Bradford Mint

  1. Bradford Mint

    Is SL chat now secure from 3rd party?

    Just to point out that I think she said she didn't want to use a VPN. (Plus, the university may not pass the VPN traffic - unknown to us at this point)
  2. Further to this, a fingerprint is not a password, it is nothing more than a PIN replacement in that just like other biometrics, it serves to unlock access to a credential which CAN be used to authenticate. Cloning a fingerprint has been demonstrated as have other attacks on other biometrics but you still need the device with the actual credential in order to continue. It's not just a case of taking a picture of someone's fingerprint off the internet, etching a bit of metal and making a latex print and then immediately getting logged in on your local PC with fingerprint reader to every system that person has which are actually in secure premises. As you rightly say, the purpose is to alter the current status which is that anyone with the knowledge of just username/password (of which one is public already), can use that information from anywhere in the world.
  3. Nobody has ever said it should be compulsory.
  4. Bradford Mint

    Is SL chat now secure from 3rd party?

    I'm a bit yes and no on this one. They don't need direct access to the machine, only the transmission media and given that the use case is an academic institution, that suggests shared access somewhere along the line. In reality, at the local LAN level, I would expect the switch ports to isolate client traffic so the only people who would be sniffing the aggregate data would be admins or someone who has access to set up port mirroring on the switch. Similarly, any good configuration of a wireless AP in a public area would have AP Client Isolation enabled for the same purpose although wireless presents other opportunities. As for filtering? That's trivial with a network sniffer, just set up a filtering rule to exclude/include traffic as appropriate, no sifting required. You'd do that at the capture level so only cursory additional investigation required later to inspect the actual captured traffic. Whether it's worth it? I'm with you on that one, the OP is just trying to avert any embarrassment that might come up from peers and the simple solution as others have said is "don't use SL on a shared media" or use a VPN. Sufficient solutions exist for this specific issue and while they may not be desirable, are easier to implement than trying to get LL to implement a change instead.
  5. Bradford Mint

    Is SL chat now secure from 3rd party?

    To be honest, I thought the viewer was using HTTPS but my chat is secure anyway - I don't login!
  6. Bradford Mint

    Is SL chat now secure from 3rd party?

    That was my thought.
  7. Bradford Mint

    Is SL chat now secure from 3rd party?

    Yes although it also depends on what is to be exfiltrated and how. For example, extracting only crypto key material or credentials or even keystrokes and sending them via LiFi for example would be far more covert than trying to send to China via IP. Supply chain intercept is a real concern, especially where the root of trust has to be implemented in a country that is not trusted and ironically that tends to include the USA too as far as most of Europe goes.
  8. Bradford Mint

    Is SL chat now secure from 3rd party?

    Yeah but the Chinese don't bother to tap in. It's easier for them to just add covert sniffing hardware to the motherboards at the factory.
  9. Huh? I asked questions, nine to be exact, I solicited your responses which you've chosen not to provide. *shrugs*
  10. OK so let me break this down for you:- Changing passwords regularly is against the best practice advised. Yes you read that correctly! Changing a password AFTER the account has had thousands of $ drained, tell me how that works? How has that worked for the victims of other such attacks? As for charging more for merchants, yes that may be a valid argument but how about if I get a $25 per month discount because I don't want fleximesh armatures or experiences? That's surely just as fair? Just because some don't see the need for it, let's look at that one again... If you own a house, do you have house insurance? Why? Has it ever fallen down or been burgled? Have you ever been on a holiday and taken out holiday insurance? Why? My main question here, do you have thousands of $ or other valuable assets in or passing through SL or are you in fact not really a stakeholder in any possible loss situation?
  11. Not at all but in both cases, in the face of evidence to the contrary and best practice, it's just odd to suggest otherwise and that's what I struggle to understand here.
  12. Ah adopting the "because it hasn't happened" is always the best strategy, you're using the clover leaf methodology again. Yeah, my car didn't get stolen when I accidentally left it unlocked in an airport car park, therefore that demonstrates that there's no need to lock a car because it doesn't get stolen. Trying to have a sensible discussion here about account security on a platform that deals in large value assets is like trying to convince flat earthers that the world isn't flat. I'm also pretty sure that most organisations that hadn't previously been breached had quite a wake up call when it finally happened. Do you have any idea just how long this distinguished list of high profile breaches is? The attitudes here are just confusing, it's almost as bad as the flat earth debates.
  13. 2FA should be optional from the platform's perspective if the risk is to the customer. The risk is to the customer and therefore should be available to those who would wish to reduce their risk. Because the risk is not owned by LL, there's no interest. To repeat: For those who pass thousands of $ through SL, additional account security should be an option. (It should be an option for those who don't pass large sums too but just because the majority don't, doesn't negate the desire by those who do!)
  14. A valid question and about as valid as asking "proof that more people would use SL if there was more <insert favourite topic of choice>" but actually irrelevant to those who do have thousands of $ passing through SL where the account security is weak and would prefer something that provided stronger protection of their assets.
  15. And just say that LL suffered a breach and the user database was compromised? How does your common sense and clover leaf help you there? Let me give you some recent examples:- British Airways, Experian, Facebook. You'd think they would be up to scratch with their security maybe? The list of data breaches is ready to find and security is best performed by implementing a layered approach instead of treating it like a blind faith.