Are hardware security keys (e.g. ones supporting FIDO2) “able to protect authentication” even in case of compromised devices?

Correct me if I am wrong, please.

I understand that 2FA (MFA) increases account security in case an attacker obtains a password, which might be possible in various ways, e.g. phishing, database breach, brute-force, etc.

However, if the 2FA device is compromised (full system control) which can also be the very same device then 2FA is broken. It’s not as likely as opposed to only using a password but conceptually this is true.

Do hardware security keys protect against compromised devices? I read that the private key cannot be extracted from those devices. I am thinking about protecting my SSH logins with a FIDO2 key. Taking SSH as an example, I would imagine that on a compromised device the SSH handshake and key exchange can be intercepted and the FIDO2 key can be used for malicious things.

Additionally: FIDO2 protects against phishing by storing the website it is set up to authenticate with. Do FIDO2 and OpenSSH also additionally implement host key verification, or doesn’t it matter because FIDO2 with OpenSSH is already asymmetric encryption and thus not vulnerable to MitM attacks?

Nginx not able to serve subdomain on same server as domain

On my nginx server (Ubuntu 18.04), I want to host domain.com and apis.domain.com, where domain.com is one index.html file and apis.domain.com is a proxy to my Node.js API, which is running on port 3001.

I have 2 files in the /etc/nginx/sites-available folder called domain.com and apis.domain.com, and here are the contents of those files.

    # domain.com
    server {
            listen 80;
            listen [::]:80;

            root /var/www/domain.com/html/production;
            index index.html

            server_name domain.com www.domain.com;

            location / {
                    try_files $uri $uri/ =404;
            }
    }

    # apis.domain.com
    upstream domain_apis {
            server 127.0.0.1:3001;
            keepalive 64;
    }

    server {
        listen 80;
        server_name apis.domain.com;

        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            proxy_pass http://domain_apis/;
            proxy_redirect off;
            proxy_read_timeout 240s;
        }
    }

When I hit domain.com, things are working fine. But when I hit apis.domain.com, it serves the page from the domain.com root folder. I have replaced the reverse proxy with a simple server with another subdomain, but it always serves the root domain.

Any ideas on how to debug this and how to check if requests are hitting the correct block?

Not able to find the constraints option in the Rigidbody component

I am working on a game tutorial right now and I need to freeze constraints for a model prefab. I add a Rigidbody component and I want to freeze rotations on the x and z axes. However, I am not able to find the option in the component. Is there another way to access rotation constraints (I do not want to code the constraints at the moment)? Or is there something I am missing in the new version? Please do let me know. Thanks

Rigidbody component. It does not have the constraints option here at all!

I am using Unity 5.6.7f1 Personal

Not able to receive any notification from netconf test tool [closed]

I am working with the netconf test tool to simulate devices. I was able to edit configuration on the devices. I was working with notifications; even though I subscribed to a stream, I was not able to get any notification from the device. If anybody has an understanding of, or has worked with, the netconf test tool with notifications, it would be a great help.

Here is my Python code:

    import sys
    import logging
    from ncclient import manager
    from ncclient import operations

    log = logging.getLogger(__name__)

    CREATE_SUBSCRIPTION = '''<?xml version="1.0" encoding="UTF-8"?>
      <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="{}">
        <create-subscription xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
          <stream>NETCONF</stream>
        </create-subscription>
      </rpc>'''


    # Fill the device information and establish a NETCONF session
    def connect(host, port, user, password):
        return manager.connect(host=host,
                               port=port,
                               username=user,
                               password=password,
                               hostkey_verify=False,
                               allow_agent=False,
                               look_for_keys=False)


    def test_notification(host, port, user, password):
        # 1.Create a NETCONF session
        with connect(host, port=port, user=user, password=password) as m:
            # 2.Set the message-id for the rpc
            msgId = 1002
            rpc = CREATE_SUBSCRIPTION.format(msgId)

            # 3.Send rpc
            result = m._session.send(rpc)
            m.take_notification(block=True, timeout=None)


    if __name__ == '__main__':
        logging.basicConfig(level=logging.DEBUG)
        test_notification(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

How close to you does your Familiar have to be for you to be able to dismiss it into its pocket dimension?

How close to you does your Familiar have to be for you to be able to dismiss it into its pocket dimension?

Within 30′, to match the area you can resummon it into? Within voice range? Within 100′, which is its telepathic communication range? Within 120′ if you use the Message cantrip to make the command? Within any distance on the same plane, if you have Voice of the Chain Master? Within any distance on the same plane, regardless? Within any distance on any plane, if you cast Sending to make the command? Anywhere in the multiverse? The Find Familiar spell does not say.

How can a character be able to Detect Thoughts on multiple people at once?

Since this video came out (timestamped to the important part), I have been puzzling over any spell I could find to understand what’s going on. While I know a DM can invent all they want for NPCs and enemies, I also know that Monty Martin (the DM of that game) finds pleasure in beating his players with enemies that conform to the same parameters that PCs have (thus making a RAW PC as his villain and outplaying the actual PCs). So I am sure that this demonstration of skill from the sallow-eyed man is an actual RAW spell or ability, though I have not been able to find such a trick since that episode first aired.

Does anyone know of a way that a character can be granted "mass detect thoughts"?

Restrict CA to issue certificates for one domain or to be able to sign just one server certificate

I have a server and I want my iPhone to connect to it securely. However, I cannot just install the self-signed server certificate on my iPhone. When I install the profile (that’s what they call the certificate), it says "Not verified".

Normally, you would go to CA Trust settings and enable full trust for the certificate. BUT I deliberately made the certificate with critical,CA:false constraint. That’s the reason it does not show in the CA Trust settings.

Why did I do it — I just need to install the single certificate and I don’t want to totally compromise my iPhone security, if my CA credentials got stolen.

Does this have a solution? iOS probably requires a CA to trust a certificate, but I don’t want a possibility to create certificates at all (besides the one), or at least for other domains.


One potential "solution" might be to create the CA, sign the server certificate and then delete the CA key, as it would not be needed and would live for a shorter time (lower chance to get stolen).

However, people other than me wouldn’t be stoked to install it. (I don’t want to buy a certificate as it’s a home project and I don’t even have a domain name, just the IP address.)

The certificate complies with Apple’s current requirements for server certificates. (https://support.apple.com/en-us/HT210176)
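
The throwaway-CA idea from the post above (create the CA, sign the one server certificate, then discard the CA key), written out as an added example that is not part of the original post. It goes one step beyond the post by putting an X.509 name constraint for the single IP address on the CA; whether a given client enforces that constraint is an assumption to verify. The address `192.0.2.10`, the subject names, the 365-day lifetime and the use of the Python `cryptography` package are all assumptions.

```python
import datetime
import ipaddress
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SERVER_IP = ipaddress.ip_address("192.0.2.10")  # constructed (documentation range)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days)))

def issue_pair(days=365):
    """Return (ca_cert, server_cert, server_key). The CA private key stays a
    local variable: it is never written to disk and is not returned."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = _name("Throwaway home CA")  # hypothetical name
    only_this_ip = x509.IPAddress(ipaddress.ip_network(f"{SERVER_IP}/32"))
    ca_cert = (_builder(ca_name, ca_name, ca_key.public_key(), days)
               .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
               # Assumption beyond the post: limit the CA to this one IP address.
               .add_extension(x509.NameConstraints([only_this_ip], None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    server_key = ec.generate_private_key(ec.SECP256R1())
    server_cert = (_builder(_name(str(SERVER_IP)), ca_name, server_key.public_key(), days)
                   # Same "critical,CA:false" constraint the post describes.
                   .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
                   .add_extension(x509.SubjectAlternativeName([x509.IPAddress(SERVER_IP)]), critical=False)
                   .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
                   .sign(ca_key, hashes.SHA256()))
    return ca_cert, server_cert, server_key

def signed_by(cert, issuer_cert):
    """True if cert's signature verifies under issuer_cert's public key."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False
```

The CA certificate is what gets installed and trusted on the phone; the server certificate and `server_key` go on the server.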