You don’t want anything that advertises next generation encryption. You want tried and true encryption. You want boring encryption.
fake keepass repo on github
Submitted 14 hours ago by not_IO@lemmy.blahaj.zone to technology@lemmy.world
https://lemmy.blahaj.zone/pictrs/image/2f5edd37-242d-4551-bada-474f769b44a5.webp
Comments
henfredemars@infosec.pub 11 hours ago
JasonDJ@lemmy.zip 10 hours ago
But post-quantum…
Natanael@infosec.pub 10 hours ago
Then you want them to advertise NIST PQ standards
sugar_in_your_tea@sh.itjust.works 8 hours ago
For a personal database that’s unlikely to leave your hardware, sure. For SSH keys or something else that needs to be accessible publicly, post quantum or other “next generation” encryption may be reasonable.
If you’re sharing KeePass with others, maybe post quantum encryption is something to look for to get a bit of protection going forward.
A_norny_mousse@feddit.org 14 hours ago
Thank you for your service.
I use keepassxc and although I’m unlikely to ever install it any other way than through my distro’s package manager without 3rd party repos, this is good to know and hits a personal note.
Fuck all nefarious hackes and scammers. I just re-installed my server and installed crowdsec on it not 24h hours ago, and already got 20 000 bans. Twenty thousand! It’s getting worse and worse and worse and worse.
solsangraal@lemmy.zip 13 hours ago
i’m brand new to linux after decades of windows. is there a comprehensive resource that talks about security on linux beyond just “linux is super secure don’t worry about it”? i feel like the more people continue to ditch windows, the more scammers are going to focus their energy on linux, and i know next to nothing
problembasedperson@lemmy.dbzer0.com 13 hours ago
wiki.archlinux.org/title/Security
Applicable to most Linux distros.
A_norny_mousse@feddit.org 11 hours ago
First of all there isn’t One Linux.
In simple terms for an end user, yes, you are definitely better off with any of the major distros.
Non-commerciality is probably the most important aspect. Or as someone put it a long time ago: “Suddenly I realized that the software is on my side.”
Cenzorrll@lemmy.world 3 hours ago
I’ve used Linux for 15+ years.
Install from the repositories, if it isn’t in your “app store” or installed using apt or yum or whatever your distro package manager is, don’t bother with it until you’re more familiar with Linux.
Your system is 99%+ of the time going to be secure as long as you don’t install something sketch. You need to install it, it won’t just happen on it’s own, things can be hidden behind copy paste instructions so be sure you have a good idea of what each step does if you’re doing that (I’ve never come across this in the wild, FYI). The other small percentage is a bug or something in packages (see the xz debacle) which you have little control over. The best thing you can do is just keep packages up to date.
null_dot@lemmy.dbzer0.com 11 hours ago
Please nobody wheel out the Swiss cheese analogy or I’ll shit myself.
jdeath@lemm.ee 5 hours ago
hey guys, AI really is good for something! it helps scammers a ton!
filcuk@lemmy.zip 5 hours ago
This is depressing. And what’s worse is that the best way to combat this is probably also AI. We’ll just scam ourselves out of resources by wasting it all on scams and battling scams. What a fitting way to go would that be.
x00z@lemmy.world 13 hours ago
PSA: The amount of stars on GitHub can be botted and is not a good indicator to know if you are dealing with a legitimate repository. Even the commit history can be faked (although that’s less common).
kinship@lemmy.sdf.org 7 hours ago
How to go about it then? I am a layman and can’t inspect every application that I download on github
x00z@lemmy.world 3 hours ago
Try to do some research like you would do with closed source tools. See if they have a website and if it links to the GitHub you encountered. Also see if there are subreddits or forums and see what they link to.
In the case of this “Pro” version of KeePass; a simple search would have shown that there is no Pro version.
mazzilius_marsti@lemmy.world 4 hours ago
i like Keepass, in fact I’ve been using it fot almost 2 years. Might consider going “GNU Pass” so I have more controls.
wischi@programming.dev 2 hours ago
I used keepass since ages and about two years ago I switched to a self-hosted vaultwarden instance and I still think it was a great choice. So of you have a docker experience and a little VM lying around you could give vaultwarden/Bitwarden a try.
lemmydividebyzero@reddthat.com 8 hours ago
Someone will probably attach an LLM and call it the Ultimate edition, because why not…
rbos@lemmy.ca 6 hours ago
Thank goodness for distro repositories with somewhat-vetted software.
DarkCloud@lemmy.world 13 hours ago
This is why I never feel safe downloading a program from Github. I need a recognisable domain name website that google or duckduckgo has picked as the product.
ABasilPlant@lemmy.world 13 hours ago
I need a recognisable domain name website that google or duckduckgo has picked as the product.
This doesn’t always work. For example, I used to (and still do) see a lot of fake websites when I l type revanced (revanced.app) on duckduckgo, and I’ve nearly fallen for two of the fake ones before (I think two of .com / .org / .to…?)
Thankfully ublock origin warns users of this:
Otherwise, I’d have 100% downloaded some malware-loaded crap.
Imhotep@lemmy.world 11 hours ago
Just tried a search for Magisk and uBlock indeed does a great job at blocking all the scam websites.
Imhotep@lemmy.world 11 hours ago
I need to install Magisk.
Google: 1st result: their Github page 2: magisk-manager.fr.uptodown.com/android 3: magiskmanager.com/ 4: magisk-manager.fr.softonic.com/android
Kagi: 1st result: their Github page 2: magisk.me/ (icon showing it may be scam) 3: magiskmanager.com/ (scam icon) 4: themagisk.com/ (scam icon)
No way I’m clicking on anything but the Github page. Kagi is somewhat better than Google, but you have to pay attention to the small warning icon. I would say bot search engines do a bad job and shouldn’t show those results (or have an option “show me unsafe websites”)
Serinus@lemmy.world 13 hours ago
Wait til you hear about npm.
jjjalljs@ttrpg.network 9 hours ago
This reminds me of the new vector for malware that targets “vibe coders”. LLMs tend to hallucinate libraries that don’t exist. Like, it’ll tell you to add, install, and use jjj_image_proc or whatever. The vibe coder will then get an error like “that library doesn’t exist” and "can’t call jjj_image_proc.process()`.
But you, a malicious user, could go and create a library named
jjj_image_procand give it a function namedprocess. Vibe coders will then pull down and run your arbitrary code, and that’s kind of game over for them.You’d just need to find some commonly hallucinated library names
dependencyinjection@discuss.tchncs.de 10 hours ago
As a Typescript developer, npm is a damn mess. I ain’t got a clue how to handle these dependencies.
rottingleaf@lemmy.world 12 hours ago
I myself prefer to keep good ass IRL
SpiderUnderUrBed@lemmy.zip 1 hour ago
I feel like github should have verified repositories