Mathwiz Posted August 20, 2023 Well, there's 2FA, and there's intentionally annoying 2FA. Only form of 2FA I've ever used is the kind where you log in and they send you a OTP, via either text (so you need the cell phone it gets sent to - doesn't have to be a smart phone though) or email (so you need to prove you have access to your email account). Those aren't too bad, and a lot of sites will set a browser cookie so you don't have to do it again, at least for a while. No "special app" needed! But from what you're saying, it sounds like GitHub will require a special app just to generate the OTP. I can't see any reason for such a requirement, other than to discourage folks from logging into GitHub unless they have to! 30 seconds to key the darn thing in sounds awfully tight too. (That may be the reason you need a special app - text or email would often take longer than that.) GitHub isn't a banking or financial site - or even your email account! Why are they doing this?
AstroSkipper Posted August 20, 2023 1 hour ago, Mathwiz said: 30 seconds to key the darn thing in sounds awfully tight too. (That may be the reason you need a special app - text or email would often take longer than that.) GitHub isn't a banking or financial site - or even your email account! Why are they doing this? Because the operators of GitHub no longer tick quite right.
Mathwiz Posted August 20, 2023 (edited) On 5/6/2023 at 4:16 PM, Mathwiz said: This release fixed Chase.com too! I guess define is defined now.... Well, that didn't last long! Built-in SSUAO pretends to be FF 102; guess that's no longer good enough! Edit: FF 113 is the minimum to avoid the warning, but I wonder what new Googlisms (or conceivably Mozilla-isms, but I'm still betting on the former) will be needed in order to access chase.com, once "soon" arrives? Edited August 20, 2023 by Mathwiz
UCyborg Posted August 20, 2023 https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/
VistaLover Posted August 20, 2023 (edited) 20 hours ago, Mathwiz said: Built-in SSUAO pretends to be FF 102 Is that on your "loved" St55? Because St52 (2023-07-31) (32-bit) has the SSUAO below: general.useragent.override.chase.com;Mozilla/5.0 (%OS_SLICE% rv:112.0) Gecko/20100101 Firefox/112.0 But, as you wrote in your edit, that's still NOT enough to satisfy chase.com when loading https://secure.chase.com/ I set the Fx version to 115.0, which is the current ESR branch, and that makes their "notice" go away - still, as you say, if "they" actually move on to needing a Fx-113.0+ JS/CSS feature for "their" pages to work, then all bets are off for UXP users ... 20 hours ago, Mathwiz said: FF 102 Kinda OT, but since I see it all the time here by various members, https://website-archive.mozilla.org/www.mozilla.org/firefox_releasenotes/en-us/firefox/releases/1.0.6 Quote How do I spell Firefox? How do I abbreviate it? Firefox is spelled F-i-r-e-f-o-x - only the first letter capitalized (i.e. not FireFox, not Foxfire, FoxFire or whatever else a number of folk seem to think it to be called.) The preferred abbreviation is "Fx" or "fx". Best greetings Edited August 21, 2023 by VistaLover clarifications/corrections
Mathwiz Posted August 20, 2023 4 minutes ago, UCyborg said: https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/ Noticed a couple of things there: first, Quote Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA) by the end of 2023. But later: Quote If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You’ll have 45 days to configure 2FA on your account—before that date nothing will change about using GitHub except for the reminders. We’ll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com. You’ll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited. Don’t worry: this snooze period only starts once you’ve signed in after the deadline, so if you’re on vacation or out of office, you’ll still get that one week period to set up 2FA when you’re back at your desk. So I guess you were one of the "lucky" ones that got "selected" well before the end of 2023. Second, here's the excuse they gave: Quote Developers’ accounts are frequent targets for social engineering and account takeover (ATO). Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain. I don't think for a minute that Micro$oft cares one bit about "protecting developers." If that were the case, they could've made this optional, perhaps with a banner on your page so visitors would know whether you'd enabled 2FA. No, I think this has to be about protecting Micro$oft.
I think they're worried that someone will upload bad software (buggy, or conceivably even malware) to GitHub, the guilty party will claim that their account was hacked, and Micro$oft will get sued for lax security. Making 2FA mandatory is intended to remove the "my account was hacked" excuse. Which, I suppose, is fine; if that's what they feel they have to do to protect themselves from legal liability, so be it. I just wish they'd drop the "we're trying to protect you" malarkey. Third, I see they do support 2FA via SMS, but.... Quote SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B. I don't know why it doesn't provide "the same level" of protection, but that makes me worry that other sites requiring 2FA will soon stop supporting SMS as well, so even non-GitHub users may soon find themselves in the same boat. So thank you for the advice on KeePass. XP/Vista users may soon need it, GitHub or no GitHub! Quote https://website-archive.mozilla.org/www.mozilla.org/firefox_releasenotes/en-us/firefox/releases/1.0.6 Seriously? I couldn't possibly care less how Mozilla prefers I abbreviate the name of their product. It's clear what "FF" means in context! But at least they didn't suggest "F5x"....
VistaLover Posted August 20, 2023 37 minutes ago, VistaLover said: Because St52 has the SSUAO below: general.useragent.override.chase.com;Mozilla/5.0 (%OS_SLICE% rv:112.0) Gecko/20100101 Firefox/112.0 ... Well, I'm still on St52 (32-bit) buildID=20230731064657 and that's indeed its chase.com SSUAO... Next week's St52 release, with buildID=20230810152826, had the Fx version inside that SSUAO downgraded to 102.0; this is still true for latest St52 (32-bit), buildID=20230818021145 ... The related commits I researched appear a bit "off": Official Basilisk: https://repo.palemoon.org/Basilisk-Dev/Basilisk/commit/633ad774201bdb53fe4fa2424da851af77f1bfc8 (112.0 => 102.0, like in "our" St52) Roy's custom UXP branch: [Basilisk] [SSUAO] Update chase.com override https://github.com/roytam1/UXP/commit/85a5c5821499012f92331b97d5ac2b40b5653794 (79.0 => 102.0); but where did v79.0 come from? [Pale-Moon] [SSUAO] Update Chase override https://github.com/roytam1/UXP/commit/4bbb81d78ee2f0c6342955cb0b2392a684721653 (112.0 => 102.0) Trying to understand why the "downgrade" was even implemented, I arrived at the official PM Forum thread below: https://forum.palemoon.org/viewtopic.php?f=70&t=29704 That's an interesting read (though nerve-testing with regard to the chase.com UA-sniffin' practices); @Mathwiz found out that now an upgrade to Fx-113.0+ versions is needed (to make the nag banner go away), but does logging in on https://secure.chase.com work as expected with that "upgrade" in place?
roytam1 Posted August 21, 2023 Author Notice for Goanna3-based browsers (NM27/KMG): starting with the 2023-08-05 build, the browser may crash at random memory locations when browsing (for example, archive.org); you may work around it by toggling `javascript.options.ion` to `false`. Issue for tracking this problem: https://github.com/rmottola/Arctic-Fox/issues/149
j7n Posted August 21, 2023 13 hours ago, UCyborg said: After making it past the notion that you need bloated Electron app or a smartphone just to generate a code to login... Can you use MOS Authenticator for this? It is a small program that I used on WinXP to access a bank. But it may be a different format of password. http://www.maxoutput.com/authenticator/
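On the "format of password" question above, and on the 30-second window discussed earlier in the thread: the codes GitHub's authenticator-app option expects are RFC 4226 HOTP counters driven by RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step), and that is the same format Google Authenticator-style apps produce; whether MOS Authenticator implements exactly this is an assumption here, not something the thread confirms. The block below is an added example, not code from this thread, GitHub, or MOS Authenticator. The secret is the RFC 6238 test-vector seed (ASCII "12345678901234567890"), constructed here so the output can be checked against the RFC; a real enrolment hands you a base32 secret or an otpauth:// QR code instead.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed demo secret: the RFC 6238 test-vector seed, shown as the base32
# string an enrolment page or QR code would give to the authenticator app.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    # Apps and enrolment pages often omit base32 padding and use lower case;
    # normalise before decoding.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Every second inside one 30-second step yields the same code, which is why
    the code must be typed in before the step boundary, not within 30 seconds
    of it being displayed.
    """
    return hotp(decode_secret(secret_b32), at // step, digits, algo)


def verify(secret_b32: str, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current step plus `skew` steps either side
    to absorb clock drift and typing delay. Constant-time compare to avoid
    leaking which digits matched."""
    ok = False
    for w in range(-skew, skew + 1):
        expected = totp(secret_b32, at + w * step, step, len(code))
        ok |= hmac.compare_digest(expected, code)
    return ok


def otpauth_uri(account: str, secret_b32: str, issuer: str) -> str:
    """Key URI format consumed by Google Authenticator-compatible apps
    (hypothetical account/issuer values; the scheme itself is standard)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": 6, "period": 30,
    })
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET_B32, now))
    print("seconds left in this step:", 30 - now % 30)
    print(otpauth_uri("user@example.invalid", DEMO_SECRET_B32, "ExampleSite"))
```

The RFC 6238 vectors make the behaviour concrete: at T=59 the code is 287082 (the 8-digit vector 94287082 truncated to 6), the same code holds for every second from T=30 to T=59, and a server with a one-step skew still accepts it at T=89 but not at T=120. SMS delivery usually cannot meet that budget, which is the practical reason the thread's "30 seconds" only works with a local generator.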
VistaLover Posted August 21, 2023 20 hours ago, Mathwiz said: But at least they didn't suggest "F5x" ... Probably because numeronyms were not "en vogue" at the time that Mozilla article was written (ca. the time Fx-1.0.6 was released, 2005-07-18; I wasn't even online back then) ...
UCyborg Posted August 21, 2023 Is there a working link to ZIP version of MOS Authenticator?
VistaLover Posted August 21, 2023 (edited) 4 hours ago, UCyborg said: Is there a working link to ZIP version of MOS Authenticator? https://www.maxoutput.com/authenticator/MOSAuthenticator_off.zip WFM. Warning: Most AV suites (including mine) outright BLOCK this program; I had to whitelist both its download page (for the download to even begin) and the binary (Authenticator.exe) itself; therefore, USE AT YOUR OWN RISK ... Regards. Edited August 21, 2023 by VistaLover Update of content
mina7601 Posted August 22, 2023 1 hour ago, VistaLover said: https://www.maxoutput.com/authenticator/MOSAuthenticator_off.zip Just how pedantic this website really is! Changing the A to lowercase in /authenticator/ makes the link work normally? Very funny and trivial, honestly! But thanks for the link! Nothing personal against you btw, don't worry.
nicolaasjan Posted August 22, 2023 5 hours ago, VistaLover said: Warning: Most AV suites (including mine) outright BLOCK this program 30 security vendors and no sandboxes flagged this file as malicious.
VistaLover Posted August 22, 2023 9 hours ago, nicolaasjan said: 30 security vendors and no sandboxes flagged this file as malicious. ... I re-analysed the file (previous score was from 8 months ago) and now the new score is even "bigger": "36/70 security vendors and no sandboxes flagged this file as malicious" ... I guess most AV suites treat this as a KeyGen of sorts; the author himself stated on his website: Quote while we try to convince Google that this software isn't malware FWIW, in the latest score, the Google engine simply timed out ...