• Guest, The rules for the P & N subforum have been updated to prohibit "ad hominem" or personal attacks against other posters. See the full details in the post "Politics and News Rules & Guidelines."

Malware blackmail is real

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

Red Squirrel

No Lifer
May 24, 2003
56,299
7,595
126
www.uovalor.com
When it comes to hacking, the type of password or how you store it, or whether or not you use 2FA does not always matter. The whole idea behind hacking is to exploit the system by finding a flaw in it to bypass authentication. For example if the mail server has a flaw that you send a specific packet that lets you inject stuff into memory, then you can make it do something it was never designed to do such as run arbitrary code. Or if something like heartbleed is not patched etc. That is typically how a server gets hacked. Of course if you use weak passwords then the hackers don't even need to go that far as brute force will eventually let them in through SSH. Then they just dump whatever data that server had on it.

I use a different password for every service and use a password manager though so if one site gets hacked ideally that password that leaked is not being used for anything else. I do use a web based password manager though, I wanted something self hosted that will work on any machine that is on my network without having to install anything.

I probably should switch to 2FA for sites that implement it, but I just hate that every site uses their own proprietary system (ex: some may use authy, some might use google, some might use their own etc so you end up with all these apps) that requires some app, and it's stuck to my phone. What if I lose my phone, or want to change my phone? The authenticator app is basically a black box I have no control over or a way to back up. Well some might but not all will. Depends on the site and what their app is like. They really need to come up with a better standard for that. It should be some kind of key pair thing where you generate a private/public key and you give them the public key. Then you can use an app or even hardware token that stores the private key, but make it a standard so from a client point of view I can have all my sites in one place instead of needing an app for each one. And most importantly a way to back it all up.
 

lxskllr

No Lifer
Nov 30, 2004
53,818
3,955
126
It should be some kind of key pair thing where you generate a private/public key and you give them the public key. Then you can use an app or even hardware token that stores the private key, but make it a standard so from a client point of view I can have all my sites in one place instead of needing an app for each one. And most importantly a way to back it all up.
Yup. This problem was 90% solved decades ago with gpg. All that's needed is a friendly interface for people to use.
 

Ichinisan

Lifer
Oct 9, 2002
28,168
1,173
136
Halfway through the OP, I groaned and rolled my eyes. Who HASN'T seen these?

It's just scammers capitalizing on the fact that a password of yours has been in one or more of those leaked lists. There's practically no one that hasn't been affected by one of those leaks.

Now the claim that they have webcam footage of you jacking it is just a lie. It's how they manipulate suckers.

Use a different password for every site.

Change your passwords when you are part of a known leak.

Ignore these bullshit scammers.

That's really all you can do.
 

ASK THE COMMUNITY