SN 803: Comparative Smartphone Security

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Steve, nice podcast as usual. Again, I'd like to repeat that by reading the Flash admin guide it is possible to set up a config file that will keep Flash working on an 'allow-list' set of domains or URLs, and keep the browser from updating or deleting Flash. FWIW, as they say, RTFM! And reading Adobe's recent announcements about Flash retirement can take you to that revelation. Too bad the railroad didn't even do that.
“mms.cfg” in the proper location:

EOLUninstallDisable = 1
AutoUpdateDisable = 1
EnableAllowList = 1

followed by one or more patterns, such as

AllowListUrlPattern = *://*.mydomain.com/
AllowListUrlPattern = *://*.mydomain.com:8080/

There are also instructions on how to trace the process of pattern checking, which essentially includes an option that will allow ALL Flash :(

https://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html
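To make the allow-list mechanics above concrete, here is an added example (not code from the original post or from Adobe) that parses an mms.cfg of the shape shown, lints it for settings that would leave Flash unrestricted, and reports which AllowListUrlPattern entries admit a given URL. The matching rules it applies (wildcard scheme, a leading `*.` host wildcard that also covers the bare domain, ports compared after normalising the http/https defaults, path compared as a prefix) are this script's own assumptions modelled on the two patterns in the post, not a transcription of Adobe's documented algorithm, so confirm them against the admin guide before relying on the results.

```python
"""Lint a Flash Player mms.cfg allow-list and test URLs against it.

Added example, not from the original post or from Adobe. The matching rules
(wildcard scheme, '*.' host wildcard covering the bare domain, default-port
normalisation, path prefix) are assumptions, not Adobe's documented algorithm.
"""
from urllib.parse import urlsplit

# Constructed sample config, mirroring the entries shown in the post.
SAMPLE_MMS_CFG = """\
EOLUninstallDisable = 1
AutoUpdateDisable = 1
EnableAllowList = 1
AllowListUrlPattern = *://*.mydomain.com/
AllowListUrlPattern = *://*.mydomain.com:8080/
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_mms_cfg(text):
    """Split 'key = value' lines into (settings, patterns).

    AllowListUrlPattern may repeat, so it is collected as a list; every other
    key is treated as single-valued (last occurrence wins).
    """
    settings, patterns = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "AllowListUrlPattern":
            patterns.append(value)
        else:
            settings[key] = value
    return settings, patterns


def split_pattern(pattern):
    """Break '*://*.mydomain.com:8080/path' into (scheme, host, port, path)."""
    if "://" not in pattern:
        raise ValueError(f"pattern has no scheme separator: {pattern!r}")
    scheme, rest = pattern.split("://", 1)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    return scheme.lower(), host.lower(), (int(port) if port else None), "/" + path


def url_matches(pattern, url):
    """Assumed matching rules; see the module docstring."""
    p_scheme, p_host, p_port, p_path = split_pattern(pattern)
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port
    if port is not None and DEFAULT_PORTS.get(scheme) == port:
        port = None  # an explicit default port is treated like no port
    if p_scheme != "*" and p_scheme != scheme:
        return False
    if p_host.startswith("*."):
        base = p_host[2:]
        if host != base and not host.endswith("." + base):
            return False
    elif p_host != host:
        return False
    if p_port != port:
        return False
    return (u.path or "/").startswith(p_path)


def matching_patterns(patterns, url):
    """Return every configured pattern that would admit url."""
    return [p for p in patterns if url_matches(p, url)]


def lint_allow_list(settings, patterns):
    """Flag configurations that do not actually restrict Flash to chosen sites."""
    findings = []
    if settings.get("EnableAllowList") != "1":
        findings.append("EnableAllowList is not 1, so the patterns are not applied")
    if not patterns:
        findings.append("no AllowListUrlPattern entries")
    for p in patterns:
        try:
            _, host, _, _ = split_pattern(p)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if host in ("*", "*."):  # assumption: a bare wildcard host admits every site
            findings.append(f"over-broad pattern admits every host: {p}")
    return findings


if __name__ == "__main__":
    cfg_settings, cfg_patterns = parse_mms_cfg(SAMPLE_MMS_CFG)
    print("lint:", lint_allow_list(cfg_settings, cfg_patterns) or "ok")
    for test_url in ("https://app.mydomain.com/game.swf",
                     "http://mydomain.com:8080/game.swf",
                     "https://mydomain.com.evil.example/game.swf"):
        print(test_url, "->", matching_patterns(cfg_patterns, test_url))
```

Run it against your real mms.cfg by reading the file instead of the constructed sample; the lint is the useful part, since a config where EnableAllowList is missing, or a pattern whose host part is a bare `*`, silently gives up the restriction the post is describing.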

I am still listening to the show, but wanted to comment about the password manager discussion you had. You pointed out that password managers that auto-fill the credentials without user interaction are a security weakness for better usability.

I am using Bitwarden, and it prompts me with a popup asking if I want to fill in the offered field with my saved credentials. So it seems that it is a bit more secure than the other solutions out there, but a bit more inconvenient to use with the extra step.

I was just reminded of a discussion on a mail list that touches on the password managers also.
Someone opened a help request reporting that user credentials were getting saved in some of the web forms. Some investigation showed that the browser password manager was auto-filling the user and password fields on the page when this one user was editing a different portion of the page. So when he saved his edit, the username and password got saved as well.

Security and his manager were notified, since it was against policy to use password managers, and he had to reset his password, since anyone with access to the system could now see it.
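The incident in the post above is a server-side problem as much as a browser one: the edit handler saved every field that arrived, including the login inputs the browser had filled in. As an added example (not code from the original post or from any product mentioned in it), here is the naive handler beside a hardened one that persists only the fields the edited section is meant to carry and logs, without the value, any credential-looking field that shows up where it does not belong. The section names, field names, regex and in-memory store are hypothetical, chosen for this example.

```python
"""Persist only the fields an edit form is meant to carry.

Added example, not from the original post. Models the incident described
there: a browser autofills the page's username/password inputs while the
user edits an unrelated section, and the submit handler saves everything.
Section names, field names and the store are hypothetical.
"""
import logging
import re

log = logging.getLogger("form-edit")

# Hypothetical per-section allowlist of fields the handler may persist.
SECTION_FIELDS = {
    "notes": {"title", "body"},
    "contact": {"email", "phone"},
}

# Field names that look like credentials; a non-login form should never
# store these, whichever section is being edited.
CREDENTIAL_NAME = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|user(name)?|login)$", re.IGNORECASE
)


def naive_handle_edit(section, posted, store):
    """The failure mode from the post: save whatever the browser submitted."""
    store.setdefault(section, {}).update(posted)


def handle_edit(section, posted, store):
    """Save only allowlisted fields for `section`; return the names dropped.

    Unknown fields are discarded rather than stored. Credential-like names are
    also logged (name only, never the value) so that an autofill accident like
    the one in the post is noticed instead of silently written to disk.
    """
    if section not in SECTION_FIELDS:
        raise ValueError(f"unknown section {section!r}")
    allowed = SECTION_FIELDS[section]
    record = store.setdefault(section, {})
    dropped = []
    for name, value in posted.items():
        if name in allowed:
            record[name] = value
            continue
        dropped.append(name)
        if CREDENTIAL_NAME.search(name):
            log.warning("credential-like field %r posted to section %r; discarded",
                        name, section)
    return dropped


def stored_credential_fields(store):
    """Audit helper: list (section, field) pairs holding credential-like names."""
    return sorted((section, name)
                  for section, record in store.items()
                  for name in record
                  if CREDENTIAL_NAME.search(name))


# Constructed sample: the user edited the notes section, but the browser had
# autofilled the page's login inputs before the form was submitted.
AUTOFILLED_POST = {
    "title": "Q1 plan",
    "body": "draft",
    "username": "jdoe",
    "password": "not-a-real-password",
}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    naive_store, safe_store = {}, {}
    naive_handle_edit("notes", AUTOFILLED_POST, naive_store)
    dropped = handle_edit("notes", AUTOFILLED_POST, safe_store)
    print("naive store leaked:", stored_credential_fields(naive_store))
    print("hardened store leaked:", stored_credential_fields(safe_store))
    print("dropped fields:", dropped)
```

The audit helper is the part to run against an existing data set after an incident like this one: it answers the question the help request raised (which records now contain credential-named fields) without printing the values.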

On the subject of password managers, at least in Chrome 88 there are settings/toggles for “Offer to save passwords” and “Auto Sign-in”. Also, on my computer, in order to show a password when clicking on the eye icon, I am prompted by the local login prompt. I am synchronizing passwords through Google, though. In Firefox, of course, you have to set a password yourself outside of the local account.