Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread Mick
On Wednesday 22 Jul 2015 01:32:10 Dale wrote:
 Mick wrote:
  On Tuesday 21 Jul 2015 18:35:27 Dale wrote:

  From what I recall about Lastpass, it does encrypt the data locally then
  uploads it.  I recall reading that if you lose your master password,
  they can't get in it either.  All they get is encrypted data.  Of all
  the things I read about when looking for a password manager, Lastpass
  was the only thing that came close to what I wanted.  After using it a
  while, it is all I need.
  
  https://lastpass.com/how-it-works
  
  Right, your data may be encrypted locally, but if you use a browser to
  decrypt it (after it is downloaded to your PC) then there are attack
  vectors (e.g. XSS) for the decrypted data to be leaked out of your
  machine.
 
 Well, couldn't the same be said if it is encrypted on a USB stick?
 Anytime you encrypt something, you have to decrypt it to use it and that
 has to be done somewhere.

Of course, but if it is done using an application whose main purpose is 
not to connect to the Internet (i.e. your browser), the real estate exposed to 
a potential attack reduces significantly.


  I've had USB sticks break before.  They are also easy to lose.  I'd
  prefer not to store something that important on a USB stick.
  
  Dale
  
  :-)  :-)
  
  I didn't clarify that you should use something like gpg to encrypt your
  file(s) on the USB stick, as I do this with all sensitive files not just
  passwords.  I more or less assumed that it is the done thing.  Broken USB
  sticks you can drive a drill through, or throw in a fire.  Stolen USB
  sticks will at least be encrypted.
  
  If you are really paranoid you could also use dm-crypt to additionally
  encrypt the whole USB partition.
 
 My point is, if you put the info on a USB stick and lose it, you have
 now lost all your passwords.  If it fails, same problem.  

In either of these failure modes your solution is to forget about your first 
USB stick and go dig out your second USB stick.

 The way
 Lastpass works, even if your computer dies from say a house fire, once
 you login to Lastpass with your new puter, you are back in business.
 
 Dale

In the case of a house fire we are in a DR scenario.  You head straight to 
your brother's place.  You'll need a place to stay anyway if your house burnt 
down, so you might as well check that backup USB you left there.  ;-)

-- 
Regards,
Mick




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread Dale
Mick wrote:
 On Wednesday 22 Jul 2015 01:32:10 Dale wrote:
 Mick wrote:
 On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
 From what I recall about Lastpass, it does encrypt the data locally then
 uploads it.  I recall reading that if you lose your master password,
 they can't get in it either.  All they get is encrypted data.  Of all
 the things I read about when looking for a password manager, Lastpass
 was the only thing that came close to what I wanted.  After using it a
 while, it is all I need.

 https://lastpass.com/how-it-works
 Right, your data may be encrypted locally, but if you use a browser to
 decrypt it (after it is downloaded to your PC) then there are attack
 vectors (e.g. XSS) for the decrypted data to be leaked out of your
 machine.
 Well, couldn't the same be said if it is encrypted on a USB stick?
 Anytime you encrypt something, you have to decrypt it to use it and that
 has to be done somewhere.
 Of course, but if it is done using an application whose main purpose is 
 not to connect to the Internet (i.e. your browser), the real estate exposed to 
 a potential attack reduces significantly.



So, don't use something that is within your browser but then go and type
that password . . . in your browser?  Yea, that'll work.  Heck, if I
really wanted something that secure, I'd unplug the ethernet cable and
turn off my modem.  Then I might be secure. 


 I've had USB sticks break before.  They are also easy to lose.  I'd
 prefer not to store something that important on a USB stick.

 Dale

 :-)  :-)
 I didn't clarify that you should use something like gpg to encrypt your
 file(s) on the USB stick, as I do this with all sensitive files not just
 passwords.  I more or less assumed that it is the done thing.  Broken USB
 sticks you can drive a drill through, or throw in a fire.  Stolen USB
 sticks will at least be encrypted.

 If you are really paranoid you could also use dm-crypt to additionally
 encrypt the whole USB partition.
 My point is, if you put the info on a USB stick and lose it, you have
 now lost all your passwords.  If it fails, same problem.  
 In either of these failure modes your solution is to forget about your first 
 USB stick and go dig out your second USB stick.

Just how many of these sticks do I need?  Are we looking at a dozen or
more which will have to be all kept up to date as well?  Come on, be
realistic here.  I doubt anyone is going to spend the time to do all that. 



 The way
 Lastpass works, even if your computer dies from say a house fire, once
 you login to Lastpass with your new puter, you are back in business.

 Dale
 In the case of a house fire we are in a DR scenario.  You head straight to 
 your brother's place.  You'll need a place to stay anyway if your house burnt 
 down, so you might as well check that backup USB you left there.  ;-)



But with Lastpass, I don't have to worry about that.  I can go to my
brother's house, put my email and password in Lastpass and carry on with
life.  No need for a USB stick at all or having to wonder when was the
last time I updated the passwords on it either. 

I'm trying to be realistic here.  I try to be as secure as I can but
within REASON.  As I mentioned above, if I really need and must be that
secure, I'd unplug the ethernet cable and turn off my modem.  Then I
wouldn't have to worry about it unless someone broke into my home.  Of
course, I wouldn't have the benefit of using the internet either. 

Dale

:-)  :-)




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread covici
Neil Bothwick n...@digimed.co.uk wrote:

 On Tue, 21 Jul 2015 22:05:57 -0400, cov...@ccs.covici.com wrote:
 
   Have you tried KeePass? It does what you are doing but with a decent
   interface and the ability to type the details into web pages for
   you.  
  
  But does it store the data on someone's server?  Where they could have a
  data breach?
 
 It stores it in a single, encrypted file, wherever you put it. You can put
 the file on a cloud server if you wish, but it's just a file, useless
 without the decryption key.

Is there a command line interface to keepass?  I don't want to be tied
down to some gui which may or may not work for me.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread Neil Bothwick
On Wed, 22 Jul 2015 13:00:10 +1000, wraeth wrote:

 KeePass is Qt based and has a client at least for Linux and Windows, as
 well as an Android app (DroidPass).

There are several Android clients, I use Keepass2Android.


-- 
Neil Bothwick

A pessimist complains about the noise when opportunity knocks.




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread Neil Bothwick
On Tue, 21 Jul 2015 22:05:57 -0400, cov...@ccs.covici.com wrote:

  Have you tried KeePass? It does what you are doing but with a decent
  interface and the ability to type the details into web pages for
  you.  
 
 But does it store the data on someone's server?  Where they could have a
 data breach?

It stores it in a single, encrypted file, wherever you put it. You can put
the file on a cloud server if you wish, but it's just a file, useless
without the decryption key.


-- 
Neil Bothwick

God created the world in six days.  On the seventh day he also decided
to create England... just to try out his Practical Joke Weather Machine.




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread Mick
On Wednesday 22 Jul 2015 19:43:43 Dale wrote:

 So, don't use something that is within your browser but then go and type
 that password . . . in your browser?  Yea, that'll work.  Heck, if I
 really wanted something that secure, I'd unplug the ethernet cable and
 turn off my modem.  Then I might be secure.

LOL!  No, I meant that you decrypt your passwd-containing text file, sql file, 
localc file, or whatever file you use.  Then you use something like cat, or 
less, or localc to view/search it.  It can all be scripted so that you run a 
single command alias in a terminal and it asks you for your gpg passphrase, 
before it opens the file for you.

A terminal is unlikely to suffer from XSS, javascript injection, sql 
injection, et al. but a browser could.  Then you can copy & paste whichever 
account passwd you needed into a browser, but this will NOT be your master 
passphrase.  Even if the passwd you paste into a browser ends up being 
compromised, it will only be one passwd and a single account, rather than your 
master passphrase and all your accounts.


 Just how many of these sticks do I need?  Are we looking at a dozen or
 more which will have to be all kept up to date as well?  Come on, be
 realistic here.  I doubt anyone is going to spend the time to do all that.

You need more than one, if you want to keep your passwds file stored off your 
machine.  I keep mine on a PC which is air-gapped and a second copy on a USB 
stick.  You may need a third copy kept at different premises, if you want to 
guard against DR.


 But with Lastpass, I don't have to worry about that.  I can go to my
 brother's house, put my email and password in Lastpass and carry on with
 life.  No need for a USB stick at all or having to wonder when was the
 last time I updated the passwords on it either.
 
 I'm trying to be realistic here.  I try to be as secure as I can but
 within REASON.  As I mentioned above, if I really need and must be that
 secure, I'd unplug the ethernet cable and turn off my modem.  Then I
 wouldn't have to worry about it unless someone broke into my home.  Of
 course, I wouldn't have the benefit of using the internet either.

Sure, security and convenience are not always best bedfellows.  We are 
discussing hypothetical risks here and different users' risk tolerances.  
If you encrypt the file separately with a strong key before you upload it, and 
this encryption key is different to your authentication key on the Lastpass 
website, then the risk of your encrypted file being cracked is rather low.  
When people discovered that their Lastpass account had been compromised, this 
did not necessarily mean that their encrypted file had been compromised too.  
However, I don't know exactly what the security architecture of Lastpass is to 
comment on the specifics.  All I'm saying is that I wouldn't trust storing my 
passwds on the cloud for the sake of convenience.

YMMV.  :-)

-- 
Regards,
Mick
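The terminal-only workflow Mick describes above, written out as an added example that is not part of the thread; it also covers the clipboard-manager objection raised in reply by clearing the clipboard after a short lifetime. Everything here is assumed and hypothetical: the file path $HOME/.passwds.txt.gpg, a tab-separated line format (account, username, password), and xclip for the X clipboard.

```shell
#!/bin/sh
# Added example (not from the thread): a "single command alias" workflow
# for a gpg-encrypted password file. Hypothetical layout: one entry per
# line, tab-separated as <account><TAB><username><TAB><password>.
# Decrypted text only ever flows through pipes; nothing is written to
# disk, and the gpg passphrase is typed into gpg's own prompt, so the
# master passphrase never touches a browser or the clipboard.

PASSWD_FILE="${PASSWD_FILE:-$HOME/.passwds.txt.gpg}"   # assumed path

# Decrypt to stdout only.
decrypt_passwds() {
    gpg --quiet --decrypt "$PASSWD_FILE"
}

# Pure text helper: read decrypted entries on stdin and print the
# password for exactly one account. Exact match on the first column, so
# looking up "bank" does not also return "bank-old". Exit 1 if absent.
lookup_entry() {
    awk -F '\t' -v acct="$1" '
        $1 == acct { print $3; found = 1 }
        END        { exit (found ? 0 : 1) }'
}

# Count well-formed entries (lines with at least three columns).
count_entries() {
    awk -F '\t' 'NF >= 3 { n++ } END { print n + 0 }'
}

# The alias target: decrypt and browse/search with less. LESSHISTFILE
# is disabled so search strings are not saved to ~/.lesshst.
view_passwds() {
    decrypt_passwds | LESSHISTFILE=/dev/null less
}

# Copy one account's password (never the master passphrase) to the X
# clipboard, then overwrite it 30 seconds later. A clipboard manager
# such as Klipper still sees the paste, so this only shortens the
# exposure window; configure the manager to ignore the selection too.
copy_passwd() {
    pw=$(decrypt_passwds | lookup_entry "$1") || return 1
    printf '%s' "$pw" | xclip -selection clipboard
    ( sleep 30; printf '' | xclip -selection clipboard ) &
}
```

Use it as `alias pw=view_passwds` and `copy_passwd bank`; the master passphrase is only ever entered at gpg's prompt.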




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread wraeth
On Wed, Jul 22, 2015 at 04:15:30PM -0400, cov...@ccs.covici.com wrote:
 Neil Bothwick n...@digimed.co.uk wrote:
 
  On Tue, 21 Jul 2015 22:05:57 -0400, cov...@ccs.covici.com wrote:
  
    Have you tried KeePass? It does what you are doing but with a decent
interface and the ability to type the details into web pages for
you.  
   
   But does it store the data on someone's server?  Where they could have a
   data breach?
  
  It stores it in a single, encrypted file, wherever you put it. You can put
  the file on a cloud server if you wish, but it's just a file, useless
  without the decryption key.
 
 Is there a command line interface to keepass?  I don't want to be tied
 down to some gui which may or may not work for me.

I mentioned in the other part of this subthread that there is a python-based
utility for using it:

  dev-python/keepassx

This provides the utility `kp` which allows for using the kdb file. There is one
issue I've logged upstream with this utility where it's attempting and failing
to copy the password to clipboard, but I don't know the scope of this issue yet.

-- 
wraeth wra...@wraeth.id.au
GnuPG Key: B2D9F759




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread Dale
Mick wrote:
 On Wednesday 22 Jul 2015 19:43:43 Dale wrote:

 So, don't use something that is within your browser but then go and type
 that password . . . in your browser?  Yea, that'll work.  Heck, if I
 really wanted something that secure, I'd unplug the ethernet cable and
 turn off my modem.  Then I might be secure.
 LOL!  No, I meant that you decrypt your passwd-containing text file, sql file, 
 localc file, or whatever file you use.  Then you use something like cat, or 
 less, or localc to view/search it.  It can all be scripted so that you run a 
 single command alias in a terminal and it asks you for your gpg passphrase, 
 before it opens the file for you.

 A terminal is unlikely to suffer from XSS, javascript injection, sql 
 injection, et al. but a browser could.  Then you can copy & paste whichever 
 account passwd you needed into a browser, but this will NOT be your master 
 passphrase.  Even if the passwd you paste into a browser ends up being 
 compromised, it will only be one passwd and a single account, rather than your 
 master passphrase and all your accounts.



You seem to miss my point.  I still have to type my passwords into a
browser.  If as you say, that is not secure, then what point is there to
having a password or accessing my bank or other sites via the internet? 
I have to put that password in my browser to access my bank, credit card
or other websites.  The point is, that exact same browser has to have
that exact same password typed into it.  I might also add, copy & paste
would then leave my password in my Klipper program that manages copy &
paste unencrypted.  Click on the Klipper icon and there sits my password
in PLAIN text.  How secure is that exactly? 

Lastpass already encrypts the password ON MY MACHINE not on their end. 
Why would I want to disable and stop using Lastpass just to do the same
thing but harder and more time consuming locally and lose the ability to
use Lastpass while I am somewhere else?  I would also lose the ability
to access that info in the case of say a computer meltdown.  I might
add, if I do it your way and lose that USB stick or whatever, I'm still
toast.  Heck, I may be in even worse shape than I would be by losing my
Lastpass password. 


 Just how many of these sticks do I need?  Are we looking at a dozen or
 more which will have to be all kept up to date as well?  Come on, be
 realistic here.  I doubt anyone is going to spend the time to do all that.
 You need more than one, if you want to keep your passwds file stored off your 
 machine.  I keep mine on a PC which is air-gapped and a second copy on a USB 
 stick.  You may need a third copy kept at different premises, if you want to 
 guard against DR.


Sorry, I have had USB sticks go bad too much for me to trust them with this
sort of thing, not to mention the ones I have lost.  I'm not going out
and buying a whole bunch of those things and then depending on them to hold
the keys to my financial and every other password.  I also don't have
time to make sure they are all kept up to date and such either. 


 But with Lastpass, I don't have to worry about that.  I can go to my
 brother's house, put my email and password in Lastpass and carry on with
 life.  No need for a USB stick at all or having to wonder when was the
 last time I updated the passwords on it either.

 I'm trying to be realistic here.  I try to be as secure as I can but
 within REASON.  As I mentioned above, if I really need and must be that
 secure, I'd unplug the ethernet cable and turn off my modem.  Then I
 wouldn't have to worry about it unless someone broke into my home.  Of
 course, I wouldn't have the benefit of using the internet either.
 Sure, security and convenience are not always best bedfellows.  We are 
 discussing hypothetical risks here and different users' risk tolerances.  
 If you encrypt the file separately with a strong key before you upload it, and 
 this encryption key is different to your authentication key on the Lastpass 
 website, then the risk of your encrypted file being cracked is rather low.  
 When people discovered that their Lastpass account had been compromised, this 
 did not necessarily mean that their encrypted file had been compromised too.  
 However, I don't know exactly what the security architecture of Lastpass is to 
 comment on the specifics.  All I'm saying is that I wouldn't trust storing my 
 passwds on the cloud for the sake of convenience.

 YMMV.  :-)



Well again, if I am not going to trust my passwords anywhere then I need
to unplug from the internet all together and tell my bank, credit card
company, social sites and everything else that requires a password to be
disabled all together.  Then, I would be secure because even I can't
access my info, password or not.  That would make it so that I am not at
risk and secure.  Thing is, that's not a situation that I plan to be in
if I can help it.

I actually went through this with my brother many years ago.  He didn't

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Dale
Neil Bothwick wrote:
 On Tue, 21 Jul 2015 12:35:27 -0500, Dale wrote:

 From what I recall about Lastpass, it does encrypt the data locally then
 uploads it.  I recall reading that if you lose your master password,
 they can't get in it either.  All they get is encrypted data.
 Unless the source is available, there is no evidence this is true.



One of the people from Lastpass discussed this a long time ago.  I'm
pretty sure it was on this mailing list.   I archive this mailing list
but I don't do it for that long.  It's likely still archived on gmane or
something tho. 

Dale

:-)  :-)



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread wraeth
On Tue, Jul 21, 2015 at 10:05:57PM -0400, cov...@ccs.covici.com wrote:
 Neil Bothwick n...@digimed.co.uk wrote:
  
  Have you tried KeePass? It does what you are doing but with a decent
  interface and the ability to type the details into web pages for you.
 
 But does it store the data on someone's server?  Where they could have a
 data breach?
 

As discussed in a related subthread (at least, it's inferred, though not
explicitly stated) KeePass uses file-based storage on the local machine
it's running on - passwords are stored in a *.kdb file - so you're not
sharing your passwords, encrypted or otherwise, with any third party.

This can be extended using some filesharing service - either commercial
or personally run - to allow syncing of passwords between devices (or
more accurately, syncing of KeePass databases between devices).

KeePass is Qt based and has a client at least for Linux and Windows, as
well as an Android app (DroidPass). I personally sync my .kdb using an
ownCloud instance, whereas Neil uses SyncThing, a peer-to-peer sync
service.

Utilities available in Gentoo are:

  app-admin/keepassx
  dev-python/keepassx
  dev-perl/File-KeePass

One I'm not certain of but which, judging from the name, may also be related,
is:

  app-admin/keepass
-- 
wraeth wra...@wraeth.id.au
GnuPG Key: B2D9F759




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Dale
Mick wrote:
 On Tuesday 21 Jul 2015 02:40:54 Dale wrote:


 I use the random generator too.  Some older sites, forums or something
 that isn't really sensitive, may still have my old passwords but sites
 like banking and such each have their own random generated one.  I also
 try to generate the longest and most complex password the site will
 allow.  Some sites don't allow the characters above the number keys.

 Another thing, I was at my brother's once and needed to login to a site.
 I installed lastpass, typed in my email and master password and I could
 go anywhere I wanted just as if I was sitting at my own puter.   If it
 wasn't for lastpass, I would have had to come home and do what needed
 doing.

 So far, this is the best solution I have found and I only use the free
 part.  ;-)

 Dale

 :-)  :-)

 A better, as in more secure, solution should involve local encryption and IMHO
 local air-gapped storage.  A USB key will do nicely and you can have a second
 USB key stored in your brother's premises, for disaster recovery scenarios.
 This is because cloud storage:

  a) creates a honey pot which attracts attacks[1] and
  b) most of cloud storage is in the US.

 [1] https://en.wikipedia.org/wiki/LastPass#Security_issues



From what I recall about Lastpass, it does encrypt the data locally then
uploads it.  I recall reading that if you lose your master password,
they can't get in it either.  All they get is encrypted data.  Of all
the things I read about when looking for a password manager, Lastpass
was the only thing that came close to what I wanted.  After using it a
while, it is all I need.

https://lastpass.com/how-it-works 

I've had USB sticks break before.  They are also easy to lose.  I'd
prefer not to store something that important on a USB stick.

Dale

:-)  :-)



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Volker Armin Hemmann
Am 21.07.2015 um 01:18 schrieb walt:
 I suspect most people don't even know firefox has a ProfileManager, but
 I'm here to warn you not to use it.  It just cost me years of bookmarks
 and saved passwords.

 For testing purposes I invoked firefox-bin with the -ProfileManager
 flag (don't do this, it's broken!) and created a fresh firefox profile
 with the name temp as I've been doing for years.

 I ran the temp profile while doing my testing, quit firefox and then
 re-invoked firefox with the -ProfileManager flag and used it to delete
 the temp profile because I didn't need it any more.

 Unfortunately, deleting temp also deleted the default profile I've
 been using for years, which had all of my bookmarks and saved passwords
 and maybe other stuff I haven't even thought about yet.

 I'm copying an old firefox profile from another machine that's four
 years out of date.  Maybe I can rescue an ort here or there.

 What a fscking disaster.

 Lesson learned:  if you need to start firefox with a fresh profile,
 just move your ~/.mozilla directory out of the way and let firefox
 create a new one from scratch.





you know, a simple cronjob copying your home directory every odd day
would have prevented all that.





Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Dale
Mick wrote:
 On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
 Mick wrote:
 On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
 I use the random generator too.  Some older sites, forums or something
 that isn't really sensitive, may still have my old passwords but sites
 like banking and such each have their own random generated one.  I also
 try to generate the longest and most complex password the site will
 allow.  Some sites don't allow the characters above the number keys.

 Another thing, I was at my brother's once and needed to login to a site.
 I installed lastpass, typed in my email and master password and I could
 go anywhere I wanted just as if I was sitting at my own puter.   If it
 wasn't for lastpass, I would have had to come home and do what needed
 doing.

 So far, this is the best solution I have found and I only use the free
 part.  ;-)

 Dale

 :-)  :-)
 A better, as in more secure, solution should involve local encryption and IMHO
 local air-gapped storage.  A USB key will do nicely and you can have a second
 USB key stored in your brother's premises, for disaster recovery scenarios.

 This is because cloud storage:
  a) creates a honey pot which attracts attacks[1] and
  b) most of cloud storage is in the US.

 [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
 From what I recall about Lastpass, it does encrypt the data locally then
 uploads it.  I recall reading that if you lose your master password,
 they can't get in it either.  All they get is encrypted data.  Of all
 the things I read about when looking for a password manager, Lastpass
 was the only thing that came close to what I wanted.  After using it a
 while, it is all I need.

 https://lastpass.com/how-it-works
 Right, your data may be encrypted locally, but if you use a browser to decrypt 
 it (after it is downloaded to your PC) then there are attack vectors (e.g. 
 XSS) for the decrypted data to be leaked out of your machine.


Well, couldn't the same be said if it is encrypted on a USB stick? 
Anytime you encrypt something, you have to decrypt it to use it and that
has to be done somewhere. 


 I've had USB sticks break before.  They are also easy to lose.  I'd
 prefer not to store something that important on a USB stick.

 Dale

 :-)  :-)
 I didn't clarify that you should use something like gpg to encrypt your 
 file(s) on the USB stick, as I do this with all sensitive files not just 
 passwords.  I more or less assumed that it is the done thing.  Broken USB 
 sticks you can drive a drill through, or throw in a fire.  Stolen USB sticks 
 will at least be encrypted.

 If you are really paranoid you could also use dm-crypt to additionally encrypt 
 the whole USB partition.


My point is, if you put the info on a USB stick and lose it, you have
now lost all your passwords.  If it fails, same problem.  The way
Lastpass works, even if your computer dies from say a house fire, once
you login to Lastpass with your new puter, you are back in business. 

Dale

:-)  :-) 



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread covici
Neil Bothwick n...@digimed.co.uk wrote:

 On Tue, 21 Jul 2015 16:31:52 -0400, cov...@ccs.covici.com wrote:
 
  I have owncloud working just fine, although I don't use it for passwords
  -- for those I just have a pgp key and individual files and I have an
  iphone app which can decrypt them.
 
 Have you tried KeePass? It does what you are doing but with a decent
 interface and the ability to type the details into web pages for you.

But does it store the data on someone's server?  Where they could have a
data breach?


-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Chris Spackman
On 2015/07/21 at 02:59pm, Neil Bothwick wrote:
 On Tue, 21 Jul 2015 21:09:38 +1000, wraeth wrote:

   Have you tried Syncthing - http://syncthing.net/ ?

  No I haven't, but one of the main reasons for that is because I
  mostly bypassed online (read: not controlled by myself) services
  for any sort of syncing - I eyed a couple, but my primary thought
  was to retain proper control of my data.

 Syncthing is peer-to-peer. You can use their discovery server (or
 run your own) for clients to find one another, but data always takes
 the direct route. However, it is only for syncing, if you need the
 extra features, ownCloud works well.

I have been using Syncthing also, for maybe a year now. It works well
once you get it set up. Recently, the Android app (in F-Droid) has
also been working well - for a while it couldn't find any of my
machines.

Like Neil said, though, Syncthing has no extra features - it just
syncs between devices. The machines have to be online at the same time
or no syncing happens, because there is no server in the middle to
keep the data. Maybe because of this, I have had far fewer issues with
conflicting file versions with Syncthing than I had with Dropbox.

FWIW, I tried ownCloud a couple of times and could never get it up and
running properly.

-- 
Chris Spackman

GNU Terry Pratchett




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Mick
On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
 Mick wrote:
  On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
  I use the random generator too.  Some older sites, forums or something
  that isn't really sensitive, may still have my old passwords but sites
  like banking and such each have their own random generated one.  I also
  try to generate the longest and most complex password the site will
  allow.  Some sites don't allow the characters above the number keys.
  
  Another thing, I was at my brother's once and needed to login to a site.
  I installed lastpass, typed in my email and master password and I could
  go anywhere I wanted just as if I was sitting at my own puter.   If it
  wasn't for lastpass, I would have had to come home and do what needed
  doing.
  
  So far, this is the best solution I have found and I only use the free
  part.  ;-)
  
  Dale
  
  :-)  :-)
  
  A better, as in more secure, solution should involve local encryption and IMHO
  local air-gapped storage.  A USB key will do nicely and you can have a second
  USB key stored in your brother's premises, for disaster recovery scenarios.
 
  This is because cloud storage:
   a) creates a honey pot which attracts attacks[1] and
   b) most of cloud storage is in the US.
  
  [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
 
 From what I recall about Lastpass, it does encrypt the data locally then
 uploads it.  I recall reading that if you lose your master password,
 they can't get in it either.  All they get is encrypted data.  Of all
 the things I read about when looking for a password manager, Lastpass
 was the only thing that came close to what I wanted.  After using it a
 while, it is all I need.
 
 https://lastpass.com/how-it-works

Right, your data may be encrypted locally, but if you use a browser to decrypt 
it (after it is downloaded to your PC) then there are attack vectors (e.g. 
XSS) for the decrypted data to be leaked out of your machine.


 I've had USB sticks break before.  They are also easy to lose.  I'd
 prefer not to store something that important on a USB stick.
 
 Dale
 
 :-)  :-)

I didn't clarify that you should use something like gpg to encrypt your 
file(s) on the USB stick, as I do this with all sensitive files not just 
passwords.  I more or less assumed that it is the done thing.  Broken USB 
sticks you can drive a drill through, or throw in a fire.  Stolen USB sticks 
will at least be encrypted.

If you are really paranoid you could also use dm-crypt to additionally encrypt 
the whole USB partition.

-- 
Regards,
Mick




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread covici
Chris Spackman ch...@osugisakae.com wrote:

 On 2015/07/21 at 02:59pm, Neil Bothwick wrote:
  On Tue, 21 Jul 2015 21:09:38 +1000, wraeth wrote:
 
Have you tried Syncthing - http://syncthing.net/ ?
 
   No I haven't, but one of the main reasons for that is because I
   mostly bypassed online (read: not controlled by myself) services
   for any sort of syncing - I eyed a couple, but my primary thought
   was to retain proper control of my data.
 
  Syncthing is peer-to-peer. You can use their discovery server (or
  run your own) for clients to find one another, but data always takes
  the direct route. However, it is only for syncing, if you need the
  extra features, ownCloud works well.
 
 I have been using Syncthing also, for maybe a year now. It works well
 once you get it set up. Recently, the Android app (in F-Droid) has
 also been working well - for a while it couldn't find any of my
 machines.
 
 Like Neil said, though, Syncthing has no extra features - it just
 syncs between devices. The machines have to be online at the same time
 or no syncing happens, because there is no server in the middle to
 keep the data. Maybe because of this, I have had far fewer issues with
 conflicting file versions with Syncthing than I had with Dropbox.
 
 FWIW, I tried ownCloud a couple of times and could never get it up and
 running properly.

I have owncloud working just fine, although I don't use it for passwords
-- for those I just have a pgp key and individual files and I have an
iphone app which can decrypt them.


-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Neil Bothwick
On Tue, 21 Jul 2015 16:31:52 -0400, cov...@ccs.covici.com wrote:

 I have owncloud working just fine, although I don't use it for passwords
 -- for those I just have a pgp key and individual files and I have an
 iphone app which can decrypt them.

Have you tried KeePass? It does what you are doing but with a decent
interface and the ability to type the details into web pages for you.


-- 
Neil Bothwick

We are upping our standards - so up yours.




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Neil Bothwick
On Tue, 21 Jul 2015 12:35:27 -0500, Dale wrote:

 From what I recall about LastPass, it does encrypt the data locally then
 uploads it.  I recall reading that if you lose your master password,
 they can't get in it either.  All they get is encrypted data.

Unless the source is available, there is no evidence this is true.


-- 
Neil Bothwick

Documentation: (n.) a novel sold with software, designed to entertain the
   operator during episodes of bugs or glitches.




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread wraeth
On Tue, Jul 21, 2015 at 10:38:50AM +0100, Neil Bothwick wrote:
 Something like KeePass. It has Linux, Windows and Android clients and
 because the file is encrypted locally, you can store it in a cloud
 service, although I now use Syncthing to keep it on all my devices, now
 that my life is free of Dropbox.

I also use KeePass, including both GUI and Python (dev-python/keepassx)
front-ends and sync it with a self-hosted ownCloud server - keeps my
data _my_ data.

Unfortunately it doesn't have the integration you get with something
like LastPass, but it does mean it would take one heck of a catastrophic
event to make me lose my passwords.

That being said, not everyone wants or otherwise needs something like
ownCloud, so you could also do it through scp and cron, etc.

-- 
wraeth wra...@wraeth.id.au
GnuPG Key: B2D9F759




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Neil Bothwick
On Tue, 21 Jul 2015 20:27:32 +1000, wraeth wrote:

  Something like KeePass. It has Linux, Windows and Android clients and
  because the file is encrypted locally, you can store it in a cloud
  service, although I now use Syncthing to keep it on all my devices,
  now that my life is free of Dropbox.  
 
 I also use KeePass, including both GUI and Python (dev-python/keepassx)
 front-ends and sync it with a self-hosted ownCloud server - keeps my
 data _my_ data.
 
 Unfortunately it doesn't have the integration you get with something
 like LastPass, but it does mean it would take one heck of a catastrophic
 event to make me lose my passwords.

On the other hand, it does allow you to store extra information, like
memorable words, and the auto-type feature gives enough integration for
me.
 
 That being said, not everyone wants or otherwise needs something like
 ownCloud, so you could also do it through scp and cron, etc.

Have you tried Syncthing - http://syncthing.net/ ? I only discovered it
recently and it is a really nice syncing solution if you just want to
keep files available in multiple locations without the complexity of
ownCloud or the limitations of Dropbox.


-- 
Neil Bothwick

Evolution stops when stupidity is no longer fatal!




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Mick
On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
 Rich Freeman wrote:
  On Mon, Jul 20, 2015 at 8:20 PM, Dale rdalek1...@gmail.com wrote:
  This wouldn't help with some of the things you lost but it will with
  your passwords at least.  For passwords, this will help and you can use
  it somewhere else as well since it is portable, sort of.
  
  https://lastpass.com/
  
  ++
  
  I was chatting with somebody in my LUG about it and I described it as
  the most secure password solution people are likely to actually use.
  You can do better, but most don't.  I now have separate
  random-generated passwords for virtually every service I use now, and
  when one gets compromised I just log in and change it to a new
  random-generated password.  I periodically backup the list in a csv
  file to someplace safe.
 
 I use the random generator too.  Some older sites, forums or something
 that isn't really sensitive, may still have my old passwords but sites
 like banking and such each have their own random generated one.  I also
 try to generate the longest and most complex password the site will
 allow.  Some sites don't allow the characters above the number keys.
 
 Another thing, I was at my brother's once and needed to login to a site.
 I installed lastpass, typed in my email and master password and I could
 go anywhere I wanted just as if I was sitting at my own puter.   If it
 wasn't for lastpass, I would have had to come home and do what needed
 doing.
 
 So far, this is the best solution I have found and I only use the free
 part.  ;-)
 
 Dale
 
 :-)  :-)

A better, as in more secure, solution should involve local encryption and IMHO 
local air-gapped storage.  A USB key will do nicely and you can have a second 
USB key stored in your brother's premises, for disaster recovery scenarios.  
This is because cloud storage:

 a) creates a honey pot which attracts attacks[1] and 
 b) most of cloud storage is in the US.

[1] https://en.wikipedia.org/wiki/LastPass#Security_issues

-- 
Regards,
Mick




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread wraeth
On Tue, Jul 21, 2015 at 11:41:03AM +0100, Neil Bothwick wrote:
 On Tue, 21 Jul 2015 20:27:32 +1000, wraeth wrote:
 
   Something like KeePass. It has Linux, Windows and Android clients and
   because the file is encrypted locally, you can store it in a cloud
   service, although I now use Syncthing to keep it on all my devices,
   now that my life is free of Dropbox.  
  
  I also use KeePass, including both GUI and Python (dev-python/keepassx)
  front-ends and sync it with a self-hosted ownCloud server - keeps my
  data _my_ data.
  
  Unfortunately it doesn't have the integration you get with something
  like LastPass, but it does mean it would take one heck of a catastrophic
  event to make me lose my passwords.
 
 On the other hand, it does allow you to store extra information, like
 memorable words, and the auto-type feature gives enough integration for
 me.

Yes, I didn't mean to imply that it was _lacking_ in features, just that
the main feature mentioned so far has been browser integration (with
fair reason, too).

  That being said, not everyone wants or otherwise needs something like
  ownCloud, so you could also do it through scp and cron, etc.
 
 Have you tried Syncthing - http://syncthing.net/ ? I only discovered it
 recently and it is a really nice syncing solution if you just want to
 keep files available in multiple locations without the complexity of
 ownCloud or the limitations of Dropbox.

No I haven't, but one of the main reasons for that is because I mostly
bypassed online (read: not controlled by myself) services for any sort
of syncing - I eyed a couple, but my primary thought was to retain
proper control of my data. Besides, I was setting up a host for a mail
server anyway and was looking for online calendaring and contact
management for syncing between devices, so it wasn't that far out of my
way.

-- 
wraeth wra...@wraeth.id.au
GnuPG Key: B2D9F759




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Neil Bothwick
On Tue, 21 Jul 2015 08:53:42 +0100, Mick wrote:

 A better, as in more secure, solution should involve local encryption
 and IMHO local air-gapped storage.  A USB key will do nicely and you
 can have a second USB key stored in your brother's premises, for
 disaster recovery scenarios.

Something like KeePass. It has Linux, Windows and Android clients and
because the file is encrypted locally, you can store it in a cloud
service, although I now use Syncthing to keep it on all my devices, now
that my life is free of Dropbox.


-- 
Neil Bothwick

If man ruled the world:
Daisy Duke shorts would never go out of fashion.




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Neil Bothwick
On Tue, 21 Jul 2015 21:09:38 +1000, wraeth wrote:

  Have you tried Syncthing - http://syncthing.net/ ? I only discovered
  it recently and it is a really nice syncing solution if you just want
  to keep files available in multiple locations without the complexity
  of ownCloud or the limitations of Dropbox.  
 
 No I haven't, but one of the main reasons for that is because I mostly
 bypassed online (read: not controlled by myself) services for any sort
 of syncing - I eyed a couple, but my primary thought was to retain
 proper control of my data. Besides, I was setting up a host for a mail
 server anyway and was looking for online calendaring and contact
 management for syncing between devices, so it wasn't that far out of my
 way.

Syncthing is peer-to-peer. You can use their discovery server (or run
your own) for clients to find one another, but data always takes the
direct route. However, it is only for syncing, if you need the extra
features, ownCloud works well.

-- 
Neil Bothwick

Mosquito - designed to make houseflies look better.




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-20 Thread Dale
Rich Freeman wrote:
 On Mon, Jul 20, 2015 at 8:20 PM, Dale rdalek1...@gmail.com wrote:
 This wouldn't help with some of the things you lost but it will with
 your passwords at least.  For passwords, this will help and you can use
 it somewhere else as well since it is portable, sort of.

 https://lastpass.com/

 ++

 I was chatting with somebody in my LUG about it and I described it as
 the most secure password solution people are likely to actually use.
 You can do better, but most don't.  I now have separate
 random-generated passwords for virtually every service I use now, and
 when one gets compromised I just log in and change it to a new
 random-generated password.  I periodically backup the list in a csv
 file to someplace safe.



I use the random generator too.  Some older sites, forums or something
that isn't really sensitive, may still have my old passwords but sites
like banking and such each have their own random generated one.  I also
try to generate the longest and most complex password the site will
allow.  Some sites don't allow the characters above the number keys. 

Another thing, I was at my brother's once and needed to login to a site.
I installed lastpass, typed in my email and master password and I could
go anywhere I wanted just as if I was sitting at my own puter.   If it
wasn't for lastpass, I would have had to come home and do what needed
doing. 

So far, this is the best solution I have found and I only use the free
part.  ;-)

Dale

:-)  :-) 




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-20 Thread Jc García
2015-07-20 17:18 GMT-06:00 walt w41...@gmail.com:

 Lesson learned:  if you need to start firefox with a fresh profile,
 just move your ~/.mozilla directory out of the way and let firefox
 create a new one from scratch.


Using firefox sync is also an option, and if you don't want Mozilla
having stored the info (according to what I have read it is encrypted),
you can run the sync server on your own (I've been wanting to put together
the ebuilds necessary to emerge it easily but always procrastinate
about it.)



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-20 Thread Rich Freeman
On Mon, Jul 20, 2015 at 8:20 PM, Dale rdalek1...@gmail.com wrote:

 This wouldn't help with some of the things you lost but it will with
 your passwords at least.  For passwords, this will help and you can use
 it somewhere else as well since it is portable, sort of.

 https://lastpass.com/


++

I was chatting with somebody in my LUG about it and I described it as
the most secure password solution people are likely to actually use.
You can do better, but most don't.  I now have separate
random-generated passwords for virtually every service I use now, and
when one gets compromised I just log in and change it to a new
random-generated password.  I periodically backup the list in a csv
file to someplace safe.

-- 
Rich



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-20 Thread wabenbau
walt w41...@gmail.com wrote:

 I suspect most people don't even know firefox has a ProfileManager,
 but I'm here to warn you not to use it.  It just cost me years of
 bookmarks and saved passwords.
 
 For testing purposes I invoked firefox-bin with the -ProfileManager
 flag (don't do this, it's broken!) and created a fresh firefox profile
 with the name temp as I've been doing for years.
 
 I ran the temp profile while doing my testing, quit firefox and then
 re-invoked firefox with the -ProfileManager flag and used it to delete
 the temp profile because I didn't need it any more.
 
 Unfortunately, deleting temp also deleted the default profile I've
 been using for years, which had all of my bookmarks and saved
 passwords and maybe other stuff I haven't even thought about yet.
 
 I'm copying an old firefox profile from another machine that's four
 years out of date.  Maybe I can rescue an ort here or there.
 
 What a fscking disaster.
 
 Lesson learned:  if you need to start firefox with a fresh profile,
 just move your ~/.mozilla directory out of the way and let firefox
 create a new one from scratch.

THX for your hint. But there is a much more important lesson to learn:
Always back up your important data on a regular basis!

--
Regards
wabe
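walt's lesson (move ~/.mozilla out of the way rather than letting the ProfileManager delete anything), wabe's reminder to back up regularly, and Mick's earlier suggestion to gpg-encrypt sensitive files before they go on a USB stick fit in one small POSIX shell script. This is an added example, not code from the thread, from Mozilla or from Gentoo: the function names, the timestamped naming scheme and the use of symmetric gpg with a passphrase file are this example's own choices. It snapshots a profile tree into a verified tarball, renames the live tree aside with a timestamp instead of deleting it, and encrypts the archive so an off-site copy is ciphertext only.

```shell
#!/bin/sh
# Added example, not from the gentoo-user thread. Snapshot a Firefox profile
# tree before experimenting with -ProfileManager, move the live tree aside
# instead of deleting it, and gpg-encrypt the archive for an off-site copy.
set -eu

# backup_profile_dir SRC DEST_DIR
# Writes DEST_DIR/<name>-<UTC stamp>.tar.gz, checks it lists back, and
# prints the archive path.
backup_profile_dir() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$(basename "$src")-$stamp.tar.gz"
    # -C so the archive holds paths relative to the parent directory
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    tar -tzf "$archive" >/dev/null      # unreadable archive fails loudly here
    printf '%s\n' "$archive"
}

# stash_profile_dir SRC
# walt's lesson: rename the tree out of the way so Firefox starts fresh
# while the old data stays on disk. Refuses to overwrite. Prints new name.
stash_profile_dir() {
    src=$1
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    moved="$src.bak-$(date -u +%Y%m%dT%H%M%SZ)"
    [ ! -e "$moved" ] || { echo "refusing to overwrite $moved" >&2; return 1; }
    mv "$src" "$moved"
    printf '%s\n' "$moved"
}

# encrypt_archive ARCHIVE PASSPHRASE_FILE
# Symmetric gpg (AES-256) so the copy on the stick is only ciphertext.
# Prints the .gpg path. Returns 127 when no usable GnuPG 2.x is installed
# (--pinentry-mode loopback needs GnuPG 2.1 or later).
encrypt_archive() {
    archive=$1; passfile=$2
    command -v gpg >/dev/null 2>&1 || return 127
    gpg --version 2>/dev/null | head -n 1 | grep -Eq ' 2\.[1-9]' || return 127
    gpg --batch --yes --quiet --symmetric --cipher-algo AES256 \
        --pinentry-mode loopback --passphrase-file "$passfile" \
        --output "$archive.gpg" "$archive"
    printf '%s\n' "$archive.gpg"
}

# decrypt_archive ARCHIVE_GPG PASSPHRASE_FILE OUT
# Round-trip check for a backup: a backup that cannot be restored is not one.
decrypt_archive() {
    gpg --batch --yes --quiet --decrypt --pinentry-mode loopback \
        --passphrase-file "$2" --output "$3" "$1"
}
```

Typical use before testing a new profile: `a=$(backup_profile_dir "$HOME/.mozilla" "$HOME/backups")`, then `stash_profile_dir "$HOME/.mozilla"`, start Firefox, and only afterwards decide what to keep. The passphrase file should live somewhere other than the stick that carries the `.gpg` archive.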



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-20 Thread Dale
walt wrote:
 I suspect most people don't even know firefox has a ProfileManager, but
 I'm here to warn you not to use it.  It just cost me years of bookmarks
 and saved passwords.

 For testing purposes I invoked firefox-bin with the -ProfileManager
 flag (don't do this, it's broken!) and created a fresh firefox profile
 with the name temp as I've been doing for years.

 I ran the temp profile while doing my testing, quit firefox and then
 re-invoked firefox with the -ProfileManager flag and used it to delete
 the temp profile because I didn't need it any more.

 Unfortunately, deleting temp also deleted the default profile I've
 been using for years, which had all of my bookmarks and saved passwords
 and maybe other stuff I haven't even thought about yet.

 I'm copying an old firefox profile from another machine that's four
 years out of date.  Maybe I can rescue an ort here or there.

 What a fscking disaster.

 Lesson learned:  if you need to start firefox with a fresh profile,
 just move your ~/.mozilla directory out of the way and let firefox
 create a new one from scratch.

This wouldn't help with some of the things you lost but it will with
your passwords at least.  For passwords, this will help and you can use
it somewhere else as well since it is portable, sort of.

https://lastpass.com/

I use that because I use Seamonkey, Firefox and other browsers.  Also,
if I am somewhere else, I can use that to get my passwords.  If my hard
drive dies and I lose everything, all I have to do is install the plugin
after the repairs and re-install, type in my email and master password
and I'm back in business.  I've been using it for a good while and so far,
it works fairly well.  Every once in a while I run up on a site that
doesn't fill in automatically but it does when I right click and tell it
to.

It may at least be something worth looking at. 

Dale

:-)  :-)