[gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[walt]

I suspect most people don't even know firefox has a ProfileManager, but
I'm here to warn you not to use it.  It just cost me years of bookmarks
and saved passwords.

For testing purposes I invoked firefox-bin with the -ProfileManager
flag (don't do this, it's broken!) and created a fresh firefox profile
with the name "temp" as I've been doing for years.

I ran the "temp" profile while doing my testing, quit firefox and then
re-invoked firefox with the -ProfileManager flag and used it to delete
the "temp" profile because I didn't need it any more.

Unfortunately, deleting "temp" also deleted the "default" profile I've
been using for years, which had all of my bookmarks and saved passwords
and maybe other stuff I haven't even thought about yet.

I'm copying an old firefox profile from another machine that's four
years out of date.  Maybe I can rescue an ort here or there.

What a fscking disaster.

Lesson learned:  if you need to start firefox with a fresh profile,
just move your ~/.mozilla directory out of the way and let firefox
create a new one from scratch.

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[wabenbau]

walt <w41ter@gmail.com> wrote:

> I suspect most people don't even know firefox has a ProfileManager,
> but I'm here to warn you not to use it.  It just cost me years of
> bookmarks and saved passwords.
> 
> For testing purposes I invoked firefox-bin with the -ProfileManager
> flag (don't do this, it's broken!) and created a fresh firefox profile
> with the name "temp" as I've been doing for years.
> 
> I ran the "temp" profile while doing my testing, quit firefox and then
> re-invoked firefox with the -ProfileManager flag and used it to delete
> the "temp" profile because I didn't need it any more.
> 
> Unfortunately, deleting "temp" also deleted the "default" profile I've
> been using for years, which had all of my bookmarks and saved
> passwords and maybe other stuff I haven't even thought about yet.
> 
> I'm copying an old firefox profile from another machine that's four
> years out of date.  Maybe I can rescue an ort here or there.
> 
> What a fscking disaster.
> 
> Lesson learned:  if you need to start firefox with a fresh profile,
> just move your ~/.mozilla directory out of the way and let firefox
> create a new one from scratch.

THX for your hint. But there is a much more important lesson to learn: 
Always backup your important data on a regular basis! 

--
Regards
wabe

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Dale]

walt wrote:
> I suspect most people don't even know firefox has a ProfileManager, but
> I'm here to warn you not to use it.  It just cost me years of bookmarks
> and saved passwords.
>
> For testing purposes I invoked firefox-bin with the -ProfileManager
> flag (don't do this, it's broken!) and created a fresh firefox profile
> with the name "temp" as I've been doing for years.
>
> I ran the "temp" profile while doing my testing, quit firefox and then
> re-invoked firefox with the -ProfileManager flag and used it to delete
> the "temp" profile because I didn't need it any more.
>
> Unfortunately, deleting "temp" also deleted the "default" profile I've
> been using for years, which had all of my bookmarks and saved passwords
> and maybe other stuff I haven't even thought about yet.
>
> I'm copying an old firefox profile from another machine that's four
> years out of date.  Maybe I can rescue an ort here or there.
>
> What a fscking disaster.
>
> Lesson learned:  if you need to start firefox with a fresh profile,
> just move your ~/.mozilla directory out of the way and let firefox
> create a new one from scratch.
>
>
>
>


This wouldn't help with some of the things you lost but it will with
your passwords at least.  For passwords, this will help and you can use
it somewhere else as well since it is portable, sort of.

https://lastpass.com/

I use that because I use Seamonkey, Firefox and other browsers.  Also,
if I am somewhere else, I can use that to get my passwords.  If my hard
drive dies and I lose everything, all I have to do is install the plugin
after the repairs and re-install, type in my email and master password
and I'm back in business.  I been using it for a good while and so far,
it works fairly well.  Every once in a while I run up on a site that
doesn't fill in automatically but it does when I right click and tell it
too. 

It may at least be something worth looking at. 

Dale

:-)  :-) 

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Rich Freeman]

On Mon, Jul 20, 2015 at 8:20 PM, Dale <rdalek1967@gmail.com> wrote:
>
> This wouldn't help with some of the things you lost but it will with
> your passwords at least.  For passwords, this will help and you can use
> it somewhere else as well since it is portable, sort of.
>
> https://lastpass.com/
>

++

I was chatting with somebody in my LUG about it and I described it as
the most secure password solution people are likely to actually use.
You can do better, but most don't.  I now have separate
random-generated passwords for virtually every service I use now, and
when one gets compromised I just log in and change it to a new
random-generated password.  I periodically backup the list in a csv
file to someplace safe.

-- 
Rich

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Dale]

Rich Freeman wrote:
> On Mon, Jul 20, 2015 at 8:20 PM, Dale <rdalek1967@gmail.com> wrote:
>> This wouldn't help with some of the things you lost but it will with
>> your passwords at least.  For passwords, this will help and you can use
>> it somewhere else as well since it is portable, sort of.
>>
>> https://lastpass.com/
>>
> ++
>
> I was chatting with somebody in my LUG about it and I described it as
> the most secure password solution people are likely to actually use.
> You can do better, but most don't.  I now have separate
> random-generated passwords for virtually every service I use now, and
> when one gets compromised I just log in and change it to a new
> random-generated password.  I periodically backup the list in a csv
> file to someplace safe.
>


I use the random generator too.  Some older sites, forums or something
that isn't really sensitive, may still have my old passwords but sites
like banking and such each have their own random generated one.  I also
try to generate the longest and most complex password the site will
allow.  Some sites don't allow the characters above the number keys. 

Another thing, I was at my brothers once and needed to login to a site. 
I installed lastpass, typed in my email and master password and I could
go anywhere I wanted just as if I was sitting at my own puter.   If it
wasn't for lastpass, I would have had to come home and do what needed
doing. 

So far, this is the best solution I have found and I only use the free
part.  ;-)

Dale

:-)  :-) 

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Jc García]

2015-07-20 17:18 GMT-06:00 walt <w41ter@gmail.com>:
>
> Lesson learned:  if you need to start firefox with a fresh profile,
> just move your ~/.mozilla directory out of the way and let firefox
> create a new one from scratch.
>

Using firefox sync is also an option, and If you don't want Mozilla
having stored the info(According to what I have read it is encrypted),
you can run the sync server on your own(I been wanting to put together
the ebuilds necessary to emerge it easily but always procrastinate
about it.)

[gentoo-user] Re: Catastrophic bug in the firefox 'ProfileManager' function

[»Q«]

On Mon, 20 Jul 2015 16:18:44 -0700
walt <w41ter@gmail.com> wrote:

> I suspect most people don't even know firefox has a ProfileManager,
> but I'm here to warn you not to use it.  It just cost me years of
> bookmarks and saved passwords.
> 
> For testing purposes I invoked firefox-bin with the -ProfileManager
> flag (don't do this, it's broken!) and created a fresh firefox profile
> with the name "temp" as I've been doing for years.
> 
> I ran the "temp" profile while doing my testing, quit firefox and then
> re-invoked firefox with the -ProfileManager flag and used it to delete
> the "temp" profile because I didn't need it any more.
> 
> Unfortunately, deleting "temp" also deleted the "default" profile I've
> been using for years, which had all of my bookmarks and saved
> passwords and maybe other stuff I haven't even thought about yet.

I'm sorry you had this trouble, and I can't explain it.

I've used the profile manager to delete temporary profiles at least once
a twice a week for the past many years without problems.  I compile
firefox instead of using firefox-bin, but that shouldn't make any
difference.

I guess you've already looked, but just in case, make sure the
default profile directory is really gone.  If you're very lucky, only
the profile.ini file got corrupted.

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 2126 bytes --]

On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
> Rich Freeman wrote:
> > On Mon, Jul 20, 2015 at 8:20 PM, Dale <rdalek1967@gmail.com> wrote:
> >> This wouldn't help with some of the things you lost but it will with
> >> your passwords at least.  For passwords, this will help and you can use
> >> it somewhere else as well since it is portable, sort of.
> >> 
> >> https://lastpass.com/
> > 
> > ++
> > 
> > I was chatting with somebody in my LUG about it and I described it as
> > the most secure password solution people are likely to actually use.
> > You can do better, but most don't.  I now have separate
> > random-generated passwords for virtually every service I use now, and
> > when one gets compromised I just log in and change it to a new
> > random-generated password.  I periodically backup the list in a csv
> > file to someplace safe.
> 
> I use the random generator too.  Some older sites, forums or something
> that isn't really sensitive, may still have my old passwords but sites
> like banking and such each have their own random generated one.  I also
> try to generate the longest and most complex password the site will
> allow.  Some sites don't allow the characters above the number keys.
> 
> Another thing, I was at my brothers once and needed to login to a site.
> I installed lastpass, typed in my email and master password and I could
> go anywhere I wanted just as if I was sitting at my own puter.   If it
> wasn't for lastpass, I would have had to come home and do what needed
> doing.
> 
> So far, this is the best solution I have found and I only use the free
> part.  ;-)
> 
> Dale
> 
> :-)  :-)

A better, as in more secure, solution should involve local encryption and IMHO 
local air-gapped storage.  A USB key will do nicely and you can have a second 
USB key stored in your brother's premises, for disaster recovery scenarios.  
This is because cloud storage:

 a) creates a honey pot which attracts attacks[1] and 
 b) most of cloud storage is in the US.

[1] https://en.wikipedia.org/wiki/LastPass#Security_issues

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 645 bytes --]

On Tue, 21 Jul 2015 08:53:42 +0100, Mick wrote:

> A better, as in more secure, solution should involve local encryption
> and IMHO local air-gapped storage.  A USB key will do nicely and you
> can have a second USB key stored in your brother's premises, for
> disaster recovery scenarios.

Something like KeePass. It has Linux, Windows and Android clients and
because the file is encrypted locally, you can store it in a cloud
service, although I now use Syncthing to keep it on all my devices, now
that my life is free of Dropbox.


-- 
Neil Bothwick

If man ruled the world:
Daisy Duke shorts would never go out of fashion.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[wraeth]

[-- Attachment #1: Type: text/plain, Size: 857 bytes --]

On Tue, Jul 21, 2015 at 10:38:50AM +0100, Neil Bothwick wrote:
> Something like KeePass. It has Linux, Windows and Android clients and
> because the file is encrypted locally, you can store it in a cloud
> service, although I now use Syncthing to keep it on all my devices, now
> that my life is free of Dropbox.

I also use KeePass, including both GUI and Python (dev-python/keepassx)
front-ends and sync it with a self-hosted ownCloud server - keeps my
data _my_ data.

Unfortunately it doesn't have the integration you get with something
like LastPass, but it does mean it would take one heck of a catastrophic
event to make me loose my passwords.

That being said, not everyone wants or otherwise needs something like
ownCloud, so you could also do it through scp and cron, etc.

-- 
wraeth <wraeth@wraeth.id.au>
GnuPG Key: B2D9F759

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 213 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 1305 bytes --]

On Tue, 21 Jul 2015 20:27:32 +1000, wraeth wrote:

> > Something like KeePass. It has Linux, Windows and Android clients and
> > because the file is encrypted locally, you can store it in a cloud
> > service, although I now use Syncthing to keep it on all my devices,
> > now that my life is free of Dropbox.  
> 
> I also use KeePass, including both GUI and Python (dev-python/keepassx)
> front-ends and sync it with a self-hosted ownCloud server - keeps my
> data _my_ data.
> 
> Unfortunately it doesn't have the integration you get with something
> like LastPass, but it does mean it would take one heck of a catastrophic
> event to make me loose my passwords.

On the other hand, it does allow you to store extra information, like
memorable words, and the auto-type feature gives enough integration for
me.
 
> That being said, not everyone wants or otherwise needs something like
> ownCloud, so you could also do it through scp and cron, etc.

Have you tried Syncthing - http://syncthing.net/ ? I only discovered it
recently and it is a really nice syncing solution if you just want to
keep files available in multiple locations without the complexity of
ownCloud or the limitations of Dropbox.


-- 
Neil Bothwick

Evolution stops when stupidity is no longer fatal!

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[wraeth]

[-- Attachment #1: Type: text/plain, Size: 1995 bytes --]

On Tue, Jul 21, 2015 at 11:41:03AM +0100, Neil Bothwick wrote:
> On Tue, 21 Jul 2015 20:27:32 +1000, wraeth wrote:
> 
> > > Something like KeePass. It has Linux, Windows and Android clients and
> > > because the file is encrypted locally, you can store it in a cloud
> > > service, although I now use Syncthing to keep it on all my devices,
> > > now that my life is free of Dropbox.  
> > 
> > I also use KeePass, including both GUI and Python (dev-python/keepassx)
> > front-ends and sync it with a self-hosted ownCloud server - keeps my
> > data _my_ data.
> > 
> > Unfortunately it doesn't have the integration you get with something
> > like LastPass, but it does mean it would take one heck of a catastrophic
> > event to make me loose my passwords.
> 
> On the other hand, it does allow you to store extra information, like
> memorable words, and the auto-type feature gives enough integration for
> me.

Yes, I didn't mean to imply that it was _lacking_ in features, just that
the main feature mentioned so far has been browser integration (with
fair reason, too).

> > That being said, not everyone wants or otherwise needs something like
> > ownCloud, so you could also do it through scp and cron, etc.
> 
> Have you tried Syncthing - http://syncthing.net/ ? I only discovered it
> recently and it is a really nice syncing solution if you just want to
> keep files available in multiple locations without the complexity of
> ownCloud or the limitations of Dropbox.

No I haven't, but one of the main reasons for that is because I mostly
bypassed online (read: not controlled by myself) services for any sort
of syncing - I eyed a couple, but my primary thought was to retain
proper control of my data. Besides, I was setting up a host for a mail
server anyway and was looking for online calendaring and contact
management for syncing between devices, so it wasn't that far out of my
way.

-- 
wraeth <wraeth@wraeth.id.au>
GnuPG Key: B2D9F759

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 213 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 1095 bytes --]

On Tue, 21 Jul 2015 21:09:38 +1000, wraeth wrote:

> > Have you tried Syncthing - http://syncthing.net/ ? I only discovered
> > it recently and it is a really nice syncing solution if you just want
> > to keep files available in multiple locations without the complexity
> > of ownCloud or the limitations of Dropbox.  
> 
> No I haven't, but one of the main reasons for that is because I mostly
> bypassed online (read: not controlled by myself) services for any sort
> of syncing - I eyed a couple, but my primary thought was to retain
> proper control of my data. Besides, I was setting up a host for a mail
> server anyway and was looking for online calendaring and contact
> management for syncing between devices, so it wasn't that far out of my
> way.

Syncthing is peer-to-peer. You can use their discovery server (or run
your own) for clients to find one another, but data always takes the
direct route. However, it is only for syncing, if you need the extra
features, ownCloud works well.

-- 
Neil Bothwick

Mosquito - designed to make houseflies look better.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Dale]

[-- Attachment #1: Type: text/plain, Size: 1914 bytes --]

Mick wrote:
> On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
>>
>>
>> I use the random generator too.  Some older sites, forums or something
>> that isn't really sensitive, may still have my old passwords but sites
>> like banking and such each have their own random generated one.  I also
>> try to generate the longest and most complex password the site will
>> allow.  Some sites don't allow the characters above the number keys.
>>
>> Another thing, I was at my brothers once and needed to login to a site.
>> I installed lastpass, typed in my email and master password and I could
>> go anywhere I wanted just as if I was sitting at my own puter.   If it
>> wasn't for lastpass, I would have had to come home and do what needed
>> doing.
>>
>> So far, this is the best solution I have found and I only use the free
>> part.  ;-)
>>
>> Dale
>>
>> :-)  :-)
>
> A better, as in more secure, solution should involve local encryption
and IMHO
> local air-gapped storage.  A USB key will do nicely and you can have a
second
> USB key stored in your brother's premises, for disaster recovery
scenarios. 
> This is because cloud storage:
>
>  a) creates a honey pot which attracts attacks[1] and
>  b) most of cloud storage is in the US.
>
> [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
>


From what I recall about Lasspass, it does encrypt the data locally then
uploads it.  I recall reading that if you lose your master password,
they can't get in it either.  All they get is encrypted data.  Of all
the things I read about when looking for a password manager, Lastpass
was the only thing that came close to what I wanted.  After using it a
while, it is all I need.

https://lastpass.com/how-it-works 

I've had USB sticks break before.  They are also easy to lose.  I'd
prefer not to store something that important on a USB stick.

Dale

:-)  :-)


[-- Attachment #2: Type: text/html, Size: 2947 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Chris Spackman]

On 2015/07/21 at 02:59pm, Neil Bothwick wrote:
> On Tue, 21 Jul 2015 21:09:38 +1000, wraeth wrote:

> > > Have you tried Syncthing - http://syncthing.net/ ?

> > No I haven't, but one of the main reasons for that is because I
> > mostly bypassed online (read: not controlled by myself) services
> > for any sort of syncing - I eyed a couple, but my primary thought
> > was to retain proper control of my data.

> Syncthing is peer-to-peer. You can use their discovery server (or
> run your own) for clients to find one another, but data always takes
> the direct route. However, it is only for syncing, if you need the
> extra features, ownCloud works well.

I have been using Syncthing also, for maybe a year now. It works well
once you get it set up. Recently, the Android app (in F-Droid) has
also been working well - for a while it couldn't find any of my
machines.

Like Neil said, though, Syncthing has no extra features - it just
syncs between devices. The machines have to be online at the same time
or no syncing happens, because there is no server in the middle to
keep the data. Maybe because of this, I have had far fewer issues with
conflicting file versions with Syncthing than I had with Dropbox.

FWIW, I tried ownCloud a couple of times and could never get it up and
running properly.

-- 
Chris Spackman

GNU Terry Pratchett

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 2755 bytes --]

On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
> Mick wrote:
> > On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
> >> I use the random generator too.  Some older sites, forums or something
> >> that isn't really sensitive, may still have my old passwords but sites
> >> like banking and such each have their own random generated one.  I also
> >> try to generate the longest and most complex password the site will
> >> allow.  Some sites don't allow the characters above the number keys.
> >> 
> >> Another thing, I was at my brothers once and needed to login to a site.
> >> I installed lastpass, typed in my email and master password and I could
> >> go anywhere I wanted just as if I was sitting at my own puter.   If it
> >> wasn't for lastpass, I would have had to come home and do what needed
> >> doing.
> >> 
> >> So far, this is the best solution I have found and I only use the free
> >> part.  ;-)
> >> 
> >> Dale
> >> 
> >> :-)  :-)
> > 
> > A better, as in more secure, solution should involve local encryption
> 
> and IMHO
> 
> > local air-gapped storage.  A USB key will do nicely and you can have a
> 
> second
> 
> > USB key stored in your brother's premises, for disaster recovery
> 
> scenarios.
> 
> > This is because cloud storage:
> >  a) creates a honey pot which attracts attacks[1] and
> >  b) most of cloud storage is in the US.
> > 
> > [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
> 
> From what I recall about Lasspass, it does encrypt the data locally then
> uploads it.  I recall reading that if you lose your master password,
> they can't get in it either.  All they get is encrypted data.  Of all
> the things I read about when looking for a password manager, Lastpass
> was the only thing that came close to what I wanted.  After using it a
> while, it is all I need.
> 
> https://lastpass.com/how-it-works

Right, your data may be encrypted locally, but if you use a browser to decrypt 
it (after it is downloaded to your PC) then there are attack vectors (e.g. 
XSS) for the decrypted data to be leaked out of your machine.


> I've had USB sticks break before.  They are also easy to lose.  I'd
> prefer not to store something that important on a USB stick.
> 
> Dale
> 
> :-)  :-)

I didn't clarify that you should use something like gpg to encrypt your 
file(s) on the USB stick, as I do this with all sensitive files not just 
passwords.  I more or less assumed that it is the done thing.  Broken USB 
sticks you can drive a drill through, or throw in a fire.  Stolen USB sticks 
will at least be encrypted.

If you are really paranoid you could also use dm-crypt to additionally encrypt 
the whole USB partition.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[covici]

Chris Spackman <chris@osugisakae.com> wrote:

> On 2015/07/21 at 02:59pm, Neil Bothwick wrote:
> > On Tue, 21 Jul 2015 21:09:38 +1000, wraeth wrote:
> 
> > > > Have you tried Syncthing - http://syncthing.net/ ?
> 
> > > No I haven't, but one of the main reasons for that is because I
> > > mostly bypassed online (read: not controlled by myself) services
> > > for any sort of syncing - I eyed a couple, but my primary thought
> > > was to retain proper control of my data.
> 
> > Syncthing is peer-to-peer. You can use their discovery server (or
> > run your own) for clients to find one another, but data always takes
> > the direct route. However, it is only for syncing, if you need the
> > extra features, ownCloud works well.
> 
> I have been using Syncthing also, for maybe a year now. It works well
> once you get it set up. Recently, the Android app (in F-Droid) has
> also been working well - for a while it couldn't find any of my
> machines.
> 
> Like Neil said, though, Syncthing has no extra features - it just
> syncs between devices. The machines have to be online at the same time
> or no syncing happens, because there is no server in the middle to
> keep the data. Maybe because of this, I have had far fewer issues with
> conflicting file versions with Syncthing than I had with Dropbox.
> 
> FWIW, I tried ownCloud a couple of times and could never get it up and
> running properly.

I have owncloud working just fine, although I don't use it for passwords
-- for those I just have a pgp key and individual files and I have an
iphone app which can decrypt them.


-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici
         covici@ccs.covici.com

[gentoo-user] Re: Catastrophic bug in the firefox 'ProfileManager' function

[walt]

On Tue, 21 Jul 2015 08:53:42 +0100
Mick <michaelkintzios@gmail.com> wrote:

> On Tuesday 21 Jul 2015 02:40:54 Dale wrote:

> > >> This wouldn't help with some of the things you lost but it will
> > >> with your passwords at least.  For passwords, this will help and
> > >> you can use it somewhere else as well since it is portable, sort
> > >> of.
> > >> 
> > >> https://lastpass.com/
<snipped for brevity>

First, thanks to everyone who replied to this thread.  As usual in this
group, I learned something from every reply.

I've actually been using lastpass for about two years, so I lost a lot
less than I would have otherwise.   I had another scary moment, though,
when I couldn't remember my lastpass master password.

After about twenty guesses I remembered that I just recently changed my
lastpass password exactly because of the 'possible' data breach at
lastpass (the security issues Mick mentions below).

I asked lastpass to email me my password hint, which I made vague on
purpose so bad guys would have trouble using it -- and that meant I had
trouble using it too :)  But after another ten guesses I finally got
the new password right.  Whew...


> A better, as in more secure, solution should involve local encryption
> and IMHO local air-gapped storage.  A USB key will do nicely and you
> can have a second USB key stored in your brother's premises, for
> disaster recovery scenarios. This is because cloud storage:
> 
>  a) creates a honey pot which attracts attacks[1] and 
>  b) most of cloud storage is in the US.
> 
> [1] https://en.wikipedia.org/wiki/LastPass#Security_issues

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 467 bytes --]

On Tue, 21 Jul 2015 16:31:52 -0400, covici@ccs.covici.com wrote:

> I have owncloud working just fine, although I don't use it for passwords
> -- for those I just have a pgp key and individual files and I have an
> iphone app which can decrypt them.

Have you tried KeePass? It doe what you are doing but with a decent
interface and the ability to type the details into web pages for you.


-- 
Neil Bothwick

We are upping our standards - so up yours.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 497 bytes --]

On Tue, 21 Jul 2015 12:35:27 -0500, Dale wrote:

> From what I recall about Lasspass, it does encrypt the data locally then
> uploads it.  I recall reading that if you lose your master password,
> they can't get in it either.  All they get is encrypted data.

Unless the source is available, there is no evidence his is true..


-- 
Neil Bothwick

Documentation: (n.) a novel sold with software, designed to entertain the
               operator during episodes of bugs or glitches.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Volker Armin Hemmann]

Am 21.07.2015 um 01:18 schrieb walt:
> I suspect most people don't even know firefox has a ProfileManager, but
> I'm here to warn you not to use it.  It just cost me years of bookmarks
> and saved passwords.
>
> For testing purposes I invoked firefox-bin with the -ProfileManager
> flag (don't do this, it's broken!) and created a fresh firefox profile
> with the name "temp" as I've been doing for years.
>
> I ran the "temp" profile while doing my testing, quit firefox and then
> re-invoked firefox with the -ProfileManager flag and used it to delete
> the "temp" profile because I didn't need it any more.
>
> Unfortunately, deleting "temp" also deleted the "default" profile I've
> been using for years, which had all of my bookmarks and saved passwords
> and maybe other stuff I haven't even thought about yet.
>
> I'm copying an old firefox profile from another machine that's four
> years out of date.  Maybe I can rescue an ort here or there.
>
> What a fscking disaster.
>
> Lesson learned:  if you need to start firefox with a fresh profile,
> just move your ~/.mozilla directory out of the way and let firefox
> create a new one from scratch.
>
>
>
>

you know, a simple cronjob copying your home directory every odd day
would have prevented all that.

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Dale]

Mick wrote:
> On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
>> Mick wrote:
>>> On Tuesday 21 Jul 2015 02:40:54 Dale wrote:
>>>> I use the random generator too.  Some older sites, forums or something
>>>> that isn't really sensitive, may still have my old passwords but sites
>>>> like banking and such each have their own random generated one.  I also
>>>> try to generate the longest and most complex password the site will
>>>> allow.  Some sites don't allow the characters above the number keys.
>>>>
>>>> Another thing, I was at my brothers once and needed to login to a site.
>>>> I installed lastpass, typed in my email and master password and I could
>>>> go anywhere I wanted just as if I was sitting at my own puter.   If it
>>>> wasn't for lastpass, I would have had to come home and do what needed
>>>> doing.
>>>>
>>>> So far, this is the best solution I have found and I only use the free
>>>> part.  ;-)
>>>>
>>>> Dale
>>>>
>>>> :-)  :-)
>>> A better, as in more secure, solution should involve local encryption
>> and IMHO
>>
>>> local air-gapped storage.  A USB key will do nicely and you can have a
>> second
>>
>>> USB key stored in your brother's premises, for disaster recovery
>> scenarios.
>>
>>> This is because cloud storage:
>>>  a) creates a honey pot which attracts attacks[1] and
>>>  b) most of cloud storage is in the US.
>>>
>>> [1] https://en.wikipedia.org/wiki/LastPass#Security_issues
>> From what I recall about Lasspass, it does encrypt the data locally then
>> uploads it.  I recall reading that if you lose your master password,
>> they can't get in it either.  All they get is encrypted data.  Of all
>> the things I read about when looking for a password manager, Lastpass
>> was the only thing that came close to what I wanted.  After using it a
>> while, it is all I need.
>>
>> https://lastpass.com/how-it-works
> Right, your data may be encrypted locally, but if you use a browser to decrypt 
> it (after it is downloaded to your PC) then there are attack vectors (e.g. 
> XSS) for the decrypted data to be leaked out of your machine.
>

Well, couldn't the same be said if it is encrypted on a USB stick? 
Anytime you encrypt something, you have decrypt it to use it and that
has to be done somewhere. 


>> I've had USB sticks break before.  They are also easy to lose.  I'd
>> prefer not to store something that important on a USB stick.
>>
>> Dale
>>
>> :-)  :-)
> I didn't clarify that you should use something like gpg to encrypt your 
> file(s) on the USB stick, as I do this with all sensitive files not just 
> passwords.  I more or less assumed that it is the done thing.  Broken USB 
> sticks you can drive a drill through, or throw in a fire.  Stolen USB sticks 
> will at least be encrypted.
>
> If you are really paranoid you could also use dm-crypt to additionally encrypt 
> the whole USB partition.
>

My point is, if you put the info on a USB stick and lose it, you have
now lost all your passwords.  If it fails, same problem.  The way
Lastpass works, even if your computer dies from say a house fire, once
you login to Lastpass with your new puter, you are back in business. 

Dale

:-)  :-) 

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Dale]

Neil Bothwick wrote:
> On Tue, 21 Jul 2015 12:35:27 -0500, Dale wrote:
>
>> From what I recall about Lasspass, it does encrypt the data locally then
>> uploads it.  I recall reading that if you lose your master password,
>> they can't get in it either.  All they get is encrypted data.
> Unless the source is available, there is no evidence his is true..
>
>

One of the people from Lastpass discussed this a long time ago.  I'm
pretty sure it was on this mailing list.   I archive this mailing list
but I don't do it for that long.  It's likely still archived on gmane or
something tho. 

Dale

:-)  :-)

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[covici]

Neil Bothwick <neil@digimed.co.uk> wrote:

> On Tue, 21 Jul 2015 16:31:52 -0400, covici@ccs.covici.com wrote:
> 
> > I have owncloud working just fine, although I don't use it for passwords
> > -- for those I just have a pgp key and individual files and I have an
> > iphone app which can decrypt them.
> 
> Have you tried KeePass? It doe what you are doing but with a decent
> interface and the ability to type the details into web pages for you.

But does it store the data on someone's server?  Where they could have a
data breech?


-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici
         covici@ccs.covici.com

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[wraeth]

[-- Attachment #1: Type: text/plain, Size: 1368 bytes --]

On Tue, Jul 21, 2015 at 10:05:57PM -0400, covici@ccs.covici.com wrote:
> Neil Bothwick <neil@digimed.co.uk> wrote:
> > 
> > Have you tried KeePass? It doe what you are doing but with a decent
> > interface and the ability to type the details into web pages for you.
> 
> But does it store the data on someone's server?  Where they could have a
> data breech?
> 

As discussed in a related subthread (at least, it's inferred, though not
explicitly stated) KeePass uses file-based storage on the local machine
it's running on - passwords are stored in a *.kdb file - so you're not
sharing your passwords, encrypted or otherwise, with any third party.

This can be extended using some filesharing service - either commercial
or personally run - to allow syncing of passwords between devices (or
more accurately, syncing of KeePass databases between devices).

KeePass is Qt based and has a client at least for Linux and Windows, as
well as an Android app (DroidPass). I personally sync my .kdb using an
ownCloud instance, whereas Neil uses SyncThing, a peer-to-peer sync
service.

Utilities available in Gentoo are:

  app-admin/keepassx
  dev-python/keepassx
  dev-perl/File-KeePass

One I'm not certain of but, judging from the name may also be related,
is:

  app-admin/keepass
-- 
wraeth <wraeth@wraeth.id.au>
GnuPG Key: B2D9F759

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 213 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 671 bytes --]

On Tue, 21 Jul 2015 22:05:57 -0400, covici@ccs.covici.com wrote:

> > Have you tried KeePass? It doe what you are doing but with a decent
> > interface and the ability to type the details into web pages for
> > you.  
> 
> But does it store the data on someone's server?  Where they could have a
> data breech?

It stores it in a single, encrypted file, wherever you put it. You can put
the file on a cloud server if you wish, but it's just a file, useless
without the decryption key.


-- 
Neil Bothwick

"God created the world in six days.  On the seventh day he also decided
to create England... just to try out his Practical Joke Weather Machine."

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 318 bytes --]

On Wed, 22 Jul 2015 13:00:10 +1000, wraeth wrote:

> KeePass is Qt based and has a client at least for Linux and Windows, as
> well as an Android app (DroidPass).

There are several Android clients, I use Keepass2Android.


-- 
Neil Bothwick

A pessimist complains about the noise when opportunity knocks.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 2547 bytes --]

On Wednesday 22 Jul 2015 01:32:10 Dale wrote:
> Mick wrote:
> > On Tuesday 21 Jul 2015 18:35:27 Dale wrote:

> >> From what I recall about Lasspass, it does encrypt the data locally then
> >> uploads it.  I recall reading that if you lose your master password,
> >> they can't get in it either.  All they get is encrypted data.  Of all
> >> the things I read about when looking for a password manager, Lastpass
> >> was the only thing that came close to what I wanted.  After using it a
> >> while, it is all I need.
> >> 
> >> https://lastpass.com/how-it-works
> > 
> > Right, your data may be encrypted locally, but if you use a browser to
> > decrypt it (after it is downloaded to your PC) then there are attack
> > vectors (e.g. XSS) for the decrypted data to be leaked out of your
> > machine.
> 
> Well, couldn't the same be said if it is encrypted on a USB stick?
> Anytime you encrypt something, you have decrypt it to use it and that
> has to be done somewhere.

Of course, but if it is done using an application which its main purpose is 
not to connect to the Internet (i.e. your browser) the real estate exposed to 
a potential attack reduces significantly.


> >> I've had USB sticks break before.  They are also easy to lose.  I'd
> >> prefer not to store something that important on a USB stick.
> >> 
> >> Dale
> >> 
> >> :-)  :-)
> > 
> > I didn't clarify that you should use something like gpg to encrypt your
> > file(s) on the USB stick, as I do this with all sensitive files not just
> > passwords.  I more or less assumed that it is the done thing.  Broken USB
> > sticks you can drive a drill through, or throw in a fire.  Stolen USB
> > sticks will at least be encrypted.
> > 
> > If you are really paranoid you could also use dm-crypt to additionally
> > encrypt the whole USB partition.
> 
> My point is, if you put the info on a USB stick and lose it, you have
> now lost all your passwords.  If it fails, same problem.  

In either of these failure modes your solution is to forget about your first 
USB stick and go dig out your second USB stick.

> The way
> Lastpass works, even if your computer dies from say a house fire, once
> you login to Lastpass with your new puter, you are back in business.
> 
> Dale

In the case of a house fire we are in a DR scenario.  You head straight to 
your brother's place.  You'll need a place to stay anyway, if your house burnt 
down, you might as well check that back up USB you left there.  ;-)

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Dale]

Mick wrote:
> On Wednesday 22 Jul 2015 01:32:10 Dale wrote:
>> Mick wrote:
>>> On Tuesday 21 Jul 2015 18:35:27 Dale wrote:
>>>> From what I recall about Lasspass, it does encrypt the data locally then
>>>> uploads it.  I recall reading that if you lose your master password,
>>>> they can't get in it either.  All they get is encrypted data.  Of all
>>>> the things I read about when looking for a password manager, Lastpass
>>>> was the only thing that came close to what I wanted.  After using it a
>>>> while, it is all I need.
>>>>
>>>> https://lastpass.com/how-it-works
>>> Right, your data may be encrypted locally, but if you use a browser to
>>> decrypt it (after it is downloaded to your PC) then there are attack
>>> vectors (e.g. XSS) for the decrypted data to be leaked out of your
>>> machine.
>> Well, couldn't the same be said if it is encrypted on a USB stick?
>> Anytime you encrypt something, you have decrypt it to use it and that
>> has to be done somewhere.
> Of course, but if it is done using an application which its main purpose is 
> not to connect to the Internet (i.e. your browser) the real estate exposed to 
> a potential attack reduces significantly.
>


So, don't use something that is within your browser but then go and type
that password . . . in your browser?  Yea, that'll work.  Heck, if I
really wanted something that secure, I'd unplug the ethernet cable and
turn off my modem.  Then I might be secure. 


>>>> I've had USB sticks break before.  They are also easy to lose.  I'd
>>>> prefer not to store something that important on a USB stick.
>>>>
>>>> Dale
>>>>
>>>> :-)  :-)
>>> I didn't clarify that you should use something like gpg to encrypt your
>>> file(s) on the USB stick, as I do this with all sensitive files not just
>>> passwords.  I more or less assumed that it is the done thing.  Broken USB
>>> sticks you can drive a drill through, or throw in a fire.  Stolen USB
>>> sticks will at least be encrypted.
>>>
>>> If you are really paranoid you could also use dm-crypt to additionally
>>> encrypt the whole USB partition.
>> My point is, if you put the info on a USB stick and lose it, you have
>> now lost all your passwords.  If it fails, same problem.  
> In either of these failure modes your solution is to forget about your first 
> USB stick and go dig out your second USB stick.

Just how many of these sticks do I need?  Are we looking at a dozen or
more which will have to be all kept up to date as well?  Come on, be
realistic here.  I doubt anyone is going to spend the time to do all that. 


>
>> The way
>> Lastpass works, even if your computer dies from say a house fire, once
>> you login to Lastpass with your new puter, you are back in business.
>>
>> Dale
> In the case of a house fire we are in a DR scenario.  You head straight to 
> your brother's place.  You'll need a place to stay anyway, if your house burnt 
> down, you might as well check that back up USB you left there.  ;-)
>


But with Lastpass, I don't have to worry about that.  I can go to my
brothers house, put my email and password in Lastpass and carry on with
life.  No need for a USB stick at all or having to wonder when was the
last time I updated the passwords on it either. 

I'm trying to be realistic here.  I try to be as secure as I can but
within REASON.  As I mentioned above, if I really need and must be that
secure, I'd unplug the ethernet cable and turn off my modem.  Then I
wouldn't have to worry about it unless someone broke into my home.  Of
course, I wouldn't have the benefit of using the internet either. 

Dale

:-)  :-)

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[covici]

Neil Bothwick <neil@digimed.co.uk> wrote:

> On Tue, 21 Jul 2015 22:05:57 -0400, covici@ccs.covici.com wrote:
> 
> > > Have you tried KeePass? It doe what you are doing but with a decent
> > > interface and the ability to type the details into web pages for
> > > you.  
> > 
> > But does it store the data on someone's server?  Where they could have a
> > data breech?
> 
> It stores it in a single, encrypted file, wherever you put it. You can put
> the file on a cloud server if you wish, but it's just a file, useless
> without the decryption key.

Is there a command line interface to keepasss?  I don't want to be tied
down to some gui which may or may not work for me.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici
         covici@ccs.covici.com

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 3027 bytes --]

On Wednesday 22 Jul 2015 19:43:43 Dale wrote:

> So, don't use something that is within your browser but then go and type
> that password . . . in your browser?  Yea, that'll work.  Heck, if I
> really wanted something that secure, I'd unplug the ethernet cable and
> turn off my modem.  Then I might be secure.

LOL!  No, I meant that you decrypt your passwd containing text file, sql file, 
localc file, or whatever file you use.  Then you use something like cat, or 
less, or localc to view/search it.  It can all be scripted so that you run a 
single command alias in a terminal and it asks you for your gpg passphrase, 
before it opens the file for you.

A terminal is unlikely to suffer from XSS, javascript injection, sql 
injection, et al. but a browser could.  Then you can copy & paste whichever 
account passwd you needed into a browser, but this will NOT be your master 
passphrase.  Even if the passwd you paste into a browser ends up being 
compromised, it will only be one passwd and a single account, rather than your 
master passphrase and all your accounts.


> Just how many of these sticks do I need?  Are we looking at a dozen or
> more which will have to be all kept up to date as well?  Come on, be
> realistic here.  I doubt anyone is going to spend the time to do all that.

You need more than one, if you want to keep your passwds file stored off your 
machine.  I keep mine on a PC which is air-gapped and a second copy on a USB 
stick.  You may need a third copy kept at different premises, if you want to 
guard against DR.


> But with Lastpass, I don't have to worry about that.  I can go to my
> brothers house, put my email and password in Lastpass and carry on with
> life.  No need for a USB stick at all or having to wonder when was the
> last time I updated the passwords on it either.
> 
> I'm trying to be realistic here.  I try to be as secure as I can but
> within REASON.  As I mentioned above, if I really need and must be that
> secure, I'd unplug the ethernet cable and turn off my modem.  Then I
> wouldn't have to worry about it unless someone broke into my home.  Of
> course, I wouldn't have the benefit of using the internet either.

Sure, security and convenience are not always best bedfellows.  We are 
discussing about hypothetical risks here and different users' risk tolerances.  
If you encrypt the file separately with a strong key before you upload it, and 
this encryption key is different to your authentication key on the Lastpass 
website, then the risk of your encrypted file being cracked is rather low.  
When people discovered that their Lastpass account had been compromised, this 
did not necessarily mean that their encrypted file had been compromised too.  
However, I don't know exactly what the security architecture of Lastpass is to 
comment on the specifics.  All I'm saying is that I wouldn't trust storing my 
passwds on the cloud for the sake of convenience.

YMMV.  :-)

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[Dale]

Mick wrote:
> On Wednesday 22 Jul 2015 19:43:43 Dale wrote:
>
>> So, don't use something that is within your browser but then go and type
>> that password . . . in your browser?  Yea, that'll work.  Heck, if I
>> really wanted something that secure, I'd unplug the ethernet cable and
>> turn off my modem.  Then I might be secure.
> LOL!  No, I meant that you decrypt your passwd containing text file, sql file, 
> localc file, or whatever file you use.  Then you use something like cat, or 
> less, or localc to view/search it.  It can all be scripted so that you run a 
> single command alias in a terminal and it asks you for your gpg passphrase, 
> before it opens the file for you.
>
> A terminal is unlikely to suffer from XSS, javascript injection, sql 
> injection, et al. but a browser could.  Then you can copy & paste whichever 
> account passwd you needed into a browser, but this will NOT be your master 
> passphrase.  Even if the passwd you paste into a browser ends up being 
> compromised, it will only be one passwd and a single account, rather than your 
> master passphrase and all your accounts.
>


You seem to miss my point.   I still have to type my passwords into a
browser.  If as you say, that is not secure, then what point is there to
having a password or accessing my bank or other sites via the internet? 
I have to put that password in my browser to access my bank, credit card
or other websites.  The point is, that exact same browser has to have
that exact same password typed into it.   I might also add, copy & paste
would then leave my password in my Klipper program that manages copy &
paste unencrypted.  Click on the Klipper icon and there sits my password
in PLAIN text.  How secure is that exactly? 

Lastpass already encrypts the password ON MY MACHINE not on their end. 
Why would I want to disable and stop using Lastpass just to do the same
thing but harder and more time consuming locally and lose the ability to
use Lastpass while I am somewhere else?  I would also lose the ability
to access that info in the case of say a computer meltdown.  I might
add, if I do it your way and lose that USB stick or whatever, I'm still
toast.  Heck, I may be in even worse shape than I would be by losing my
Lastpass password. 


>> Just how many of these sticks do I need?  Are we looking at a dozen or
>> more which will have to be all kept up to date as well?  Come on, be
>> realistic here.  I doubt anyone is going to spend the time to do all that.
> You need more than one, if you want to keep your passwds file stored off your 
> machine.  I keep mine on a PC which is air-gapped and a second copy on a USB 
> stick.  You may need a third copy kept at different premises, if you want to 
> guard against DR.
>

Sorry, I have had USB sticks go bad to much for me to trust with this
sort of thing, not to mention the ones I have lost.  I'm not going out
and buy a whole bunch of those things and then depending on them to hold
the keys to my financial and every other password.  I also don't have
time to make sure they are all kept up to date and such either. 


>> But with Lastpass, I don't have to worry about that.  I can go to my
>> brothers house, put my email and password in Lastpass and carry on with
>> life.  No need for a USB stick at all or having to wonder when was the
>> last time I updated the passwords on it either.
>>
>> I'm trying to be realistic here.  I try to be as secure as I can but
>> within REASON.  As I mentioned above, if I really need and must be that
>> secure, I'd unplug the ethernet cable and turn off my modem.  Then I
>> wouldn't have to worry about it unless someone broke into my home.  Of
>> course, I wouldn't have the benefit of using the internet either.
> Sure, security and convenience are not always best bedfellows.  We are 
> discussing about hypothetical risks here and different users' risk tolerances.  
> If you encrypt the file separately with a strong key before you upload it, and 
> this encryption key is different to your authentication key on the Lastpass 
> website, then the risk of your encrypted file being cracked is rather low.  
> When people discovered that their Lastpass account had been compromised, this 
> did not necessarily mean that their encrypted file had been compromised too.  
> However, I don't know exactly what the security architecture of Lastpass is to 
> comment on the specifics.  All I'm saying is that I wouldn't trust storing my 
> passwds on the cloud for the sake of convenience.
>
> YMMV.  :-)
>


Well again, if I am not going to trust my passwords anywhere then I need
to unplug from the internet all together and tell my bank, credit card
company, social sites and everything else that requires a password to be
disabled all together.  Then, I would be secure because even I can't
access my info, password or not.  That would make it so that I am not at
risk and secure.  Thing is, that's not a situation that I plan to be in
if I can help it.

I actually went through this with my brother many years ago.  He didn't
trust going online to his bank.  Thing is, for ages, he didn't even have
it set up.  If a person went to the bank's website, knew enough about
him to get past the security questions, they could set it up and control
his account and him never know anything about until his statement came
in.  What I told him to do is this.  Call the bank and disable internet
access to your account and he did.  They then disabled any and all
internet access to his account.  If he changed his mind, he would have
to go in person to get them to enable that access.  That made him secure. 

Interesting read:

https://blog.flameeyes.eu/#gsc.tab=0 

Dale

:-)  :-) 

Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

[wraeth]

[-- Attachment #1: Type: text/plain, Size: 1231 bytes --]

On Wed, Jul 22, 2015 at 04:15:30PM -0400, covici@ccs.covici.com wrote:
> Neil Bothwick <neil@digimed.co.uk> wrote:
> 
> > On Tue, 21 Jul 2015 22:05:57 -0400, covici@ccs.covici.com wrote:
> > 
> > > > Have you tried KeePass? It doe what you are doing but with a decent
> > > > interface and the ability to type the details into web pages for
> > > > you.  
> > > 
> > > But does it store the data on someone's server?  Where they could have a
> > > data breech?
> > 
> > It stores it in a single, encrypted file, wherever you put it. You can put
> > the file on a cloud server if you wish, but it's just a file, useless
> > without the decryption key.
> 
> Is there a command line interface to keepasss?  I don't want to be tied
> down to some gui which may or may not work for me.

I mentioned in the other part of this subthread that there is a python-based
utility for using it:

  dev-python/keepassx

This provides the utility `kp` which allows for using the kdb file. There is one
issue I've logged upstream with this utility where it's attempting and failing
to copy the password to clipboard, but I don't know the scope of this issue yet.

-- 
wraeth <wraeth@wraeth.id.au>
GnuPG Key: B2D9F759

[-- Attachment #2: Type: application/pgp-signature, Size: 213 bytes --]

[gentoo-user] Re: [gone O/T] Catastrophic bug in the firefox 'ProfileManager' function

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 3601 bytes --]

On Thursday 23 Jul 2015 00:09:09 Dale wrote:

> You seem to miss my point.   I still have to type my passwords into a
> browser.  If as you say, that is not secure, then what point is there to
> having a password or accessing my bank or other sites via the internet?

I don't know if I am missing your point, or you mine.  :-)

Your browser's risk exposure to vulnerabilities and attacks is not constant, 
but it changes.  If it has not been patched, or an unpublished vulnerability 
is lurking around for a month or two then you are more exposed.  If you have 
another web page open at the same time you are visiting your bank and the 
other web page is running some suspicious script, you are again temporarily 
exposed.  I can't give you a statistical chance of the risk you might be 
exposed to on an average day, but although I expect it to be very low, it is 
still greater than zero.


> I have to put that password in my browser to access my bank, credit card
> or other websites.  The point is, that exact same browser has to have
> that exact same password typed into it.

That's one passwd at a time, rather than all of them EACH time.  I appreciate 
that in the minimal hypothetical case of possessing only a single account 
passwd, then there is no discernible difference in risk exposure.  In this 
case, if you master passwd is compromised you would only lose one passwd.


> I might also add, copy & paste
> would then leave my password in my Klipper program that manages copy &
> paste unencrypted.  Click on the Klipper icon and there sits my password
> in PLAIN text.  How secure is that exactly?

I understand that klipper saves entries on disk and therefore it is less 
secure than the *nix cliboard, which you should clear once you middle clicked 
to paste its sensitive content.


> Lastpass already encrypts the password ON MY MACHINE not on their end.
> Why would I want to disable and stop using Lastpass just to do the same
> thing but harder and more time consuming locally and lose the ability to
> use Lastpass while I am somewhere else?  

Because you are reducing the risk by keeping your whole keyring off line, 
although I acknowledged that in this way you are also reducing your 
convenience.


> I would also lose the ability
> to access that info in the case of say a computer meltdown.  I might
> add, if I do it your way and lose that USB stick or whatever, I'm still
> toast.  Heck, I may be in even worse shape than I would be by losing my
> Lastpass password.

Meltdown and the like brings us to the Disaster Recovery scenario, which I 
have covered.


> Sorry, I have had USB sticks go bad to much for me to trust with this
> sort of thing, not to mention the ones I have lost.  I'm not going out
> and buy a whole bunch of those things and then depending on them to hold
> the keys to my financial and every other password.  I also don't have
> time to make sure they are all kept up to date and such either.

You need more than one USB stick/off line storage to reduce the chance of your 
regular USB stick going bad, or being lost.

Look I am not trying to convince you to change your habits.  I am just stating 
that I would not store all *my* sensitive data online and in a single place.  
If you think that the risk is low enough for you and the convenience of 
Lastpass quite high, then carrying on with your approach clearly makes sense.

I didn't mean to hijack the OP's thread and I think we've covered this topic 
to death, so I'll shut up now.  :-)

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] Re: [gone O/T] Catastrophic bug in the firefox 'ProfileManager' function

[Dale]

[-- Attachment #1: Type: text/plain, Size: 5156 bytes --]

Mick wrote:
> On Thursday 23 Jul 2015 00:09:09 Dale wrote:
>
>> You seem to miss my point.   I still have to type my passwords into a
>> browser.  If as you say, that is not secure, then what point is there to
>> having a password or accessing my bank or other sites via the internet?
>
> I don't know if I am missing your point, or you mine.  :-)
>
> Your browser's risk exposure to vulnerabilities and attacks is not
constant,
> but it changes.  If it has not been patched, or an unpublished
vulnerability
> is lurking around for a month or two then you are more exposed.  If
you have
> another web page open at the same time you are visiting your bank and the
> other web page is running some suspicious script, you are again
temporarily
> exposed.  I can't give you a statistical chance of the risk you might be
> exposed to on an average day, but although I expect it to be very low,
it is
> still greater than zero.
>


But I suspect it is closer to zero than some other high number that I'm
not worried about.


>
>> I have to put that password in my browser to access my bank, credit card
>> or other websites.  The point is, that exact same browser has to have
>> that exact same password typed into it.
>
> That's one passwd at a time, rather than all of them EACH time.  I
appreciate
> that in the minimal hypothetical case of possessing only a single account
> passwd, then there is no discernible difference in risk exposure.  In
this
> case, if you master passwd is compromised you would only lose one passwd.
>
>


Well, as I have said, if I can't trust my browser even that much, I need
to unplug.


>> I might also add, copy & paste
>> would then leave my password in my Klipper program that manages copy &
>> paste unencrypted.  Click on the Klipper icon and there sits my password
>> in PLAIN text.  How secure is that exactly?
>
> I understand that klipper saves entries on disk and therefore it is less
> secure than the *nix cliboard, which you should clear once you middle
clicked
> to paste its sensitive content.
>


Thing is, I never clear that history because I use that history for
other things.  I even have it set to remember the last 30 or 40
entries.  Again, that would be inconvenient for me.


>
>> Lastpass already encrypts the password ON MY MACHINE not on their end.
>> Why would I want to disable and stop using Lastpass just to do the same
>> thing but harder and more time consuming locally and lose the ability to
>> use Lastpass while I am somewhere else? 
>
> Because you are reducing the risk by keeping your whole keyring off line,
> although I acknowledged that in this way you are also reducing your
> convenience.
>
>

For me, it is about convenience as much as it is about security.  Before
Lastpass, I had three passwords.  One for financial stuff, one for
important but not crucial stuff and one for stuff I could care less
about like social sites or something.  Now, I have a unique password for
each site.  I'm already more secure than I once was.


>> I would also lose the ability
>> to access that info in the case of say a computer meltdown.  I might
>> add, if I do it your way and lose that USB stick or whatever, I'm still
>> toast.  Heck, I may be in even worse shape than I would be by losing my
>> Lastpass password.
>
> Meltdown and the like brings us to the Disaster Recovery scenario,
which I
> have covered.
>

And as I said, I don't have time to be running around updating USB
sticks that I don't trust anyway.  For me, that is NOT a option.


>
>> Sorry, I have had USB sticks go bad to much for me to trust with this
>> sort of thing, not to mention the ones I have lost.  I'm not going out
>> and buy a whole bunch of those things and then depending on them to hold
>> the keys to my financial and every other password.  I also don't have
>> time to make sure they are all kept up to date and such either.
>
> You need more than one USB stick/off line storage to reduce the chance
of your
> regular USB stick going bad, or being lost.
>
> Look I am not trying to convince you to change your habits.  I am just
stating
> that I would not store all *my* sensitive data online and in a single
place. 
> If you think that the risk is low enough for you and the convenience of
> Lastpass quite high, then carrying on with your approach clearly makes
sense.
>
> I didn't mean to hijack the OP's thread and I think we've covered this
topic
> to death, so I'll shut up now.  :-)
>


Again, I don't trust them or myself that much with a USB stick.  Heck,
I've lost a couple and have no clue where they are.  Plus, it takes time
and energy to keep all that up to date.  Lastpass does what I need and
then some plus it is very convenient as well.

I might add, all the people got from what I read is the encrypted
password.  Basically, once people change their master password, what
they have is useless.  I don't know how long it would take to crack
those passwords but I suspect that by the time they do, they won't have
anything of use.

Dale

:-)  :-)


[-- Attachment #2: Type: text/html, Size: 7112 bytes --]