moves through the Internet. It starts at a sender's mail user agent, and then travels through multiple mail transfer agents to the recipient's mail user agent. Consider how much of that message is required to be in plaintext in order to be transmitted, and therefore how much information can be exfiltrated at any point. In addition, consider where the message content could be altered along its path. I will refer you again to my recommendation for MWL's book, linked above.
  2. Understand your own threat model. What do you want to prevent? What do you want to ensure? What is your scope of privacy requirement?
  3. Review your commercial options against your requirements definition in step 2.
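The path jggimi describes in posts #2 and #4 (sender's MUA, a chain of MTAs, recipient's MUA, with the session encrypted on some hops and not others) can be read off a message's own Received: headers, because each MTA prepends one and records the protocol it accepted the message with. The script below is an added example, not code from the thread or from any project named in it; the sample message, its hostnames, addresses and queue ids are constructed. Whatever it reports, every MTA in the chain still had the headers and body in the clear while relaying, which is jggimi's point about plaintext.

```python
"""Trace the MTA hops recorded in a message's Received: headers and report,
per hop, whether the hop advertised TLS.

Added example (not code from the thread). The message below is constructed;
its hostnames, addresses and queue ids are placeholders.
"""
from __future__ import annotations

import re
from email import message_from_string

# Constructed sample. MTAs prepend Received:, so the top header is the
# newest hop and the bottom one is the submission from the sender's MUA.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org (OpenSMTPD) with ESMTPS id abc123
\t(TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO)
\tfor <bob@example.org>; Fri, 20 Dec 2024 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP id def456;
\tFri, 20 Dec 2024 10:00:03 +0000
Received: from [10.0.0.5] (alice-laptop.example.com [203.0.113.9])
\tby relay.example.com with ESMTPSA id ghi789;
\tFri, 20 Dec 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: quarterly numbers

Body text is readable by every MTA above unless end-to-end encrypted.
"""

# "with" protocol names used in Received: clauses (RFC 5321 section 4.4);
# a trailing S means the session ran over TLS, A means it was authenticated.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}
CLEAR_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA"}

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Za-z0-9]+)",
    re.IGNORECASE,
)


def trace_hops(raw_message: str) -> list[dict]:
    """Return hops oldest-first as {'from', 'by', 'with', 'tls'}.

    'tls' is True for an ESMTPS/ESMTPSA hop, False for a plaintext hop and
    None when the clause is missing or names a protocol we do not classify.
    Only hops written by MTAs you trust are reliable: any earlier MTA (or the
    sender) can forge the Received: lines beneath its own.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = re.sub(r"\s+", " ", value).strip()  # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            hops.append({"from": None, "by": None, "with": None, "tls": None})
            continue
        proto = m.group("with").upper()
        tls = True if proto in TLS_PROTOCOLS else (False if proto in CLEAR_PROTOCOLS else None)
        hops.append({"from": m.group("from"), "by": m.group("by"), "with": proto, "tls": tls})
    return hops


def clear_hops(raw_message: str) -> list[str]:
    """Receiving MTAs that took the message over a plaintext session."""
    return [h["by"] for h in trace_hops(raw_message) if h["tls"] is False]


def report(raw_message: str) -> list[str]:
    """One line per hop, e.g. '[10.0.0.5] -> relay.example.com: ESMTPSA (TLS)'."""
    labels = {True: "TLS", False: "PLAINTEXT", None: "unknown"}
    return [
        f"{h['from']} -> {h['by']}: {h['with']} ({labels[h['tls']]})"
        for h in trace_hops(raw_message)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_MESSAGE):
        print(line)
    print("plaintext hops:", clear_hops(SAMPLE_MESSAGE))
```

Run it against a message saved from your own mailbox (mutt's `v` then `s` writes the raw message) to see which relays between your correspondent and your ISP's server negotiated TLS. A hop marked PLAINTEXT is one where the message crossed the wire unencrypted; a hop marked TLS only protects that single wire, not the MTA at either end.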
#5 | 20th December 2024
flatdog, New User
Join Date: Jul 2024 | Location: Romania | Posts: 6

Fair enough.
I wasn't asking for tips or free lunch. But after 6 pages (120+ posts) of reading and debate on "the other forum" I realized that only the Big guys are "allowed" to safely provide and run their own mail servers. Thank you for your input, I'll stick with third-party. Less hassle for me.
#6 | 20th December 2024
jggimi, More noise than signal
Join Date: May 2008 | Location: USA | Posts: 8,080

Quote:
Originally Posted by flatdog
...only the Big guys are "allowed" to safely provide and run their own mail servers.
Then there is some sort of misunderstanding. It's a very large playing field, and all of us can participate. It just requires some understanding and provisioning effort to join in. The infrastructure requirement is relatively small: an internet-facing server with static IP address(es), and a domain name.
#7 | 20th December 2024
flatdog, New User
Join Date: Jul 2024 | Location: Romania | Posts: 6

There is no misunderstanding. If I may, I'd point you to a thread (I'm not advertising any forum; just follow the discussion if you have some time to kill, your choice): https://forums.freebsd.org/threads/r...w-lucas.93777/
#8 | 20th December 2024
jggimi, More noise than signal
Join Date: May 2008 | Location: USA | Posts: 8,080

Thank you for the link. I'm not a FreeBSD user, so I don't participate there.


I have started going through it. I can say my experience differs from the first page full of complainers there -- that's as far as I've gotten today -- perhaps because I use a third-party DNS service where I have control over my own domain records.

My current server provider is openbsd.amsterdam, and I've been very pleased.

My prior server provider was Vultr.com -- and while I was pleased with the operational side, I stopped using them due to T&C changes. Operationally, Vultr requires a service ticket to open port 25 for a customer MTA. For me -- other customers may have different experiences -- the IPv4 addresses I was assigned happened to arrive with a previous history of minor reputation issues, solved quickly with the associated block lists.
#9 | 21st December 2024
pl (Real Name: /etc/myname: permission denied), Live And Let Unix
Join Date: Aug 2024 | Location: /etc/fstab | Posts: 23

Quote:
Originally Posted by jggimi
I can say my experience differs from the first page full of complainers there
Same here. I have been running my own mail server (heck, even on my own hardware!) since October '23, and even though I don't have rDNS/PTR set up I'm doing well. I send and receive mail without major problems.

Quote:
Originally Posted by flatdog
I'll stick with third-party. Less hassle for me.
Setting up a mail server for the first time is a great deal of pain indeed, but IMO still better than endlessly searching for a provider that, in the end, you still can't really trust. I mean, it's still $RANDOM_COMPANY saying the same "Trust me coz I'm the better guy", like all the other providers do.

By the way,
Quote:
Originally Posted by shep
I personally never trusted a mobile device funded by companies that data harvest
Dumb phones are still a valid option.
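Posts #8 and #9 touch on the two things a receiving MTA checks about a connecting address before it trusts a new sender: whether the IP has a reverse (PTR) record that resolves back to itself, and whether it sits on a block list (the "reputation issues" jggimi cleared with the list operators). The script below is an added example, not code from the thread or from any MTA; it answers DNS queries from a constructed in-memory table so it runs offline, and 192.0.2.0/24 and the zone "bl.example" are placeholders. The reject/tempfail policy in assess_sender is illustrative only: as pl's experience shows, plenty of receivers deliver mail from hosts with no PTR at all, treating it as a score rather than a hard failure.

```python
"""Two checks a receiving MTA commonly runs on a connecting IP before it
accepts mail: forward-confirmed reverse DNS (FCrDNS) and a DNSBL lookup.

Added example, not code from the thread. DNS answers come from a
constructed in-memory table so the script runs offline; a real MTA asks
its resolver. 192.0.2.0/24 and 'bl.example' are placeholders.
"""
from __future__ import annotations

import ipaddress

# Constructed answers: (owner name, record type) -> list of rdata.
FAKE_DNS = {
    # 192.0.2.10: PTR and A agree -> forward-confirmed
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.org."],
    ("mail.example.org.", "A"): ["192.0.2.10"],
    # 192.0.2.20: provider-generic PTR whose A record points elsewhere
    ("20.2.0.192.in-addr.arpa.", "PTR"): ["vps-20.hosting.example."],
    ("vps-20.hosting.example.", "A"): ["192.0.2.99"],
    # 192.0.2.30: no PTR at all, and the address carries a DNSBL listing
    ("30.2.0.192.bl.example.", "A"): ["127.0.0.2"],
}


def lookup(qname: str, qtype: str, table=FAKE_DNS) -> list[str]:
    """Stand-in for a resolver query; NXDOMAIN is an empty list."""
    return list(table.get((qname, qtype), []))


def fcrdns(ip: str, table=FAKE_DNS) -> tuple[str, list[str]]:
    """Return ('confirmed' | 'mismatch' | 'no-ptr', ptr_names).

    Confirmed means at least one PTR target resolves back to the same IP,
    which is how receivers tell a deliberately provisioned MTA from a
    random host on a provider's address pool.
    """
    addr = ipaddress.ip_address(ip)
    ptrs = lookup(addr.reverse_pointer + ".", "PTR", table)
    if not ptrs:
        return "no-ptr", []
    qtype = "AAAA" if addr.version == 6 else "A"
    for name in ptrs:
        if any(ipaddress.ip_address(a) == addr for a in lookup(name, qtype, table)):
            return "confirmed", ptrs
    return "mismatch", ptrs


def dnsbl_listed(ip: str, zone: str, table=FAKE_DNS) -> list[str]:
    """DNSBL query: the address labels reversed under the zone. Any A answer
    in 127.0.0.0/8 means listed; the low octet encodes the listing reason."""
    addr = ipaddress.ip_address(ip)
    labels = addr.reverse_pointer.removesuffix(".in-addr.arpa").removesuffix(".ip6.arpa")
    answers = lookup(f"{labels}.{zone}.", "A", table)
    return [a for a in answers if ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")]


def assess_sender(ip: str, zone: str = "bl.example", table=FAKE_DNS) -> dict:
    """Illustrative policy (not any particular MTA's defaults): reject on a
    DNSBL hit, tempfail (greylist) when rDNS is missing or unconfirmed,
    otherwise accept."""
    status, ptrs = fcrdns(ip, table)
    hits = dnsbl_listed(ip, zone, table)
    if hits:
        verdict = "reject"
    elif status != "confirmed":
        verdict = "tempfail"
    else:
        verdict = "accept"
    return {"ip": ip, "fcrdns": status, "ptr": ptrs, "dnsbl": hits, "verdict": verdict}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(assess_sender(ip))
```

Before putting a new server's address into an MX record, run the same two queries against real DNS (e.g. `dig -x` for the PTR and `dig <reversed-octets>.<zone>` for each list you care about); an address that arrives already listed, as jggimi's did, is cheaper to get delisted before the first bounce than after.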
#10 | 21st December 2024
shep (Real Name: Scott), Arp Constable
Join Date: May 2008 | Location: Dry and Dusty | Posts: 1,549

Quote:
Originally Posted by pl
Dumb phones are still a valid option.
I still have a land line but it will not receive a text. The Bank I moved away from, in the OP, would only authenticate via text to a mobile phone.

The US Government agencies where you set up an account, at least the NSF, NIH, and SSA/Medicare, will phone with an audible 2FA key.

Last edited by shep; 21st December 2024 at 05:18 PM.
#11 | 22nd December 2024
jggimi, More noise than signal
Join Date: May 2008 | Location: USA | Posts: 8,080

I'm going to quote MWL, from an old footnote. It's unrelated but apropos to the idea of end-to-end secure email:
Quote:
Note that I used "sense of privacy" and not actual "privacy."
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick