See comments below

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of Jonathan
Sent: Monday, July 06, 2015 7:05 PM
To: [email protected]
Subject: Re: [MLO] Local security

 

 Dwight, thank you for a clear and helpful comment. 

 

The MLO profile as it sits on Windows is not clear text but it’s not encrypted 
either

 

when you say "profile" - do you mean one single file of MLO, or are you talking 
about MLO's application that sits on my computer in general

and also - how can one get to the un-clear text ? 

 

 

I am talking about the “one single file of MLO.” – if you use file>open you 
will see a list of your available profile files, it’s anything ending in “.ml” 
– you can look at the raw contents of any file by using any file dump utility, 
the easiest way for someone new is to open the file in the Notepad utility. 
Caution: if you do anything to modify or save the file it will probably damage 
it.

 

If someone gets a copy of your profile and does not know what it is, dumping 
out the contents will not reveal anything

 

how can a person get a copy?

you said "anyone who knows my userID", but why would anyone have that 
unless I want him to?...

I'm not following you here

 

I suppose that what I am trying to say is this: there are two aspects of 
security in this discussion: (1) preventing anyone from seeing your data, and 
(2) making your data useless to anyone who does succeed in seeing it. To say it 
a different way (1) access controls and (2) encryption. You are suggesting that 
your access controls are adequate. Perhaps they are, but as a general rule a 
determined attacker can usually defeat access controls. I’m not going to try to 
provide any tutorial on how access controls can be defeated, I just want to 
make the point that if all you have to protect your data are access controls, 
then if someone wants your data badly enough they will succeed in getting it. 
See 
http://www.theguardian.com/technology/2015/jun/04/us-government-massive-data-breach-employee-records-security-clearances

if they manage to figure out that the file belongs to MLO (not too challenging 
to do) anyone can get a free copy of MLO and use it to print out all of your 
tasks and projects

 

again, how is that possible?

if I have a local password as well? (-->tools-->options-->password protection)

 

Sorry, I had forgotten about that password. My mistake. I forgot about it 
because I have a low opinion of passwords, however, a profile protected by a 
password like this is clearly better protected than one without the password. 
It would be enough to discourage a casual snoop from getting your data. If 
someone wants your data badly enough, there is usually a way of cracking your 
password. See https://en.wikipedia.org/wiki/Password_cracking 

 

There may be solutions where you can encrypt certain files such as your MLO 
profile, and then arrange for the MLO program to see a decrypted image of the 
file. I have no knowledge of such solutions so I cannot comment on their 
feasibility or their adequacy, however, I could note that if the file itself is 
protected by encryption, then any backups would presumably be encrypted as well.

 

 Anyone who does have a recommendation about this?

disadvantages about using one of the encryption software or maybe other 
suggestions?

or should I not trust the system for that purpose?

 My wish is to make sure that nobody but myself and people who know the 
password (both the ID password or the entry password) will have access

 

You have mentioned several times that what you want to protect is your profile 
data. In order to do a proper security analysis you would also need to discuss 
what you want to protect it _from._ What makes you think that anyone would want 
to see your task list? Does it contain passwords to other valuable assets? Are 
there competitive issues? Is it just a matter of personal privacy? From this 
you can consider potential attackers. How many are there? How much time and 
money do you think they would be willing to invest in gaining access to your 
information. If it is one curious individual who is just being nosy and who 
does not have a lot of spare time or money, the password may be adequate. If 
you are working on a project that involves massive economic value and you have 
well-financed agents trying to uncover your plans, well, you need something way 
beyond what MLO can do. If you have the password to your bank account, as I 
said earlier, I would suggest using an encrypted password management system.

 

MLO is amazing

This forum is very helpful as well and I want to thank you one more time,

Dwight

all

tnks

 

 

 

 

 

 

On Monday, July 6, 2015 at 07:36:39 UTC+3, Dwight Arthur wrote:

Hi, Jonathan.

In general, MLO data is not encrypted. When you use MLO cloud sync, the data is 
encrypted while in transit from your device to the cloud, and while in transit 
from the cloud back to your device. This encryption is because MLO Cloud Sync 
uses Secure Sockets Layer (SSL) or maybe its successor, Transport Layer 
Security (TLS). SSL or TLS are very respectable but are not unbreakable. You 
can learn more about them at 
https://en.wikipedia.org/wiki/Transport_Layer_Security. Are they adequate? 
The answer depends on how much security you need, and 
from whom. If you are trying to keep something secret from the US National 
Security Agency, then it’s not adequate. If you want to keep your coworkers 
from eavesdropping and getting a copy of your project plans, this is probably 
more than adequate.

 

The cloud sync database itself is stored inside of the cloud computing service 
known as Amazon Web Services, which is a well respected provider of cloud 
computing. The database is not encrypted but it is protected by AWS’s standard 
login security. There are applications that are much more sensitive than MLO 
running on AWS. Again, the question of adequacy depends on what security you 
need. If I had a project plan that had a reasonable chance of bankrupting 
Amazon Corporation, and Amazon knew about it, I would not trust MLO cloud 
security to keep it secret. If I was worried about my family members or 
coworkers, I would not be concerned about the cloud storage.

 

The weakest link is your computer. The MLO profile as it sits on Windows is not 
clear text but it’s not encrypted either. If someone gets a copy of your 
profile and does not know what it is, dumping out the contents will not reveal 
anything. However, I would guess that a reasonably skilled hacker with a lot of 
time or some good tools could figure out your projects from a copy of your 
file. Even worse, if they manage to figure out that the file belongs to MLO 
(not too challenging to do) anyone can get a free copy of MLO and use it to 
print out all of your tasks and projects. So the question is: who would be able 
to get a copy of your file if you have a good password on your user ID? Answer: 
anyone who knows the password on your userid. Also, if your pc is on a 
corporate network, then the system administrators of your network. Or, if your 
PC is shared among several family members, then anyone who knows the Admin 
password, which probably means any smart teenaged children in your family. 
Also, as you mention, backups are a concern: Anyone who can restore your MLO 
profile to their own computer from your backup can just get a free copy of MLO 
and look at your whole profile.

 

There may be solutions where you can encrypt certain files such as your MLO 
profile, and then arrange for the MLO program to see a decrypted image of the 
file. I have no knowledge of such solutions so I cannot comment on their 
feasibility or their adequacy, however, I could note that if the file itself is 
protected by encryption, then any backups would presumably be encrypted as well.

 

You mention systems that would make encrypted backups. I believe that this is 
feasible, however it would not do anything to mitigate the risk of someone 
accessing your computer to obtain a copy of the profile. If you believe that 
there is no significant risk of someone breaching your computer itself, and no 
one but you would be taking backups, but you believe there’s a risk of someone 
obtaining copies of backups after they are made, then an encrypted backup would 
be a solution. This sounds to me like it would probably not be effective, it 
would be like having strong locks on all the windows but leaving the front door 
open.

 

The bottom line for me is that there are a number of things that I would not 
put into MLO, including my date of birth and my social security number, my 
planned gifts for my wife’s birthday, the account numbers and passwords for my 
bank accounts and insurance accounts. I keep that stuff in a password manager 
(https://en.wikipedia.org/wiki/Password_manager) and when needed I put a link 
into MLO pointing to the relevant record in the password manager. I believe 
that MLO security is adequate for non-sensitive information but not adequate 
for sensitive information. I should note that there are very few applications 
and systems available today that I consider adequate for sensitive information, 
and MLO’s security is in my opinion equal to or better than the majority of all 
productivity apps, most of which I consider inadequate. I do not believe that 
there has been any announcement or suggestion that MLO will be enhanced in the 
near future to provide radically better security. From the other direction, 
there have recently been a number of user requests for a web interface to allow 
MLO users to view, change and create tasks, this would be a secured public 
interface to the cloud database. In my view if the MLO developers build such a 
thing it will effectively lower the level of security available for your data.

-Dwight

 

 

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of Jonathan

Sent: Friday, July 03, 2015 9:33 PM

To: [email protected]

Subject: [MLO] Local security

 

Hello,

 

please forgive me for possible mistakes in English

 

I was looking for similar posts but couldn't find a specific answer to my small 
issue -

 

I understand from earlier posts that the data is backed up and encrypted between 
devices on MLO's cloud service

 

but since I'm not a computer expert I wanted to ask a more basic question:

 

assuming that I use the password protect feature, How secure is the encryption 
on the computer itself, if any?

 

1. MLO data file

2. Local Backups

3. advanced backups

 

*** I use 2 different computers at work and prefer not to use it on a flash 
drive

 

if one has access to the computer and wishes to see my data, by mistake or on 
purpose, or a computer technician has access to computer/s etc - how can they 
see the data if they really want to?

 

I also have my own MLO Pro in my home and it would even help me there, as I'd 
like to be as relaxed as I can about this (even if it's just paranoia, which it 
is not)

 

suppose it's not good enough for my needs - do you have better recommendations 
about a better solution such as Axcrypt / Boxcrypter / Truecrypt etc ?

 

(and I'm talking about backups too!)

 

if so - would it not mess up my wifi / cloud sync (right now I use cloud 
service but this can change) or something?

 

I hope I was clear enough

 

THANK YOU in advance

 

regards

-- 

You received this message because you are subscribed to the Google Groups 
"MyLifeOrganized" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].

To post to this group, send email to [email protected].

Visit this group at http://groups.google.com/group/mylifeorganized.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/mylifeorganized/a00952c0-308e-498d-a323-c0909ab784c7%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
