....currently using .... 1Password, LastPass, Roboform....... you should pick an alternative ???

Steve Gibson's Security Now podcast Episode 514 talked about https://www.privacytools.io (1 hour 0 minutes 20 seconds into the podcast)

Steve spoke very highly about the site in relation to VPN’s, Browsers etc etc

But site says:

"If you are currently using a password manager software like 1Password, LastPass, Roboform or iCloud Keychain you should pick an alternative here" and then goes on to list a number of alternatives.

This is pretty disturbing... SG seems to have a good reputation in ICT security... and this is odd given SG's public support of Lastpass (recently hacked) and now of this privacy tools.io site.

Does anyone at Agile have an opinion about this or reassuring advice?

1Password Version: 5.3 App Store
Extension Version: 4.4.0
OS Version: 10.10.4
Sync Type: iCloud

Comments

  • brenty

    Team Member

    @toasted: Well, first and foremost, I've been an SN listener since the beginning. It's a great resource. However, I'm afraid I don't understand what you're asking exactly. I even listened to that segment and visited the site again! :lol:

    1Password isn't a privacy tool, and we at AgileBits don't collect private information about our customers (except for the basic license information you provide when you purchase from us: name, email, etc.) Additionally, AgileBits is a Canadian company, and 1Password isn't a monolithic service that stores your data. We don't have it, so we can't give it to anyone else — including you if you lose your vault or Master Password!

    So...if I've completely misunderstood, be sure to clarify so I can perhaps give a more useful answer. :)

  • Sure.

    Password managers contain information that the user wants to be kept private, so I think it's kind of a privacy tool.

    SG endorses the site. The site says "If you are currently using a password manager software like 1Password, LastPass, Roboform or iCloud Keychain you should pick an alternative"

    I agree, being Canadian, with the site's statement (para 2 on the webpage https://www.privacytools.io ) that "Services based in the United States are not recommended because of the country’s surveillance programs", but I guess the site is including 1P because of (para 1 of privacytools.io) the "agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence" etc etc

    I was hoping that Agile might have an opinion or comment.

    One can simply dismiss the site, its statement about not using 1password etc and Steve Gibson's endorsement as rubbish I guess.

  • hawkmoth
    edited July 2015

    I don't see how an intelligence agency could access my 1Password data at all by going through AgileBits. AgileBits doesn't have anyone's data, ever, to be accessed. Intelligence exchange agreements don't matter.

  • MrC Community Moderator
    edited July 2015

    Please consider that S.G. is to the tech world as the National Enquirer is to the field of journalism.

  • MikeT Agile Samurai

    Team Member
    edited July 2015

    I believe the reason for this is because 1Password isn't open source or, at the very least, doesn't share its security source code for auditing (we do provide a highly technical guide on how we encrypt your data here). As long as we don't do this, we can't meet the requirements of privacytools.io and SG. We do understand this logic and we're trying to figure out how to approach this in the future. However, because we have a public document on how our format is used, many folks can actually create their own open-source tools to read their 1Password vaults, and some have done that already.

    For many, this is a valid concern that a closed-source tool doesn't share its implementation but open source doesn't automatically mean it's more secure, just that you can have a more reasonable expectation that it is doing something right based on assumptions (or valid audit reports) that more people are looking at the code.

    The reason this is a problem is that the NSA and other state-sponsored cyber-related agencies are looking for bugs and exploits in the implementations, not attacking the encryption itself. In other words, it doesn't matter that 1Password and a few others are using the same trusted and proven AES encryption algorithm; it's how it is implemented that is more important. After all, it is still humans writing code, and risky mistakes can happen.

    1Password doesn't use its own custom cryptographic libraries; we depend on the OS to provide us with many of the libraries, which you can find out more about from our security design: https://support.1password.com/opvault-design

    @toasted:

    Password managers contain information that the user wants to be kept private, so I think it's kind of a privacy tool.

    That's not the right way to approach this. Password managers are not truly active in the sense of protecting you as you use the program; they're semi-passive in that they only store what you give them to store. They do not take steps to ensure this data doesn't exist anywhere else on your hard drive, they do not take steps to prevent sites from stealing that information, and so on.

    1Password does try to be as active as it can be, such as preventing filling on insecure http:// pages, preventing your Logins from showing up on incorrect URLs (phishing) and so on.

    1Password and other password managers are a single tool to be used as part of your overall security and privacy infrastructure but not as a single privacy tool.
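The two "active" checks MikeT describes (no filling on insecure http:// pages, no filling when the page's host does not match the saved Login's) as a small autofill gate. This is a constructed illustration added here, not 1Password's code; the exact policy (scheme must be https, page host must equal the saved host or be a subdomain of it) is an assumption for the example.

```python
"""Autofill gate modelled on two checks a password manager can make before
filling a saved Login into a web page. Constructed example, not 1Password's
own implementation; the policy below is an assumption for illustration."""
from urllib.parse import urlsplit


def _host(url):
    """Return the lowercase hostname of a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    return parts.hostname.lower() if parts.hostname else None


def host_matches(saved_host, page_host):
    """True only when page_host is saved_host itself or a subdomain of it.

    The explicit dot boundary is what stops a look-alike such as
    'evil-example.com' from matching a Login saved for 'example.com'.
    """
    if not saved_host or not page_host:
        return False
    return page_host == saved_host or page_host.endswith("." + saved_host)


def should_fill(saved_url, page_url):
    """Decide whether a saved Login may be filled into the current page.

    Returns (allowed, reason) so a caller can log why a fill was refused:
    first the transport check (refuse anything that is not https), then the
    host check (refuse hosts outside the saved Login's domain).
    """
    page = urlsplit(page_url)
    if page.scheme != "https":
        return (False, "refused: page is not served over https")
    if not host_matches(_host(saved_url), _host(page_url)):
        return (False, "refused: page host does not match saved Login host")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample pages checked against one saved Login for example.com.
    saved = "https://example.com/login"
    for page in ("https://example.com/login",
                 "https://www.example.com/account",
                 "http://example.com/login",
                 "https://evil-example.com/login",
                 "https://example.com.evil.net/login"):
        allowed, reason = should_fill(saved, page)
        print(f"{page:40} -> {'fill' if allowed else reason}")
```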

  • MikeT, thank you for your thoughtful response.

    I agree with your comments about open source and that implementation matters too. I don't see how handing over your code, so they can see its implementation and try to break it, helps. That 1P doesn't divulge its implementation is of no concern (to me at least). Your approach, supported by the technical guide and reasoning is quite different to 'security thru obscurity'.

    As far as privacytools.io and SG goes, I see no indication that their recommended password managers have valid audit reports, have been written so the implementation cannot be broken, or that an implementation weakness has not already been found and is used when needed.

    Thank you again.

  • edited July 2015

    @toasted

    SG endorses the site. The site says "If you are currently using a password manager software like 1Password, LastPass, Roboform or iCloud Keychain you should pick an alternative"

    This line of thinking is fallacious. Just because SG endorses a site does not imply that he has read every article on it, or that he has given any detailed thought to the issues being discussed. He may have done, but it's not a given.

  • MrC Community Moderator

    Google SG and nanoprobes. Have fun reading. He's the Dr. Oz of security.

  • brenty

    Team Member
    edited July 2015

    SG endorses the site. [...] One can simply dismiss the site, its statement about not using 1password etc and Steve Gibson's endorsement as rubbish I guess.

    @toasted: I'm not sure that saying "this site exists and has useful information" can really be considered an endorsement. It's impossible to really dismiss since it isn't clear what's even being said in regard to 1Password. But as MikeT mentioned, 1Password is not open source, so that may give it a black mark in the view of some.

    This line of thinking is fallacious. Just because SG endorses a site does not imply that he has read every article on it, or that he has given any detailed thought to the issues being discussed. He may have done, but it's not a given.

    @RichardPayne: Agreed. As with anything, we have to gather information from different sources and evaluate it accordingly to form our own opinions and understanding.

    Google SG and nanoprobes. Have fun reading. He's the Dr. Oz of security.

    @MrC: lol he sure loves his science fiction. But I enjoy the podcast nevertheless, as there's a lot of good information there too.

    Thanks to everyone for this great discussion! :)

  • @RichardPayne, @brenty, I agree that SG is not formally endorsing the site and its entire contents.

    In my initial post I said "Steve spoke very highly about the site in relation to VPN’s, Browsers etc etc" and later I used the term "endorses" to portray SG's apparently excited support for the site.

    Perhaps these SG quotes from the podcast might help:

    “a truly fabulous site of privacy tools”

    “absolute number 1 recommendation”

    “oh my goodness is it wonderful”

    “a cornucopia of things that we have recommended and, and, like it’s a one stop shopping for the best privacy tools in the industry”

    “this site has it all…I cannot recommend it highly enough”

    At no stage does SG say anything about password managers in this segment of the podcast. He may not even be aware of the section addressing password managers on the site for all I know.

    However, the site (in my opinion so substantially recommended by SG) does say "If you are currently using a password manager software like 1Password, LastPass, Roboform or iCloud Keychain you should pick an alternative here" and then goes on to list a number of alternatives. So I decided not to simply dismiss the site's statement about password managers out of hand, but rather sought comments and input from folk at 1P and the 1P forum members.

    Hence my question.

    Clearly I should have been more exact in my question and provided greater substantiation for that question at the get go.

    Thanks again to @MikeT for your response.

  • Megan 1Password Alumni

    Hi @toasted ,

    So I decided not to simply dismiss the site's statement about password managers out of hand, but rather sought comments and input from folk at 1P and the 1P forum members.

    Seeking out comments is a great way to learn! Of course, I'm biased, but I think we do have some really smart people in our forums - both team members, and awesomely dedicated users. It's great to hear that you come here when you have questions about 1Password, or security in general. I find I learn a lot just by reading some of the discussions that go on here.

    Thanks for asking the questions! :)

  • edited July 2015

    At no stage does SG say anything about password managers in this segment of the podcast. He may not even be aware of the section addressing password managers on the site for all I know.
    However, the site (in my opinion so substantially recommended by SG) does say "If you are currently using a password manager software like 1Password, LastPass, Roboform or iCloud Keychain you should pick an alternative here" and then goes on to list a number of alternatives.

    The site has 3 different offerings in the password manager section. The closest to 1Password is Keepass and, frankly, if they're comparing it to 1Password then their recommendation can only be based on the open/closed source issue. Keepass is fine as a standalone manager (although it looks and feels dated) but it is missing any sort of browser integration. There are some 3rd party plugins that attempt to integrate it from Chrome and Firefox but I've never managed to get them to work properly.

  • @RichardPayne I think you're right with your comment "...can only be based on the open/closed source issue". @MikeT put his finger on it when he suggested the site has excluded the password managers they cite because they are either of US origin or not open source.

    Supporting this in a small way, look at the subreddit: someone asked why LastPass was excluded and got two responses. One said "Most importantly, it's not free open source software and you can't self-host it." and the next said "I asked the same question here a couple of months ago and was told that it's because they are a US-based company." I acknowledge that this is just posters on Reddit and not necessarily anyone responsible for privacytools.io...... http://www.reddit.com/r/privacytoolsIO/comments/3cakda/password_managers/

    Regardless, the infatuation with open source seems unwarranted unless there are valid 3rd party audit reports.

    Reliable audit data these days seems hard to come by at the best of times. I am sure you know all about TrueCrypt as an example. (There are many articles and sites devoted to this matter, but http://www.theregister.co.uk/2015/04/02/truecrypt_security_audit/ is a quick overview.)

  • brenty

    Team Member

    Regardless, the infatuation with open source seems unwarranted unless there are valid 3rd party audit reports.

    I couldn't agree more. I don't know about you, but I don't have the time or expertise to audit the code myself. And unless you do, it doesn't really matter whether it's an open source solution (like KeePass) or proprietary (like 1Password), because you're making the same call to trust someone else to tell you what's secure and what isn't. Peripherally, I find the TrueCrypt saga equally fascinating.

  • @brenty absolutely. No way I could audit the code.
    In this situation, in making a call to trust someone, I am much, much happier to trust a professional crew based out of Canada, a crew who does this for a living - Agile folk.

  • brenty

    Team Member

    In this situation, in making a call to trust someone, I am much, much happier to trust a professional crew based out of Canada, a crew who does this for a living - Agile folk.

    Wow. Well, I thank you kindly for that, because it is much easier said than done! I forget who said it, but...

    Trust comes on foot and leaves on horseback.

    It's so true, and we at AgileBits strive to continually earn your trust. Thanks for your support, and for holding us to such a high standard! :chuffed:

  • I couldn't agree more. I don't know about you, but I don't have the time or expertise to audit the code myself. And unless you do, it doesn't really matter whether it's an open source solution (like KeePass) or proprietary (like 1Password), because you're making the same call to trust someone else to tell you what's secure and what isn't. Peripherally, I find the TrueCrypt saga equally fascinating.

    I disagree with that. Having it open source allows for two things:

    1. Audits that are not initiated by the developer.
    2. Community observation of ongoing checkins.

    It also makes it harder for the developer to be coerced into compromising the security of their product.

    You don't have to audit the code yourself to benefit from open source although you do need an active and engaged community.

  • @RichardPayne in the ideal world open source would be lovely because lots of smart people would be able to audit the code, and I presume that this is what you mean by 'community observation of ongoing checkins'. Trouble is, that doesn't appear to be what happens.

    Folk seem to assume the code is OK because it's open source.... but obviously that doesn't mean it's been reliably audited.

    E.g. it seems TrueCrypt existed for around 10 years (since 2004) before it was audited... before the audit did take place everyone was happy to say it's open source so it's got to be good - ain't no back doors here.

    Auditing code this complex ain't simple or quick either. It took two years (2013-2015) to do TrueCrypt.

    There is no indication of audits of KeePass, Encryptr or Mitro. Though there is this https://threatpost.com/researcher-warns-security-hole-keepass-password-manager-062712/76738 and this https://news.ycombinator.com/item?id=9727297 which makes for interesting reading.

    I concur "you do need an active and engaged community"

  • brenty

    Team Member

    @RichardPayne: To be sure, there are certainly other benefits to open source software, but I was referring to a specific dynamic: that of code auditing. I apologize if I oversimplified.

    I guess when we talk about this, my mind always goes back to the Heartbleed fiasco. In theory all of this is well and good, but in practice the benefits of open source are often not realized — sometimes with staggering repercussions.

  • @toasted I didn't say or imply that auditing is guaranteed to happen for all open source software. I was countering @brenty's specific claim that it doesn't matter if it's open source or not. Clearly an open source program can be audited much more easily than a closed source one. The former can be done at any time, by anyone, whereas the latter requires the developer's involvement and consent.

    With reference to Heartbleed, no auditing is a guarantee of bug free code but what open source means is that when a fault is found, you do not have to rely on the vendor to fix it. Of course, most of the time they do, but if they don't then you can fix it yourself or pay someone else to do it.
    For example, let's pretend that the Heartbleed bug directly affected 1Password and that no one was bothering to fix it. Agilebits would then be in the position of either switching out a core library (which is a complete nightmare), allowing their users to remain vulnerable (business suicide) or fixing the bug themselves. That latter option is only available with open source.

    In general, open source is always better than closed source. Is it a panacea of security? No, of course not but it helps.

  • My first reaction upon seeing the "don't use" advice on the page was that the real threat was that Agile, or LastPass, or Apple, could be silently compelled into providing a backdoor into any of their databases. Not the closed source issue per se, although that could provide a canary for those type of code changes. I have a limited understanding of this but would it not be theoretically possible for 1P to encrypt a vault using TWO master passwords? One from an end user, and another predefined by Agile. Similar to encrypting a file using public keys from 2 different people, such that either can decrypt with their unique private keys.

    The notion of an app wide super-master-password in ANYONE's hands is somewhat scary, so I hope I'm just being dumb and paranoid.

  • @broken42 the 2 master passwords scenario is plausible but in 1Password's case there is something that makes it unlikely (the others I don't know well enough to say).
    That thing is that the data format IS open. The agilekeychain and opvault formats are both publicly documented and used by third parties. If they were to introduce an extra encrypted copy of the master key then it would be spotted relatively easily by those of us who nose around in the vault files directly.

    There is another risk in that they could be compelled to add a back door into their software (as opposed to their database). This is why some people (like privacytools.io) take such a hard line stance on closed source. The advantage with 1Password is that it never needs to communicate outside your machine, so it is relatively simple to monitor what it is doing on the network. I would imagine that this is close to impossible for online based password managers.

  • brenty

    Team Member

    @toasted I didn't say or imply that auditing is guaranteed to happen for all open source software. I was countering @brenty's specific claim that it doesn't matter if it's open source or not. Clearly an open source program can be audited much more easily than a closed source one. The former can be done at any time, by anyone, whereas the latter requires the developer's involvement and consent.

    @RichardPayne: Agreed. Sorry if I was too flippant about it. My point was that for my purposes (since I will not be auditing anyone's code, ever), I'm still going to have to put my trust in someone else to tell me if software is secure — open source or not.

    To me it seems similar to free-range or organic food: I'm glad such things exist, but ultimately I'm trusting someone else to do the work for me, rather than visiting farms myself.

    For others with the time and expertise to devote to in-depth research and review, clearly open source has a great deal of value. And after all, it's basically running the internet. But while I respect and use open source software, as an end user this status means little to me compared to whether or not it meets my needs. Obviously there's a lot more to it than this, but I just wanted to clarify my earlier comments.

    And most importantly, since AgileBits isn't "sharing your house" (storing your data in ours, or accessing yours), we can't add a back door or grant someone else access to it. And while 1Password can benefit from the presence of an internet connection, it doesn't depend on it.

This discussion has been closed.