A multifactor authentication device showing TOTP codes

An ESP32 MultiFactor TOTP Generator

MFA, or multifactor authentication, is a standard security feature these days. However, it can be a drag to constantly reach into one’s pocket, scroll to Google Authenticator (other MFA applications are available!), and find the correct TOTP code, valid only for a short while, to log in to a site. [Allan Oricil] felt this pain point, so they took the problem by the horns and created a desktop MFA TOTP generator to make life just that little bit easier.

TOTP, which stands for Time-based One-Time Password, is a security measure that uses a device or application to provide unique codes that expire after a short time. Two-factor authentication requires a physical item (something you have), such as a key or swipe card, and knowledge of a fact (something you know), like a password, rather than relying on a single factor. This approach ensures a higher level of security. [Allan]’s project is a physical thing one would use with a password or key file.

Continue reading “An ESP32 MultiFactor TOTP Generator”

This Week In Security: Too Little Too Late, And Other Stories

Microsoft has just announced a way to disable JScript in Internet Explorer. This would have been very useful a few years ago, to proactively prevent problems found in the now-ancient JScript engine, which ran their own slightly different version of standard JavaScript. Even though IE is no longer under active development, it still receives security updates. JScript, on the other hand, is basically done. If you’re one of the 1.06% that still use IE, then go flip the switch to protect yourself from additional JScript vulnerabilities.

Zerologon and Samba?

Samba is an open source re-implementation of Microsoft’s SMB protocol. There’s a clever term that describes the reality of this situation: “bug-for-bug compatibility”. Remember Zerologon, the flaw where a security token’s generation could be manipulated to vastly reduce the key space? Samba follows the specification, and therefore suffers from the same issue, though it seems to be unusual to actually run Samba in a vulnerable configuration.

Other implementations cannot say the same. QNAP in particular has been bitten by Zerologon when configured as a domain controller. What’s not clear is whether QNAP is running Samba on the NAS products, or if this is yet another vulnerable implementation. Either way, go update your devices.

Continue reading “This Week In Security: Too Little Too Late, And Other Stories”

PlatformIO And Visual Studio Take Over The World

In a recent post, I talked about using the “Blue Pill” STM32 module with the Arduino IDE. I’m not a big fan of the Arduino IDE, but I will admit it is simple to use which makes it good for simple things.

I’m not a big fan of integrated development environments (IDE), in general. I’ve used plenty of them, especially when they are tightly tied to the tool I’m trying to use at the time. But when I’m not doing anything special, I tend to just write my code in emacs. Thinking about it, I suppose I really don’t mind an IDE if it has tools that actually help me. But if it is just a text editor and launches a few commands, I can do that from emacs or another editor of my choice. The chances that your favorite IDE is going to have as much editing capability and customization as emacs are close to zero. Even if you don’t like emacs, why learn another editor if there isn’t a clear benefit in doing so?

There are ways, of course, to use other tools with the Arduino and other frameworks and I decided to start looking at them. After all, how hard can it be to build Arduino code? If you want to jump straight to the punch line, you can check out the video, below.

Continue reading “PlatformIO And Visual Studio Take Over The World”