Hacker News | justsomeadvice0's comments

I think GP intended to convey "under the price in the article" ($83/kWh).


IIRC macOS got rid of privileged ports for these reasons. Dunno about iOS... But in any case what cell provider is going to let you handle inbound traffic? Most of the wifi networks you are on are NAT'd, etc. At best you'd probably want an outbound persistent tunnel that is "terminated" by a relay elsewhere. At that point you might as well just have the relay host the thing.


Sadly, cell provider puts me behind an IPv4 CGNAT, they didn't even bother to hand out IPv6 addresses at least. I picked them out because they were cheap more than anything, so I only have myself to blame.

I have previously used carriers that did expose (IPv6) addresses, though. Port 25/53/etc were blocked but I could host a web server on there if I wanted to drain the 2GB of mobile data I had at the time.

NAT isn't a problem with IPv6 support. Of course there's the network firewall, but adding a rule to accept ports 1714-1764 isn't that hard.

Right now I've solved the problem with a VPN tunnel, but that's not really that permanent a solution.


You're not getting inbound connections on IPv4 without a fight, although I remember when you used to be able to pay mobile carriers to get a public IPv4 address that might have also been static(!) for VPN purposes. But it's not uncommon for carriers to give you a whole /64 on IPv6, and for that to be full proper connectivity (maybe they block smtp and smb, that's very common).

Yeah, IPv6 isn't everywhere, but if you have it on your phone and everywhere you want to access your phone from...


That's true even with a residential ISP though. It's no harder than serving off a laptop on android.


All mobile traffic is proxied today, anything inbound on a normal plan will get flagged if it’s at all disruptive.

I had some experience getting yelled at by a carrier for something like this. If your “server” is mobile, they get testy.


They just claim to have identified abuse of an "SSPR" attack happening against Azure AD in the wild. What part is a lie?


No, you've added a word, and left out a different word. They claim to have "identified a novel attack vector".

https://www.cloudflare.com/learning/security/glossary/attack...

An "attack vector" is not necessarily a TTP used by threat actors, it is a way in. Whether it is used or unused, an attack vector is an attack vector.

Yes, they've documented threat actors actively using it. And SSPR has been used against several other services before this one. But the claim is in the lede sentence: "novel attack vector".


I think you're taking their choice of a single word a bit too seriously, and dare I say, personally. I don't think they're claiming to be the first to have ever discovered this attack vector, nor are they trying to steal credit from you. And while "novel" might not be the best word choice, in common parlance it need not mean "unique," and can just as well mean "unusual." In fact the dictionary definition of "novel" literally includes "unusual" ("new or unusual in an interesting way").


Yeah, agree with this guy. Anyways I took "novel attack vector" to just mean "first time we've heard of using SSPR against AD". They even used the existing acronym "SSPR", so they're not claiming to have discovered the attack vector or anything.


Your dictionary definition / denotation is not the connotation "novel" has in research.


While you can't memorize it (memorizing a fair amount of entropy would take an intelligent human quite some time), you can of course store them offline (it's just a key). Today's initial implementation on macOS restricts exporting, but that is supposed to be added according to reliable Apple devs: https://hachyderm.io/@rmondello/110329118270492669


>you can of course store them offline

>Today's initial implementation on macOS restricts exporting,

So you can't. Will be able. How long can Tesla owners earn money with their self-driving Tesla?

If you can export and import them, isn't that a security risk?


> memorizing a fair amount of entropy would take an intelligent human quite some time

Everyone who has seen it remembers correct horse battery staple, and intelligent humans find it relatively straightforward to reroll diceware until they can imagine a story for the words they see.

Permute case, use symbols and digits as word dividers, and most HN readers can remember 'uncrackable' amounts of entropy.


A long time ago I wrote a variant of this - the signup page would generate a token, place it in a hidden password field, submit a hidden form, and instruct the user to click the "Save password" dialog in their browser. One advantage of this was e.g. Chrome would sync the password immediately across all your devices (in some ways this was a privacy violation, although one that the user had to explicitly opt themselves into). New sessions (e.g., if you reset or lost your browser's stored passwords) still happened via email verification, though.

Today I would just use passkeys.


This is interesting. I'm not sure how I feel about it from the perspective of the user understanding what they're consenting to, but it's secure and the flow is simple.

I don't support passwords on any of my services. Emailed magic links and SSO are the encouraged methods, even with all the tradeoffs. I've considered allowing users to generate tokens similar to OP, but some percentage of them will be emailed around and pasted into phishing sites etc.

But something like this could work as an option, especially if it could integrate with a couple of popular password managers as well. Not sure if that's even possible.


> doing basic entropy checks on a user-provided password pretty much solves the issue anyways.

No it does not. Users will find one high-enough-entropy variant of their password, and reuse it across all sites for life.

> Authentication is pretty much a solved problem

Hrm. It might be solved for you and users like you - but it depends on your site's demographics: most internet users on the whole will not know anything about encrypted "password lockers" and "physical Webauthn tokens". Browser-managed passkeys, on the other hand, stand some chance of being easy enough to use while enforcing good security and high entropy secrets, but lack widespread adoption so far.


You can use mTLS client certificates (kept in the system key store) in browsers this way; but the UX is pretty hard to get right, and certificates nearly always have to have an expiry date to deal with the compromise-able nature of keys imported into the system key store.


Lots of people end up with AgentForward on by default as a sort of "make it work" fix, and lots of people use `git+ssh` on untrusted servers. Here's an example:

https://abyssdomain.expert/@filippo/109659699817863532

TBF this is a vulnerable config either way; but RCE on the client shouldn't be possible.


I've been using a separate SSH config for git for a long time now. Nice to see it wasn't just paranoia.

Among the settings are explicitly disabling agent forwarding, and using a git specific identity (SSH key).
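As an added example (not from any poster in this thread), a small POSIX-shell resolver that applies the ssh_config(5) rule that the first obtained value for an option wins, run over two constructed configs: a "make it work" file where a global `ForwardAgent yes` placed above the git host block silently wins over the per-host `no`, and the corrected layout with a git-only identity. The host name, key path and both config files are constructed for illustration.

```shell
# Added example, not code from any commenter: report the value OpenSSH would use
# for one ssh_config option on one host, applying the ssh_config(5) rule that the
# FIRST obtained value wins. Handles "Key value" lines, comments and glob patterns
# on Host lines only (no "Key=value", no Match blocks, no "!" negated patterns).
effective_option() {            # usage: effective_option FILE HOST option
    file=$1; host=$2; want=$3
    set -f                      # no pathname expansion: "Host *" must stay literal
    applies=1                   # lines before any Host block apply everywhere
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}        # drop trailing comments
        set -- $line            # split into keyword + arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        if [ "$key" = host ]; then
            applies=0
            for pat in "$@"; do # any pattern on the Host line may match
                case $host in $pat) applies=1 ;; esac
            done
            continue
        fi
        if [ "$applies" -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$1"  # first obtained value: stop here
            return 0
        fi
    done < "$file"
    printf 'default\n'          # option never set for this host
}

# Constructed "make it work" config: the global ForwardAgent yes comes first,
# so it overrides the per-host "no" written below it.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
ForwardAgent yes
Host github.com
    ForwardAgent no
EOF

# Corrected layout: host-specific block first, restrictive defaults last,
# plus a git-only identity (key path is a placeholder).
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
Host github.com
    ForwardAgent no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_git_only
Host *
    ForwardAgent no
EOF

effective_option "$WEAK" github.com forwardagent      # yes
effective_option "$HARDENED" github.com forwardagent  # no
```

On a real machine the same check is `ssh -G github.com | grep -i forwardagent`, which prints the option values OpenSSH itself resolved.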


I’m not so sure git is secure against a malicious server, even if you’re not simply pulling in a Makefile written by the attacker.


Assuming you do perfect integrity checks of the git repo you're pulling, git uses SSH and obeys ssh config for each host under the hood. It's safe to say that if you have forward-agent enabled git is vulnerable.


> Social media networks with over 100,000,000 daily active users should not be considered as "private companies with a right to free speech through censorship". They are effectively public squares that we have all elected and chosen to share. Right and left alike.

Shouldn't this also apply to TV channels? Chat apps like iMessage? Popular newspapers, blogs, and email newsletters? And indeed, why stop at 100M DAUs - why not 10M, or 1M? The problem I expect is this path leads to the death of freedom of the press.


It's not 100M readers that makes it a public square. It's 100M writers.

Like a shopping mall, the classic US example of a privately owned public square.


To be fair though, freedom of the press should be limited to things that at the time of publication/broadcast were believed to be true by reasonable actors.

They shouldn't get carte blanche to claim wild conspiracy theories and to turn people into figurative monsters and then claim 1st amendment rights to protect them from the consequences of their public agitating slander.

On the other hand, reviewing and moderating anything other than their current carte blanche status quo would be an inhuman ordeal, so it's not like I have a more perfect idea to replace it with, just an understanding that there are bad actors using the rules of our American Social Contract as a weapon against the fundamental rights of "life, liberty, and the pursuit of happiness" that the self-same social contract they are exploiting has promised us for our abidance.


I understand where you're coming from, but I'm not sure it matters. If you don't like the bad actors spreading "disinformation" then speak louder. You're 100% right that it's untenable to moderate "the news". We have laws preventing bad faith actors from spreading demonstrably false information that damages somebody. Anything else is just... insignificant to your life, liberty, or pursuit of happiness unless you aren't mature enough to ignore opinions that make you unhappy.


It took me a while to understand what you were talking about at the end there. I think the author is referring to a grammatical period ('sorry' vs 'sorry.'), not the menstrual kind, lol.


hahah. oops. I edited and removed that criticism. The exact line was:

>> We’ll cry into TikTok over an errant period at the end of a text message.

My brain read that as, "At the end of a text message, we'll cry into TikTok over an errant period." lol

