From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-165621-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 899FC1390EB
	for <garchives@archives.gentoo.org>; Wed, 22 Jul 2015 17:41:41 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 5E0101401E;
	Wed, 22 Jul 2015 17:41:35 +0000 (UTC)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 2E9D9E08AB
	for <gentoo-user@lists.gentoo.org>; Wed, 22 Jul 2015 17:41:34 +0000 (UTC)
Received: by wibxm9 with SMTP id xm9so173840041wib.0
        for <gentoo-user@lists.gentoo.org>; Wed, 22 Jul 2015 10:41:33 -0700 (PDT)
X-Received: by 10.180.37.133 with SMTP id y5mr43963229wij.34.1437586893095;
        Wed, 22 Jul 2015 10:41:33 -0700 (PDT)
Received: from dell_xps.localnet (230.3.169.217.in-addr.arpa. [217.169.3.230])
        by smtp.gmail.com with ESMTPSA id fa8sm4423646wib.14.2015.07.22.10.41.31
        for <gentoo-user@lists.gentoo.org>
        (version=TLS1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Wed, 22 Jul 2015 10:41:32 -0700 (PDT)
From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function
Date: Wed, 22 Jul 2015 18:41:17 +0100
User-Agent: KMail/1.13.7 (Linux/4.0.5-gentoo; KDE/4.14.8; x86_64; ; )
References: <20150720161844.1db1d485@a6> <201507212120.34766.michaelkintzios@gmail.com> <55AEE48A.8040301@gmail.com>
In-Reply-To: <55AEE48A.8040301@gmail.com>
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: multipart/signed;
  boundary="nextPart5408101.ykNGaIIOPp";
  protocol="application/pgp-signature";
  micalg=pgp-sha256
Content-Transfer-Encoding: 7bit
Message-Id: <201507221841.27230.michaelkintzios@gmail.com>
X-Archives-Salt: 902d3187-81e5-4a73-bafb-d871a920c9a6
X-Archives-Hash: c964031cf661ae470f8d5f13dd2e9251

--nextPart5408101.ykNGaIIOPp
Content-Type: Text/Plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Wednesday 22 Jul 2015 01:32:10 Dale wrote:
> Mick wrote:
> > On Tuesday 21 Jul 2015 18:35:27 Dale wrote:

> >> From what I recall about Lastpass, it does encrypt the data locally then
> >> uploads it.  I recall reading that if you lose your master password,
> >> they can't get in it either.  All they get is encrypted data.  Of all
> >> the things I read about when looking for a password manager, Lastpass
> >> was the only thing that came close to what I wanted.  After using it a
> >> while, it is all I need.
> >>
> >> https://lastpass.com/how-it-works
> >
> > Right, your data may be encrypted locally, but if you use a browser to
> > decrypt it (after it is downloaded to your PC) then there are attack
> > vectors (e.g. XSS) for the decrypted data to be leaked out of your
> > machine.
>
> Well, couldn't the same be said if it is encrypted on a USB stick?
> Anytime you encrypt something, you have to decrypt it to use it and that
> has to be done somewhere.

Of course, but if it is done using an application whose main purpose is
not to connect to the Internet (i.e. your browser) the real estate exposed to
a potential attack reduces significantly.


> >> I've had USB sticks break before.  They are also easy to lose.  I'd
> >> prefer not to store something that important on a USB stick.
> >>=20
> >> Dale
> >>
> >> :-)  :-)
> >
> > I didn't clarify that you should use something like gpg to encrypt your
> > file(s) on the USB stick, as I do this with all sensitive files not just
> > passwords.  I more or less assumed that it is the done thing.  Broken USB
> > sticks you can drive a drill through, or throw in a fire.  Stolen USB
> > sticks will at least be encrypted.
> >
> > If you are really paranoid you could also use dm-crypt to additionally
> > encrypt the whole USB partition.
>
> My point is, if you put the info on a USB stick and lose it, you have
> now lost all your passwords.  If it fails, same problem.

In either of these failure modes your solution is to forget about your first
USB stick and go dig out your second USB stick.

> The way
> Lastpass works, even if your computer dies from say a house fire, once
> you login to Lastpass with your new puter, you are back in business.
>
> Dale

In the case of a house fire we are in a DR scenario.  You head straight to
your brother's place.  You'll need a place to stay anyway, if your house burnt
down, you might as well check that back up USB you left there.  ;-)

-- 
Regards,
Mick
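
Added example, not part of the original message: one way to carry out the
gpg-on-USB approach discussed above, writing the encrypted file to two sticks
and checking that each copy decrypts back to the original. The function name,
the paths and the passphrase file are assumptions.

```shell
#!/bin/sh
# Added example. Paths, names and the passphrase file are assumptions made so
# the script runs unattended; interactively, drop --batch/--passphrase-file
# and let gpg prompt instead of keeping a passphrase on disk.

# encrypt_to_sticks PLAINTEXT PASSFILE DIR...
# Writes <basename>.gpg into every DIR, then proves each copy decrypts back to
# the original. Exit status is 0 only if every copy was written and verified.
encrypt_to_sticks() (
    src=$1; passfile=$2; shift 2
    [ -r "$src" ] && [ -r "$passfile" ] || exit 2
    want=$(sha256sum < "$src" | cut -d' ' -f1)

    # Throwaway GnuPG home: no existing keyring or agent cache is involved.
    GNUPGHOME=$(mktemp -d) || exit 2
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    rc=0
    for dir in "$@"; do
        out="$dir/$(basename "$src").gpg"
        if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
            echo "FAIL: $dir is not mounted or not writable" >&2
            rc=1; continue
        fi
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 \
            --output "$out" "$src" || { rc=1; continue; }
        sync    # flush to the stick before reading the copy back
        got=$(gpg --batch --quiet --pinentry-mode loopback \
                  --passphrase-file "$passfile" --decrypt "$out" 2>/dev/null \
              | sha256sum | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "ok: $out"
        else
            echo "FAIL: $out does not decrypt to the original" >&2
            rc=1
        fi
    done
    exit "$rc"
)
```

Called with the plaintext file, the passphrase file and one directory per
mounted stick, it exits non-zero if any stick is missing or any copy fails to
decrypt, so a dead stick is noticed while the other copy is still good.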

--nextPart5408101.ykNGaIIOPp
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.


--nextPart5408101.ykNGaIIOPp--