• 0 Posts
  • 25 Comments
Joined 1 month ago
cake
Cake day: May 20th, 2024

help-circle




  • A bit of both. The Allies started denazification. Then the western allies and Germans who got into power (including Nazis) became less and less strict as they realized they needed some of them to build up structures of society, especially with the cold war beginning. And of course Nazis protecting Nazis.

    The allies even gave some groups of Nazis weapons to prepare for a guerilla war in case Stalin invaded West Germany (see Gladio and other stay behind groups).

    Not punishing Nazis for their crimes was so common that there is a word created for this specific meaning: A Nazi or collaborator basically getting pardoned or even getting the authorities formally void their offenses/atrocities: Persilschein. The word refers to a popular brand of laundry detergent, similar to the phrase"whitewashing".









  • If it is just the location, then it could be spoofed.

    If it is something that requires physical presence, then you need both devices to communicate with each other. If it is not done via QR code (like some online banking do), then both devices need to be connected, e.g. via WiFi or Bluetooth. In this case, if an attacker controls one of the devices (that’s the class of attacks 2FA should prevent you from), the attacker probably controls both devices. So what’s the point then?



  • How would MS Authenticator make it any better than TOTP?

    To break TOTP, the attacker would need to:

    a) be able to observe the initial exchange of the TOTP secrets. To do that, the attacker needs access to the victim’s computer (on user level) at that specific time they set up TOTP. TOTP is a TOFU concept and thus not designed to protect against that. However, if the attacker controls the victim’s computer at that time, the victim is screwed anyways even before setting up 2FA.

    b) have access to the TOTP app’s secret storage and to the victim’s login credentials (e.g. by phishing). If the attacker can gain that level of access, they would also have access to the Microsoft Authenticator’s secret storage, so there is no benefit of the Microsoft app.

    On the other hand, Microsoft Authenticator is a very huge app (>100MB is huge for an authenticator app, Aegis is just 6MB, FreeOTP+ 11MB), i.e. it brings a large attack surface, especially by connecting to the internet.

    I don’t think Microsoft Authenticator brings security benefits over a clean and simple TOTP implementation.




  • It might depend on configuration. In the only case of Microsoft enforced 2FA I know of, it is just TOTP. Microsoft’s web interface nudges (tries to trick) you into using the MS Authenticator app, but that app is not needed. You can use any TOTP capable 2FA app, e.g. Aegis or FreeOTP+, both of which are also available through F-Droid and don’t require internet connection.