Re: How do I read result of a QR Code

[Tim via users]

On Mon, 2024-01-22 at 15:50 -0700, Joe Zeff wrote:
> Well, I am a BOFH, you know.  Letting him find out the hard way was the 
> easiest way to get rid of the git, especially when you consider that the 
> tech he connects to when he calls back to clean up his mess won't be 
> anywhere near as experienced or skilled as I was.

Many years ago I was tasked repeatedly to fix someone's PC who couldn't
be convinced to stop doing foolish things.  The last time I had an
audience as I worked, and a PC with at least three major problems,
along with the usual plethora of viruses/malware,etc.

One complaint was that for a brief moment after every boot that a full
screen picture of two naked hairy men appeared on screen.  'Twas an
easy fix, but since all the other fixes required many reboots along the
way, and I had an audience, I left that till last.
 
-- 
 
NB:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the list.
 
The following system info data is generated fresh for each post:
 
uname -rsvp
Linux 6.2.15-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 16:51:53
UTC 2023 x86_64
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Joe Zeff]

On 01/22/2024 01:47 PM, Tim via users wrote:

I remember trying that out on Win98SE, just within a LAN.  Gawd, it was
a pain.  And I'm sure it was full of buffer overflows, like all
Microsoft products.


Well, I am a BOFH, you know.  Letting him find out the hard way was the 
easiest way to get rid of the git, especially when you consider that the 
tech he connects to when he calls back to clean up his mess won't be 
anywhere near as experienced or skilled as I was.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Tim via users]

On Mon, 2024-01-22 at 09:57 -0700, Joe Zeff wrote:
> Back around the turn of the Millenium, I had a caller who wanted to know 
> if he could use MS Home Web Server (I think it was) to set up a 
> website.  (If you have to ask, you probably shouldn't be doing it.)  I 
> tried to explain the risks, but he wanted to learn from experience, so I 
> told him that he could.  I can't help but wondering how many times he 
> got pwnd before he learned his lesson.

I remember trying that out on Win98SE, just within a LAN.  Gawd, it was
a pain.  And I'm sure it was full of buffer overflows, like all
Microsoft products.

The trouble with the "give them enough rope" approach is that they
don't just shoot themselves in the foot, their compromised computer
spews garbage that makes everyone else's life a pain (spreading spam
and viruses).  But Windows users are so used to their computer being a
russian roulette machine that they don't consider it's wrong, and that
they shouldn't be doing something that causes havoc for other people.

-- 
 
NB:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the list.
 
The following system info data is generated fresh for each post:
 
uname -rsvp
Linux 6.2.15-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 16:51:53
UTC 2023 x86_64
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Patrick O'Callaghan]

On Mon, 2024-01-22 at 09:49 -0700, Joe Zeff wrote:
> 
> On 1/22/24 00:30, Tim via users wrote:
> > Then, when it went haywire one day I had to tell telephone support
> > the
> > password to sort things out.  Embarrassing, and quite satisfying at
> > the
> > same time.
> 
> When I was doing tech support, the ID10Ts in IT decided to make our 
> passwords expire after 60 days on services inside the firewall. 

One of my banks still does this. I keep telling them this is outdated
security practice from the 1960's but they don't listen. The upshot is
that they're encouraging people to use weak passwords they can
remember, and then recycle them: password1, password2, password3 etc.

They also won't let me use a password manager on their website, so I
have to copy-paste from a different window or tab.

So many of these rules come from CYA.

poc
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Joe Zeff]

On 1/22/24 04:49, Tim via users wrote:

I'm sure it would have been cheaper to have designed their security
better, in the first place.  They probably spend more on their
advertising budget than IT, so it's not like they can't afford it.



Back around the turn of the Millenium, I had a caller who wanted to know 
if he could use MS Home Web Server (I think it was) to set up a 
website.  (If you have to ask, you probably shouldn't be doing it.)  I 
tried to explain the risks, but he wanted to learn from experience, so I 
told him that he could.  I can't help but wondering how many times he 
got pwnd before he learned his lesson.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Joe Zeff]

On 1/22/24 00:30, Tim via users wrote:

Then, when it went haywire one day I had to tell telephone support the
password to sort things out.  Embarrassing, and quite satisfying at the
same time.


When I was doing tech support, the ID10Ts in IT decided to make our 
passwords expire after 60 days on services inside the firewall.  Sigh!  
Mine were always chosen from my fine collection of "unprintable" terms, 
compiled when I was in Uncle Sam's Navy. My lead was quite amused the 
one time I had to give it to her.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Tim via users]

On Mon, 2024-01-22 at 00:02 -0800, ToddAndMargo via users wrote:
> Add to injury, if they get hacked and they pencil
> whipped, they become responsible for all costs
> involved. Telling them that their grandchildren
> will need lawyers does not phase them.

You would think that "you hate your legal fees now, just imagine the
costs when your stuff-up bites you back" would scare them, but no...  

I think it was the year before last that our second largest telco and
ISP stuffed up and leaked people's ID en masse.  Now they're wearing
the costs for a huge proportion on the population needing to replace
their driver's licenses.

I'm sure it would have been cheaper to have designed their security
better, in the first place.  They probably spend more on their
advertising budget than IT, so it's not like they can't afford it.

-- 
 
uname -rsvp
Linux 3.10.0-1160.105.1.el7.x86_64 #1 SMP Thu Dec 7 15:39:45 UTC 2023 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
 
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/21/24 23:30, Tim via users wrote:

On Sun, 2024-01-21 at 16:39 -0800, ToddAndMargo via users wrote:

I needed a password eight characters long
I picked "Snow White and the Seven Dwarfs".

Okay, that was a "Dad Joke" but it probably is a really
strong password and easy to remember.  I recommend run on
phrases to my customers.  When I make them up for them,
I often use a phrase that flatters their business.
Those they never forget.


I had to pick one for a store credit card when they forced us to do
something on-line with it (after many years of having it without any
on-line services), and went with something along the lines of "this
service really sucks."

Then, when it went haywire one day I had to tell telephone support the
password to sort things out.  Embarrassing, and quite satisfying at the
same time.

Services should really have two passwords, one for you to use online
and another for you to say to technical support to prove it's you.
Technical support SHOULD NEVER identify person by date of birth and
phone number or street address.

We really need some agency we can report services to who have such crap
security that you just know they're going to be hacked and it's going
to compromise you.  Maybe then we'd have far less bulk data thefts if
there actually were consequences for being slack, consequences before
it's too late, and they were forced into doing things better.  It seems
like there's a huge one every month around here.
  



Hi Tim,

I do Payment Card Industry (PCI) consulting.  I only have
three customers that take it seriously.  All they others
I have approached have blown me off.  To quote one of
them "I am not going to pay that much money just to
take credit cards".  I now use cash as much as I can.
I have seen to many violations.  (By the way, I am
not that expensive.)

A few of them come back to get a real firewall (not
just NAT) installed, but most just pencil whip the
questionnaire.  And to add insult to injury, even
when I print out the Revised Statue that requires to
them to be PCI compliant, they do not care.

Add to injury, if they get hacked and they pencil
whipped, they become responsible for all costs
involved. Telling them that their grandchildren
will need lawyers does not phase them.

Oh another password I see a lot is "Microsoft S***s"
without the asterisks.  And when they are required
to set up multi-factor authentication, they change
their cell phone numbers and call me to redo
everything.  So far I am successful with every
thing except Apple ID, which have to be done
at the $$$ Apple Store.

-T


--
~~
When you say, "I wrote a program that
crashed Windows," people just stare at
you blankly and say, "Hey, I got those
with the system, for free."
 -- Linus Torvalds
~~
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Tim via users]

On Sun, 2024-01-21 at 16:39 -0800, ToddAndMargo via users wrote:
> I needed a password eight characters long
> I picked "Snow White and the Seven Dwarfs".
> 
> Okay, that was a "Dad Joke" but it probably is a really
> strong password and easy to remember.  I recommend run on
> phrases to my customers.  When I make them up for them,
> I often use a phrase that flatters their business.
> Those they never forget.

I had to pick one for a store credit card when they forced us to do
something on-line with it (after many years of having it without any
on-line services), and went with something along the lines of "this
service really sucks."

Then, when it went haywire one day I had to tell telephone support the
password to sort things out.  Embarrassing, and quite satisfying at the
same time.

Services should really have two passwords, one for you to use online
and another for you to say to technical support to prove it's you. 
Technical support SHOULD NEVER identify person by date of birth and
phone number or street address.

We really need some agency we can report services to who have such crap
security that you just know they're going to be hacked and it's going
to compromise you.  Maybe then we'd have far less bulk data thefts if
there actually were consequences for being slack, consequences before
it's too late, and they were forced into doing things better.  It seems
like there's a huge one every month around here.
 
-- 
 
uname -rsvp
Linux 3.10.0-1160.105.1.el7.x86_64 #1 SMP Thu Dec 7 15:39:45 UTC 2023 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
 
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Joe Zeff]

On 1/21/24 17:39, ToddAndMargo via users wrote:

Okay, that was a "Dad Joke" but it probably is a really
strong password and easy to remember.  I recommend run on
phrases to my customers.  When I make them up for them,
I often use a phrase that flatters their business.
Those they never forget.



Yes.  A well-known SF author and computer columnist I used to know used 
thisisaverylongpassword on his router.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/21/24 06:22, Jeffrey Walton wrote:

On Sun, Jan 21, 2024 at 6:31 AM Tim via users
 wrote:


On Sun, 2024-01-21 at 02:56 -0800, ToddAndMargo via users wrote:

This all goes back to using easy passwords.  And the
same passwords on different sites:

https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication

   "In fact, databases of known breached account information
   reveal the actual passwords in use around the world, and
   we can see that people typically fail to choose sufficiently
   long, complex, and unique passcodes. A study of the most
   common passwords used globally has “123456”, “qwerty”
   (six consecutive keys on a keyboard) and “password” among
   the top 5."


Password construction rules were always a crock of crap.  Must have one
capital, symbol, number, etc just gave a series of clues to crackers.
While making it harder for you to come up with a code you can remember
and type (and just watch dyslexic people try to get these things right,
illiterate people who can't spell, or anybody on a mobile phone touch
screen).  Then have to go through it again and again on forced periodic
changes.


Password complexity requirements are still a load of crap. No one
knows where the crap came from. Searching for the history of
complexity requirements seems to point to Microsoft NT 3.5. And we
know complex passwords result in weaker passwords from Security
Usability studies.


I thought so.



Another load of crap is password rotation policies. You never throw
away a good secret unless there's evidence of misuse or breach. And
forcing users to gratuitously change their password results in users
choosing weaker and weaker passwords over time as they are constantly
grinded on to change good passwords. We know this from Security
Usability studies.


I can personally attest to this from my travels as
a computer consultant


Anyone designing an authentication system would be well served to read
Peter Gutmann's Engineering Security,
. Chapter 7
covers Passwords.

Jeff



I needed a password eight characters long
I picked "Snow White and the Seven Dwarfs".

Okay, that was a "Dad Joke" but it probably is a really
strong password and easy to remember.  I recommend run on
phrases to my customers.  When I make them up for them,
I often use a phrase that flatters their business.
Those they never forget.
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Jeffrey Walton]

On Sun, Jan 21, 2024 at 6:31 AM Tim via users
 wrote:
>
> On Sun, 2024-01-21 at 02:56 -0800, ToddAndMargo via users wrote:
> > This all goes back to using easy passwords.  And the
> > same passwords on different sites:
> >
> > https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication
> >
> >   "In fact, databases of known breached account information
> >   reveal the actual passwords in use around the world, and
> >   we can see that people typically fail to choose sufficiently
> >   long, complex, and unique passcodes. A study of the most
> >   common passwords used globally has “123456”, “qwerty”
> >   (six consecutive keys on a keyboard) and “password” among
> >   the top 5."
>
> Password construction rules were always a crock of crap.  Must have one
> capital, symbol, number, etc just gave a series of clues to crackers.
> While making it harder for you to come up with a code you can remember
> and type (and just watch dyslexic people try to get these things right,
> illiterate people who can't spell, or anybody on a mobile phone touch
> screen).  Then have to go through it again and again on forced periodic
> changes.

Password complexity requirements are still a load of crap. No one
knows where the crap came from. Searching for the history of
complexity requirements seems to point to Microsoft NT 3.5. And we
know complex passwords result in weaker passwords from Security
Usability studies.

Another load of crap is password rotation policies. You never throw
away a good secret unless there's evidence of misuse or breach. And
forcing users to gratuitously change their password results in users
choosing weaker and weaker passwords over time as they are constantly
grinded on to change good passwords. We know this from Security
Usability studies.

Anyone designing an authentication system would be well served to read
Peter Gutmann's Engineering Security,
. Chapter 7
covers Passwords.

Jeff
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Tim via users]

ToddAndMargo via users wrote:
>> Multi-Factor Authentication is a technique to try to get around
>> the users response to the obnoxious nature of passwords.
>> Whether or not it improves things or just manages to
>> further annoy the poop out of the users is up for debate.

& this:
> Certain people should not drink; certain people should
> not drive; and I wonder sometimes if certain users
> should consider that they really should not be using
> computers, and considering the poor nature of the security,
> starting with Windows users.

I'm inclined to feel it's just another level of useless annoyance.  I
don't see it stopping fishing when people just respond to hackers as if
they were a legit company, following all the instructions from the
hacker to compromise themselves.

I've also said for a long time that computing is not many people's
forte, they don't have the aptitude for it, and they shouldn't be
forced into it.  Don't make seniors have to keep their pension,
banking, medical data, etc, organised on-line.

I was always surprised when people who could barely read would ask me
to fix their computer for them, which they were doing a lot of reading-
related activities on.  Don't know why they wanted to do something they
clearly hated.

-- 
 
NB:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the list.
 
The following system info data is generated fresh for each post:
 
uname -rsvp
Linux 6.2.15-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 16:51:53
UTC 2023 x86_64
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Tim via users]

On Sun, 2024-01-21 at 02:56 -0800, ToddAndMargo via users wrote:
> This all goes back to using easy passwords.  And the
> same passwords on different sites:
> 
> https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication
> 
>   "In fact, databases of known breached account information
>   reveal the actual passwords in use around the world, and
>   we can see that people typically fail to choose sufficiently
>   long, complex, and unique passcodes. A study of the most
>   common passwords used globally has “123456”, “qwerty”
>   (six consecutive keys on a keyboard) and “password” among
>   the top 5."

Password construction rules were always a crock of crap.  Must have one
capital, symbol, number, etc just gave a series of clues to crackers. 
While making it harder for you to come up with a code you can remember
and type (and just watch dyslexic people try to get these things right,
illiterate people who can't spell, or anybody on a mobile phone touch
screen).  Then have to go through it again and again on forced periodic
changes.

I favour passphrases of several words.  And I think rule enforcement
ought to be along the lines of auto-reject "qwerty"-like passwords and
other forbidden words.


You have no clue if my password is 898d4 or sixgorillaswillnotletmego,
not at any stage of the game.  You don't get any "you've guessed half
of it right," like in the movies.  You just get pass or fail, and
multiple fails ought to trigger defensive methods.  Any service that
lets someone hammer away at it is manifestly incompetent.

 
-- 
 
NB:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the list.
 
The following system info data is generated fresh for each post:
 
uname -rsvp
Linux 6.2.15-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 16:51:53
UTC 2023 x86_64
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/21/24 02:56, ToddAndMargo via users wrote:

Multi-Factor Authentication is a technique to try to get around
the users response to the obnoxious nature of passwords.
Whether or not it improves things or just manages to
further annoy the poop out of the users is up for debate.


Certain people should not drink; certain people should
not drive; and I wonder sometimes if certain users
should consider that they really should not be using
computers, and considering the poor nature of the security,
starting with Windows users.
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/20/24 22:52, Tim via users wrote:

On Sat, 2024-01-20 at 17:54 -0800, ToddAndMargo via users wrote:

c) Something you are, such as a biometric. This method
involves verification of characteristics inherent to the
individual, such as via retina scans, iris scans, fingerprint
scans, finger vein scans, facial recognition, voice
recognition, hand geometry, and even earlobe geometry


The problem with biometrics, is that if you're identified by data about
you, that data is stolen, and someone can provide it on demand without
your presence, you can't change your authentication data.  If someone
can fake your biodata, they can do it forever.

Fingerprints lifted from the glossy surface of your phone, a
compromised service that held your data, a fraudulent service that gets
you to log into them...



Yikes!  The bad guys can just use a "keystroke" logger
stye malware to intercept your biometric data and then
they can repeat it at will.

This all goes back to using easy passwords.  And the
same passwords on different sites:

https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication

 "In fact, databases of known breached account information
 reveal the actual passwords in use around the world, and
 we can see that people typically fail to choose sufficiently
 long, complex, and unique passcodes. A study of the most
 common passwords used globally has “123456”, “qwerty”
 (six consecutive keys on a keyboard) and “password” among
 the top 5."

Add to that the foolish security sites that ask you to constantly
change your password all the time.  If the bad buys have not
figured out how to crack your password the first time, lets
give them another change every two weeks!  I have seen customers
with passwords on sticky notes on the bottom of the monitors:
abc!, abc!!, abc!!!, abc, etc. to revolve through their
passwords.  The revolving passwords silliness has been proven
time and again to lessen security.

Multi-Factor Authentication is a technique to try to get around
the users response to the obnoxious nature of passwords.
Whether or not it improves things or just manages to
further annoy the poop out of the users is up for debate.



--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Tim via users]

On Sat, 2024-01-20 at 17:54 -0800, ToddAndMargo via users wrote:
> c) Something you are, such as a biometric. This method
> involves verification of characteristics inherent to the
> individual, such as via retina scans, iris scans, fingerprint
> scans, finger vein scans, facial recognition, voice
> recognition, hand geometry, and even earlobe geometry

The problem with biometrics, is that if you're identified by data about
you, that data is stolen, and someone can provide it on demand without
your presence, you can't change your authentication data.  If someone
can fake your biodata, they can do it forever.

Fingerprints lifted from the glossy surface of your phone, a
compromised service that held your data, a fraudulent service that gets
you to log into them...

-- 
 
uname -rsvp
Linux 3.10.0-1160.105.1.el7.x86_64 #1 SMP Thu Dec 7 15:39:45 UTC 2023 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
 
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Tim via users]

On Sat, 2024-01-20 at 22:08 +0100, Walter H. via users wrote:
> not really, because, the knowledge of user and password is somewhere else;

There are a lot of people who'll have an unsecured phone, because it's
a pain to them.

> so neither the person who stole your phone (the 2FA device) nor you are 
> able to login;
> 
> you should not use the phone as all in one:
> - the login device,
> - the 2FA device and also
> - the password manager device

A lot of people will.  It's the point of contact, it's the stupid
SMS they receive on the same device to confirm its them, it may be a
rolling code generator.

I get the impression it's a major reason phones are stolen - identity
theft rather than the value of the phone, itself.  That, and maybe
hoping for nudes.

-- 
 
uname -rsvp
Linux 3.10.0-1160.105.1.el7.x86_64 #1 SMP Thu Dec 7 15:39:45 UTC 2023 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
 
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/20/24 13:08, Walter H. via users wrote:

On 20.01.2024 20:39, Tim via users wrote:

On Sat, 2024-01-20 at 20:00 +0100, Walter H. via users wrote:

buy an iPhone ...

exact this what you want is the other way of it sense;

2FA = 2 Factor Authentication

example you login on a site, there you have the knowledge of

user and password

and then the 2nd factor, which is a OTP

when you really do this with your fedora, then there is NO 2nd factor,
because when your fedora gets compromised, the 2FA gets compromised, too

That's one of my gripes about two-factor authentication - it
(typically) uses your phone.  Steal someone's phone, and it's
everything they need to pretend to be you.


not really, because, the knowledge of user and password is somewhere else;

so neither the person who stole your phone (the 2FA device) nor you are 
able to login;


you should not use the phone as all in one:
- the login device,
- the 2FA device and also
- the password manager device


https://docs-prv.pcisecuritystandards.org/Guidance%20Document/Authentication/Multi-Factor-Authentication-Guidance-v1.pdf

You have to pick two of the three below.

a) Something you know, such as a password or passphrase. This
method involves verification of information that a user
provides, such as a password/passphrase, PIN, or the answers
to secret questions (challenge-response).

b) Something you have, such as a token device or smartcard. This
method involves verification of a specific item a user has in
their possession, such as a physical or logical security
token, a one-time password (OTP) token, a key fob, an
employee access card, or a phone’s SIM card. For mobile
authentication, a smartphone often provides the possession
factor in conjunction with an OTP app or a cryptographic
material (i.e., certificate or a key) residing on the device.

c) Something you are, such as a biometric. This method
involves verification of characteristics inherent to the
individual, such as via retina scans, iris scans, fingerprint
scans, finger vein scans, facial recognition, voice
recognition, hand geometry, and even earlobe geometry

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Walter H. via users]

On 20.01.2024 20:52, Chris Adams wrote:

Once upon a time, Tim  said:

That's one of my gripes about two-factor authentication - it
(typically) uses your phone.  Steal someone's phone, and it's
everything they need to pretend to be you.

That's going to be true of any second-factor device.  In theory, MFA is
"something you know plus something you have", but we use too many
passwords to "know" them all, so we use password managers.
password managers/safes are ok as long as they are independent from the 
device used for login ...

Then the
"know" is just one password manager master password... but the "have" is
often stored in the same password manager (because where else are you
going to store it?).
a tip: don't store the whole password; e.g. use the stored passwords 
plus something short only in your head;
it might be the same to all used passwords; 3 or 4 signs are enough, 
e.g. '#A7x'

I know, if doing like this, the password manager isn't simple any more; but
as always said: simplicity and security don't go together;




smime.p7s
Description: S/MIME Cryptographic Signature
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Walter H. via users]

On 20.01.2024 20:39, Tim via users wrote:

On Sat, 2024-01-20 at 20:00 +0100, Walter H. via users wrote:

buy an iPhone ...

exact this what you want is the other way of it sense;

2FA = 2 Factor Authentication

example you login on a site, there you have the knowledge of

user and password

and then the 2nd factor, which is a OTP

when you really do this with your fedora, then there is NO 2nd factor,
because when your fedora gets compromised, the 2FA gets compromised, too

That's one of my gripes about two-factor authentication - it
(typically) uses your phone.  Steal someone's phone, and it's
everything they need to pretend to be you.
  


not really, because, the knowledge of user and password is somewhere else;

so neither the person who stole your phone (the 2FA device) nor you are 
able to login;


you should not use the phone as all in one:
- the login device,
- the 2FA device and also
- the password manager device




smime.p7s
Description: S/MIME Cryptographic Signature
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Chris Adams]

Once upon a time, Tim  said:
> That's one of my gripes about two-factor authentication - it
> (typically) uses your phone.  Steal someone's phone, and it's
> everything they need to pretend to be you.

That's going to be true of any second-factor device.  In theory, MFA is
"something you know plus something you have", but we use too many
passwords to "know" them all, so we use password managers.  Then the
"know" is just one password manager master password... but the "have" is
often stored in the same password manager (because where else are you
going to store it?).

It still helps, because while people may re-use passwords (so one breach
can lead to access at other sites), the 2FA codes are unique per site
(so breaching one site won't lead to other sites).  The password/MFA
code master password (and encryption) is the single point of security
then, but that's still usually harder to breach.  Most devices have
"good enough" security, so someone getting your device doesn't help them
unless they get it in an unlocked state (and even then, gets ONE person
breached, not a million).  But at that point, you're also down to the
wrench attack.

https://xkcd.com/538/

tl;dr: login security is hard
-- 
Chris Adams 
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Tim via users]

On Sat, 2024-01-20 at 20:00 +0100, Walter H. via users wrote:
> buy an iPhone ...
> 
> exact this what you want is the other way of it sense;
> 
> 2FA = 2 Factor Authentication
> 
> example you login on a site, there you have the knowledge of
> 
> user and password
> 
> and then the 2nd factor, which is a OTP
> 
> when you really do this with your fedora, then there is NO 2nd factor,
> because when your fedora gets compromised, the 2FA gets compromised, too

That's one of my gripes about two-factor authentication - it
(typically) uses your phone.  Steal someone's phone, and it's
everything they need to pretend to be you.
 
-- 
 
uname -rsvp
Linux 3.10.0-1160.105.1.el7.x86_64 #1 SMP Thu Dec 7 15:39:45 UTC 2023 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
 
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Walter H. via users]

On 17.01.2024 01:54, ToddAndMargo via users wrote:

On 1/16/24 15:44, Samuel Sieb wrote:

On 1/16/24 15:42, Samuel Sieb wrote:

On 1/16/24 14:58, ToddAndMargo via users wrote:

On 1/16/24 14:29, Barry wrote:



On 16 Jan 2024, at 20:43, ToddAndMargo via users 
 wrote:


"keysmith" looks like it is "creating" the things, not
reading them.  Am I missing something?


You mean creating the 6 digit codes? Isn’t that the point?

Barry


The opposite!

I want to decode the Roshack splotch (OTP) when it is
presented to me, so I can enter the number into the
multifactor authentication challenge.


You are misunderstanding how this works.  That QR code contains a 
secret value that lets the OTP application generate the 6 digit 
codes as needed.  There is no actual code in the QR code.


To clarify further, you only need the QR code *once*.  After that, 
you use the application to give you the code you need when asked for.



This what I am after.  A program presents a QC splotch.  A
user scans it with their Android phone and reads it into
FreeOTP.  FreeOTP coughs out a six digit code, which
I enter.

I want to do this without the Android. 


buy an iPhone ...

exact this what you want is the other way of it sense;

2FA = 2 Factor Authentication

example you login on a site, there you have the knowledge of

user and password

and then the 2nd factor, which is a OTP

when you really do this with your fedora, then there is NO 2nd factor,
because when your fedora gets compromised, the 2FA gets compromised, too





smime.p7s
Description: S/MIME Cryptographic Signature
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

I got a bit funny with sed

$ zbarimg /home/temp/Screenshot_2024-01-04_16-08-43.png | sed -e 
's/.*?secret=//' -e 's/&.*//'

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 23:38, Samuel Sieb wrote:

On 1/16/24 23:06, ToddAndMargo via users wrote:

On 1/16/24 22:48, Samuel Sieb wrote:

On 1/16/24 21:38, ToddAndMargo via users wrote:

On 1/16/24 20:36, Samuel Sieb wrote:

I gave you detailed instructions on this in an earlier email.
But you only need to do this once. Once it's setup, you don't use 
the QR code again.  The program will keep giving you those codes 
when you need them.


I think it never got here or it went over my head.

:'(

Would you repeat it?


https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/AYN3AV7SLA755TM6WREY7CKBTZPZVH23/

Copied with a slight edit:

On 1/16/24 01:18, ToddAndMargo via users wrote:
 > Fedora 39
 >
 > I do not have a stinkin' smart phone.
 >
 > I scanned a QR code to drive and read it with zbarimg.
 > (it is a security code so I doctored the result up a lot).
 >
 > zbarimg Screenshot_2024-01-04_16-08-43.png
 >
 > 
QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com


The "abcd" part should be "totp", meaning it's a time-based code.
If there aren't any other parameters, it should be the usual 6-digits 
with 30 second change interval.


 > On a stinking smart phone, it brings back a six digit code.
 > How do I duplicate this in Fedora?

You need a program that can handle OTP codes.  There are at least two 
in the Fedora repo: "keysmith" and "numberstation".  I think they 
only need the "ABCDEFGHIJKLMNON" part after "secret=".


numberstation wanted to setup the kde keyring, but keysmith seemed 
like it would work right away.



I did see that.  I installed both.  Could not figure out how to
load the qr code into the to get the number back.  They both
looked like they generated the QR code, not extracted it.
I may be wrong though.


You're still misunderstanding.  You are not extracting the *number*.

Here's a real example otpauth url that you would get from the QR code:
otpauth://totp/ACME%20Co:j...@example.com?secret=AUSJD7LZ5H27TAC7NW2IJMATDMVDUPUG&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30

I can run keysmith, so I'll give you the very specific instructions for 
that.  I assume you've already setup the access password for the program.


Click the add button.
Fill in the account name and issuer as you want.  It's just for your 
reference.

The account type is time-based.
The secret key is the part between "?secret=" and the following "&".  In 
my example, this would be "AUSJD7LZ5H27TAC7NW2IJMATDMVDUPUG".
You can click on the details button if you want, but don't change 
anything in there.
Click the add button and you will go back to the main screen and your 
entry will have a 6-digit number beside and a timer bar showing when it 
will change again.


When the website asks you for the 2FA value, you can click on the number 
which will copy it to the clipboard and then you can paste it on the 
website.  Or type it out if you want.


This is exactly what the OTP app on the phone will do as well.


Perfect!  Thank you!

Sorry for being so thick headed on this.  I finally sunk in.
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 23:38, Samuel Sieb wrote:

On 1/16/24 23:06, ToddAndMargo via users wrote:

On 1/16/24 22:48, Samuel Sieb wrote:

On 1/16/24 21:38, ToddAndMargo via users wrote:

On 1/16/24 20:36, Samuel Sieb wrote:

I gave you detailed instructions on this in an earlier email.
But you only need to do this once. Once it's setup, you don't use 
the QR code again.  The program will keep giving you those codes 
when you need them.


I think it never got here or it went over my head.

:'(

Would you repeat it?


https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/AYN3AV7SLA755TM6WREY7CKBTZPZVH23/

Copied with a slight edit:

On 1/16/24 01:18, ToddAndMargo via users wrote:
 > Fedora 39
 >
 > I do not have a stinkin' smart phone.
 >
 > I scanned a QR code to drive and read it with zbarimg.
 > (it is a security code so I doctored the result up a lot).
 >
 > zbarimg Screenshot_2024-01-04_16-08-43.png
 >
 > 
QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com


The "abcd" part should be "totp", meaning it's a time-based code.
If there aren't any other parameters, it should be the usual 6-digits 
with 30 second change interval.


 > On a stinking smart phone, it brings back a six digit code.
 > How do I duplicate this in Fedora?

You need a program that can handle OTP codes.  There are at least two 
in the Fedora repo: "keysmith" and "numberstation".  I think they 
only need the "ABCDEFGHIJKLMNON" part after "secret=".


numberstation wanted to setup the kde keyring, but keysmith seemed 
like it would work right away.



I did see that.  I installed both.  Could not figure out how to
load the qr code into the to get the number back.  They both
looked like they generated the QR code, not extracted it.
I may be wrong though.


You're still misunderstanding.  You are not extracting the *number*.

Here's a real example otpauth url that you would get from the QR code:
otpauth://totp/ACME%20Co:j...@example.com?secret=AUSJD7LZ5H27TAC7NW2IJMATDMVDUPUG&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30

I can run keysmith, so I'll give you the very specific instructions for 
that.  I assume you've already setup the access password for the program.


Click the add button.
Fill in the account name and issuer as you want.  It's just for your 
reference.

The account type is time-based.
The secret key is the part between "?secret=" and the following "&".  In 
my example, this would be "AUSJD7LZ5H27TAC7NW2IJMATDMVDUPUG".
You can click on the details button if you want, but don't change 
anything in there.
Click the add button and you will go back to the main screen and your 
entry will have a 6-digit number beside and a timer bar showing when it 
will change again.


When the website asks you for the 2FA value, you can click on the number 
which will copy it to the clipboard and then you can paste it on the 
website.  Or type it out if you want.


This is exactly what the OTP app on the phone will do as well.


Thank you!
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Samuel Sieb]

On 1/16/24 23:06, ToddAndMargo via users wrote:

On 1/16/24 22:48, Samuel Sieb wrote:

On 1/16/24 21:38, ToddAndMargo via users wrote:

On 1/16/24 20:36, Samuel Sieb wrote:

I gave you detailed instructions on this in an earlier email.
But you only need to do this once. Once it's setup, you don't use 
the QR code again.  The program will keep giving you those codes 
when you need them.


I think it never got here or it went over my head.

:'(

Would you repeat it?


https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/AYN3AV7SLA755TM6WREY7CKBTZPZVH23/

Copied with a slight edit:

On 1/16/24 01:18, ToddAndMargo via users wrote:
 > Fedora 39
 >
 > I do not have a stinkin' smart phone.
 >
 > I scanned a QR code to drive and read it with zbarimg.
 > (it is a security code so I doctored the result up a lot).
 >
 > zbarimg Screenshot_2024-01-04_16-08-43.png
 >
 > 
QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com


The "abcd" part should be "totp", meaning it's a time-based code.
If there aren't any other parameters, it should be the usual 6-digits 
with 30 second change interval.


 > On a stinking smart phone, it brings back a six digit code.
 > How do I duplicate this in Fedora?

You need a program that can handle OTP codes.  There are at least two 
in the Fedora repo: "keysmith" and "numberstation".  I think they only 
need the "ABCDEFGHIJKLMNON" part after "secret=".


numberstation wanted to setup the kde keyring, but keysmith seemed 
like it would work right away.



I did see that.  I installed both.  Could not figure out how to
load the qr code into the to get the number back.  They both
looked like they generated the QR code, not extracted it.
I may be wrong though.


You're still misunderstanding.  You are not extracting the *number*.

Here's a real example otpauth url that you would get from the QR code:
otpauth://totp/ACME%20Co:j...@example.com?secret=AUSJD7LZ5H27TAC7NW2IJMATDMVDUPUG&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30

I can run keysmith, so I'll give you the very specific instructions for 
that.  I assume you've already setup the access password for the program.


Click the add button.
Fill in the account name and issuer as you want.  It's just for your 
reference.

The account type is time-based.
The secret key is the part between "?secret=" and the following "&".  In 
my example, this would be "AUSJD7LZ5H27TAC7NW2IJMATDMVDUPUG".
You can click on the details button if you want, but don't change 
anything in there.
Click the add button and you will go back to the main screen and your 
entry will have a 6-digit number beside and a timer bar showing when it 
will change again.


When the website asks you for the 2FA value, you can click on the number 
which will copy it to the clipboard and then you can paste it on the 
website.  Or type it out if you want.


This is exactly what the OTP app on the phone will do as well.
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 22:48, Samuel Sieb wrote:

On 1/16/24 21:38, ToddAndMargo via users wrote:

On 1/16/24 20:36, Samuel Sieb wrote:

I gave you detailed instructions on this in an earlier email.
But you only need to do this once. Once it's setup, you don't use the 
QR code again.  The program will keep giving you those codes when you 
need them.


I think it never got here or it went over my head.

:'(

Would you repeat it?


https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/AYN3AV7SLA755TM6WREY7CKBTZPZVH23/

Copied with a slight edit:

On 1/16/24 01:18, ToddAndMargo via users wrote:
 > Fedora 39
 >
 > I do not have a stinkin' smart phone.
 >
 > I scanned a QR code to drive and read it with zbarimg.
 > (it is a security code so I doctored the result up a lot).
 >
 > zbarimg Screenshot_2024-01-04_16-08-43.png
 >
 > 
QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com


The "abcd" part should be "totp", meaning it's a time-based code.
If there aren't any other parameters, it should be the usual 6-digits 
with 30 second change interval.


 > On a stinking smart phone, it brings back a six digit code.
 > How do I duplicate this in Fedora?

You need a program that can handle OTP codes.  There are at least two in 
the Fedora repo: "keysmith" and "numberstation".  I think they only need 
the "ABCDEFGHIJKLMNON" part after "secret=".


numberstation wanted to setup the kde keyring, but keysmith seemed like 
it would work right away.



I did see that.  I installed both.  Could not figure out how to
load the qr code into the to get the number back.  They both
looked like they generated the QR code, not extracted it.
I may be wrong though.
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Samuel Sieb]

On 1/16/24 21:38, ToddAndMargo via users wrote:

On 1/16/24 20:36, Samuel Sieb wrote:

I gave you detailed instructions on this in an earlier email.
But you only need to do this once. Once it's setup, you don't use the 
QR code again.  The program will keep giving you those codes when you 
need them.


I think it never got here or it went over my head.

:'(

Would you repeat it?


https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/AYN3AV7SLA755TM6WREY7CKBTZPZVH23/

Copied with a slight edit:

On 1/16/24 01:18, ToddAndMargo via users wrote:
> Fedora 39
>
> I do not have a stinkin' smart phone.
>
> I scanned a QR code to drive and read it with zbarimg.
> (it is a security code so I doctored the result up a lot).
>
> zbarimg Screenshot_2024-01-04_16-08-43.png
>
> 
QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com


The "abcd" part should be "totp", meaning it's a time-based code.
If there aren't any other parameters, it should be the usual 6-digits 
with 30 second change interval.


> On a stinking smart phone, it brings back a six digit code.
> How do I duplicate this in Fedora?

You need a program that can handle OTP codes.  There are at least two in 
the Fedora repo: "keysmith" and "numberstation".  I think they only need 
the "ABCDEFGHIJKLMNON" part after "secret=".


numberstation wanted to setup the kde keyring, but keysmith seemed like 
it would work right away.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 20:36, Samuel Sieb wrote:

On 1/16/24 16:54, ToddAndMargo via users wrote:

On 1/16/24 15:44, Samuel Sieb wrote:

On 1/16/24 15:42, Samuel Sieb wrote:

On 1/16/24 14:58, ToddAndMargo via users wrote:

On 1/16/24 14:29, Barry wrote:



On 16 Jan 2024, at 20:43, ToddAndMargo via users 
 wrote:


"keysmith" looks like it is "creating" the things, not
reading them.  Am I missing something?


You mean creating the 6 digit codes? Isn’t that the point?

Barry


The opposite!

I want to decode the Roshack splotch (OTP) when it is
presented to me, so I can enter the number into the
multifactor authentication challenge.


You are misunderstanding how this works.  That QR code contains a 
secret value that lets the OTP application generate the 6 digit 
codes as needed.  There is no actual code in the QR code.


To clarify further, you only need the QR code *once*.  After that, 
you use the application to give you the code you need when asked for.



This what I am after.  A program presents a QC splotch.  A
user scans it with their Android phone and reads it into
FreeOTP.  FreeOTP coughs out a six digit code, which
I enter.

I want to do this without the Android.


I gave you detailed instructions on this in an earlier email.
But you only need to do this once. Once it's setup, you don't use the QR 
code again.  The program will keep giving you those codes when you need 
them.


I think it never got here or it went over my head.

:'(

Would you repeat it?
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Samuel Sieb]

On 1/16/24 20:36, ToddAndMargo via users wrote:

Found this:

ykocli is a front-end command line utility (actually, a bash script)
that places ykman obtained TOTP tokens into the CopyQ clipboard.


That is a program for working with the Yubikey hardware tokens.
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 01:18, ToddAndMargo via users wrote:

Hi All,

Fedora 39

I do not have a stinkin' smart phone.

I scanned a QR code to drive and read it with zbarimg.
(it is a security code so I doctored the result up a lot).

zbarimg Screenshot_2024-01-04_16-08-43.png

QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com
scanned 1 barcode symbols from 1 images in 0.02 seconds

On a stinking smart phone, it brings back a six digit code.
How do I duplicate this in Fedora?

Many thanks,
-T

Is there a way to run Android apps on Fedora?
--


Found this:

ykocli is a front-end command line utility (actually, a bash script)
that places ykman obtained TOTP tokens into the CopyQ clipboard.

1) does it extract or create?

2) what is a CopyQ clipboard?

Many thanks,
-T

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Samuel Sieb]

On 1/16/24 16:54, ToddAndMargo via users wrote:

On 1/16/24 15:44, Samuel Sieb wrote:

On 1/16/24 15:42, Samuel Sieb wrote:

On 1/16/24 14:58, ToddAndMargo via users wrote:

On 1/16/24 14:29, Barry wrote:



On 16 Jan 2024, at 20:43, ToddAndMargo via users 
 wrote:


"keysmith" looks like it is "creating" the things, not
reading them.  Am I missing something?


You mean creating the 6 digit codes? Isn’t that the point?

Barry


The opposite!

I want to decode the Roshack splotch (OTP) when it is
presented to me, so I can enter the number into the
multifactor authentication challenge.


You are misunderstanding how this works.  That QR code contains a 
secret value that lets the OTP application generate the 6 digit codes 
as needed.  There is no actual code in the QR code.


To clarify further, you only need the QR code *once*.  After that, you 
use the application to give you the code you need when asked for.



This what I am after.  A program presents a QC splotch.  A
user scans it with their Android phone and reads it into
FreeOTP.  FreeOTP coughs out a six digit code, which
I enter.

I want to do this without the Android.


I gave you detailed instructions on this in an earlier email.
But you only need to do this once. Once it's setup, you don't use the QR 
code again.  The program will keep giving you those codes when you need 
them.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 01:18, ToddAndMargo via users wrote:

Hi All,

Fedora 39

I do not have a stinkin' smart phone.

I scanned a QR code to drive and read it with zbarimg.
(it is a security code so I doctored the result up a lot).

zbarimg Screenshot_2024-01-04_16-08-43.png

QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com
scanned 1 barcode symbols from 1 images in 0.02 seconds

On a stinking smart phone, it brings back a six digit code.
How do I duplicate this in Fedora?

Many thanks,
-T

Is there a way to run Android apps on Fedora?



I do not suppose there is away to do this with a
bash script (get the number out of the QR image)?
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 17:55, Todd Zullinger wrote:

ToddAndMargo via users wrote:

On 1/16/24 15:44, Samuel Sieb wrote:

On 1/16/24 15:42, Samuel Sieb wrote:

You are misunderstanding how this works.  That QR code contains a
secret value that lets the OTP application generate the 6 digit
codes as needed.  There is no actual code in the QR code.


To clarify further, you only need the QR code *once*.  After that, you
use the application to give you the code you need when asked for.


This what I am after.  A program presents a QC splotch.  A
user scans it with their Android phone and reads it into
FreeOTP.  FreeOTP coughs out a six digit code, which
I enter.


There are a number of apps which support multi-factor
authentication for Fedora.  Just three of which I am aware
of in the main repository are:

 google-authenticator
 keepassxc
 secrets

There may be others.  You should search for MFA, 2FA,
multi-factor authentication and such.

https://gitlab.gnome.org/World/Authenticator is available as
a flatpak.

There's also https://authenticator.cc/ which is a browser
extension.  (Though IMO, doing MFA in an extension seems to
be defeating the purpose of MFA.  Or at least it brings in
more risk than I could justify.)

I don't use any of these apps.  I like my MFA app being on a
separate device like an Android phone.  Or, even better, I
avoid TOTP MFA entirely and use FIDO2 via a YubiKey.


I can't figure out how to import a qc splotch into
either keepassxc or secrets.  And I do not trust Google
as far as I can ...
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Todd Zullinger]

ToddAndMargo via users wrote:
> On 1/16/24 15:44, Samuel Sieb wrote:
>> On 1/16/24 15:42, Samuel Sieb wrote:
>>> You are misunderstanding how this works.  That QR code contains a
>>> secret value that lets the OTP application generate the 6 digit
>>> codes as needed.  There is no actual code in the QR code.
>> 
>> To clarify further, you only need the QR code *once*.  After that, you
>> use the application to give you the code you need when asked for.
> 
> This what I am after.  A program presents a QC splotch.  A
> user scans it with their Android phone and reads it into
> FreeOTP.  FreeOTP coughs out a six digit code, which
> I enter.

There are a number of apps which support multi-factor
authentication for Fedora.  Just three of which I am aware
of in the main repository are:

google-authenticator
keepassxc
secrets

There may be others.  You should search for MFA, 2FA,
multi-factor authentication and such.

https://gitlab.gnome.org/World/Authenticator is available as
a flatpak.

There's also https://authenticator.cc/ which is a browser
extension.  (Though IMO, doing MFA in an extension seems to
be defeating the purpose of MFA.  Or at least it brings in
more risk than I could justify.)

I don't use any of these apps.  I like my MFA app being on a
separate device like an Android phone.  Or, even better, I
avoid TOTP MFA entirely and use FIDO2 via a YubiKey.

-- 
Todd


signature.asc
Description: PGP signature
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 15:44, Samuel Sieb wrote:

On 1/16/24 15:42, Samuel Sieb wrote:

On 1/16/24 14:58, ToddAndMargo via users wrote:

On 1/16/24 14:29, Barry wrote:



On 16 Jan 2024, at 20:43, ToddAndMargo via users 
 wrote:


"keysmith" looks like it is "creating" the things, not
reading them.  Am I missing something?


You mean creating the 6 digit codes? Isn’t that the point?

Barry


The opposite!

I want to decode the Roshack splotch (OTP) when it is
presented to me, so I can enter the number into the
multifactor authentication challenge.


You are misunderstanding how this works.  That QR code contains a 
secret value that lets the OTP application generate the 6 digit codes 
as needed.  There is no actual code in the QR code.


To clarify further, you only need the QR code *once*.  After that, you 
use the application to give you the code you need when asked for.



This what I am after.  A program presents a QC splotch.  A
user scans it with their Android phone and reads it into
FreeOTP.  FreeOTP coughs out a six digit code, which
I enter.

I want to do this without the Android.
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Samuel Sieb]

On 1/16/24 15:42, Samuel Sieb wrote:

On 1/16/24 14:58, ToddAndMargo via users wrote:

On 1/16/24 14:29, Barry wrote:



On 16 Jan 2024, at 20:43, ToddAndMargo via users 
 wrote:


"keysmith" looks like it is "creating" the things, not
reading them.  Am I missing something?


You mean creating the 6 digit codes? Isn’t that the point?

Barry


The opposite!

I want to decode the Roshack splotch (OTP) when it is
presented to me, so I can enter the number into the
multifactor authentication challenge.


You are misunderstanding how this works.  That QR code contains a secret 
value that lets the OTP application generate the 6 digit codes as 
needed.  There is no actual code in the QR code.


To clarify further, you only need the QR code *once*.  After that, you 
use the application to give you the code you need when asked for.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Samuel Sieb]

On 1/16/24 14:58, ToddAndMargo via users wrote:

On 1/16/24 14:29, Barry wrote:



On 16 Jan 2024, at 20:43, ToddAndMargo via users 
 wrote:


"keysmith" looks like it is "creating" the things, not
reading them.  Am I missing something?


You mean creating the 6 digit codes? Isn’t that the point?

Barry


The opposite!

I want to decode the Roshack splotch (OTP) when it is
presented to me, so I can enter the number into the
multifactor authentication challenge.


You are misunderstanding how this works.  That QR code contains a secret 
value that lets the OTP application generate the 6 digit codes as 
needed.  There is no actual code in the QR code.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 14:29, Barry wrote:




On 16 Jan 2024, at 20:43, ToddAndMargo via users 
 wrote:

"keysmith" looks like it is "creating" the things, not
reading them.  Am I missing something?


You mean creating the 6 digit codes? Isn’t that the point?

Barry


The opposite!

I want to decode the Roshack splotch (OTP) when it is
presented to me, so I can enter the number into the
multifactor authentication challenge.
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Barry]

> On 16 Jan 2024, at 20:43, ToddAndMargo via users 
>  wrote:
> 
> "keysmith" looks like it is "creating" the things, not
> reading them.  Am I missing something?

You mean creating the 6 digit codes? Isn’t that the point?

Barry

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[ToddAndMargo via users]

On 1/16/24 01:46, Samuel Sieb wrote:

On 1/16/24 01:18, ToddAndMargo via users wrote:

Fedora 39

I do not have a stinkin' smart phone.

I scanned a QR code to drive and read it with zbarimg.
(it is a security code so I doctored the result up a lot).

zbarimg Screenshot_2024-01-04_16-08-43.png

QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com


The "abcd" part should be "totp", meaning it's a time-based code.
If there aren't any other parameters, it should be the usual 6-digits 
with 30 second change interval.



On a stinking smart phone, it brings back a six digit code.
How do I duplicate this in Fedora?


You need a program that can handle OTP codes.  There are at least two in 
the Fedora repo: "keysmith" and "numberstation".  I think they only need 
the "secret=" part.


"keysmith" looks like it is "creating" the things, not
reading them.  Am I missing something?
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Barry]

> On 16 Jan 2024, at 10:00, Tim via users  wrote:
> 
> There is a structure to QR codes.

It is just error corrected encoded text.
But to be useful you needs the text to be recognisable.
Hence the use of URLs that you see the app offer.

Barry
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Tim via users]

On Tue, 2024-01-16 at 01:18 -0800, ToddAndMargo via users wrote:
> Fedora 39
> 
> I do not have a stinkin' smart phone.

Me neither, I keep mine nice and clean.  My friend has one that feels
like it's been slid along a public toilet floor.

Pet hate, some service that asks people to scan a QR code from their
website.  Which isn't possible (for most people) if they don't have a
phone, or if they only have a phone (what are they supposed to do, mess
around with mirrors?).

> I scanned a QR code to drive and read it with zbarimg.
> (it is a security code so I doctored the result up a lot).
> 
> zbarimg Screenshot_2024-01-04_16-08-43.png
> 
> QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com
> scanned 1 barcode symbols from 1 images in 0.02 seconds
> 
> On a stinking smart phone, it brings back a six digit code.
> How do I duplicate this in Fedora?
> 

Possibly use curl or wget to retrieve the results from the decoded web
address.  It's probably where the phone gets the code from, rather than
directly out of the QR image.  Or maybe it's some of the digits
embedded in the middle of the URL.

There is a structure to QR codes.  Looking at a generator on my phone,
you get to specify the type of content, then various data elements in
it.  Such as being a personal contact, then name=something,
address=something else, telephone=something or other.  Though a
specialist QR reading app for a particular purpose may do its own
thing.


-- 
 
uname -rsvp
Linux 3.10.0-1160.105.1.el7.x86_64 #1 SMP Thu Dec 7 15:39:45 UTC 2023 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
 
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Jeffrey Walton]

On Tue, Jan 16, 2024 at 4:46 AM Samuel Sieb  wrote:
>
> On 1/16/24 01:18, ToddAndMargo via users wrote:
> > Fedora 39
> >
> > I do not have a stinkin' smart phone.
> >
> > I scanned a QR code to drive and read it with zbarimg.
> > (it is a security code so I doctored the result up a lot).
> >
> > zbarimg Screenshot_2024-01-04_16-08-43.png
> >
> > QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com
>
> The "abcd" part should be "totp", meaning it's a time-based code.
> If there aren't any other parameters, it should be the usual 6-digits
> with 30 second change interval.
>
> > On a stinking smart phone, it brings back a six digit code.
> > How do I duplicate this in Fedora?
>
> You need a program that can handle OTP codes.  There are at least two in
> the Fedora repo: "keysmith" and "numberstation".  I think they only need
> the "secret=" part.

I use Keysmith for GitHub on Fedora 38 and above. I did not need to
scan a QR code because Microsoft will show you the OTP seed, which can
be entered into Keysmith.

Keysmith is a KDE app, so it is easiest to use if you have a KDE spin.
If you are building from source, almost all the dependencies are
already present or available for the machine.

Jeff
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Roberto Ragusa]

On 1/16/24 10:18, ToddAndMargo via users wrote:

Hi All,

Fedora 39

I do not have a stinkin' smart phone.

I scanned a QR code to drive and read it with zbarimg.
(it is a security code so I doctored the result up a lot).

zbarimg Screenshot_2024-01-04_16-08-43.png

QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com
scanned 1 barcode symbols from 1 images in 0.02 seconds

On a stinking smart phone, it brings back a six digit code.
How do I duplicate this in Fedora?




The QR includes a secret used to create OTP values used for authentication.
You need the "oathtool" rpm, the 6 digit generation happens with:

oathtool --totp xxx

You may find examples on the net.

Regards.

--
   Roberto Ragusamail at robertoragusa.it
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Jeffrey Walton]

On Tue, Jan 16, 2024 at 4:19 AM ToddAndMargo via users
 wrote:
>
> Hi All,
>
> Fedora 39
>
> I do not have a stinkin' smart phone.
>
> I scanned a QR code to drive and read it with zbarimg.
> (it is a security code so I doctored the result up a lot).
>
> zbarimg Screenshot_2024-01-04_16-08-43.png
>
> QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com
> scanned 1 barcode symbols from 1 images in 0.02 seconds
>
> On a stinking smart phone, it brings back a six digit code.
> How do I duplicate this in Fedora?

To avoid the noise, search GitHub, GitLab, etc.
.

This one looks useful: .
It is described as "Extract one time password (OTP) secrets from QR
codes exported by two-factor authentication (2FA) apps such as "Google
Authenticator". The exported QR codes from authentication apps can be
captured by camera, read from images, or read from text files. The
secrets can be exported to JSON or CSV, or printed as QR codes to
console."

> Is there a way to run Android apps on Fedora?

I've never tried it, so I can't answer. Someone else will have to comment.

Jeff
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: How do I read result of a QR Code

[Samuel Sieb]

On 1/16/24 01:18, ToddAndMargo via users wrote:

Fedora 39

I do not have a stinkin' smart phone.

I scanned a QR code to drive and read it with zbarimg.
(it is a security code so I doctored the result up a lot).

zbarimg Screenshot_2024-01-04_16-08-43.png

QR-Code:otpauth://abcd/efgh:123445566?secret=ABCDEFGHIJKLMNONP&issuer=abcd.com


The "abcd" part should be "totp", meaning it's a time-based code.
If there aren't any other parameters, it should be the usual 6-digits 
with 30 second change interval.



On a stinking smart phone, it brings back a six digit code.
How do I duplicate this in Fedora?


You need a program that can handle OTP codes.  There are at least two in 
the Fedora repo: "keysmith" and "numberstation".  I think they only need 
the "secret=" part.

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue