Software Endorsements

https://youtube.com/watch?v=-_TWFbw8XjU Fuck. What's this thread's preferred password manager these days?
I looked into this without watching that faggot's video and found the statement released by Bitwarden.

tl;dr Bitwarden-CLI was affected by a supply chain attack where a Github Action in their CI/CD pipeline was compromised using stolen Github tokens, and a version of the bitwarden-cli package was published with a trojan in it. Checkmarx got hit with the same sort of attack, and both attacks tried to steal the same data from users: "GitHub and npm tokens, SSH keys, shell history, cloud credentials, and AI tool configurations for Claude, Cursor, and Aider." No other Bitwarden applications or user vault data were affected.
 
I looked into this without watching that faggot's video and found the statement released by Bitwarden.

tl;dr Bitwarden-CLI was affected by a supply chain attack where a Github Action in their CI/CD pipeline was compromised using stolen Github tokens, and a version of the bitwarden-cli package was published with a trojan in it. Checkmarx got hit with the same sort of attack, and both attacks tried to steal the same data from users: "GitHub and npm tokens, SSH keys, shell history, cloud credentials, and AI tool configurations for Claude, Cursor, and Aider." No other Bitwarden applications or user vault data were affected.
I mean... it's written in Node.

If someone buys out one of the developers for the various dependencies, let's say oh 'big-integer', YOU'RE FUCKED.
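Added example, not part of the posts above: a lockfile check for the situation they describe, where a trojaned release of a package or of one of its transitive dependencies may have been installed. It lists every resolved copy of a package in an npm lockfile and flags the ones on a known-bad list. The lockfile contents, the version strings and the function names are constructed placeholders; `big-integer` is used only because the post names it as a hypothetical.

```javascript
// Added example: list every resolved copy of a package in an npm lockfile
// and flag versions on a known-bad list. All versions here are placeholders.

// Constructed sample lockfile (v3 layout: flat "packages" map keyed by path).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/big-integer": { version: "1.0.0" },
    "node_modules/example-cli": { version: "2.0.0" },
    "node_modules/example-cli/node_modules/big-integer": { version: "9.9.9-placeholder" },
    "node_modules/not-big-integer": { version: "9.9.9-placeholder" },
    "node_modules/bigint-alias": { name: "big-integer", version: "1.0.0" },
  },
};

// v2/v3: match on the path's final node_modules segment, or on "name"
// (set when a package is installed under an alias).
function findPackage(lock, name) {
  const hits = [];
  const suffix = "node_modules/" + name;
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const byPath = path === suffix || path.endsWith("/" + suffix);
      if (byPath || (path !== "" && meta.name === name)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  walkV1(lock.dependencies || {}, name, "", hits); // v1: nested tree
  return hits;
}

function walkV1(deps, name, prefix, hits) {
  for (const [dep, meta] of Object.entries(deps)) {
    const path = prefix + "node_modules/" + dep;
    if (dep === name) hits.push({ path, version: meta.version });
    if (meta.dependencies) walkV1(meta.dependencies, name, path + "/", hits);
  }
}

// Returns only the copies whose resolved version is on the bad list.
function flagged(lock, name, badVersions) {
  return findPackage(lock, name).filter((h) => badVersions.includes(h.version));
}

console.log(flagged(SAMPLE_LOCK, "big-integer", ["9.9.9-placeholder"]));
```

Point it at a parsed `package-lock.json` with the package name and affected versions from the vendor's advisory; a nested copy pulled in by another package shows up even when the top-level copy is clean.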
 
Password managers always seemed like an unnecessary security risk.

Like putting your housekey in or under a flowerpot.
Nah, most are pretty safe. The previously mentioned bitwarden issue is very niche and doesn't affect the general users of the vault.

If you want to be really secure, keepass is pretty solid as you cannot hack that which is entirely local. Of course you have to manage your own shit, but tradeoffs for even more security.

I have no issue phoning my bank and telling them some retard has stolen my details and bought a brand new guitar, the bloody idiots, anyway, need that money back champ.
 
Password managers always seemed like an unnecessary security risk.

Like putting your housekey in or under a flowerpot.
Once you get used to using them, you log in faster, worry less, and can easily keep track of all your accounts and emails. You can also set up 2FA TOTP. I use KeePassXC but I would probably recommend Bitwarden to someone who wants more simplicity. And at least for 2FA get something like Aegis if you have an android phone.
 
EventLook is an improved Windows event browser.

Forget about this:

View attachment 8916242

and use this, it's way more convenient:

View attachment 8916249
If we're talking about modern alternatives to ancient Windows programs, then FluentTaskScheduler is a nice, modern frontend for Task Scheduler.
It comes with basically every feature from Task Scheduler, as per the Github page:
github.com_TRGamer-tech_FluentTaskScheduler.png
I still personally use the ol' taskschd.msc when I need more granular control but FluentTaskScheduler still provides a more straightforward and comfortable view whenever I desire such.
 
I've found PDF-Xchange to be excellent. It's essentially the only perpetual-licensed PDF editor left out there that isn't going to rugpull you.
There's a free version but I think the editing features are rather limited in it.

Okay, I bought the deluxe version for the enhanced OCR and it really works great, this is exactly what I was looking for. Thank you!
 
Password managers always seemed like an unnecessary security risk.

Like putting your housekey in or under a flowerpot.
They aren't created equal. A local password manager with:
- A secure access key known only to you
- Software Auto-update disabled
- Some kind of thought-free replication/backup such as storing the encrypted database in a cloud drive
Is a very solid arrangement.
Cloud hosted*, auto updating, or no security on its database file and you have as you say, something largely pointless because it's going to fold on you at some point.

Keepass/KeepassXC
Moved to KeePassXC recently from the O.G. and it's been fantastic. Much better browser integration, and being able to move 2FA inside the app for almost** everything has been slightly mind-blowing.

*The key difference between a hosted password manager and a local password manager that you chuck in a cloud drive is where the keys to unlock it are stored. It's OK to have your password DB on a cloud service if it's only ever decrypted on your local device. Best of both worlds.
**I have no idea why Steam insists on being a special fucking snowflake when it comes to 2FA but I can't be bothered with the risk/hassle of manually extracting keys to seed OTP if they're not willing to give them to me directly. Too great a risk of losing the account due to some shenanigans that render my 2fa invalid.
 
Moved to KeePassXC recently from the O.G. and it's been fantastic. Much better browser integration, and being able to move 2FA inside the app for almost** everything has been slightly mind-blowing.
Yeah, I used OTP plugins for Keepass2 for the longest time but XC is just more convenient... primarily, in my case, because it lets you fix your fat-fingered 50 character long passphrase after you get it slightly wrong.
**I have no idea why Steam insists on being a special fucking snowflake when it comes to 2FA but I can't be bothered with the risk/hassle of manually extracting keys to seed OTP if they're not willing to give them to me directly. Too great a risk of losing the account due to some shenanigans that render my 2fa invalid.
This is about the gayest thing that Gabe does lol. I'm sure the reason they do this is just to have it as a placeholder to turn into their own little mobile store at some point. If you have an Android phone, there is a set of scripts for the main consumer OSs to get your authenticator secret key from a backup that seem simple enough that you could probably audit them with some degree of confidence.
 
Yeah, I used OTP plugins for Keepass2 for the longest time but XC is just more convenient... primarily, in my case, because it lets you fix your fat-fingered 50 character long passphrase after you get it slightly wrong.

This is about the gayest thing that Gabe does lol. I'm sure the reason they do this is just to have it as a placeholder to turn into their own little mobile store at some point. If you have an Android phone, there is a set of scripts for the main consumer OSs to get your authenticator secret key from a backup that seem simple enough that you could probably audit them with some degree of confidence.
Yeah, and there's guides for manually extracting the seed/key as well. The issue I have is that it puts you outside of their support scope. Which means if, in future, something changes with the way they do authentication, and as a result of not having a full Steam Authenticator setup running somewhere I could end up locked out of my account.
So I could mitigate that by then keeping a proper Steam Authenticator install running on a mobile device somewhere. But now I'm back to my original problem - I lose/wipe that device, and I've put myself in a position where I can lose my account.
Messy. I may just do it anyway. Not having 2FA enabled on the account seems like a bigger mistake, and email-issued OTP SUCKS.
 
So I could mitigate that by then keeping a proper Steam Authenticator install running on a mobile device somewhere. But now I'm back to my original problem - I lose/wipe that device, and I've put myself in a position where I can lose my account.
I have never used the mobile authenticator- I just installed the old unofficial Steam Desktop Client (the 'real' one, not the hundreds of scam ones that stole your creds lol) and got the secret from that and then uninstalled it after I got annoyed with the email 2FA. But I'm pretty sure that when you set things up, it gives you a bunch of backup codes and a revocation code that you can use if you don't have access to the app. If you don't have those backed up, you might want to reset things up again anyway... given that you could end up inadvertently locked out anyway, if your authenticator app isn't backed up.
 
Password managers always seemed like an unnecessary security risk.

Like putting your housekey in or under a flowerpot.
Yes, they're unnecessary. I only have 300-400 passwords, each of which must be completely random, in no way related to each other, and that I might go up to 2 years without using... why do I have to be a lazy fuck and not memorize them? They're only 40-100 characters of pure gibberish. That's nothing.
If you want to be really secure, keepass is pretty solid as you cannot hack that which is entirely local.
Once you're running someone else's code, which you didn't build and you have no source code to, how would you even know that it keeps the passwords local? It could be sending emails to China, or POSTing them to reddit's troon headquarters in San Francisco. Even as much as I like password managers in principle, there is an element of trust which you can't just ignore.
and being able to move 2FA inside the app for almost** everything
[...]
**I have no idea why Steam insists on being a special fucking snowflake when it comes to 2FA but I can't be bothered with the risk/hassle of manually extracting keys to seed OTP if they're not willing to give them to me directly. Too great a risk of losing the account due to some shenanigans that render my 2fa invalid.
You have NO fucking idea. I needed to set up a Microsoft account a few weeks back for a new job. I click on their link for the keys, put it in my password manager, get the typical 6 digit code every 30 seconds... but the Microsoft screen does not advance to ask you to try it the first time. It just stalled out. I cancel everything, start from scratch. Still nothing. Waste better part of a day, cannot log in... and this is for a new job. Turns out, only Microsoft's own 2FA app works with it. Something about the 2FA app phones home, makes it all work. Once past that, my password manager can handle the 2FA, but not for that initial setup. Really pissed me off. Who the hell does shit like that? What was the point, even? It's goddamned spiteful.
 