Just looked. From what I read the phishing attack would really only work for accounts that someone would have to go to a web page for login (which could be faked) and get the details. But for ssh login there is not the same risk.
Thanks
> On Feb 26, 2020, at 11:34 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>
> The phished credentials are generally used immediately to take over the account.
>
> --
> Jeffrey Paul
> sneak(a)sneak.berlin
>
>> On Wed, Feb 26, 2020, at 10:26 AM, deepend wrote:
>> Would be interested in hearing more information on how someone is
>> phishing a code that is only valid for like 30 seconds? Is there more
>> to that story than just phishing?
>>
>> Thanks
>>
>>
>>>> On Feb 26, 2020, at 11:09 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>>>
>>> Note that for U2F you also need ssh client support, so this would require a lot of people to recompile their ssh client.
>>>
>>> Due to the fact that those six digit numeric 2FA codes (TOTP) are phishable, I recommend sticking with a split-key system like U2F or plain ol’ ssh keys. The latter is widely supported, even on things like iPads and the like, and needs no special client support.
>>>
>>> If you are using a full Yubikey for U2F (and not the cheaper blue U2F-only Yubikey), you can use the Yubikey in a smart card mode to generate and store an old-style SSH keypair. This is what I do and it works great.
>>>
>>> Best,
>>> -sneak
>>>
>>> --
>>> Jeffrey Paul
>>> +1 312 361 0355 (voice, sms, Signal)
>>> This message content should be treated as confidential, and if you are an attorney, should be handled as privileged.
>>>
>>>
>>>>> On Feb 26, 2020, at 09:58, ngp <ngp(a)tilde.club> wrote:
>>>>>
>>>>> On Wed Feb 26, 2020 at 10:50 AM, deepend wrote:
>>>>> Found a file mentioning that Fido/U2F auth being available in 8.1. But
>>>>> some websites say it came in 8.2. Not sure who to believe.
>>>>>
>>>>> Tilde club currently runs Fedora 30.
>>>>
>>>> Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not
>>>> available :/
>>>
>>
I understand that. But in what way is someone phishing a code that is available for 30 seconds? That would still allow it to be useable
Would be interested in hearing more information on how someone is phishing a code that is only valid for like 30 seconds? Is there more to that story than just phishing?
Thanks
> On Feb 26, 2020, at 11:09 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>
> Note that for U2F you also need ssh client support, so this would require a lot of people to recompile their ssh client.
>
> Due to the fact that those six digit numeric 2FA codes (TOTP) are phishable, I recommend sticking with a split-key system like U2F or plain ol’ ssh keys. The latter is widely supported, even on things like iPads and the like, and needs no special client support.
>
> If you are using a full Yubikey for U2F (and not the cheaper blue U2F-only Yubikey), you can use the Yubikey in a smart card mode to generate and store an old-style SSH keypair. This is what I do and it works great.
>
> Best,
> -sneak
>
> --
> Jeffrey Paul
> +1 312 361 0355 (voice, sms, Signal)
> This message content should be treated as confidential, and if you are an attorney, should be handled as privileged.
>
>
>>> On Feb 26, 2020, at 09:58, ngp <ngp(a)tilde.club> wrote:
>>>
>>> On Wed Feb 26, 2020 at 10:50 AM, deepend wrote:
>>> Found a file mentioning that Fido/U2F auth being available in 8.1. But
>>> some websites say it came in 8.2. Not sure who to believe.
>>>
>>> Tilde club currently runs Fedora 30.
>>
>> Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not
>> available :/
>
Hey ~clubbers.
I know some people are not fans of public key authentication. So here is a poll I’d like to see if we can improve things since password only auth will not be returning.
http://www.strawpoll.me/19445663
Look forward to the result :)
Hello Everyone!
I would first like to welcome everyone that has joined since we brought tilde.club back from idle. As well, I would like to welcome back many users that have returned.
We have been working hard in the background to keep things going in a positive direction and hopefully users like the direction things are going. (Feedback is always good and welcome if any of you have thoughts on this)
This was mostly a post to let you know that for a while now we have had a Mastodon account and up to this point it has been fairly quiet. I am going to start posting more information and updates regarding the state of tilde.club and things we add or improve. If you would like to follow and keep informed please go to
https://tilde.zone/@tildeclub
Otherwise I will also try to post on the mailing list for those who don’t want Mastodon.
Hope to see you all on the server and continue this journey forward.
Thanks
~deepend
Dear ~club:
Just to give myself some breathing room, I'm going to reduce these
workshops to one every two weeks. I hope at least some of you are enjoying
them. They're moderately fun to write, in any case.
I have a different sort of idea for this workshop. Rather than all going
off and doing our own thing on our own pages, let's use this mailing list
to work collaboratively on something.
Yesterday's xkcd[0] was about putting some effort into a response to a pun
or similarly repellent joke by forming a sentence out of place names and
linking them together with driving directions. (And if you think that was
easy to explain in text, then you're wrong.) I think this is a great idea,
but I don't happen to have a list of word-to-place-names ready at hand.
How am I supposed to make witty comebacks without a list?
(Incidentally, you might call this list that links words to place names
a... map.)
My first thought was to try to come up with this list myself, but that's a
lot of work. Then I thought that lots of other readers of xkcd might want
a list, too. Why not distribute the work amongst us so that we all may
benefit? I'm sure there are already groups out there who are doing this
exact thing, but I say we give it a shot anyway.
~club, your challenge this bi-week is to reply to this message with some
common words or phrases expressed as place names. I'll start:
friend ---> Friend, Nebraska[1]
I'll keep track of the mappings we come up with---feel free to do the
same---and I'll post them on my tilde.club page. Also: bonus points if
you've been to any of the places you reply with or know something neat
about them!
If you're looking for ideas on what words to use, consider drawing from
the most common English words[2]. They'll be the most useful.
Good luck, ~club, and happy mapping,
Bradley
[0]: https://xkcd.com/2260/
[1]: https://en.wikipedia.org/wiki/Friend,_Nebraska
[2]: https://en.wikipedia.org/wiki/Most_common_words_in_English
Dear ~club:
I hope you had fun folding---or at least trying to fold---a paper crane.
As I mentioned last week, it's a surprisingly calming activity, and I
recommend it if pixels (or any other things) are getting you down. You can
take a look at my first somewhat successful attempt [here][0]. (The
numeral "1" printed on its wing means that it's my first passable crane.)
That was a decently interesting excursion in meatspace, but now it's time
to return to a more familiar region. In fact, let's go all the way home
and talk about tilde.club.
I can only assume that if you're reading this, you've been to the
tilde.club website. It stands in striking contrast to the gelatinous
blobules of JavaScript that we call modern websites and acts as a reminder
of the simplicity of the early Web. It's enough to bring a tear to my eye.
But perhaps you, like me, have noticed that the water in your eyes
actually has less to do with nostalgia and more to do with the...
"striking" appearance of the website. It is---and let's be fair about
this---a bit orange.
~club, by special and specific request of the administrators of this
here tilde.club server, your task this week is to redesign the website. At
least one user (~maz)[1] has made a wonderful attempt which features 30%
less eye-searing orange, but don't let that stop you from using other
design features like "other colors" and "non-fixed width fonts".
I have reason to believe that particularly good designs will be considered
as potential replacements for the current one, so take that as motivation,
if you like. Just remember that whatever you design should contain the
same basic information as the current site. Other than that, it's up to
you.
Have fun,
Bradley
[0]: https://tilde.club/~bradley/assets/img/paper-crane.jpg
[1]: https://tilde.club/~maz/tilde.club/
Dear ~club:
I do hope you had some fun setting up or updating your blog. I wrote a
little thing myself to satisfy the criteria of this challenge, which you
can find [here][1]. If you want to, go ahead and reply with your own shiny
new blog or post on the previous thread. I didn't get a chance to see many
of them, and I'd like to check them out if I can.
Let's try something different. Up to now, pretty much all of the
challenges I've presented here have been to do a thing right here on
tilde.club. I have quite a few more of this kind listed in a file in my ~,
so don't you worry about that, but this week I want to go rogue and
challenge you to do something in meatspace.
Some weeks ago---quite on a whim---I decided to learn how to fold a paper
crane. Or, at least I *tried* to learn. I still haven't quite succeeded,
although the attempts I've made to date have come closer and closer to the
proper article. Anyway, I've been enjoying the sensation of folding and
the pride of completing something I didn't know how to do. These aren't
new sensations, really, but they're novel for me since they came from
something so simple and analog.
~club, I challenge you to fold a paper crane, or if you prefer, just
do an origami. When you're finished---or have had enough---post a photo of
what you made to your tilde.club page, or drop a link or path in IRC.
(Photos of failed attempts and franken-paper are welcomed and encouraged.)
[This site][2] was a good resource for me, but feel free to go above and
beyond (or stay below and well-within, if you like). Just have fun, and
let us all know how it goes.
Get foldin',
Bradley
[1]: https://tilde.club/~bradley/2020/01/09/rodents-snakes-and-adhesive.html
[2]: https://origami.me
Dear ~club:
Don't forget: the next biweekly IRC party is tomorrow night EST, or about
a day from now. Let's try to kick things off around 5:00, and we'll see
how far we get.
To quote Ben:
> You should be able to run "chat" from your shell to open weechat and
> connect to our network. You can reach our network on localhost port 6667
> from tilde.club itself or by connecting to irc.tilde.chat on port 6697
> with ssl externally.
>
> There's also a webchat at https://web.tilde.chat/
>
> Join the #club channel!
>
> Info on our wiki: http://tilde.club/wiki/chat.html#irc
Bring your finest keystrokes and casseroles to share. See you tomorrow
night!
Bradley