Latest episode: #327: Untangling XML with Pydantic
with @brianokken and @mkennedy #python
https://pythonbytes.fm/episodes/show/327/untangling-xml-with-pydantic
@pythonbytes @brianokken @mkennedy In regards to the rant about 2FA, check out LTT's recent video about the rash of YT account takeovers using stolen session cookies. These attacks bypass 2FA, because they impersonate your "trusted" browser.
I would also recommend Shannon Morse's hardware 2FA playlist for a deeper dive. She debunks a lot of the myths you've cited in the past.
https://www.youtube.com/watch?v=xalg8a3eIy4&list=PLeYHKbaShxTH0GV0jMstXygTRowCnAWiJ
@sitwon @pythonbytes @brianokken Thanks for the info. I'm a big fan of Shannon Morse. I've seen that video, I think. As for those takeovers, yes, that is a problem. But it's not the same problem as protecting you against stolen or guessed/brute-forced credentials. If someone has full control of my computer, I'm not sure whether it's cookie takeover or just recording my keystrokes and/or automating my computer to do the deed. So while bad, I don't know that they are the same problem.
These are two separate complaints I have about your 2FA rants. (#327, #293)
1) You have been dismissive and perpetuated fear and misconceptions about how hardware 2FA works and how safe/easy/effective it is.
2) In #327 specifically you were additionally complaining about short expiration times on session cookies.
2FA and session expiration work together to mitigate the risk of stolen credentials.
It's challenging to have a nuanced convo in this format.
@sitwon Hi, thanks for the feedback. Let's take these as two separate threads...
@mkennedy That's 1) incorrect, and 2) super disingenuous.
1) The Yubikey failure there wasn't a FIDO U2F failure. He was using it as a smartcard for his GPG key and that's what failed. Even if it was the hardware that failed (always possible), you literally cannot enroll a hardware 2FA token without also creating backup codes or having some other alternate.
2) It wouldn't have failed the release, just delayed the signing. They could have released anyway without signing with that specific key.