Confusing dates


I just downloaded a new version of Rapport. It is an anti-malware 
application suggested by my bank. Today's date is Sept 30. The date on 
the downloaded files is Sept 26. Even though I just downloaded it, the 
only dates showing up in the information panel are no later than the 26. 
That is so even with a search using the Finder's find application.

Is that to be expected from a dmg folder? Should there be no actual 
recording of the actual date those files were first stored in my 
computer? Would that arise because I am saving a disk image as is?


With all the horror stories about malware going around, I am probably 
more paranoid than I ought to be.

-- 

Sam

Conservatives are against Darwinism but for natural selection.
Liberals are for Darwinism but totally against any selection.
0
Reply SalmonEgg (679) 9/30/2011 2:13:41 PM

In article <SalmonEgg-D40D6A.07134130092011@news60.forteinc.com>,
Salmon Egg <SalmonEgg@sbcglobal.net> wrote:

> I just downloaded a new version of Rapport. It is an anti-malware 
> application suggested by my bank.

don't waste your time.
0
Reply nospam59 (9950) 9/30/2011 2:51:08 PM


In article <SalmonEgg-D40D6A.07134130092011@news60.forteinc.com>,
 Salmon Egg <SalmonEgg@sbcglobal.net> wrote:

> I just downloaded a new version of Rapport. It is an anti-malware 
> application suggested by my bank. Today's date is Sept 30. The date on 
> the downloaded files is Sept 26. Even though I just downloaded it, the 
> only dates showing up in the information panel are no later than the 26. 
> That is so even with a search using the Finder's find application.
> 
> Is that to be expected from a dmg folder? Should there be no actual 
> recording of the actual date those files were first stored in my 
> computer? Would that arise because I am saving a disk image as is?
> 
> 
> With all the horror stories about malware going around, I am probably 
> more paranoid than I ought to be.

It's entirely normal that files are downloaded with the date they have 
on the server.  This is actually quite handy as I can see at a glance 
how old a piece of software or a document is.

-- 
Paul Sture
0
Reply paul.nospam (2160) 9/30/2011 4:12:09 PM

On 11-09-30 9:13 AM, Salmon Egg wrote:
> I just downloaded a new version of Rapport.

There's decent anti-malware and there is bad anti-malware. Stay the hell
away from Rapport.

Rapport is a suite of shit that has been put together by Trusteer, a
company that sells bad advice to banks about user logins.

> With all the horror stories about malware going around, I am probably 
> more paranoid than I ought to be.

Being concerned about security is a good thing. But fearful and panicked
people make very bad security choices.

I'm sorry to put you in the position of having to choose between
trusting "some guy on Usenet" vs trusting your bank for security advice.
But that won't stop me from voicing my opinion.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 9/30/2011 4:18:57 PM

In article <9em8fiFh7dU1@mid.individual.net>,
 Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-09-30 9:13 AM, Salmon Egg wrote:
> > I just downloaded a new version of Rapport.
> 
> There's decent anti-malware and there is bad anti-malware. Stay the 
> hell away from Rapport.
> 
> Rapport is a suite of shit that has been put together by Trusteer, a 
> company that sells bad advice to banks about user logins.


There is decent anti-virus software available for Macs; I use ClamXav.  
In 27 years of using Macs I have found exactly 1 virus (nVIR, many years 
ago).  But eventually that will change, as recent events are showing.


> > With all the horror stories about malware going around, I am 
> > probably more paranoid than I ought to be.
> 
> Being concerned about security is a good thing. But fearful and 
> panicked people make very bad security choices.


"Fearful and panicked" seems to describe the entire financial sector.  
Add "lemming-like" and you've got 'em pretty much nailed down.


> I'm sorry to put you in the position of having to choose between 
> trusting "some guy on Usenet" vs trusting your bank for security 
> advice. But that won't stop me from voicing my opinion.


I don't know about Rapport but given the banking industry's dismal track 
record on just about anything in the past decade, I don't take their 
advice about anything.  In fact I no longer use banks at all and use an 
excellent credit union instead.  Great customer service (or more 
accurately, member services since it is a cooperative)

-- 
Ten years ago I walked this street, my dreams were riding tall-
tonight I would be grateful, Lord, for any dream at all.
Some folks would be happy just to have one dream come true
but everything you gather is just more that you will lose.  -R. Hunter
0
Reply timmcn (2323) 9/30/2011 6:25:08 PM

In article <9em8fiFh7dU1@mid.individual.net>,
 Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-09-30 9:13 AM, Salmon Egg wrote:
> > I just downloaded a new version of Rapport.
> 
> There's decent anti-malware and there is bad anti-malware. Stay the hell
> away from Rapport.
> 
> Rapport is a suite of shit that has been put together by Trusteer, a
> company that sells bad advice to banks about user logins.
> 
> > With all the horror stories about malware going around, I am probably 
> > more paranoid than I ought to be.
> 
> Being concerned about security is a good thing. But fearful and panicked
> people make very bad security choices.
> 
> I'm sorry to put you in the position of having to choose between
> trusting "some guy on Usenet" vs trusting your bank for security advice.
> But that won't stop me from voicing my opinion.
> 
> Cheers,
> 
I appreciate your opinion. I do not want to be paranoid, but I am not 
really capable of coping with the flood of stuff that comes along. I 
must rely on others. The question is who. I presume the banks are 
motivated to prevent malware even if they may not be all that good at it.

I learned my software technology using my Apple ][ computer using 
assembler and DOS listings. At the time, although it was not easy, it 
seemed feasible to get down to the very nitty gritty of the computer. 
Now, with increasing age and complication, I cannot even deceive myself 
to believe I will ever be in knowing control again.

-- 

Sam

Conservatives are against Darwinism but for natural selection.
Liberals are for Darwinism but totally against any selection.
0
Reply SalmonEgg (679) 9/30/2011 7:47:30 PM

In article <SalmonEgg-96E461.12473030092011@news60.forteinc.com>,
Salmon Egg <SalmonEgg@sbcglobal.net> wrote:

> > > I just downloaded a new version of Rapport.
> > 
> > There's decent anti-malware and there is bad anti-malware. Stay the hell
> > away from Rapport.
> > 
> > Rapport is a suite of shit that has been put together by Trusteer, a
> > company that sells bad advice to banks about user logins.
> > 
> > > With all the horror stories about malware going around, I am probably 
> > > more paranoid than I ought to be.
> > 
> > Being concerned about security is a good thing. But fearful and panicked
> > people make very bad security choices.
> > 
> > I'm sorry to put you in the position of having to choose between
> > trusting "some guy on Usenet" vs trusting your bank for security advice.
> > But that won't stop me from voicing my opinion.
>
> I appreciate your opinion. I do not want to be paranoid, but I am not 
> really capable of coping with the flood of stuff that comes along. I 
> must rely on others.

flood of what stuff? there is no mac malware, other than a couple of
trojans that require the user to download and install them.

> The question is who. I presume the banks are 
> motivated to prevent malware even if they may not be all that good at it.

and if they're not good at it, why do what they suggest? it will cause
more problems than it solves.
0
Reply nospam59 (9950) 9/30/2011 8:28:35 PM

nospam <nospam@nospam.invalid> wrote:

> In article <SalmonEgg-96E461.12473030092011@news60.forteinc.com>,
> Salmon Egg <SalmonEgg@sbcglobal.net> wrote:

Jeffrey Goldberg wrote:

> > > I'm sorry to put you in the position of having to choose between
> > > trusting "some guy on Usenet" vs trusting your bank for security advice.
> > > But that won't stop me from voicing my opinion.
> >
> > I appreciate your opinion. I do not want to be paranoid, but I am not
> > really capable of coping with the flood of stuff that comes along. I
> > must rely on others.
> 
> flood of what stuff? there is no mac malware, other than a couple of
> trojans that require the user to download and install them.

Yep, and one of the common forms of such Trojans is something that
appears on the surface to be a message from your bank warning you that
you better hurry up and click on a link to avoid security problems.

Panicking and following any directions that appear to come from your bank
is the *CAUSE* of a lot of the problems - not the solution.

(I was regularly disappointed by the so-called IT "professionals" at the
NASA site where I worked. The things that were actually from them so
often looked indistinguishable from scams, complete with email links to
click on. Also often complete with similarly poor grammar and spelling.
I never could manage to get across to them why looking just like the
scams was a bad idea. And yes, I know that my own grammar in casually
written usenet posts is bad, as illustrated right here; I can do grammar
right when I bother; am not bothering. I am also amused by
self-referential writing.)

Oh, and another source of problems is using the same password for your
bank as for various other random sites. Then when those other sites get
hacked and have all their passwords stolen, the hacker has a good
candidate to try for your bank password. Yes, there has been a flood of
that recently.

Neither of these have much directly to do with Macs. That's the kind of
stuff that can (and did) happen without computers being involved at all.
For example, it is much like the old classic of the real con man
intercepting you outside of the bank and getting your help to catch some
alleged con men. It's one of the oldest cons around.

Even though they don't directly have to do with Macs, there is Mac
software that can help. 1Password, for example, makes it easier to
manage having different passwords for all the sites you have logins for.
That in turn helps protect you against one of the above-mentioned
attacks.

-- 
Richard Maine                    | Good judgment comes from experience;
email: last name at domain . net | experience comes from bad judgment.
domain: summertriangle           |  -- Mark Twain
0
Reply nospam47 (9742) 9/30/2011 9:11:42 PM

On 2011-09-30 10:13 , Salmon Egg wrote:
> I just downloaded a new version of Rapport. It is an anti-malware
> application suggested by my bank. Today's date is Sept 30. The date on
> the downloaded files is Sept 26. Even though I just downloaded it, the
> only dates showing up in the information panel are no later than the 26.
> That is so even with a search using the Finder's find application.
>
> Is that to be expected from a dmg folder? Should there be no actual
> recording of the actual date those files were first stored in my
> computer? Would that arise because I am saving a disk image as is?
>
>
> With all the horror stories about malware going around, I am probably
> more paranoid than I ought to be.

On Macs the file date is when that file was created.  On your system 
you can also see when the file was last opened.

Just because your bank suggests anti-malware does not mean you should 
install it.  In fact what they suggest should probably be run from, not 
to.

A quick online check of Rapport suggests that it's buggy going in, 
useless in service and can cause damage when being (inevitably) removed.

Best anti-malware for Macs is you.

-- 
gmail originated posts filtered due to spam.
0
Reply alan.browne (4015) 9/30/2011 10:15:25 PM

On 9/30/11   PDT 3:15 PM, Alan Browne wrote:
> On 2011-09-30 10:13 , Salmon Egg wrote:
>> I just downloaded a new version of Rapport. It is an anti-malware
>> application suggested by my bank. Today's date is Sept 30. The date on
>> the downloaded files is Sept 26. Even though I just downloaded it, the
>> only dates showing up in the information panel are no later than the 26.
>> That is so even with a search using the Finder's find application.
>>
>> Is that to be expected from a dmg folder? Should there be no actual
>> recording of the actual date those files were first stored in my
>> computer? Would that arise because I am saving a disk image as is?
>>
>>
>> With all the horror stories about malware going around, I am probably
>> more paranoid than I ought to be.
>
> On Macs the file date is when that file was created. On your system you
> can also see when the file was last opened.
>
> Just because your bank suggests anti-malware does not mean you should
> install it. In fact what they suggest should probably be run from, not to.
>
> A quick online check of Rapport suggests that it's buggy going in,
> useless in service and can cause damage when being (inevitably) removed.
>
> Best anti-malware for Macs is you.

Well said.

0
Reply jpmcw (1928) 9/30/2011 10:55:58 PM

In article <1k8eujo.1mn7lkmvkc8awN%nospam@see.signature>,
 nospam@see.signature (Richard Maine) wrote:

> Oh, and another source of problems is using the same password for your
> bank as for various other random sites. Then when those other sites get
> hacked and have all their passwords stolen, the hacker has a good
> candidate to try for your bank password. Yes, there has been a flood of
> that recently.

What I do in this regard is to keep a data base for various sites. I 
have passwords that are combinations of letters, numbers, and 
punctuation. I type these out in a subjectively random fashion. I store 
them with links to the sites. Each place gets its own password. I even 
change them from time to time but probably not often enough. If I ever 
lose my data base, I will be in deep trouble.

-- 

Sam

Conservatives are against Darwinism but for natural selection.
Liberals are for Darwinism but totally against any selection.
0
Reply SalmonEgg (679) 9/30/2011 11:12:44 PM

On 11-09-30 6:12 PM, Salmon Egg wrote:

> What I do in this regard is to keep a data base for various sites. I 
> have passwords that are combinations of letters, numbers, and 
> punctuation. I type these out in a subjectively random fashion. I store 
> them with links to the sites. Each place gets its own password. I even 
> change them from time to time but probably not often enough. If I ever 
> lose my data base, I will be in deep trouble.

First a disclosure: I work for AgileBits, the makers of 1Password.

Now, bearing that disclosure in mind, please get yourself a good
password manager!

Please do not use a "home grown" password management system if you don't
have expertise in this field. This is another instance of where fear can
lead people to make poor security decisions.

Although we haven't seen this on the Mac yet, there is a long tradition
of Windows malware that searches people's files for exactly such
databases.  You are correct to use absolutely unique passwords for every
site, but you are wrong to put all those eggs in one basket unless you
know how to design these things.

Design of such things is much more than picking a strong encryption
algorithm. It involves making sure that decrypted data never gets
written to disk, either in swap or in temporary files. This is just one
of the many kinds of things that need to be thought through.

So please, please, use something designed by professionals. I would even
prefer to see you use a competitor's product than to use your own home
grown password management system.

Cheers,

-j

-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 9/30/2011 11:51:13 PM

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-09-30 6:12 PM, Salmon Egg wrote:
> 
> > What I do in this regard is to keep a data base for various sites. I
> > have passwords that are combinations of letters, numbers, and 
> > punctuation. I type these out in a subjectively random fashion. I store
> > them with links to the sites. Each place gets its own password. I even
> > change them from time to time but probably not often enough. If I ever
> > lose my data base, I will be in deep trouble.
> 
> First a disclosure: I work for AgileBits, the makers of 1Password.

Which I previously recommended (and I don't work for them).

> Although we haven't seen this on the Mac yet, there is a long tradition
> of Windows malware that searches people's files for exactly such
> databases.

Yup. In fact when NSA did a test attack (with our foreknowledge) on our
NASA site several years back, they caught me on exactly that. I was
about to say that they cracked into my Mac, but I guess that was a
little before I got my Mac and it was instead into my Linux desktop
system. No big surprise there; they managed to crack into almost every
system on site - yes, including the Macs (ok, they did "cheat" by
starting from inside our firewall). In fact, they complimented me on
being the only sysadmin who noticed and reported their successful
intrusion. They had a keylogger already installed and apparently watched
me as I found the intrusion. I pulled the network cable a little too
late - namely after they had retrieved my homemade "database" (aka text
file) with all the passwords to my other systems. I had literally a few
hundred accounts, so I had to have some kind of helper system.

After complimenting me on noticing the intrusion, they politely (quite
so - I was impressed, at least by the working-level folk) suggested
that, although they well understood why I needed some such database in
spite of official policies forbidding them, I ought to add at least one
extra layer of protection to it. In particular, they suggested I put my
text file in an encrypted disk image.

-- 
Richard Maine                    | Good judgment comes from experience;
email: last name at domain . net | experience comes from bad judgment.
domain: summertriangle           |  -- Mark Twain
0
Reply nospam47 (9742) 10/1/2011 4:11:34 AM

In article <9en2vjF8b2U1@mid.individual.net>,
 Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-09-30 6:12 PM, Salmon Egg wrote:
> 
> > What I do in this regard is to keep a data base for various sites. I 
> > have passwords that are combinations of letters, numbers, and 
> > punctuation. I type these out in a subjectively random fashion. I store 
> > them with links to the sites. Each place gets its own password. I even 
> > change them from time to time but probably not often enough. If I ever 
> > lose my data base, I will be in deep trouble.
> 
> First a disclosure: I work for AgileBits, the makers of 1Password.
> 
> Now, bearing that disclosure in mind, please get yourself a good
> password manager!
> 
> Please do not use a "home grown" password management system if you don't
> have expertise in this field. This is another instance of where fear can
> lead people to make poor security decisions.
> 
> Although we haven't seen this on the Mac yet, there is a long tradition
> of Windows malware that searches people's files for exactly such
> databases.  You are correct to use absolutely unique passwords for every
> site, but you are wrong to put all those eggs in one basket unless you
> know how to design these things.
> 
> Design of such things is much more than picking a strong encryption
> algorithm. It involves making sure that decrypted data never gets
> written to disk, either in swap or in temporary files. This is just one
> of the many kinds of things that need to be thought through.
> 
> So please, please, use something designed by professionals. I would even
> prefer to see you use a competitor's product than to use your own home
> grown password management system.
> 
> Cheers,
> 
> -j

I looked at a bunch of different ones--DataGuardian and 1Password, 
amongst others.  1Password has chosen to support multiple browsers with 
a plug-in that allows for stronger integration.  Not an easy task with 
stuff like Firefox and Chrome coming out with new versions over couple 
months or so.  Those developers will be sending their kids through 
college.

Plus their support is great.

Yes, I bought it.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


0
Reply vilain2 (1952) 10/1/2011 4:46:19 AM

In message <SalmonEgg-D40D6A.07134130092011@news60.forteinc.com> 
  Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
> I just downloaded a new version of Rapport. It is an anti-malware 

I read the description of what Rapport does and swore I would *never*
install it.

> Is that to be expected from a dmg folder? Should there be no actual 
> recording of the actual date those files were first stored in my 
> computer? Would that arise because I am saving a disk image as is?

DMGs will have the dates the files were created ON THE DMG, not on your
system.

> With all the horror stories about malware going around, I am probably 
> more paranoid than I ought to be.

I suggest you look into what Rapport is and how it works before
installing it then. Sounded to me very much like a malware keylogger.

-- 
Science is the foot that kicks magic square in the nuts.
0
Reply g.kreme (2905) 10/1/2011 5:13:37 AM
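
The behaviour described in the replies above, as an added example that is not part of any post in the thread: files unpacked from a container keep the modification date the packager gave them, while the local kernel separately stamps when the copy landed on disk. A tar archive stands in for the disk image here, and the file name, payload and packaging time are constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone

# Constructed sample value: the packaging date mentioned in the thread
# (26 Sept 2011), pinned to noon UTC for the demonstration.
PACKAGED = datetime(2011, 9, 26, 12, 0, 0, tzinfo=timezone.utc).timestamp()


def build_archive(path, member_name, payload, mtime):
    """Write a tar archive whose single member carries the packager's mtime."""
    info = tarfile.TarInfo(name=member_name)
    info.size = len(payload)
    info.mtime = int(mtime)  # chosen by whoever builds the archive
    with tarfile.open(path, "w") as tar:
        tar.addfile(info, io.BytesIO(payload))


def extract_and_stat(archive_path, dest_dir):
    """Extract the archive and return {name: (mtime, ctime)} for each file."""
    # Use the restrictive "data" extraction filter where this Python has it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path) as tar:
        tar.extractall(dest_dir, **kwargs)
    stamps = {}
    for root, _dirs, files in os.walk(dest_dir):
        for name in files:
            st = os.stat(os.path.join(root, name))
            # st_mtime: restored from the archive, so it reflects packaging.
            # st_ctime: on Unix the inode change time, stamped by the local
            # kernel and not settable with os.utime (on Windows it is the
            # creation time of the local copy).
            stamps[name] = (st.st_mtime, st.st_ctime)
    return stamps


def gap_days(mtime, ctime):
    """Days between the packaged date and the local arrival stamp."""
    return (ctime - mtime) / 86400.0


def demo():
    """Pack a file dated PACKAGED, unpack it now, and compare the stamps."""
    started = time.time()
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "installer.tar")
        build_archive(archive, "Installer.pkg", b"constructed payload", PACKAGED)
        out = os.path.join(work, "out")
        os.mkdir(out)
        mtime, ctime = extract_and_stat(archive, out)["Installer.pkg"]
    return {"started": started, "mtime": mtime, "ctime": ctime}


if __name__ == "__main__":
    r = demo()
    fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    print("modified (from archive):", fmt(r["mtime"]))
    print("changed  (local kernel):", fmt(r["ctime"]))
    print("gap in days:", round(gap_days(r["mtime"], r["ctime"]), 1))
```

The modification date is data supplied by the packager, so an old date on a fresh download is expected and says nothing about whether the file is safe; the locally stamped time is the one to consult when the question is when a file arrived.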

In message <SalmonEgg-3A2DFD.16124430092011@news60.forteinc.com> 
  Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
> In article <1k8eujo.1mn7lkmvkc8awN%nospam@see.signature>,
>  nospam@see.signature (Richard Maine) wrote:

>> Oh, and another source of problems is using the same password for your
>> bank as for various other random sites. Then when those other sites get
>> hacked and have all their passwords stolen, the hacker has a good
>> candidate to try for your bank password. Yes, there has been a flood of
>> that recently.

> What I do in this regard is to keep a data base for various sites. I 
> have passwords that are combinations of letters, numbers, and 
> punctuation. I type these out in a subjectively random fashion. I store 
> them with links to the sites. Each place gets its own password. I even 
> change them from time to time but probably not often enough. If I ever 
> lose my data base, I will be in deep trouble.

1Password.

Go. Now.

(and unlike someone else who I am sure will be posting, I do *not* work
for them :).


-- 
I don't believe there's a power in the 'verse can stop Kaylee from bein'
cheerful. Sometimes you just wanna duct-tape her mouth and dump her in
the hold for a month.
0
Reply g.kreme (2905) 10/1/2011 5:17:34 AM

In article <slrnj8d8je.2mpt.g.kreme@ibook-g4-2.local>,
 Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:

> In message <SalmonEgg-3A2DFD.16124430092011@news60.forteinc.com> 
>   Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
> > In article <1k8eujo.1mn7lkmvkc8awN%nospam@see.signature>,
> >  nospam@see.signature (Richard Maine) wrote:
> 
> >> Oh, and another source of problems is using the same password for your
> >> bank as for various other random sites. Then when those other sites get
> >> hacked and have all their passwords stolen, the hacker has a good
> >> candidate to try for your bank password. Yes, there has been a flood of
> >> that recently.
> 
> > What I do in this regard is to keep a data base for various sites. I 
> > have passwords that are combinations of letters, numbers, and 
> > punctuation. I type these out in a subjectively random fashion. I store 
> > them with links to the sites. Each place gets its own password. I even 
> > change them from time to time but probably not often enough. If I ever 
> > lose my data base, I will be in deep trouble.
> 
> 1Password.
> 
> Go. Now.
> 
> (and unlike someone else who I am sure will be posting, I do *not* work
> for them :).

LastPass is both free and better, IMO:

<http://lastpass.com>

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10611) 10/1/2011 2:38:38 PM

In article <vilain-8ED113.21461930092011@news.individual.net>,
 Michael Vilain <vilain@NOspamcop.net> wrote:

> I looked at a bunch of different ones--DataGuardian and 1Password, 
> amongst others.  1Password has chosen to support multiple browsers with 
> a plug-in that allows for stronger integration.  Not an easy task with 
> stuff like Firefox and Chrome coming out with new versions over couple 
> months or so.  Those developers will be sending their kids through 
> college.
> 
> Plus their support is great.

1Password is definitely more buggy than LastPass, IME. And LastPass is 
free.

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10611) 10/1/2011 2:39:56 PM

In article <j65hdp$6a8$2@dont-email.me>,
 John McWilliams <jpmcw@comcast.net> wrote:

> On 9/30/11   PDT 3:15 PM, Alan Browne wrote:
> > On 2011-09-30 10:13 , Salmon Egg wrote:
> >> I just downloaded a new version of Rapport. It is an anti-malware
> >> application suggested by my bank. Today's date is Sept 30. The date on
> >> the downloaded files is Sept 26. Even though I just downloaded it, the
> >> only dates showing up in the information panel are no later than the 26.
> >> That is so even with a search using the Finder's find application.
> >>
> >> Is that to be expected from a dmg folder? Should there be no actual
> >> recording of the actual date those files were first stored in my
> >> computer? Would that arise because I am saving a disk image as is?
> >>
> >>
> >> With all the horror stories about malware going around, I am probably
> >> more paranoid than I ought to be.
> >
> > On Macs the file date is when that file was created. On your system you
> > can also see when the file was last opened.
> >
> > Just because your bank suggests anti-malware does not mean you should
> > install it. In fact what they suggest should probably be run from, not to.
> >
> > A quick online check of Rapport suggests that it's buggy going in,
> > useless in service and can cause damage when being (inevitably) removed.
> >
> > Best anti-malware for Macs is you.
> 
> Well said.

And fundamental to _your_ anti-malware behavior:

1. If you're really that concerned about malware, demote your everyday 
user account to 'normal' from 'admin', if you haven't already. This will 
prevent a number of attack approaches. This has been discussed at length 
in these hallowed halls. You still need an admin account, and you can 
still do most of what you need with an admin password, but demoting 
yourself is easy and relatively no hassle in practice.

2. Google about social engineering malware, to learn the behavioral 
basics like not supplying a password unless you know **EXACTLY** why 
it's required, et al.

3.  Relax so you don't get flustered and do something stupid. (This item 
presumes you've completed 1 & 2.)


Remember, I'm pullin' for ya.
We're all in this together.
                  --Red Green
0
Reply fmoore (1331) 10/1/2011 3:03:41 PM

In article <jollyroger-9AEDB1.09383801102011@news.individual.net>,
 Jolly Roger <jollyroger@pobox.com> wrote:

> In article <slrnj8d8je.2mpt.g.kreme@ibook-g4-2.local>,
>  Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:
> 
> > In message <SalmonEgg-3A2DFD.16124430092011@news60.forteinc.com> 
> >   Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
> > > In article <1k8eujo.1mn7lkmvkc8awN%nospam@see.signature>,
> > >  nospam@see.signature (Richard Maine) wrote:
> > 
> > >> Oh, and another source of problems is using the same password for your
> > >> bank as for various other random sites. Then when those other sites get
> > >> hacked and have all their passwords stolen, the hacker has a good
> > >> candidate to try for your bank password. Yes, there has been a flood of
> > >> that recently.
> > 
> > > What I do in this regard is to keep a data base for various sites. I 
> > > have passwords that are combinations of letters, numbers, and 
> > > punctuation. I type these out in a subjectively random fashion. I store 
> > > them with links to the sites. Each place gets its own password. I even 
> > > change them from time to time but probably not often enough. If I ever 
> > > lose my data base, I will be in deep trouble.
> > 
> > 1Password.
> > 
> > Go. Now.
> > 
> > (and unlike someone else who I am sure will be posting, I do *not* work
> > for them :).
> 
> LastPass is both free and better, IMO:
> 
> <http://lastpass.com>

I was sold until I saw it was the same people that make Xmarks and 
they've been 'blessed' by CNET.  I had a problem with Xmarks and logged 
into their forum.  There was no email address on their site.  I had to 
scrounge through DNS to get a contact address.  No response either on 
their forum or email.  Others have the same problem that haven't been 
addressed in 2 years.  Plus it's a subscriber-service model rather than 
a software product model.  I refuse to be a revenue stream for a company.

I won't go anywhere near this product or Xmarks.  Ever.

ymmv.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


0
Reply vilain2 (1952) 10/1/2011 3:38:27 PM

In article <jollyroger-4584EA.09395601102011@news.individual.net>,
 Jolly Roger <jollyroger@pobox.com> wrote:

> In article <vilain-8ED113.21461930092011@news.individual.net>,
>  Michael Vilain <vilain@NOspamcop.net> wrote:
> 
> > I looked at a bunch of different ones--DataGuardian and 1Password, 
> > amongst others.  1Password has chosen to support multiple browsers with 
> > a plug-in that allows for stronger integration.  Not an easy task with 
> > stuff like Firefox and Chrome coming out with new versions over couple 
> > months or so.  Those developers will be sending their kids through 
> > college.
> > 
> > Plus their support is great.
> 
> 1Password is definitely more buggy than LastPass, IME. And LastPass is 
> free.

We have different criteria for what's a bug and what's a feature, IMO.  
I don't trust LastPass given my experience with their support for 
Xmarks.  Never will I trust these guys.  And if you can't trust the 
company whose software is keeping your passwords, why not write them on 
a sticky and keep them under your keyboard?

YMMV.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


0
Reply vilain2 (1952) 10/1/2011 3:42:39 PM

In article <vilain-BE92A6.08423901102011@news.individual.net>,
 Michael Vilain <vilain@NOspamcop.net> wrote:

> In article <jollyroger-4584EA.09395601102011@news.individual.net>,
>  Jolly Roger <jollyroger@pobox.com> wrote:
> 
> > In article <vilain-8ED113.21461930092011@news.individual.net>,
> >  Michael Vilain <vilain@NOspamcop.net> wrote:
> > 
> > > I looked at a bunch of different ones--DataGuardian and 1Password, 
> > > amongst others.  1Password has chosen to support multiple browsers with 
> > > a plug-in that allows for stronger integration.  Not an easy task with 
> > > stuff like Firefox and Chrome coming out with new versions over couple 
> > > months or so.  Those developers will be sending their kids through 
> > > college.
> > > 
> > > Plus their support is great.
> > 
> > 1Password is definitely more buggy than LastPass, IME. And LastPass is 
> > free.
> 
> We have different criteria for what's a bug and what's a feature, IMO.  
> I don't trust LastPass given my experience with their support for 
> Xmarks.

What experience was that?

> Never will I trust these guys.

Why not? 

What makes you consider the 1Password author more trustworthy?

>  And if you can't trust the 
> company whose software is keeping your passwords, why not write them on 
> a sticky and keep them under your keyboard?

I do trust LastPass with my passwords.

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10611) 10/1/2011 4:17:21 PM

In article <vilain-AD5010.08382601102011@news.individual.net>,
 Michael Vilain <vilain@NOspamcop.net> wrote:

> In article <jollyroger-9AEDB1.09383801102011@news.individual.net>,
>  Jolly Roger <jollyroger@pobox.com> wrote:
> 
> > In article <slrnj8d8je.2mpt.g.kreme@ibook-g4-2.local>,
> >  Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:
> > 
> > > In message <SalmonEgg-3A2DFD.16124430092011@news60.forteinc.com> 
> > >   Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
> > > > In article <1k8eujo.1mn7lkmvkc8awN%nospam@see.signature>,
> > > >  nospam@see.signature (Richard Maine) wrote:
> > > 
> > > >> Oh, and another source of problems is using the same password for your
> > > >> bank as for various other random sites. Then when those other sites get
> > > >> hacked and have all their passwords stolen, the hacker has a good
> > > >> candidate to try for your bank password. Yes, there has been a flood of
> > > >> that recently.
> > > 
> > > > What I do in this regard is to keep a data base for various sites. I 
> > > > have passwords that are combinations of letters, numbers, and 
> > > > punctuation. I type these out in a subjectively random fashion. I store 
> > > > them with links to the sites. Each place gets its own password. I even 
> > > > change them from time to time but probably not often enough. If I ever 
> > > > lose my data base, I will be in deep trouble.
> > > 
> > > 1Password.
> > > 
> > > Go. Now.
> > > 
> > > (and unlike someone else who I am sure will be posting, I do *not* work
> > > for them :).
> > 
> > LastPass is both free and better, IMO:
> > 
> > <http://lastpass.com>
> 
> I was sold until I saw it was the same people that make Xmarks and 
> they've been 'blessed' by CNET.

I'm not sure what that's supposed to mean. I have always liked Xmarks, 
and CNET editor ratings don't typically affect my decision making 
process either way.

> I had a problem with Xmarks and logged into their forum.  

Never used their community forums myself.

> There was no email address on their site.

So? They provide a method for contacting support here:

<http://www.xmarks.com/about/help>

> I had to 
> scrounge through DNS to get a contact address.  No response either on 
> their forum or email.

LOL... Personally, I wouldn't assume that a company's registered DNS 
contact address would necessarily respond to support queries. And often, 
community forums are provided strictly for user discussions rather than 
actual support. It seems like you may have unreasonable expectations.

> Others have the same problem that haven't been 
> addressed in 2 years.

What problem?

Is this with the free version, by chance?

> Plus it's a subscriber-service model rather than 
> a software product model.  I refuse to be a revenue stream for a company.

What the hell are you talking about? It's free, as in beer.

> I won't go anywhere near this product or Xmarks.  Ever.

You're silly.

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10611) 10/1/2011 4:27:16 PM

On 11-09-30 11:46 PM, Michael Vilain wrote:

>  1Password has chosen to support multiple browsers with 
> a plug-in that allows for stronger integration.  Not an easy task with 
> stuff like Firefox and Chrome coming out with new versions over couple 
> months or so.

We had a real rough spot in this regard during July and August. However
the transition in technology that we made is paying off. 1Password
worked on FF7 without any problems or user intervention needed when that
came out. (It also works with FF8 and FF9, and is holding its own on
FF10 nightlies.)

With Chrome, it is working with Canary (at least it is today).

As far as I know, none of our competitors, even today, have an extension
working for 5.1. Ours was ready (though buggy) on day one, and it is now
far more robust.

Let's just say that there have been a lot of very long days and lost
weekends over the past several months getting ready for Safari 5.1 and
rebuilding our extension system to withstand rapid browser version changes.

Cheers,

-j

-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/1/2011 4:39:03 PM

On 11-10-01 9:39 AM, Jolly Roger wrote:

> 1Password is definitely more buggy than LastPass, IME. And LastPass is 
> free.

1Password and LastPass have very different ways of operating. It would
be unseemly of me to discuss the merits of each. So I will only talk
about the bugginess in 1Password that you may have encountered.

Our new extension design that came into play with the release of Safari
5.1 was buggy at first. It is much much better now. And, of course, it
is better than not having an extension at all.

LastPass has not yet managed to release a working extension for Safari
5.1. I don't fault them for this; it is a tough nut to crack and we have
been planning for it, one way or another, since WWDC10 when Apple told
developers that Scripting Additions was going away. Even with that lead
time, it was hard. One problem is that because only paid Apple developer
members had Lion and Safari Previews, we didn't have our fantastic pool
of beta testers.

Later in the summer, Firefox became our big problem. (But again, the
release of FF7 has shown things that are right about our approach; the
change to FF7 went unnoticed by our users.) But we had been getting a
huge number of reports of crippling performance problems with FF6 and
our new extension. It turns out that there is a nasty memory leak in
Mozilla's handling of submenus in contextual menus. So we had to drop a
feature in FF until FF gets fixed.

Of course our biggest problem with FF6 was that we lost auto-save for a
bit.  Our Firefox users were justifiably furious during the weeks it
took to get this working. The good news is that what we learned in that
process is going to make autosave even nicer in all extensions.

Anyway, let me repeat what I said earlier. I would rather see people use
our competitor's products than to not use anything at all. Password
management is too important for the security of the whole network
environment.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/1/2011 5:04:26 PM

In article <jollyroger-1F6EF8.11271601102011@news.individual.net>,
 Jolly Roger <jollyroger@pobox.com> wrote:

> In article <vilain-AD5010.08382601102011@news.individual.net>,
>  Michael Vilain <vilain@NOspamcop.net> wrote:
> 
> > In article <jollyroger-9AEDB1.09383801102011@news.individual.net>,
> >  Jolly Roger <jollyroger@pobox.com> wrote:
> > 
> > > In article <slrnj8d8je.2mpt.g.kreme@ibook-g4-2.local>,
> > >  Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:
> > > 
> > > > In message <SalmonEgg-3A2DFD.16124430092011@news60.forteinc.com> 
> > > >   Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
> > > > > In article <1k8eujo.1mn7lkmvkc8awN%nospam@see.signature>,
> > > > >  nospam@see.signature (Richard Maine) wrote:
> > > > 
> > > > >> Oh, and another source of problems is using the same password for your
> > > > >> bank as for various other random sites. Then when those other sites get
> > > > >> hacked and have all their passwords stolen, the hacker has a good
> > > > >> candidate to try for your bank password. Yes, there has been a flood of
> > > > >> that recently.
> > > > 
> > > > > What I do in this regard is to keep a data base for various sites. I 
> > > > > have passwords that are combinations of letters, numbers, and 
> > > > > punctuation. I type these out in a subjectively random fashion. I store 
> > > > > them with links to the sites. Each place gets its own password. I even 
> > > > > change them from time to time but probably not often enough. If I ever 
> > > > > lose my data base, I will be in deep trouble.
> > > > 
> > > > 1Password.
> > > > 
> > > > Go. Now.
> > > > 
> > > > (and unlike someone else who I am sure will be posting, I do *not* work
> > > > for them :).
> > > 
> > > LastPass is both free and better, IMO:
> > > 
> > > <http://lastpass.com>
> > 
> > I was sold until I saw it was the same people that make Xmarks and 
> > they've been 'blessed' by CNET.
> 
> I'm not sure what that's supposed to mean. I have always liked Xmarks, 
> and CNET editor ratings don't typically affect my decision making 
> process either way.
> 
> > I had a problem with Xmarks and logged into their forum.  
> 
> Never used their community forums myself.
> 
> > There was no email address on their site.
> 
> So? They provide a method for contacting support here:
> 
> <http://www.xmarks.com/about/help>
> 
> > I had to 
> > scrounge through DNS to get a contact address.  No response either on 
> > their forum or email.
> 
> LOL... Personally, I wouldn't assume that a company's registered DNS 
> contact address would necessarily respond to support queries. And often, 
> community forums are provided strictly for user discussions rather than 
> actual support. It seems like you may have unreasonable expectations.
> 
> > Others have the same problem that haven't been 
> > addressed in 2 years.
> 
> What problem?
> 
> Is this with the free version, by chance?
> 
> > Plus it's a subscriber-service model rather than 
> > a software product model.  I refuse to be a revenue stream for a company.
> 
> What the hell are you talking about? It's free, as in beer.
> 
> > I won't go anywhere near this product or Xmarks.  Ever.
> 
> You're silly.

Maybe I am silly.  But I tried to use their software by creating an 
account using my personal email account.  One that I've had for over 15 
years.  It didn't take it.  So I went onto their forums to look for a 
solution.  Apparently the validation for email accounts has bugs in it.  
Others had the same problem that were not addressed over 2 years ago.

So I created an account using a gmail address.  It took that and created 
the account.  I attempted to change it to my personal email account and 
it would not let me.  I could not contact anyone to get clarification or 
complain or any understanding.  If it's a requirement that I pay them a 
yearly fee to use their software, I'll pass.  Same with LastPass.  I 
don't trust any company that might be gone holding my passwords or 
bookmarks. 

Reading the product description says this was originally 'foxsync' or 
something like that.  I tried that service a couple years ago, which is 
probably why my regular email address doesn't work.  It's blocked 
because I deleted my account.  Apparently they keep old accounts and 
just flag them as deleted rather than deleting the user information.

We obviously have different criteria for what we need in products. 
You're willing to trust these people with your passwords and bookmarks.  
I am not.  Not for $1/month.  Not for my bookmarks (StupidPhones don't 
use web browsers).  And a key feature they've discontinued is password 
synch.  It's been removed from the product.

http://getsatisfaction.com/foxmarks/topics/restore_passwords_after_a_computer_rebuild

Crappy, subscription-based support which I have to pay for to get a 
product that supposedly 'just works' to work.  Their servers go down, no 
passwords or bookmarks.  Various outages are reported in their support 
forums.  So.  Not.  Happening. 

They may have a right to use whatever revenue model they want.  I'm just 
going to contribute to it.  They want me to be a revenue stream, like 
B&A and Wells Fargo who now charge for debit cards (which I also don't 
use).

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


0
Reply vilain2 (1952) 10/1/2011 5:07:31 PM

On 11-10-01 10:03 AM, Fred Moore wrote:

> 1. If you're really that concerned about malware, demote your everyday 
> user account to 'normal' from 'admin', if you haven't already. This will 
> prevent a number of attack approaches. This has been discussed at length 
> in these hallowed halls. You still need an admin account, and you can 
> still do most of what you need with an admin password, but demoting 
> yourself is easy and relatively no hassle in practice.
> 
> 2. Google about social engineering malware, to learn the behavioral 
> basics like not supplying a password unless you know **EXACTLY** why 
> it's required, et al.
> 
> 3.  Relax so you don't get flustered and do something stupid. (This item 
> presumes you've completed 1 & 2.)

And let me add number 0. Keep your software and system up to date. In
the Windows world (where the numbers are big enough to draw conclusions
from) the large majority of compromises (other than the socially
engineered ones) are exploiting vulnerabilities that have already been
fixed by the vendors. Update, update, update!

Cheers,

-j

-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/1/2011 5:23:09 PM

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-09-30 9:13 AM, Salmon Egg wrote:
> > I just downloaded a new version of Rapport.
> 
> There's decent anti-malware and there is bad anti-malware. Stay the hell
> away from Rapport.
> 
> Rapport is a suite of shit that has been put together by Trusteer, a
> company that sells bad advice to banks about user logins.
> 
> > With all the horror stories about malware going around, I am probably
> > more paranoid than I ought to be.
> 
> Being concerned about security is a good thing. But fearful and panicked
> people make very bad security choices.
> 
> I'm sorry to put you in the position of having to choose between
> trusting "some guy on Usenet" vs trusting your bank for security advice.
> But that won't stop me from voicing my opinion.
> 
> Cheers,
> 

ditto.

H
0
Reply Howard.not (209) 10/1/2011 5:25:01 PM

In article <9eovgsFjimU1@mid.individual.net>, Jeffrey Goldberg
<nobody@goldmark.org> wrote:

> > 1Password is definitely more buggy than LastPass, IME. And LastPass is 
> > free.
> 
> 1Password and LastPass have very different ways of operating. It would
> be unseemly of me to discuss the merits of each. So I will only talk
> about the bugginess in 1Password that you may have encountered.
> 
> Our new extension design that came into play with the release of Safari
> 5.1 was buggy at first. It is much much better now. And, of course, it
> is better than not having an extension at all.

this is apparently indicative of the problem. you are concerned with
bugs in the extensions, not the app itself. a lot of people do not use
the extensions (ios users, for instance) and are stuck with unresolved
bugs in the app.

still to this day, there are *numerous* bugs, some of which are a
trivial fix (wrong keyboard comes up on the iphone, very easy to
change). other bugs include the list not updating properly when entries
are added or deleted (you have to switch out and back to get the new
item to show up), items showing up in the wrong order, as well as the
occasional crash. most of them are 100% reproducible. i reported them a
couple of years ago, certainly by now they could have been fixed.
0
Reply nospam59 (9950) 10/1/2011 5:42:56 PM

Paul Sture <paul.nospam@sture.ch> wrote:

> In article <SalmonEgg-D40D6A.07134130092011@news60.forteinc.com>,
>  Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
> 
> > I just downloaded a new version of Rapport. It is an anti-malware 
> > application suggested by my bank. Today's date is Sept 30. The date on
> > the downloaded files is Sept 26. Even though I just downloaded it, the
> > only dates showing up in the information panel are no later than the 26.
> > That is so even with a search using the Finder's find application.
> > 
> > Is that to be expected from a dmg folder? Should there be no actual
> > recording of the actual date those files were first stored in my 
> > computer? Would that arise because I am saving a disk image as is?
> > 
> > 
> > With all the horror stories about malware going around, I am probably
> > more paranoid than I ought to be.
> 
> It's entirely normal that files are downloaded with the date they have
> on the server.  This is actually quite handy as I can see at a glance
> how old a piece of software or a document is.

Indeed. Your bank however is clueless.
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/1/2011 8:59:35 PM

On 11-10-01 12:42 PM, nospam wrote:

> this is apparently indicative of the problem. you are concerned with
> bugs in the extensions, not the app itself. a lot of people do not use
> the extensions (ios users, for instance) and are stuck with unresolved
> bugs in the app.

I'm sorry. I was talking about 1Password on the Mac. The (known) bugs
you describe in the iPad and iPhone apps are a different matter.

You are correct that iOS development has been lagging. With enormous
changes to how browsers work and update, our focus has been elsewhere.
But you will see fixes to the iOS apps, but I can't promise when.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/1/2011 9:00:39 PM

On 11-10-01 4:47 PM, Jamie Kahn Genet wrote:

> I never could get 1Password to work properly - it would never prompt me
> to save logins, amongst other issues. Agile support blamed my Leopard
> issues, except that was early Leopard being very buggy on all systems,
> not just one. Still, I couldn't really complain - I won it as part of a
> competition a couple years back.

When you want to give it another try, let me know.

> Nonetheless I still find password managers more hassle than they're
> worth.

Then, at least in your case, we have failed. We want to make it easier
to do the secure thing than to do the less secure thing. We can't always
achieve that, but it really is what we design for.

> Instead I rely on strong unique passwords for important sites (banking,
> OSX account logins, etc), a single strong password for sites I'd like to
> keep private, but would not be hurt if they were compromised, and an
> easy to remember less strong password for everything else (web forums,
> etc).

If you are not already doing so, please include your mail email account
as something that requires the strongest level of passwords. Password
"reset" mechanisms for many sites simply trust that you still control
your email account.

> I change them periodically in a non-obvious sequence (to make it
> easier to remember the changes), and despite the strong passwords
> including capitalisation, punctuation, numbers, and being of a decent
> length, they make up nonsense sayings or ideas that - so far as I know -
> only have meaning to me.

I have an article on picking strong master passwords for 1Password, but
it applies to anything that you need a very strong memorable password for.

  http://blog.agilebits.com/2011/06/toward-better-master-passwords/

What you are doing appears to be fine, as long as you really keep the
strong ones unique. That puts a limit on the number of those that you
can have.

> So yeah - so long as your memory is decent and you don't have more than
> a handful of important logins, I reckon you can get by without a
> homemade database or commercial password manager plus smartphone for
> work, and still stay secure enough.

Your system is a major improvement on what the majority of Internet
users do, so I'm not going to criticize. You found something that gives
you reasonable security that works for you.

My only concern is that people who try to follow your practice may not
have the discipline to ensure that they really are using unique passwords
for important sites. They may start out with that, and have the best
intentions, but it is hard to strictly maintain that.

Cheers,

-j

-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/1/2011 9:17:45 PM

In article <vilain-3D0449.10073101102011@news.individual.net>,
 Michael Vilain <vilain@NOspamcop.net> wrote:

> In article <jollyroger-1F6EF8.11271601102011@news.individual.net>,
>  Jolly Roger <jollyroger@pobox.com> wrote:
> 
> > In article <vilain-AD5010.08382601102011@news.individual.net>,
> >  Michael Vilain <vilain@NOspamcop.net> wrote:
> > 
> > > I won't go anywhere near this product or Xmarks.  Ever.
> > 
> > You're silly.
> 
> Maybe I am silly.  But I tried to use their software by creating an 
> account using my personal email account.  One that I've had for over 15 
> years.  It didn't take it.  So I went onto their forums to look for a 
> solution.  Apparently the validation for email accounts has bugs in it.  
> Others had the same problem that were not addressed over 2 years ago.

Perhaps it's an edge case that simply does not affect most users. And 
most people have alternative addresses. If so, I can understand it not 
being very high priority for them. If it affected me, I would have 
submitted an actual support request.

> So I created an account using a gmail address.  It took that and created 
> the account.  I attempted to change it to my personal email account and 
> it would not let me.  I could not contact anyone to get clarification or 
> complain or any understanding.

Really? Because I found their official support form quite quickly.

> If it's a requirement that I pay them a 
> yearly fee to use their software, I'll pass.

There is no such requirement for Xmarks. Again, it is freeware.

> Same with LastPass.

LastPass is also freeware.

> I don't trust any company that might be gone holding my passwords or 
> bookmarks. 

Do you trust yourself?  : )

If you had bothered to read, you would have learned that the passwords 
aren't transferred off of your own computer - ever. They stay on your 
computer and are accessible only by you. 

> Reading the product description says this was originally 'foxsync' or 
> something like that.  I tried that service a couple years ago, which is 
> probably why my regular email address doesn't work.  It's blocked 
> because I deleted my account.

Wow, this is rich! So which is it?: Is there a 2+ year bug in their 
email validation algorithm, or did you try to use an email from an 
account you let stagnate?

> Apparently they keep old accounts and just flag them as deleted 
> rather than deleting the user information.

Maybe, maybe not. Until you bother to contact their support about it, I 
guess we'll never know.

> We obviously have different criteria for what we need in products.

I can't speak for you. What I need is a password manager that works at 
least 90% of the time, and makes my life easier. With 1Password, very 
often it failed to recognize password changes, or to apply passwords to 
different web pages on the same domain. Also, once or twice, it crashed 
my browser. That's too buggy for me. LastPass, on the other hand, 
supports multiple browsers on multiple platforms, and just works 99% of 
the time. It's great.
 
> You're willing to trust these people with your passwords and bookmarks.

Again, my passwords never leave my machine with LastPass. 

I couldn't care less if some nerd at Xmarks sees my bookmarks. Big deal.
   
> I am not.  Not for $1/month.

It's FREE. Had you bothered to read, you might know that.

> Not for my bookmarks (StupidPhones don't 
> use web browsers).  And a key feature they've discontinued is password 
> synch.  It's been removed from the product.
> 
> http://getsatisfaction.com/foxmarks/topics/restore_passwords_after_a_computer_rebuild

That's what LastPass is for, silly.

> Crappy,

You apparently haven't even used it enough to form that opinion. 

> subscription-based support which I have to pay for to get a 
> product that supposedly 'just works' to work.

It does work. You're just mad at them for remembering you already had an 
account and not providing quick email support to you for free.

> Their servers go down, no passwords or bookmarks.

That's a load of crap. Your passwords are stored locally. Your bookmarks 
are stored locally as well. Nothing can prevent you from accessing them.

> Various outages are reported in their support 
> forums.  So.  Not.  Happening. 

An outage on their side will not affect your ability to access your 
passwords on your machine.

> They may have a right to use whatever revenue model they want.  I'm just 
> going to contribute to it.  They want me to be a revenue stream, like 
> B&A and Wells Fargo who now charge for debit cards (which I also don't 
> use).

Right. That's why the software is completely FREE...

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10611) 10/1/2011 9:42:13 PM

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-09-30 6:12 PM, Salmon Egg wrote:
> 
> > What I do in this regard is to keep a data base for various sites. I
> > have passwords that are combinations of letters, numbers, and 
> > punctuation. I type these out in a subjectively random fashion. I store
> > them with links to the sites. Each place gets its own password. I even
> > change them from time to time but probably not often enough. If I ever
> > lose my data base, I will be in deep trouble.
> 
> First a disclosure: I work for AgileBits, the makers of 1Password.
> 
> Now, bearing that disclosure in mind, please get yourself a good
> password manager!
> 
> Please do not use a "home grown" password management system if you don't
> have expertise in this field. This is another instance of where fear can
> lead people to make poor security decisions.
> 
> Although we haven't seen this on the Mac yet, there is a long tradition
> of Windows malware that searches people's files for exactly such
> databases.  You are correct to use absolutely unique passwords for every
> site, but you are wrong to put all those eggs in one basket unless you
> know how to design these things.
> 
> Design of such things is much more than picking a strong encryption
> algorithm. It involves making sure that decrypted data never gets
> written to disk, either in swap or in temporary files. This is just one
> of the many kinds of things that need to be thought through.
> 
> So please, please, use something designed by professionals. I would even
> prefer to see you use a competitor's product than to use your own home
> grown password management system.
> 
> Cheers,
> 
> -j

I never could get 1Password to work properly - it would never prompt me
to save logins, amongst other issues. Agile support blamed my Leopard
issues, except that was early Leopard being very buggy on all systems,
not just one. Still, I couldn't really complain - I won it as part of a
competition a couple years back.

Nonetheless I still find password managers more hassle than they're
worth. While I'm wary of strange computers, sometimes I still want to
login to a site at work, for example. Perhaps if I owned or wanted a
smartphone password managers would make sense (for those with phone apps
that sync the passwords, anyway). But right now for a non-smartphone
user they're not usable.

Instead I rely on strong unique passwords for important sites (banking,
OSX account logins, etc), a single strong password for sites I'd like to
keep private, but would not be hurt if they were compromised, and an
easy to remember less strong password for everything else (web forums,
etc). I change them periodically in a non-obvious sequence (to make it
easier to remember the changes), and despite the strong passwords
including capitalisation, punctuation, numbers, and being of a decent
length, they make up nonsense sayings or ideas that - so far as I know -
only have meaning to me.

Thus I only have to remember a handful of strong passwords and the
sequence I change them with periodically. It's not a perfect system (my
passwords are not truly random, as long as they could be, or unique to
every single login), but it has served me well over the years, and if I
ever forget a password and/or the sequence, I need only use Keychain
Access on one of my computers to remind me. Or if I ever forget my OSX
account login passwords and sequences (highly unlikely given their
frequency of use, but I like to plan ahead), I have them written down
and locked away in a secure location with other important hard copy
documents.

So yeah - so long as your memory is decent and you don't have more than
a handful of important logins, I reckon you can get by without a
homemade database or commercial password manager plus smartphone for
work, and still stay secure enough.

-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/1/2011 9:47:52 PM

In article <jollyroger-6170D0.16421301102011@news.individual.net>,
 Jolly Roger <jollyroger@pobox.com> wrote:

> If you had bothered to read, you would have learned that the passwords 
> aren't transferred off of your own computer - ever. They stay on your 
> computer and are accessible only by you. 

I should really correct myself and clarify: Your master password is 
never transferred off of your own computer - ever. A one-way hash of 
your master password and a highly encrypted package is sent to LastPass. 
All encryption and decryption happens on your computer. The only reason 
the encrypted package is sitting on the LastPass server is to allow it 
to be used on other browser clients. LastPass doesn't have access to any 
of your passwords.

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10611) 10/1/2011 9:55:48 PM
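
Added example, not part of the original post and not LastPass's code: a generic sketch of the arrangement described above, where the vault key is derived and used only on the client and the server holds a one-way login hash plus an encrypted blob. PBKDF2 with the iteration count shown, AES-256-GCM, and every function, class and account name are assumptions made for illustration.

```javascript
// Illustration only: generic client-side vault encryption with a sync server.
const crypto = require('node:crypto');

const KDF_ITERATIONS = 100000; // assumed work factor, not taken from any product

// Client side. The master password and vaultKey never leave this function's caller.
function deriveKeys(masterPassword, salt) {
  const vaultKey = crypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
  // One further one-way step: the server sees authHash but cannot walk back to vaultKey.
  const authHash = crypto.pbkdf2Sync(vaultKey, masterPassword, 1, 32, 'sha256');
  return { vaultKey, authHash };
}

// Client side: encrypt the whole vault before it is uploaded.
function encryptVault(vaultKey, entries) {
  const iv = crypto.randomBytes(12); // fresh nonce for every upload
  const cipher = crypto.createCipheriv('aes-256-gcm', vaultKey, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: body.toString('base64'),
  };
}

// Client side: decrypt a downloaded blob. Throws if the key is wrong or the blob was altered.
function decryptVault(vaultKey, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', vaultKey, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const plain = Buffer.concat([
    decipher.update(Buffer.from(blob.ciphertext, 'base64')),
    decipher.final(),
  ]);
  return JSON.parse(plain.toString('utf8'));
}

// Hypothetical sync server: stores salt, a digest of the login hash, and the opaque blob.
class SyncServer {
  constructor() { this.accounts = new Map(); }
  register(email, salt, authHash, blob) {
    const verifier = crypto.createHash('sha256').update(authHash).digest();
    this.accounts.set(email, { salt, verifier, blob });
  }
  getSalt(email) { return this.accounts.get(email).salt; } // salt is not secret
  fetchVault(email, authHash) {
    const acct = this.accounts.get(email);
    const presented = crypto.createHash('sha256').update(authHash).digest();
    if (!acct || !crypto.timingSafeEqual(acct.verifier, presented)) {
      throw new Error('login rejected');
    }
    return acct.blob;
  }
}

// First browser: derive keys, encrypt locally, upload only authHash and ciphertext.
function firstClientUpload(server, email, masterPassword, entries) {
  const salt = crypto.randomBytes(16);
  const { vaultKey, authHash } = deriveKeys(masterPassword, salt);
  server.register(email, salt, authHash, encryptVault(vaultKey, entries));
}

// Second browser: same master password, fetch the blob, decrypt locally.
function secondClientDownload(server, email, masterPassword) {
  const { vaultKey, authHash } = deriveKeys(masterPassword, server.getSalt(email));
  return decryptVault(vaultKey, server.fetchVault(email, authHash));
}

// Constructed sample data for a stand-alone run.
function demo() {
  const server = new SyncServer();
  const vault = [{ site: 'bank.example', user: 'sam', password: 'constructed-Pa55!' }];
  firstClientUpload(server, 'sam@example.com', 'constructed master passphrase', vault);
  const restored = secondClientDownload(server, 'sam@example.com', 'constructed master passphrase');
  const serverView = JSON.stringify(server.accounts.get('sam@example.com'));
  return { restoredSite: restored[0].site, plaintextOnServer: serverView.includes(vault[0].password) };
}

console.log(demo());
```

In this sketch the confidentiality of the stored blob rests on the strength of the master password and the KDF work factor, since anyone holding the blob and salt can attempt offline guesses.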

In article <9epdboF5h4U1@mid.individual.net>, Jeffrey Goldberg
<nobody@goldmark.org> wrote:

> > this is apparently indicative of the problem. you are concerned with
> > bugs in the extensions, not the app itself. a lot of people do not use
> > the extensions (ios users, for instance) and are stuck with unresolved
> > bugs in the app.
> 
> I'm sorry. I was talking about 1Password on the Mac. 

so was i. not everyone uses the extensions.

> The (known) bugs
> you describe in the iPad and iPhone apps are a different matter.

both mac and ios have unresolved bugs. 

> You are correct that iOS development has been lagging. With enormous
> changes to how browsers work and update, our focus has been elsewhere.
> But you will see fixes to the iOS apps, but I can't promise when.

i heard the same line 2 years ago. 

i don't want a password manager whose development is lagging, and with
the new direction for the mac app, it looks like it's time to switch to
something else.
0
Reply nospam59 (9950) 10/1/2011 9:56:23 PM

Michael Vilain <vilain@NOspamcop.net> wrote:

> In article <jollyroger-9AEDB1.09383801102011@news.individual.net>,
>  Jolly Roger <jollyroger@pobox.com> wrote:
> 
> > In article <slrnj8d8je.2mpt.g.kreme@ibook-g4-2.local>,
> >  Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:
> > 
> > > In message <SalmonEgg-3A2DFD.16124430092011@news60.forteinc.com> 
> > >   Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
> > > > In article <1k8eujo.1mn7lkmvkc8awN%nospam@see.signature>,
> > > >  nospam@see.signature (Richard Maine) wrote:
> > > 
> > > >> Oh, and another source of problems is using the same password for your
> > > >> bank as for various other random sites. Then when those other sites get
> > > >> hacked and have all their passwords stolen, the hacker has a good
> > > >> candidate to try for your bank password. Yes, there has been a flood of
> > > >> that recently.
> > > 
> > > > What I do in this regard is to keep a data base for various sites. I
> > > > have passwords that are combinations of letters, numbers, and 
> > > > punctuation. I type these out in a subjectively random fashion. I store
> > > > them with links to the sites. Each place gets its own password. I even
> > > > change them from time to time but probably not often enough. If I ever
> > > > lose my data base, I will be in deep trouble.
> > > 
> > > 1Password.
> > > 
> > > Go. Now.
> > > 
> > > (and unlike someone else who I am sure will be posting, I do *not* work
> > > for them :).
> > 
> > LastPass is both free and better, IMO:
> > 
> > <http://lastpass.com>
> 
> I was sold until I saw it was the same people that make Xmarks and 
> they've been 'blessed' by CNET.  I had a problem with Xmarks and logged
> into their forum.  There was no email address on their site.  I had to
> scrounge through DNS to get a contact address.  No response either on
> their forum or email.  Others have the same problem that haven't been
> addressed in 2 years.  Plus it's a subscriber-service model rather than
> a software product model.  I refuse to be a revenue stream for a company.
> 
> I won't go anywhere near this product or Xmarks.  Ever.
> 
> ymmv.

I had a very good support experience when I used xmarks, but that was
before they realised their revenue model was a failure and they were
bought out. Things might've changed.
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/1/2011 11:29:53 PM

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-10-01 10:03 AM, Fred Moore wrote:
> 
> > 1. If you're really that concerned about malware, demote your everyday
> > user account to 'normal' from 'admin', if you haven't already. This will
> > prevent a number of attack approaches. This has been discussed at length
> > in these hallowed halls. You still need an admin account, and you can
> > still do most of what you need with an admin password, but demoting
> > yourself is easy and relatively no hassle in practice.
> > 
> > 2. Google about social engineering malware, to learn the behavioral
> > basics like not supplying a password unless you know **EXACTLY** why
> > it's required, et al.
> > 
> > 3.  Relax so you don't get flustered and do something stupid. (This item
> > presumes you've completed 1 & 2.)
> 
> And let me add number 0. Keep your software and system up to date. In
> the Windows world (where the numbers are big enough to draw conclusions
> from) the large majority of compromises (other than the socially
> engineered ones) are exploiting vulnerabilities that have already been
> fixed by the vendors. Update, update, update!
> 
> Cheers,
> 
> -j

I'd also add that you should _never_ login to important or private sites
like online banking, online stores that you allow to store your credit
card to speed purchasing, etc, or remote login to your own computers
from strange computers or networks.

By 'strange' I mean a computer and/or network that is not 100% under
your control. Do not allow other people access to admin logins on your
own computers. Even family should only have standard accounts that
severely limit permissions and where files can be saved. Everyone else
should be forced to use the guest account (that wipes itself every time
it's logged out of). Fast user switching means you don't even have to
stop what you're doing if someone else wants to use your computer for a
moment - use it! Don't just let them use your own account, even for
'just a minute'.

If a friend comes over and wants to hop online, give them access only
between their computer and the internet. It helps to have such network
logins set up beforehand on your router that isolate a user from the rest
of your LAN. After they're gone change the password for the login you
gave them.

Or if you're out and about with your laptop, use VPN to secure your
communications between your laptop and a network you DO trust.

Oh - and for WiFi users - make sure you secure your network with WPA2 if
possible, or at least WEP if you've older gear. But I'd strongly suggest
you upgrade to WPA2 compliant hardware in a residential setting. Leaving
aside the security implications, you have no idea how many times I have
come across users stealing other people's WiFi.
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/1/2011 11:29:55 PM

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-10-01 4:47 PM, Jamie Kahn Genet wrote:
> 
> > I never could get 1Password to work properly - it would never prompt me
> > to save logins, amongst other issues. Agile support blamed my Leopard
> > issues, except that was early Leopard being very buggy on all systems,
> > not just one. Still, I couldn't really complain - I won it as part of a
> > competition a couple years back.
> 
> When you want to give it another try, let me know.

That will be when I get a smartphone, which given the horribly expensive
mobile data plans here in NZ, won't be anytime soon :-\

> > Nonetheless I still find password managers more hassle than they're
> > worth.
> 
> Then, at least in your case, we have failed. We want to make it easier
> to do the secure thing than to do the less secure thing. We can't always
> achieve that, but it really is what we design for.
> 
> > Instead I rely on strong unique passwords for important sites (banking,
> > OSX account logins, etc), a single strong password for sites I'd like to
> > keep private, but would not be hurt if they were compromised, and an
> > easy to remember less strong password for everything else (web forums,
> > etc).
> 
> If you are not already doing so, please include your main email account
> as something that requires the strongest level of passwords. Password
> "reset" mechanisms for many sites simply trust that you still control
> your email account.

Indeed. Email security is _key_, and worth singling out, as once someone
compromises your email account, some services still make it far too easy
to reset your password using only your email address. If you can, use
services that require security questions to reset your password, and for
goodness' sake don't use 'What is your mother's maiden name?'!! :-D

Not to mention the invasion of privacy if it's an IMAP account with all
your existing emails able to be read by an intruder, or with POP they
can read any new emails or even set up your service to forward all email
to them as well; and the potential for identity theft, phishing posing
as you to your friends and other people, harvesting of other people's
email addresses and names, theft of any private information stored in
email, etc, etc.

> > I change them periodically in a non-obvious sequence (to make it
> > easier to remember the changes), and despite the strong passwords
> > including capitalisation, punctuation, numbers, and being of a decent
> > length, they make up nonsense sayings or ideas that - so far as I know -
> > only have meaning to me.
> 
> I have an article on picking strong master passwords for 1Password, but
> it applies to anything that you need a very strong memorable password for.
> 
>   http://blog.agilebits.com/2011/06/toward-better-master-passwords/

And a good way to come up with any strong yet memorable password :-)

> What you are doing appears to be fine, as long as you really keep the
> strong ones unique. That puts a limit on the number of those that you
> can have.

However there is a flaw in my scheme: I'd run into trouble if I had more
than a handful of unique important passwords and sequences to remember
(at least given the state of my memory, heh). Still, most people
probably don't have too many important logins provided they avoid saving
their payment details on shopping sites that don't force re-entry if a
new address is used (or better yet don't save _any_ payment or address
details). Which brings up another point - before you let sites store
your payment info, make sure someone who gets your login can't buy stuff
and have it sent to a strange address.

So long as I do that I can keep most shopping sites in the 'strong but
not unique password' pool.

> > So yeah - so long as your memory is decent and you don't have more than
> > a handful of important logins, I reckon you can get by without a
> > homemade database or commercial password manager plus smartphone for
> > work, and still stay secure enough.
> 
> Your system is a major improvement on what the majority of Internet
> users do, so I'm not going to criticize. You found something that gives
> you reasonable security that works for you.
> 
> My only concern is that people who try to follow your practice may not
> have the discipline to ensure that they really are using unique passwords
> for important sites. They may start out with that, and have the best
> intentions, but it is hard to strictly maintain that.
> 
> Cheers,
> 
> -j

Or they'll stop periodically changing them. The user's good intentions
to use strong passwords and change them regularly are all well and good,
but when even very large companies like Sony lose massive numbers of
customers' personal details, one shouldn't trust companies to keep
passwords secure or to report theft in a timely manner.

Query - does 1Password prompt users to change stored passwords
occasionally, and how often? Or just the master password? Or neither? I
wonder if you do prompt them, how many ignore said prompt? As you point
out - a good system falls apart when a user becomes lax implementing it,
even if you automate as much as possible.

Assuming use only on secure networks and computers, I'd prompt users to
change their stored super long and random passwords at least once a
year, and the master password once a month. Or better yet force them,
though I suppose that's not doable with a third party password manager,
at least in a way users would accept.
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/2/2011 12:25:28 AM

On 11-10-01 4:56 PM, nospam wrote:
> In article <9epdboF5h4U1@mid.individual.net>, Jeffrey Goldberg
> <nobody@goldmark.org> wrote:

>> I'm sorry. I was talking about 1Password on the Mac. 

> so was i. not everyone uses the extensions.

The bugs you mentioned were specific to iOS, so I hope you will forgive
my misunderstanding.

>> You are correct that iOS development has been lagging. With enormous
>> changes to how browsers work and update, our focus has been elsewhere.
>> But you will see fixes to the iOS apps, but I can't promise when.
> 
> i heard the same line 2 years ago. 

Yeah. The bugs that you mentioned have been around for a very long time.
(I don't think it's been two years, but your overall point stands even
if it's "only" been 16 months.)

> i don't want a password manager whose development is lagging,

You do know that 1Password for Mac is very actively developed. There
have been scores of updates this year alone. Development for iOS is
lagging only in comparison to our Mac and Windows development.

> and with the new direction for the mac app,

Is this actually causing problems for you, or is your objection more
philosophical? The look and feel of our browser extensions has changed
dramatically with the new underlying technology. Although we might have
been able to delay the change for another few months, the change really
is something that we had to do.  With the impending demise of
ScriptingAdditions (do you know that in some of the Lion previews it was
actually removed, only to be added back in by Apple at the last minute?)
and the Firefox release schedule, the old way was looking backwards
instead of building to the future.

> it looks like it's time to switch to something else.

I'm sorry to hear that, but if you do make a switch, note that you can
export your 1Password data to CSV (and other formats) through

 File > Export All

Most systems will import reasonably well from CSV files.

Also as long as you have a system that the current version of 1Password
runs on, you will be able to get at and export your data any time in the
future.  We don't believe in lock in, but I do recommend that you make
an export now instead of years from now when version 3.8 may not work
on the system you have then.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/2/2011 1:27:01 AM

On 11-10-01 7:25 PM, Jamie Kahn Genet wrote:

> Query - does 1Password prompt users to change stored passwords
> occasionally, and how often?

No. It doesn't have this feature. Like many features it's under
consideration, but I can't say much more.

> Or just the master password? Or neither?

Neither. Unless you have a bad master password, there is no reason to
change it. The advice to change passwords is based on the possibility of
passwords being discovered. Discovery is either through network sniffing
(not an issue with master passwords as they never travel over the net,
even encrypted), or through password reuse. If your master password is
truly unique, then this isn't a concern either.

So I recommend that people get a good unique master password and keep it
for life.

> I
> wonder if you do prompt them, how many ignore said prompt? As you point
> out - a good system falls apart when a user becomes lax implementing it,
> even if you automate as much as possible.

We encourage unique passwords everywhere. With that, the need for
password changes is ameliorated. But it would be nice for us to have a
reminder in place for systems that require password changes.


> Assuming use only on secure networks and computers, I'd prompt users to
> change their stored super long and random passwords at least once a
> year, and the master password once a month.

I have to disagree. Forcing password changes when people use unique
passwords over unsniffable networks adds confusion for no significant
security gains.

Also your 1Password master password should be considered more like a PGP
or SSH private key password. These are passwords for life that shouldn't
be changed.

Cheers,

-j

-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/2/2011 1:36:34 AM
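
The model this post compares the master password to, a passphrase that protects a stored key as PGP and SSH do, sketched as an added example that is not part of the thread and not 1Password's code. PBKDF2 with an XOR pad and an HMAC tag stands in for a real key-wrap cipher so that it runs on the Python standard library; the function names, round count and passphrases are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for this sketch only; not a setting taken from any product.
PBKDF2_ROUNDS = 50_000


def _derive(password, salt):
    """Stretch the passphrase into a 16-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=48
    )
    return okm[:16], okm[16:]


def wrap_key(data_key, password):
    """Protect a random 128-bit data key with a passphrase.

    Stand-in construction: XOR with a PBKDF2-derived pad, then an HMAC over
    salt + wrapped key so a wrong passphrase is detected instead of silently
    yielding garbage. A fresh salt per wrap means the pad is never reused.
    """
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(blob, password):
    """Recover the data key, or raise ValueError if the passphrase is wrong."""
    pad, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(
        mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong passphrase or corrupted key blob")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def change_master_password(blob, old_password, new_password):
    """Re-wrap the same data key under a new passphrase.

    Nothing encrypted under the data key is touched; only the small wrapped
    blob is replaced.
    """
    return wrap_key(unwrap_key(blob, old_password), new_password)


def demo():
    """Constructed scenario: a backup taken before a passphrase change."""
    old_pw = "constructed old passphrase"
    new_pw = "constructed new passphrase"

    data_key = secrets.token_bytes(16)      # the key the vault items use
    old_backup = wrap_key(data_key, old_pw)  # copy saved before the change
    current = change_master_password(old_backup, old_pw, new_pw)

    try:
        unwrap_key(current, old_pw)
        old_opens_current = True
    except ValueError:
        old_opens_current = False

    return {
        # The passphrase never has to leave the machine: everything above is local.
        "old_pw_opens_current_blob": old_opens_current,
        # The old backup still unwraps to the key that protects today's data.
        "backup_key_equals_current_key": (
            unwrap_key(old_backup, old_pw)
            == unwrap_key(current, new_pw)
            == data_key
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The second result is why the strength and uniqueness of the passphrase matter more than its age: an old copy of the wrapped key remains worth exactly as much as the passphrase that protected it at the time.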

On 10-01-2011 11:42, Michael Vilain wrote:
> company whose software is keeping your passwords, why not write them on
> a sticky and keep them under your keyboard?

Which is what a lot of people do, now that so many sites force you to 
create a password you can't remember.

So, the attempt to enforce security actually weakens it.

On the other hand, someone who breaks into your system can't download
the sticky under the keyboard—not even if you fail to put tape on
the camera.  :-)

-- 
Wes Groleau

   There are two types of people in the world …
   http://Ideas.Lang-Learn.us/barrett?itemid=1157
0
Reply news31 (6448) 10/2/2011 2:16:22 AM

In article <j68hhm$f9s$9@dont-email.me>,
 Wes Groleau <Groleau+news@FreeShell.org> wrote:

> Which is what a lot of people do, now that so many sites force you to 
> create a password you can't remember.
> 
> So, the attempt to enforce security actually weakens it.
> 
> On the other hand, someone who breaks into your system can't download
> the sticky under the keyboard—not even if you fail to put tape on
> the camera.  :-)

I use Apple's keychain, but for web sites that have disabled it, I use 
1Password.  I don't use any of 1Password's other features, and haven't yet 
found a need for it on either of my iDevices.

-- 
Tea Party Patriots is to Patriotism as 
People's Democratic Republic is to Democracy.
0
Reply michelle14 (18619) 10/2/2011 3:30:33 AM

In article <9epsv6Fp06U1@mid.individual.net>, Jeffrey Goldberg
<nobody@goldmark.org> wrote:

> > and with the new direction for the mac app,
> 
> Is this actually causing problems for you, or is your objection more
> philosophical?

the problem is that it will be mac app store exclusive which means no
more fixes for anyone who doesn't use the app store for whatever
reason, plus the delete your app and lose your data nonsense.
0
Reply nospam59 (9950) 10/2/2011 3:40:28 AM

On Sat, 01 Oct 2011 20:40:28 -0700, nospam wrote:

> the problem is that it will be mac app store exclusive which means no
> more fixes for anyone who doesn't use the app store for whatever
> reason, plus the delete your app and lose your data nonsense.

No, 3.9 (version 4 when it's final) and 3.8 are being developed in
parallel.
From their web site: 

Will 1Password 3.8 still get updates?

Absolutely! Because 1Password 3.8 and 3.9 are so similar when we have a fix
for 3.9 we will include it in 3.8 as well, and vice versa: many fixes that
will go into 3.9 will originate from fixes we included in 3.8. A good
example of this is we brought Full Screen support from 3.9 into the 3.8.6
release and several of the 3.8.6 fixes will be included in future 3.9
releases.

The only exemption to this is any code that requires the new technologies
available in Lion (such as the new 1Password Helper menu on the main menu
bar). Since 3.8 supports Snow Leopard, we're not able to rely on these
technologies and so the feature won't be added.
0
Reply rwakefordfortynine (34) 10/2/2011 3:56:05 AM

In article <1k8ibqt.au8iuf1tf4syvN%jamiekg@wizardling.geek.nz>,
 jamiekg@wizardling.geek.nz (Jamie Kahn Genet) wrote:

> I had a very good support experience when I used xmarks, but that was
> before they realised their revenue model was a failure and they were
> bought out. Things might've changed.

Nothing's changed as far as I can tell.

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10611) 10/2/2011 3:58:41 AM

On 11-10-01 10:56 PM, Richard Wakeford wrote:
> On Sat, 01 Oct 2011 20:40:28 -0700, nospam wrote:
> 
>> the problem is that it will be mac app store exclusive which means no
>> more fixes for anyone who doesn't use the app store for whatever
>> reason, plus the delete your app and lose your data nonsense.
> 
> No, 3.9 (version 4 when it's final) and 3.8 are being developed in
> parallel.
> From their web site: 
> 
> Will 1Password 3.8 still get updates?
> 
> Absolutely! Because 1Password 3.8 and 3.9 are so similar when we have a fix
> for 3.9 we will include it in 3.8 as well, and vice versa: many fixes that
> will go into 3.9 will originate from fixes we included in 3.8. A good
> example of this is we brought Full Screen support from 3.9 into the 3.8.6
> release and several of the 3.8.6 fixes will be included in future 3.9
> releases.

Indeed. Because we can release updates more quickly to the non-MAS
version, it is currently well ahead of the MAS version in bug fixes.

But the new extension model allows us to update the browser extensions
for both at the same time without requiring getting a new version of the
1Password application.

If nospam has a philosophical objection to dealing with a company that
sells through the MAS, there really isn't anything I can say.  What I
can say is that we really don't want to spend our time and effort
managing our own store. But this comes at a substantial cost.

From my point of view the thing that I like least about selling through
the MAS is that we can't offer refunds ourselves. We like having our 30
day refund policy, and I hate having to tell people who ask for refunds
that they need to talk to Apple about that.

There are other downsides to using the MAS, but on balance, we obviously
think that the advantages are greater.

One thing is that it greatly simplifies the whole license business. We
had a variety of different licenses. The MAS purchase is now sort of
like our "Family License". Also it simplifies the security of downloads
and updates. Many of the security improvements over the past year have
been to our updater mechanism to ensure that people didn't get malicious
copies (not that we are aware of such things in existence, but we wanted
to head that off before it became a threat). Having Apple's codesigning
and download and updates through the MAS allows us to remove a whole
chunk of business from the code that never really contributed to what
users want to do.

Another thing is that we have to protect our customer database (we don't
store credit card numbers). Apple, for user privacy, gives no
information about individual purchasers to developers. While this makes
our customer data base less useful (because it lacks all MAS
purchasers), it also means that we don't have responsibility for that data.

Anyway, there are loads of reasons for and against, but those are just a
few that I wanted to mention here.

Cheers,

-j



-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/2/2011 10:10:30 PM

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-10-01 7:25 PM, Jamie Kahn Genet wrote:
> 
> > Query - does 1Password prompt users to change stored passwords
> > occasionally, and how often?
> 
> No. It doesn't have this feature. Like many features it's under
> consideration, but I can't say much more.
> 
> > Or just the master password? Or neither?
> 
> Neither. Unless you have a bad master password, there is no reason to
> change it. The advice to change passwords is based on the possibility of
> passwords being discovered. Discovery is either through network sniffing
> (not an issue with master passwords as they never travel over the net,
> even encrypted), or through password reuse. If your master password is
> truly unique, then this isn't a concern either.
> 
> So I recommend that people get a good unique master password and keep it
> for life.
> 
> > I
> > wonder if you do prompt them, how many ignore said prompt? As you point
> > out - a good system falls apart when a user becomes lax implementing it,
> > even if you automate as much as possible.
> 
> We encourage unique passwords everywhere. With that, the need for
> password changes is ameliorated. But it would be nice for us to have a
> reminder in place for systems that require password changes.

I know I'd feel happier if I could set the password manager software to
prompt me to create a new online banking password at a set interval
(maybe every year if I never bank online on strange computers such as
those at work, for example. Maybe every month if I do).

> > Assuming use only on secure networks and computers, I'd prompt users to
> > change their stored super long and random passwords at least once a
> > year, and the master password once a month.
> 
> I have to disagree. Forcing password changes when people use unique
> passwords over unsniffable networks adds confusion for no significant
> security gains.

Well I'd only bother for my handful of important services. Not every
single login to a random web forum.

> Also your 1Password master password should be considered more like a PGP
> or SSH private key password. These are passwords for life that shouldn't
> be changed.
> 
> Cheers,
> 
> -j

I'm a little more paranoid - I don't completely trust other companies to
look after my login info for their services, as there have been too many
examples where they have not done so. I cringe every time a company
contacts me to advise my login info was stolen - it has happened three
times in as many years.
As for the master password - its security relies on having a secure
network and computers/smartphone. Again - my paranoia rears its head...
:-)

Still, as I use a system to alter my important passwords in a
non-obvious way, it would be easy for me to create a new master password
every month, and remember it. I'm in the habit and would appreciate
software that prodded me to do so.

Granted the risks of one's master password being compromised are slim,
but as it's easy for me to do the above I might as well. However I agree
that my paranoia is not for everyone, heh, and most people would likely
be adequately served by a strong unique and unchanging master password,
provided they were very careful where they use it.

But I completely disagree one never need change passwords for important
services - for the reasons I gave above. To suggest otherwise seems
somewhat foolhardy IMHO.
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/2/2011 11:26:18 PM

In article <9es5qmFk5oU1@mid.individual.net>,
 Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-10-01 10:56 PM, Richard Wakeford wrote:
> > On Sat, 01 Oct 2011 20:40:28 -0700, nospam wrote:
> > 
> >> the problem is that it will be mac app store exclusive which means no
> >> more fixes for anyone who doesn't use the app store for whatever
> >> reason, plus the delete your app and lose your data nonsense.
> > 
> > No, 3.9 (version 4 when it's final) and 3.8 are being developed in
> > parallel.
> > From their web site: 
> > 
> > Will 1Password 3.8 still get updates?
> > 
> > Absolutely! Because 1Password 3.8 and 3.9 are so similar when we have a fix
> > for 3.9 we will include it in 3.8 as well, and vice versa: many fixes that
> > will go into 3.9 will originate from fixes we included in 3.8. A good
> > example of this is we brought Full Screen support from 3.9 into the 3.8.6
> > release and several of the 3.8.6 fixes will be included in future 3.9
> > releases.
> 
> Indeed. Because we can release updates more quickly to the non-MAS
> version, it is currently well ahead of the MAS version in bug fixes.
> 
> But the new extension model allows us to update the browser extensions
> for both at the same time without requiring getting a new version of the
> 1Password application.
> 
> If nospam has a philosophical objection to dealing with a company that
> sells through the MAS, there really isn't anything I can say.  What I
> can say is that we really don't want to spend our time and effort
> managing our own store. But this comes at a substantial cost.
> 
> From my point of view the thing that I like least about selling through
> the MAS is that we can't offer refunds ourselves. We like having our 30
> day refund policy, and I hate having to tell people who ask for refunds
> that they need to talk to Apple about that.
> 
> There are other downsides to using the MAS, but on balance, we obviously
> think that the advantages are greater.
> 
> One thing is that it greatly simplifies the whole license business. We
> had a variety of different licenses. The MAS purchase is now sort of
> like our "Family License". Also it simplifies the security of downloads
> and updates. Many of the security improvements over the past year have
> been to our updater mechanism to ensure that people didn't get malicious
> copies (not that we are aware of such things in existence, but we wanted
> to head that off before it became a threat). Having Apple's codesigning
> and download and updates through the MAS allows us to remove a whole
> chunk of business from the code that never really contributed to what
> users want to do.
> 
> Another thing is that we have to protect our customer database (we don't
> store credit card numbers). Apple, for user privacy, gives no
> information about individual purchasers to developers. While this makes
> our customer data base less useful (because it lacks all MAS
> purchasers), it also means that we don't have responsibility for that data.
> 
> Anyway, there are loads of reasons for and against, but those are just a
> few that I wanted to mention here.
> 
> Cheers,
> 
> -j

I personally will find another password manager that does not use the 
Macintosh Apple Store when 1Password transitions to selling exclusively 
through the Macintosh Apple Store.  I refuse to buy anything costing 
more than $10 from there because of the "no refunds policy" their 
support people quoted the last time I complained about a product.  I 
think the courts in California would invalidate that policy and wonder 
if someone buys a $200 product what would happen if they took Apple to 
Small Claims Court on it.  Apple used to have a 'no refunds on Apple 
Equipment' policy but if you complain enough, they used to take care of 
you to make things right.

I wonder what will happen when I do a chargeback for the 2nd time and my 
Apple ID is flagged as invalid.  I won't be able to buy from iTunes or 
the Apple Store again.  That's a risk I'll take when the time comes.

I can see why a small vendor would be willing to use the Mac Apple Store 
rather than sell a product themselves.  But I won't be buying those 
products.  If that's where 1Password is going, thanks for the heads up.  
I'll start looking for a replacement now.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


0
Reply vilain2 (1952) 10/3/2011 1:25:44 AM

On 11-10-02 6:26 PM, Jamie Kahn Genet wrote:
> Jeffrey Goldberg <nobody@goldmark.org> wrote:

>> Also your 1Password master password should be considered more like a PGP
>> or SSH private key password. These are passwords for life that shouldn't
>> be changed.

> I'm a little more paranoid - I don't completely trust other companies to
> look after my login info for their services,

I'm sorry, but you are making the mistake where paranoia is leading you
to make poor security decisions. But it's not your fault. It's mine,
sort of.

Your 1Password master password isn't subject to compromise of anybody
else's service. It *never* leaves your machine in any form. (That is,
not even an encrypted or hashed version leaves your machine or is
written to disk.)

> As for the master password - its security relies on having a secure
> network and computers/smartphone. Again - my paranoia rears its head...
> :-)

Changing your 1Password master password, other things being equal,
actually weakens your security. Again, the same is true for things like
PGP and SSH.

The core distinction is that some passwords (like logins for various
services) are passwords for authentication. Other passwords, like your
1Password master password, are passwords for encryption. These serve
very different functions and need to be treated differently.

When you create a 1Password database, 1Password will pick a random
128-bit number (using cryptographically suitable random number
generators). This number is your actual de/en-cryption key. This is the
key that your data is encrypted with.

Your master password is used to encrypt that encryption key, using a
process described here:

 http://blog.agilebits.com/2011/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/

Shortened: http://goo.gl/94tLN

Changing your master password does not actually change your decryption
key. Thus by changing your master password you are increasing the
opportunity for someone to get at your decryption key if they have older
copies of your data.

There are a number of strong reasons why things like 1Password, SSH, PGP
and the like use this notion of having a random key protected by a
password, but one of the disadvantages is that changing a master
password does not provide the security that people may think it does.

So for applications where a strong password is used to protect a random
key, I hope I've made the case against frequent changes of passwords.
(I'll return to discussion of how this should be presented to users.)

Now for the other cases.

Frequent password changes, unless your passwords are truly random, mean
that you have a system. Passwords that you use in one instance (time and
place) are related to passwords that you use in other instances. A
compromised or malicious site could, after enough of your password
changes, work out your system. Also the process of a password change
offers its own attack surface. The added complexity for the user is a
big cost; complexity leads to error. What I am saying is that there are
security costs - some tiny, some significant - in changing a password
for some service. Those costs must be balanced against the security gain
from a password change.

So I will repeat again, by far the biggest reason that people are told to
change passwords is because of the concern that they use the same
password for other services. If you are using truly unique passwords for
a service and you use unsniffable network connections, the security gain
from a password change is marginal.

> Still, as I use a system to alter my important passwords in a
> non-obvious way, it would be easy for me to create a new master password
> every month, and remember it. I'm in the habit and would appreciate
> software that prodded me to do so.

I have been looking at ways in which we can actually discourage people
from changing their master passwords frequently. Maybe just text in the
password change dialogue that says "A strong, unique master password is
for life" with a link to some of our documents explaining what I've
explained here.

I'm afraid that you have fallen into the trap of leaping from "change
your site password once a year" to "changing every password once a month
will be more secure". It just doesn't work that way. Trade-offs need to
be considered.

Now I will return to the thing that keeps me up at night. What the user
thinks is happening when they change a master password isn't what is
really happening. This can and does lead people into taking steps that
weaken their security.

I really really want 1Password to be a tool for people who don't want to
study cryptographic protocols and dig into security. The idea is to
bring top notch security to the typical user. I think we succeed at
this, but it means that we conceal the complexity of what is going on
under the hood. I've written before that convenience and simplicity are
part of security:

 http://blog.agilebits.com/2011/08/convenience-is-security/

Almost everyone's experience with passwords is for authentication, so
they will tend to treat a 1Password master password the same way. Even
sophisticated users like you will make that mistake. In some instances,
this kind of error has led to really serious problems. The release of
the unredacted WikiLeaks cables is a consequence of exactly this error.
A journalist was given a password that he treated as an authentication
password instead of as an encryption one. See Matt Blaze's analysis:

 http://www.crypto.com/blog/wikileaking/

But again, the whole point of bringing serious security to ordinary
users means that they should be able to use the system without having to
get lectures on things like this.  This is why the model of how things
work that is presented to the user is so much simpler than what really
happens. This, over all, is a good thing. We are trying to present
something that is enormously complicated in a simple enough fashion that
anyone can use it.

The downside of this is exactly what we encounter in this case (and in a
few others). Users build up an incorrect mental model of what is going
on, but sometimes they act on that incorrect model and do damage to
themselves. I'd love it if they would all read our "behind the scenes"
documentation before doing so. (We do document all of this.) But we know
that that isn't going to happen.

So the question we constantly face is how much complexity we present to
the "innocent" user to help forestall errors by the exceptional user who
wants to tinker or be "extra clever" with how they use the system.

As I said, this is what keeps me up at night. Our "security trade-offs"
are almost always one kind of security versus another. And when I learn
that people are doing the kind of thing that you are doing, I have a
great pit in my stomach. I can expand our FAQ and maybe I can get a note
in the password changing dialogue box advising people not to.

Ultimately we have three routes we can go.

(1) Not conceal the complexity, but then have a tool that will appeal
only to geeks. Thus leaving ordinary users without good password
management. (There's a reason why PGP never caught on.)

(2) Continue with what we are doing, accepting that there are dangers
when the user model differs from what is really happening.

(3) Use naive protocols and architecture in the implementation that
matches a simple user model. It will be bad security for a number of
reasons, but it will never surprise the user (except if the
weaknesses of the system bite them).

So I still think we are doing the right thing by going with (2), but it
isn't a costless decision.

> But I completely disagree one never need change passwords for important
> services - for the reasons I gave above. To suggest otherwise seems
> somewhat foolhardy IMHO.

I hope that I've explained why encryption passwords should never be
changed (unless you know that they are weak for some reason or other).

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/3/2011 2:06:22 AM

In message <9eovgsFjimU1@mid.individual.net> 
  Jeffrey Goldberg <nobody@goldmark.org> wrote:
> On 11-10-01 9:39 AM, Jolly Roger wrote:

>> 1Password is definitely more buggy than LastPass, IME. And LastPass is 
>> free.

> Our new extension design that came into play with the release of Safari
> 5.1 was buggy at first. It is much much better now. And, of course, it
> is better than not having an extension at all.

As a non-employee I can confirm that it was very very buggy, and that it
isn't now.


-- 
I intend to live forever -- so far, so good!
0
Reply g.kreme (2905) 10/3/2011 3:43:19 AM

In message <011020111042567380%nospam@nospam.invalid> 
  nospam <nospam@nospam.invalid> wrote:
> In article <9eovgsFjimU1@mid.individual.net>, Jeffrey Goldberg
> <nobody@goldmark.org> wrote:

>> > 1Password is definitely more buggy than LastPass, IME. And LastPass is 
>> > free.
>> 
>> 1Password and LastPass have very different ways of operating. It would
>> be unseemly of me to discuss the merits of each. So I will only talk
>> about the bugginess in 1Password that you may have encountered.
>> 
>> Our new extension design that came into play with the release of Safari
>> 5.1 was buggy at first. It is much much better now. And, of course, it
>> is better than not having an extension at all.

> this is apparently indicative of the problem. you are concerned with
> bugs in the extensions, not the app itself. a lot of people do not use
> the extensions (ios users, for instance) and are stuck with unresolved
> bugs in the app.

> still to this day, there are *numerous* bugs, some of which are a
> trivial fix (wrong keyboard comes up on the iphone, very easy to
> change). other bugs include the list not updating properly when entries
> are added or deleted (you have to switch out and back to get the new
> item to show up), items showing up in the wrong order, as well as the
> occasional crash. most of them are 100% reproducible. i reported them a
> couple of years ago, certainly by now they could have been fixed.

Hmm. I don't think I've ever had a non-beta of 1Password.app crash. I
don't know what you mean by the wrong keyboard in the iOS app, but I
only use it to copy passwords on rare occasions.

-- 
I WILL NOT ENCOURAGE OTHERS TO FLY Bart chalkboard Ep. 7F03
0
Reply g.kreme (2905) 10/3/2011 3:47:17 AM

In message <9epsv6Fp06U1@mid.individual.net> 
  Jeffrey Goldberg <nobody@goldmark.org> wrote:
> I'm sorry to hear that, but if you do make a switch, note that you can
> export your 1Password data to CSV (and other formats) through

You can also open up the keychain package and open the 1Password.html
file and access all your passwords even without 1Password.


-- 
He [Edward d'Eath] could think in italics. Such people needed watching.
Preferably from a safe distance. 
0
Reply g.kreme (2905) 10/3/2011 3:51:42 AM

In message <jollyroger-9AEDB1.09383801102011@news.individual.net> 
  Jolly Roger <jollyroger@pobox.com> wrote:
> In article <slrnj8d8je.2mpt.g.kreme@ibook-g4-2.local>,
>  Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:

>> In message <SalmonEgg-3A2DFD.16124430092011@news60.forteinc.com> 
>>   Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
>> > In article <1k8eujo.1mn7lkmvkc8awN%nospam@see.signature>,
>> >  nospam@see.signature (Richard Maine) wrote:
>> 
>> >> Oh, and another source of problems is using the same password for your
>> >> bank as for various other random sites. Then when those other sites get
>> >> hacked and have all their passwords stolen, the hacker has a good
>> >> candidate to try for your bank password. Yes, there has been a flood of
>> >> that recently.
>> 
>> > What I do in this regard is to keep a data base for various sites. I 
>> > have passwords that are combinations of letters, numbers, and 
>> > punctuation. I type these out in a subjectively random fashion. I store 
>> > them with links to the sites. Each place gets its own password. I even 
>> > change them from time to time but probably not often enough. If I ever 
>> > lose my data base, I will be in deep trouble.
>> 
>> 1Password.
>> 
>> Go. Now.
>> 
>> (and unlike someone else who I am sure will be posting, I do *not* work
>> for them :).

> LastPass is both free and better, IMO:

> <http://lastpass.com>

LastPass is pretty nifty, especially considering it's free, but I don't
see any way in which it is better than 1Password. 

-- 
My little brother got his arm stuck in the microwave. So my mom had to
take him to the hospital. My grandma dropped acid this morning, and she
freaked out. She hijacked a busload of penguins. So it's sort of a
family crisis. Bye!
0
Reply g.kreme (2905) 10/3/2011 4:08:56 AM

On 11-10-02 8:25 PM, Michael Vilain wrote:
> In article <9es5qmFk5oU1@mid.individual.net>,
>  Jeffrey Goldberg <nobody@goldmark.org> wrote:

>> From my point of view the thing that I like least about selling through
>> the MAS is that we can't offer refunds ourselves. We like having our 30
>> day refund policy, and I hate having to tell people who ask for refunds
>> that they need to talk to Apple about that.

> I personally will find another password manager that does not use the 
> Macintosh Apple Store when 1Password transitions to selling exclusively 
> through the Macintosh Apple Store.

Nothing is written in stone about how we will distribute 1Password 4.
1Password 3.8 will continue to be developed and available outside of the
MAS. There are lots of reasons why moving to MAS only would make our
lives much easier, but you are not the first person to tell us this.

> I refuse to buy anything costing 
> more than $10 from there because of the "no refunds policy" their 
> support people quoted the last time I complained about a product.

I really hope that they change this or are forced to change it:

> I 
> think the courts in California would invalidate that policy and wonder 
> if someone buys a $200 product what would happen if they took Apple to 
> Small Claims Court on it.

I agree.

> I can see why a small vendor would be willing to use the Mac Apple Store 
> rather than sell a product themselves.  But I won't be buying those 
> products.  If that's where 1Password is going, thanks for the heads up.  
> I'll start looking for a replacement now.

We want to simplify our business processes and make things simpler for
customers. But we certainly don't want to scare customers away. So we
are *looking at* MAS only from 4.0 onward. We have not committed to any
such plan. What we have committed to is developing 3.8 (non-MAS version)
along side 3.9 (MAS version) at least until 4.0.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/3/2011 4:10:10 AM

In message <jollyroger-6170D0.16421301102011@news.individual.net> 
  Jolly Roger <jollyroger@pobox.com> wrote:
> In article <vilain-3D0449.10073101102011@news.individual.net>,
>  Michael Vilain <vilain@NOspamcop.net> wrote:

>> In article <jollyroger-1F6EF8.11271601102011@news.individual.net>,
>>  Jolly Roger <jollyroger@pobox.com> wrote:
>> 
>> > In article <vilain-AD5010.08382601102011@news.individual.net>,
>> >  Michael Vilain <vilain@NOspamcop.net> wrote:
>> > 
>> > > I won't go anywhere near this product or Xmarks.  Ever.
>> > 
>> > You're silly.
>> 
>> Maybe I am silly.  But I tried to use their software by creating an 
>> account using my personal email account.  One that I've had for over 15 
>> years.  It didn't take it.  So I went onto their forums to look for a 
>> solution.  Apparently the validation for email accounts has bugs in it.  
>> Others had the same problem that were not addressed over 2 years ago.

> Perhaps it's an edge case that simply does not affect most users. And 
> most people have alternative addresses. If so, I can understand it not 
> being very high priority for them. If it affected me, I would have 
> submitted an actual support request.

If it indicates that they are NOT deleting accounts that the user
deleted that is an indication of a huge problem as far as I'm concerned.
If I delete an account I expect it to be deleted.



-- 
people didn't seem to be able to remember what it was like with the
elves around. Life was certainly more interesting then, but usually
because it was shorter. And it was more colourful, if you liked the
colour of blood.  --Lords and Ladies
0
Reply g.kreme (2905) 10/3/2011 4:16:12 AM

On Sun, 02 Oct 2011 18:25:44 -0700, Michael Vilain wrote:

> If that's where 1Password is going, thanks for the heads up.  
> I'll start looking for a replacement now.

I wonder if you'll find one? ;-)
Admittedly I've never tried another, but these guys bend over backwards to
make it work with all the browser changes and OS changes and I certainly
couldn't live without it.
0
Reply rwakefordfortynine (34) 10/3/2011 4:16:12 AM

In message <1k8ibxs.1wb4u5r9dmm36N%jamiekg@wizardling.geek.nz> 
  Jamie Kahn Genet <jamiekg@wizardling.geek.nz> wrote:
> I'd also add that you should _never_ login to important or private sites
> like online banking, online stores that you allow storage your credit
> card to speed purchasing, etc, or remote login to your own computers
> from strange computers or networks.

Don't trust SSL?

> If a friend comes over and wants to hop online, give them access only
> between their computer and the internet. It helps to have such network
> logins setup beforehand on your router that isolate a user from the rest
> of your LAN. After they're gone change the password for the login you
> gave them.

When my friends come over they have access to all the shared files on my
LAN so they can stream music or video on their computers.

These are my friends, after all.

> Or if you're out and about with your laptop, use VPN to secure your
> communications between your laptop and a network you DO trust.

Shame Apple forces you to use Server to set up a VPN.

> Oh - and for WiFi users - make sure you secure your network with WPA2 if
> possible, or at least WEP if you've older gear. But I'd strongly suggest
> you upgrade to WPA2 compliant hardware in a residential setting. Leaving
> aside the security implications, you have no idea how many times I have
> come across users stealing other people's WiFi.

I leave my wifi open so anyone can use it. I do name it something like
"Watchingyou" or "freeviruses" or "kittyporn" or "AllahIsGreat" which
seems to keep strangers off of it, but I prefer it be open in case
someone does need it. Of course, I do not live in an especially dense
area like a large apartment building.


-- 
Yeah, Nick. Nick's the kinda guy you can trust. Nick's your buddy Nick's
the kinda guy you drink beers with. The kinda guy that doesn't care if
you puke in his car. Nick.
0
Reply g.kreme (2905) 10/3/2011 4:22:23 AM

On 11-10-02 11:22 PM, Lewis wrote:

> I leave my wifi open so anyone can use it.

The problem with that is that your local traffic over WiFi is not encrypted.

I really wish that the WiFi standards had allowed for a open access but
encrypted setting.

> I do name it something like
> "Watchingyou" or "freeviruses" or "kittyporn" or "AllahIsGreat" which
> seems to keep strangers off of it,

I like that.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/3/2011 5:18:04 AM

In article <1k8kuv0.8onf7r2zompuN%jamiekg@wizardling.geek.nz>,
 jamiekg@wizardling.geek.nz (Jamie Kahn Genet) wrote:

> > Don't trust SSL?
> 
> It still gives away too much for my tastes, like what email host I'm
> using, or which bank I'm logging into. I'd rather give nothing away on a
> public network.

http://www.torproject.org/

-- 
Celle est une langue.     |   With the nutty taste of wild hickory nuts.
C'est francais           /|\              I'm whoever you want me to be.
et tres, tres sexuel.    \|/         Annoying Usenet one post at a time.
- China Azul              |            At least I can stay in character.
0
Reply chine.bleu (667) 10/3/2011 7:36:48 AM

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-10-02 6:26 PM, Jamie Kahn Genet wrote:
> > Jeffrey Goldberg <nobody@goldmark.org> wrote:
> 
> >> Also your 1Password master password should be considered more like a PGP
> >> or SSH private key password. These are passwords for life that shouldn't
> >> be changed.
> 
> > I'm a little more paranoid - I don't completely trust other companies to
> > look after my login info for their services,
> 
> I'm sorry, but you are making the mistake where paranoia is leading you
> to make poor security decisions. But it's not your fault. It's mine,
> sort of.
> 
> Your 1Password master password isn't subject to compromise of anybody
> else's service. It *never* leaves your machine in any form. (That is,
> not even an encrypted or hashed version leaves your machine or is
> written to disk.)

Yes, I know. You're skimming over what I'm saying, I suspect :-) I'm not
talking about the master password above. I'm talking about do I trust
XYZ company (e.g. Amazon, SOE, Google, etc) to protect my login info
used for their service? It's reasonably safe on my home computer in the
keychain or 1Password for that matter. Experience tells me it is not so
safe in some company database on a login server somewhere. As I
mentioned I have had several instances where companies have contacted me
to say they've had my login info stolen. Plus I'm aware of many other
instances where this has happened, yet not directly affected me. So, no
- I do not completely trust third parties with my login info for their
services. Again - not talking about master passwords/keys.

But if I'm using a crossplatform password storage app (and I would
nowadays given my time spent in Windows *sigh*), I would still change the
master password/decryption key monthly, and make sure old backed up
copies of the encrypted login database were not easily accessible. Yeah
- both my key and the encrypted data could be stolen at once, in which
case I'm screwed. Or my key _and_ the key to my encrypted backups _and_
knowledge of the system I use to change the key periodically _and_ the
length of time between my changing of said key :-D Just kidding. But if
both the decryption key and the encrypted data were stolen at once I'm
screwed for sure. Later changing the key won't help, obviously. I know
that :-)

But if just my key is stolen and it is later used to try to decrypt my
data, so long as I've since changed said key, I'm protected.

OTOH now I think about it malware authors would likely upload both
harvested key and encrypted logins immediately, for a known password
storage app. They are crafty bastards.

Ok, I admit - it's pointless changing one's decryption key so often :-D
You've convinced me. Or rather I have by following my line of thought
above to its logical conclusion.

But however I approach it, it's still foolhardy not to occasionally
change passwords for important services. Unlike the master password/key,
they are stored both locally and by the company running the service -
which is the weak link more than people realise.
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/3/2011 7:42:11 AM

Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:

> In message <1k8ibxs.1wb4u5r9dmm36N%jamiekg@wizardling.geek.nz> 
>   Jamie Kahn Genet <jamiekg@wizardling.geek.nz> wrote:
> > I'd also add that you should _never_ login to important or private sites
> > like online banking, online stores that you allow storage your credit
> > card to speed purchasing, etc, or remote login to your own computers
> > from strange computers or networks.
> 
> Don't trust SSL?

It still gives away too much for my tastes, like what email host I'm
using, or which bank I'm logging into. I'd rather give nothing away on a
public network.

> > If a friend comes over and wants to hop online, give them access only
> > between their computer and the internet. It helps to have such network
> > logins setup beforehand on your router that isolate a user from the rest
> > of your LAN. After they're gone change the password for the login you
> > gave them.
> 
> When my friends come over they have access to all the shared files on my
> LAN so they can stream music or video on their computers.
> 
> These are my friends, after all.

I keep a couple USB keys for sharing files, or if they really need a
network connection to my machines, I have that ready to go as well. I
just prefer not to, especially if they want to network their Windows
laptop to my Windows computer. Windows to Mac or *inix I'm more ok with.
But if they only need internet access, I'm not going to open up my LAN
to them as well. Never give more access than necessary.

> > Or if you're out and about with your laptop, use VPN to secure your
> > communications between your laptop and a network you DO trust.
> 
> Shame Apple forces you to use Server to set up a VPN.

There are simpler solutions such as GoToMyPC, but VPN isn't that hard to
set up for the mildly geeky or better.

> > Oh - and for WiFi users - make sure you secure your network with WPA2 if
> > possible, or at least WEP if you've older gear. But I'd strongly suggest
> > you upgrade to WPA2 compliant hardware in a residential setting. Leaving
> > aside the security implications, you have no idea how many times I have
> > come across users stealing other people's WiFi.
> 
> I leave my wifi open so anyone can use it. I do name it something like
> "Watchingyou" or "freeviruses" or "kittyporn" or "AllahIsGreat" which
> seems to keep strangers off of it, but I prefer it be open in case
> someone does need it. Of course, I do not live in an especially dense
> area like a large apartment building.

Ah, well we pay for data here in NZ, but I like your names *chuckles*
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/3/2011 8:00:04 AM

In article <slrnj8idod.2quk.g.kreme@ibook-g4-2.local>,
 Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:

> In message <jollyroger-6170D0.16421301102011@news.individual.net> 
>   Jolly Roger <jollyroger@pobox.com> wrote:
> > In article <vilain-3D0449.10073101102011@news.individual.net>,
> >  Michael Vilain <vilain@NOspamcop.net> wrote:
> 
> >> In article <jollyroger-1F6EF8.11271601102011@news.individual.net>,
> >>  Jolly Roger <jollyroger@pobox.com> wrote:
> >> 
> >> > In article <vilain-AD5010.08382601102011@news.individual.net>,
> >> >  Michael Vilain <vilain@NOspamcop.net> wrote:
> >> > 
> >> > > I won't go anywhere near this product or Xmarks.  Ever.
> >> > 
> >> > You're silly.
> >> 
> >> Maybe I am silly.  But I tried to use their software by creating an 
> >> account using my personal email account.  One that I've had for over 15 
> >> years.  It didn't take it.  So I went onto their forums to look for a 
> >> solution.  Apparently the validation for email accounts has bugs in it.  
> >> Others had the same problem that were not addressed over 2 years ago.
> 
> > Perhaps it's an edge case that simply does not affect most users. And 
> > most people have alternative addresses. If so, I can understand it not 
> > being very high priority for them. If it affected me, I would have 
> > submitted an actual support request.
> 
> If it indicates that they are NOT deleting accounts that the user
> deleted that is an indication of a huge problem as far as I'm concerned.
> If I delete an account I expect it to be deleted.

To be honest, I'm skeptical that he actually deleted the account to 
begin with.

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10611) 10/3/2011 11:58:35 AM

In article <slrnj8idao.2quk.g.kreme@ibook-g4-2.local>,
 Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:

> In message <jollyroger-9AEDB1.09383801102011@news.individual.net> 
>   Jolly Roger <jollyroger@pobox.com> wrote:
> > In article <slrnj8d8je.2mpt.g.kreme@ibook-g4-2.local>,
> >  Lewis <g.kreme@gmail.com.dontsendmecopies> wrote:
> 
> >> In message <SalmonEgg-3A2DFD.16124430092011@news60.forteinc.com> 
> >>   Salmon Egg <SalmonEgg@sbcglobal.net> wrote:
> >> > In article <1k8eujo.1mn7lkmvkc8awN%nospam@see.signature>,
> >> >  nospam@see.signature (Richard Maine) wrote:
> >> 
> >> >> Oh, and another source of problems is using the same password for your
> >> >> bank as for various other random sites. Then when those other sites get
> >> >> hacked and have all their passwords stolen, the hacker has a good
> >> >> candidate to try for your bank password. Yes, there has been a flood of
> >> >> that recently.
> >> 
> >> > What I do in this regard is to keep a data base for various sites. I 
> >> > have passwords that are combinations of letters, numbers, and 
> >> > punctuation. I type these out in a subjectively random fashion. I store 
> >> > them with links to the sites. Each place gets its own password. I even 
> >> > change them from time to time but probably not often enough. If I ever 
> >> > lose my data base, I will be in deep trouble.
> >> 
> >> 1Password.
> >> 
> >> Go. Now.
> >> 
> >> (and unlike someone else who I am sure will be posting, I do *not* work
> >> for them :).
> 
> > LastPass is both free and better, IMO:
> 
> > <http://lastpass.com>
> 
> LastPass is pretty nifty, especially considering it's free, but I don't
> see any way in which it is better than 1Password.

It's definitely less buggy IME.

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10611) 10/3/2011 11:59:17 AM

On 11-10-03 2:42 AM, Jamie Kahn Genet wrote:

> But if I'm using a crossplatform password storage app (and I would
> nowadays given my time spent in Windows *sigh*), I would still change the
> master password/decryption key monthly, and make sure old backed up
> copies of the encrypted login database were not easily accessible.

You are aware of 1Password for Windows?

And here you see the design advantage of treating your master password
as an encryption password (encrypting a key) instead of as an
authentication password. What gets synced (typically using Dropbox) is
the encrypted copy of the random key. So even with the syncing of your
data, I continue to say that your master password never leaves your
machine, even in a hashed or encrypted form.  Your master password only
exists in your head and for the fraction of a second needed to decrypt
the encryption key after you type it in.


> OTOH now I think about it malware authors would likely upload both
> harvested key and encrypted logins immediately, for a known password
> storage app. They are crafty bastards.

Additionally, we should figure that once a machine is compromised, it
stays compromised. A master password change after a compromise provides
no help unless the malware has been eliminated. (And if there was
malware that attacked 1Password, then you should generate a new
1Password keychain, with a new encryption key, instead of changing the
master password. Note that that is not a procedure that should be
repeated any more than absolutely necessary as it involves decrypting
and storing all of the data and then re-encrypting it with the new key.
It's slow and there is a lot of time when the decrypted data is sitting
around. That is why we don't provide a "button" to do that.)


> Ok, I admit - it's pointless changing one's decryption key so often :-D
> You've convinced me. Or rather I have by following my line of thought
> above to its logical conclusion.

OK. Thanks.

> But however I approach it, it's still foolhardy not to occasionally
> change passwords for important services. Unlike the master password/key,
> they are stored both locally and by the company running the service -
> which is the weak link more than people realise.

Agreed. But frequent changes don't buy you additional security when the
security costs of changes are taken into account.

Cheers,

-j

-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/3/2011 4:43:43 PM
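
The distinction drawn in Jeffrey Goldberg's two posts above (changing the master password versus generating a new keychain with a new encryption key), as an added example that is not part of the thread and not 1Password's code. It assumes PBKDF2-HMAC-SHA256 for the password step and an HMAC-based encrypt-then-MAC construction as a stand-in for a real cipher; all function names, passwords and item values are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 10_000  # constructed value, kept low so the demo runs quickly


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher such as AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def subkeys(key):
    """Derive separate encryption and MAC keys from one key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag, then decrypt. Raises ValueError on a wrong key."""
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def wrap_key(password, data_key):
    """Encrypt the random data key under a key derived from the password."""
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + seal(kek, data_key)


def unwrap_key(password, wrapped):
    salt, blob = wrapped[:16], wrapped[16:]
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return unseal(kek, blob)


def create_vault(password, items):
    data_key = secrets.token_bytes(16)  # random 128-bit key, as the post describes
    return {"wrapped_key": wrap_key(password, data_key),
            "items": {n: seal(data_key, v.encode()) for n, v in items.items()}}


def change_master_password(vault, old, new):
    """Re-wrap the SAME data key under the new password; items are untouched."""
    data_key = unwrap_key(old, vault["wrapped_key"])
    return {"wrapped_key": wrap_key(new, data_key), "items": dict(vault["items"])}


def rekey(vault, password):
    """New data key: every item is decrypted and re-encrypted (the slow path)."""
    old_key, new_key = unwrap_key(password, vault["wrapped_key"]), secrets.token_bytes(16)
    items = {n: seal(new_key, unseal(old_key, b)) for n, b in vault["items"].items()}
    return {"wrapped_key": wrap_key(password, new_key), "items": items}


def read_with_old_copy(old_copy, old_password, current, name):
    """Does an older copy of the vault plus the OLD password open CURRENT data?"""
    key = unwrap_key(old_password, old_copy["wrapped_key"])
    try:
        return unseal(key, current["items"][name]).decode()
    except ValueError:
        return None


def demo():
    old_pw, new_pw = "old master (constructed)", "new master (constructed)"
    v0 = create_vault(old_pw, {"bank": "bank-login (constructed)"})
    v1 = change_master_password(v0, old_pw, new_pw)
    # An item stored only after the password change.
    v1["items"]["mail"] = seal(unwrap_key(new_pw, v1["wrapped_key"]),
                               b"added-after-change (constructed)")
    try:
        unwrap_key(old_pw, v1["wrapped_key"])
        old_pw_unlocks_current = True
    except ValueError:
        old_pw_unlocks_current = False
    return {
        "old_password_unlocks_current_vault": old_pw_unlocks_current,
        "old_copy_reads_after_password_change": read_with_old_copy(v0, old_pw, v1, "mail"),
        "old_copy_reads_after_rekey": read_with_old_copy(v0, old_pw, rekey(v1, new_pw), "mail"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result!r}")
```

The old password is rejected by the current vault, yet an older copy of the wrapped key still yields the key that decrypts an item added after the password change; only the re-key path cuts that link.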

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> Agreed. But frequent changes don't buy you additional security when the
> security costs of changes are taken into account.

Yup. I've seen people's passwords be compromised *BECAUSE* of changing
them. Admittedly, that's usually in conjunction with other problems, but
the changing of the password was still an integral part of the
compromise.

A prime example is changing a password over an unencrypted connection.
Yes, it happens; I've seen it. Sure the unencrypted connection was part
of the problem (a large part). But changing the password was also part.

-- 
Richard Maine                    | Good judgment comes from experience;
email: last name at domain . net | experience comes from bad judgment.
domain: summertriangle           |  -- Mark Twain
0
Reply nospam47 (9742) 10/3/2011 5:30:58 PM

On 10-02-2011 22:06, Jeffrey Goldberg wrote:
> I have been looking at ways in which we can actually discourage people
> from changing their master passwords frequently. Maybe just text in the

You could remove the ability to do so, and explain why in the FAQ.

-- 
Wes Groleau

   There are two types of people in the world …
   http://Ideas.Lang-Learn.us/barrett?itemid=1157
0
Reply news31 (6448) 10/4/2011 12:49:09 AM

On 10-03-2011 13:30, Richard Maine wrote:
> A prime example is changing a password over an unencrypted connection.

Or a phishing connection

-- 
Wes Groleau

   There are two types of people in the world …
   http://Ideas.Lang-Learn.us/barrett?itemid=1157
0
Reply news31 (6448) 10/4/2011 12:52:23 AM

On 11-10-03 7:49 PM, Wes Groleau wrote:
> On 10-02-2011 22:06, Jeffrey Goldberg wrote:
>> I have been looking at ways in which we can actually discourage people
>> from changing their master passwords frequently. Maybe just text in the
> 
> You could remove the ability to do so, and explain why in the FAQ.

That means defining "too frequently" and keeping track of these things.
That is an example of the kind of additional complexity for little gain
that we try to avoid.

I've updated all of our docs on "how to change your master password".
Putting in some text in the password change dialogue box is under
consideration.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/4/2011 2:51:20 AM

On 11-10-03 11:13 PM, Jamie Kahn Genet wrote:

> Far too many people disable browser warnings about moving from secure
> pages to partially secure or insecure pages :-(

The culprits for this are site administrators who have mixed content and
just tell people to ignore the warnings. We are training people to behave
insecurely.

My favorite example illustrating "training people to behave insecurely"
is this:

 http://www.physorg.com/news203054814.html

(I don't want to spoil the surprise, but it is an article about a scheme
to get drivers to slow down.)

The full-sized picture is here:

 http://cdn.physorg.com/newman/gfx/news/hires/canadianauth.jpg

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/4/2011 3:33:21 AM

In article <slrnj8ic25.2quk.g.kreme@ibook-g4-2.local>, Lewis
<g.kreme@gmail.com.dontsendmecopies> wrote:

> > still to this day, there are *numerous* bugs, some of which are a
> > trivial fix (wrong keyboard comes up on the iphone, very easy to
> > change). other bugs include the list not updating properly when entries
> > are added or deleted (you have to switch out and back to get the new
> > item to show up), items showing up in the wrong order, as well as the
> > occasional crash. most of them are 100% reproducible. i reported them a
> > couple of years ago, certainly by now they could have been fixed.
> 
> Hmm. I don't think I've ever had a non-beta of 1Password.app crash.

importing exported data will crash, every time. i used to do that to
keep two ios devices in sync but now that i have more than just two, i
switched to dropbox so this bug could have been fixed (although i doubt
it).

> I don't know what you mean by the wrong keyboard in the iOS app, but I
> only use it to copy passwords on rare occasions.

1password brings up the standard qwerty keyboard, even if the field
being edited is entirely numeric, such as credit card numbers, phone
numbers, usa zip codes, etc. worse, it's in letters mode, requiring an
additional tap to get into numbers/symbols mode. this is a very trivial
change, and would take a couple of minutes to fix, if that long.
0
Reply nospam59 (9950) 10/4/2011 3:44:35 AM

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-10-03 2:42 AM, Jamie Kahn Genet wrote:
> 
> > But if I'm using a crossplatform password storage app (and I would
> > nowadays given my time spent in Windows *sigh*), I would still change the
> > master password/decryption key monthly, and make sure old backed up
> > copies of the encrypted login database were not easily accessible.
> 
> You are aware of 1Password for Windows?

Not really, but I get by with my password system, keychain in OSX, and
Firefox's login storage on other OSes.

> And here you see the design advantage of treating your master password
> as an encryption password (encrypting a key) instead of as an
> authentication password. What gets synced (typically using Dropbox) is
> the encrypted copy of the random key. So even with the syncing of your
> data, I continue to say that your master password never leaves your
> machine, even in a hashed or encrypted form.  Your master password only
> exists in your head and for the fraction of a second needed to decrypt
> the encryption key after you type it in.
> 
> 
> > OTOH now I think about it malware authors would likely upload both
> > harvested key and encrypted logins immediately, for a known password
> > storage app. They are crafty bastards.
> 
> Additionally, we should figure that once a machine is compromised, it
> stays compromised.

Indeed. I never trust a system once compromised. Not with rootkits and
the like.

> A master password change after a compromise provides no help unless the
> malware has been eliminated. (And if there was malware that attacked
> 1Password, then you should generate a new 1Password keychain, with a new
> encryption key, instead of changing the master password. Note that that is
> not a procedure that should be repeated any more than absolutely necessary
> as it involves decrypting and storing all of the data and then
> re-encrypting it with the new key. It's slow and there is a lot of time
> when the decrypted data is sitting around. That is why we don't provide a
> "button" to do that.)

Ah, well I can understand why, then.

> > Ok, I admit - it's pointless changing one's decryption key so often :-D
> > You've convinced me. Or rather I have by following my line of thought
> > above to its logical conclusion.
> 
> OK. Thanks.

Heh. Well I'm a reasonable guy once I think things through logically,
though I can sometimes require a nudge in the right direction to do so
:-)

> > But however I approach it, it's still foolhardy not to occasionally
> > change passwords for important services. Unlike the master password/key,
> > they are stored both locally and by the company running the service -
> > which is the weak link more than people realise.
> 
> Agreed. But frequent changes don't buy you additional security when the
> security costs of changes are taken into account.
> 
> Cheers,
> 
> -j

For sure - having a strong unique password for important services and
only using it in secure environments, offers far more security than
changing passwords. But I'd still say with only a handful of important
services, changing passwords is worthwhile provided it's not taken to
extremes. If by security costs you mean the hassle involved leading to
users becoming sloppy, I agree. But with my system I don't feel burdened
by it, and thus don't have any inclination to get sloppy. But - yeah -
I'm with you on a strong password being the key thing.
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/4/2011 4:13:17 AM
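
The difference discussed above between changing the master password and generating a new keychain with a new encryption key, as an added sketch (not part of any post, and not 1Password's code or file format). The function names, the PBKDF2 parameters and the HMAC-based stand-in cipher (used because Python's standard library has no AES) are assumptions for illustration only.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher, demo only.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def _kek(master_password, salt):
    # Key-encryption key derived from the master password; never stored.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def new_keychain(master_password, items):
    salt, data_key = secrets.token_bytes(16), secrets.token_bytes(32)
    return {"salt": salt,
            "wrapped_key": seal(_kek(master_password, salt), data_key),
            "items": [seal(data_key, item) for item in items]}

def unlock(keychain, master_password):
    return unseal(_kek(master_password, keychain["salt"]), keychain["wrapped_key"])

def change_master_password(keychain, old, new):
    # Only the wrapper changes; the data key and item ciphertexts are untouched.
    data_key, salt = unlock(keychain, old), secrets.token_bytes(16)
    return {"salt": salt, "wrapped_key": seal(_kek(new, salt), data_key),
            "items": keychain["items"]}

def new_keychain_with_new_key(keychain, master_password):
    # Every item is decrypted and held in the clear before re-encryption.
    data_key = unlock(keychain, master_password)
    plaintext_items = [unseal(data_key, blob) for blob in keychain["items"]]
    return new_keychain(master_password, plaintext_items)
```

A data key captured before `change_master_password` still opens every item afterwards, because the item ciphertexts are unchanged; only `new_keychain_with_new_key` invalidates it, at the cost of handling all plaintext at once.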

Richard Maine <nospam@see.signature> wrote:

> Jeffrey Goldberg <nobody@goldmark.org> wrote:
> 
> > Agreed. But frequent changes don't buy you additional security when the
> > security costs of changes are taken into account.
> 
> Yup. I've seen people's passwords be compromised *BECAUSE* of changing
> them. Admittedly, that's usually in conjunction with other problems, but
> the changing of the password was still an integral part of the
> compromise.
> 
> A prime example is changing a password over an unencrypted connection.
> Yes, it happens; I've seen it. Sure the unencrypted connection was part
> of the problem (a large part). But changing the password was also part.

Far too many people disable browser warnings about moving from secure
pages to partially secure or insecure pages :-(
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/4/2011 4:13:19 AM

Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-10-03 11:13 PM, Jamie Kahn Genet wrote:
> 
> > Far too many people disable browser warnings about moving from secure
> > pages to partially secure or insecure pages :-(
> 
> The culprits for this are site administrators who have mixed content and
> just tell people to ignore the warnings. We are training people to behave
> insecurely.
> 
> My favorite example illustrating "training people to behave insecurely"
> is this:
> 
>  http://www.physorg.com/news203054814.html
> 
> (I don't want to spoil the surprise, but it is an article about a scheme
> to get drivers to slow down.)
> 
> The full-sized picture is here:
> 
>  http://cdn.physorg.com/newman/gfx/news/hires/canadianauth.jpg
> 
> Cheers,
> 
> -j

Oh my...
-- 
If you're not part of the solution, you're part of the precipitate.
0
Reply jamiekg505 (2561) 10/4/2011 4:41:11 AM

On 11-10-03 10:44 PM, nospam wrote:
> In article <slrnj8ic25.2quk.g.kreme@ibook-g4-2.local>, Lewis
> <g.kreme@gmail.com.dontsendmecopies> wrote:

>> Hmm. I don't think I've ever had a non-beta of 1Password.app crash.
> 
> importing exported data will crash, every time. i used to do that to
> keep two ios devices in sync

Ah. So to clarify, you are talking about the iOS versions again, instead
of about 1Password for Mac.  Importing and exporting data that way was
*never* the recommended way to synchronize data between two iOS devices.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
0
Reply nobody30 (1816) 10/4/2011 5:49:33 AM

In article <9evl3eF9suU1@mid.individual.net>, Jeffrey Goldberg
<nobody@goldmark.org> wrote:

> >> Hmm. I don't think I've ever had a non-beta of 1Password.app crash.
> > 
> > importing exported data will crash, every time. i used to do that to
> > keep two ios devices in sync
> 
> Ah. So to clarify, you are talking about the iOS versions again, instead
> of about 1Password for Mac.  Importing and exporting data that way was
> *never* the recommended way to synchronize data between two iOS devices.

recommended or not, it should not crash.

it's also the only option available to ios users unless they also buy
the mac app, which is required to configure dropbox syncing. once
dropbox sync is set up, it doesn't look like the mac app matters
anymore, so why require it at all? 

as for the mac version, edit or add an item and it won't always show up
in the list (and not always in the proper order if it does) until you
force the list to redisplay. ios has this problem too. this bug does
not always happen.
0
Reply nospam59 (9950) 10/4/2011 7:18:28 AM

In article <9evd42Fj31U1@mid.individual.net>,
 Jeffrey Goldberg <nobody@goldmark.org> wrote:

> On 11-10-03 11:13 PM, Jamie Kahn Genet wrote:
> 
> > Far too many people disable browser warnings about moving from secure
> > pages to partially secure or insecure pages :-(
> 
> The culprits for this are site administrators who have mixed content and
> just tell people to ignore the warnings. We are training people to behave
> insecurely.
> 
> My favorite example illustrating "training people to behave insecurely"
> is this:
> 
>  http://www.physorg.com/news203054814.html
> 
> (I don't want to spoil the surprise, but it is an article about a scheme
> to get drivers to slow down.)
> 
> The full-sized picture is here:
> 
>  http://cdn.physorg.com/newman/gfx/news/hires/canadianauth.jpg
> 

Such schemes can have unintended consequences.  The authorities tried a 
system of warning lights somewhere in or around London to warn if you 
were going too fast when approaching a junction.

Result? Deliberately setting off the lights became a sport for some.

-- 
Paul Sture
0
Reply paul.nospam (2160) 10/4/2011 8:41:52 AM

On 2011-10-04 04:41 , Paul Sture wrote:
> In article<9evd42Fj31U1@mid.individual.net>,
>   Jeffrey Goldberg<nobody@goldmark.org>  wrote:
>
>> On 11-10-03 11:13 PM, Jamie Kahn Genet wrote:
>>
>>> Far too many people disable browser warnings about moving from secure
>>> pages to partially secure or insecure pages :-(
>>
>> The culprits for this are site administrators who have mixed content and
>> just tell people to ignore the warnings. We are training people to behave
>> insecurely.
>>
>> My favorite example illustrating "training people to behave insecurely"
>> is this:
>>
>>   http://www.physorg.com/news203054814.html
>>
>> (I don't want to spoil the surprise, but it is an article about a scheme
>> to get drivers to slow down.)
>>
>> The full-sized picture is here:
>>
>>   http://cdn.physorg.com/newman/gfx/news/hires/canadianauth.jpg
>>
>
> Such schemes can have unintended consequences.  The authorities tried a
> system of warning lights somewhere in or around London to warn if you
> were going too fast when approaching a junction.

Watching Ken Burns' "Prohibition" on PBS the last couple nights, 
conclusion is tonight.  Talk about "unintended consequences" (!).

-- 
gmail originated posts filtered due to spam.
0
Reply alan.browne (4015) 10/4/2011 4:46:50 PM

77 Replies
34 Views
