From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function
Date: Wed, 22 Jul 2015 18:41:17 +0100

On Wednesday 22 Jul 2015 01:32:10 Dale wrote:
> Mick wrote:
> > On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
> >> From what I recall about Lastpass, it does encrypt the data locally then
> >> uploads it.  I recall reading that if you lose your master password,
> >> they can't get in it either.  All they get is encrypted data.  Of all
> >> the things I read about when looking for a password manager, Lastpass
> >> was the only thing that came close to what I wanted.  After using it a
> >> while, it is all I need.
> >>
> >> https://lastpass.com/how-it-works
> >
> > Right, your data may be encrypted locally, but if you use a browser to
> > decrypt it (after it is downloaded to your PC) then there are attack
> > vectors (e.g. XSS) for the decrypted data to be leaked out of your
> > machine.
>
> Well, couldn't the same be said if it is encrypted on a USB stick?
> Anytime you encrypt something, you have to decrypt it to use it and that
> has to be done somewhere.

Of course, but if it is done using an application whose main purpose is
not to connect to the Internet (i.e. your browser) the real estate exposed to
a potential attack reduces significantly.

> >> I've had USB sticks break before.  They are also easy to lose.  I'd
> >> prefer not to store something that important on a USB stick.
> >>
> >> Dale
> >>
> >> :-)  :-)
> >
> > I didn't clarify that you should use something like gpg to encrypt your
> > file(s) on the USB stick, as I do this with all sensitive files not just
> > passwords.  I more or less assumed that it is the done thing.  Broken USB
> > sticks you can drive a drill through, or throw in a fire.  Stolen USB
> > sticks will at least be encrypted.
> >
> > If you are really paranoid you could also use dm-crypt to additionally
> > encrypt the whole USB partition.
>
> My point is, if you put the info on a USB stick and lose it, you have
> now lost all your passwords.  If it fails, same problem.

In either of these failure modes your solution is to forget about your first
USB stick and go dig out your second USB stick.

> The way
> Lastpass works, even if your computer dies from say a house fire, once
> you login to Lastpass with your new puter, you are back in business.
>
> Dale

In the case of a house fire we are in a DR scenario.  You head straight to
your brother's place.  You'll need a place to stay anyway, if your house burnt
down, you might as well check that backup USB you left there.  ;-)

--
Regards,
Mick