Dan <[email protected]> writes: > On Fri, Jun 12, 2026 at 3:40 PM Dave Love <[email protected]> > wrote: > >> And if your system (if that's the place) is owned, aren't all bets off? >> > > That would be the case where a separate (physically or phone-number) system > would prevent the compromise.
What compromise? If an attacker owns my laptop somehow, they have access to my TGT, cookies etc., and can snoop on password/OTP entry. They can't get the OTP secret from external hardware, or easily extract my TGT from KCM, but presumably can register another OTP secret with access to those credentials. I don't know details of actual supply chain attacks, but I have a real example close to home (rather, work). Of course I'm happy to use OTP for what threat model it addresses. Others will disagree, but here's someone who presumably would be a supply chain target: Unpopular opinion: passwords.txt is fine. If you can extract files from my laptop you can probably get my cookies (depending on how the OS keychain is used), and certainly a number of authentication tokens, as well as pictures and private documents. — Filippo Valsorda -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
