• henfredemars@infosec.pub
    link
    fedilink
    English
    arrow-up
    97
    arrow-down
    1
    ·
    2 months ago

    You don’t want anything that advertises next generation encryption. You want tried and true encryption. You want boring encryption.

      • Natanael@infosec.pub
        link
        fedilink
        English
        arrow-up
        29
        arrow-down
        1
        ·
        edit-2
        2 months ago

        Then you want them to advertise NIST PQ standards

        … Which is also not necessary for single user password databases anyway

        • coffeetastesbadlikecoffee@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          29
          arrow-down
          1
          ·
          2 months ago

          Yes it is necessary just as my homelab needs to have enterprise hardware and be georedundant. Statements like yours make my very reasonable self hosting purchases hard to financially justify.

          • Natanael@infosec.pub
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            6
            ·
            2 months ago

            The standards are royalty free, so I’m not sure what that has to do with anything

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      2
      ·
      2 months ago

      For a personal database that’s unlikely to leave your hardware, sure. For SSH keys or something else that needs to be accessible publicly, post quantum or other “next generation” encryption may be reasonable.

      If you’re sharing KeePass with others, maybe post quantum encryption is something to look for to get a bit of protection going forward.

  • x00z@lemmy.world
    link
    fedilink
    English
    arrow-up
    66
    ·
    2 months ago

    PSA: The amount of stars on GitHub can be botted and is not a good indicator to know if you are dealing with a legitimate repository. Even the commit history can be faked (although that’s less common).

  • jdeath@lemm.ee
    link
    fedilink
    English
    arrow-up
    36
    ·
    2 months ago

    hey guys, AI really is good for something! it helps scammers a ton!

    • filcuk@lemmy.zip
      link
      fedilink
      English
      arrow-up
      11
      ·
      2 months ago

      This is depressing. And what’s worse is that the best way to combat this is probably also AI. We’ll just scam ourselves out of resources by wasting it all on scams and battling scams. What a fitting way to go would that be.

  • DarkCloud@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    3
    ·
    edit-2
    2 months ago

    This is why I never feel safe downloading a program from Github. I need a recognisable domain name website that google or duckduckgo has picked as the product.

    No it’s not perfect, but it feels safer than a random github.

    • A Basil Plant@lemmy.world
      link
      fedilink
      English
      arrow-up
      27
      arrow-down
      1
      ·
      2 months ago

      I need a recognisable domain name website that google or duckduckgo has picked as the product.

      This doesn’t always work. For example, I used to (and still do) see a lot of fake websites when I l type revanced (https://revanced.app/) on duckduckgo, and I’ve nearly fallen for two of the fake ones before (I think two of .com / .org / .to…?)

      Thankfully ublock origin warns users of this:

      Otherwise, I’d have 100% downloaded some malware-loaded crap.

      • Imhotep@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        Just tried a search for Magisk and uBlock indeed does a great job at blocking all the scam websites.

        • JcbAzPx@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          It’s important to note that new scam sites won’t be picked up until someone reports them, so there’s still a chance you’ll be one of the first to a new domain.

    • Imhotep@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      2 months ago

      I need to install Magisk.

      Google:
      1st result: their Github page
      2: magisk-manager.fr.uptodownDOTcom/android
      3: magiskmanagerDOTcom/
      4: magisk-manager.fr.softonicDOTcom/android

      Kagi:
      1st result: their Github page
      2: magiskDOTme/ (icon showing it may be scam)
      3: magiskmanagerDOTcom/ (scam icon)
      4: themagiskDOTcom/ (scam icon)

      No way I’m clicking on anything but the Github page.
      Kagi is somewhat better than Google, but you have to pay attention to the small warning icon.
      I would say bot search engines do a bad job and shouldn’t show those results (or have an option “show me unsafe websites”)

      edit: uptodown and softonic might not be as bad. Still wouldn’t download from them.

  • MystikIncarnate@lemmy.ca
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    2 months ago

    I’m not sure who they were trying to fool? Bluntly, if you’re keeping your passwords in a local repo using strong encryption via something like keepass, you’re generally not the kind of person to see “KeePassXE Pro ultra mega best edition” and blindly download it without vetting the source…

  • Rob Bos@lemmy.ca
    link
    fedilink
    English
    arrow-up
    8
    ·
    2 months ago

    Thank goodness for distro repositories with somewhat-vetted software.

  • mazzilius_marsti@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    2 months ago

    i like Keepass, in fact I’ve been using it fot almost 2 years. Might consider going “GNU Pass” so I have more controls.

    • wischi@programming.dev
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      I used keepass since ages and about two years ago I switched to a self-hosted vaultwarden instance and I still think it was a great choice. So of you have a docker experience and a little VM lying around you could give vaultwarden/Bitwarden a try.