Checking an SHA256 Hash

If you are on macOS, the easiest way to check an SHA256 hash is to run this command against the checksum file (SHA256SUMS, for example):

shasum --algorithm 256 --check --ignore-missing --warn --strict SHA256SUMS

where the hash file should look something like this:

04f15c46e9d82ed36a351c1de1f9c17017c950f6d1b7233e5749440a41f141de *How_to_make_UV-9G_transmit_on_Channel_15_202311.zip

This article explains how to verify it on macOS, Windows, and Linux.

I followed the directions for macOS and Windows and they worked correctly.

I didn’t test it out on Linux.
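What that command does with the checksum file can be written out in Python, which runs the same way on macOS, Windows, and Linux. This is an added example, not code from the original post or from shasum itself; the names check_sums, sha256_file and demo and the sample file names are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Checksum line: 64 hex digits, a space, ' ' (text) or '*' (binary), then the file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large download never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_sums(sums_path, ignore_missing=True, strict=True):
    """Return (results, ok); results maps name -> 'OK', 'FAILED' or 'MISSING'."""
    sums_path = Path(sums_path).resolve()
    results, malformed = {}, 0
    for line in sums_path.read_text(encoding="utf-8").splitlines():
        match = LINE_RE.match(line)
        if match is None:
            malformed += 1 if line.strip() else 0  # blank lines are not errors
            continue
        expected, name = match.group(1).lower(), match.group(2)
        path = sums_path.parent / name  # names are relative to the checksum file
        if not path.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == expected else "FAILED"
    checked = [v for v in results.values() if v != "MISSING"]
    ok = bool(checked) and all(v == "OK" for v in checked)  # fail closed if nothing verified
    ok = ok and not (strict and malformed)  # like --strict: a malformed line fails the run
    ok = ok and (ignore_missing or "MISSING" not in results.values())
    return results, ok


def demo():
    """Constructed sample data: one intact file, one listed but absent, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        target, sums = Path(tmp, "sample.zip"), Path(tmp, "SHA256SUMS")
        target.write_bytes(b"constructed sample payload")
        sums.write_text(f"{sha256_file(target)} *sample.zip\n{'0' * 64} *not-downloaded.zip\n")
        before = check_sums(sums)
        target.write_bytes(b"tampered payload")  # simulate a corrupted or altered download
        return before, check_sums(sums)
```

A matching hash only shows that the file agrees with the checksum list, so the list itself has to come from a source you trust.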

How to use SMS two-factor authentication “the right way”

Via genius Sami Laine:

Here’s what you should do:

  • Secure your high-value accounts with strong authentication. These include crypto wallets, key financial sites and email – and if you’re an influencer – Twitter, Instagram and the like. For these, if SMS is the only option, turn it off and use a strong password with a password manager instead.
  • For new accounts, always check for stronger two-factor alternatives before deciding if you should use SMS.
  • Use a password manager to create strong, unique passwords and to autofill them to protect against phishing attacks.
  • Finally, make sure to set up a security code on your cellular account today to reduce the risk of losing your account to SIM swap attacks.

A list of popular sites and whether or not they support two-factor authentication

WebAuthn rocks, but you might feel that nobody uses it.

Fortunately, you are wrong!

Visit 2FA Directory: Global or 2FA Directory: USA for a list of popular sites and whether or not they support two-factor authentication.

This site is pure gold: it gets you up and running with WebAuthn everywhere possible as quickly as possible. When the provider doesn’t provide it, then contact them demanding it.

Here is their codebase: geniuses.

Learn How To Perform Man-In-The-Middle (MITM) Phishing Attacks In Three Minutes or Less

I can’t say much more than: wow.

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection. – https://github.com/pberba/evilginx2

Seriously great learning resource and kudos to Go Lang!

Just A Few Password Standards That Every Techie Must Know

If you don’t know them, then learn them.

Caffeinate → ruminate → schedule meeting → gesticulate → profit!

Just kidding, it is very valuable.