derek328

Comments

  • derek328
    edited February 22

    @gazu: KeePass has a page explaining why it is technically not possible to scrub the memory - see the last line in the screenshot at the bottom.
    Any purported programmers or 'experts' on here need to explain how to implement effective memory scrubbing

    Your post shows a clear lack of knowledge for how application security works.

    As @Charlie_s replied, KeePass's threat model is different because it puts sensitive information encrypted in memory.

    On the other hand, 1Password 7 has committed the entire sensitive db into memory, vulnerable to memory dumps
    AND in plaintext.
    AND even if 1Password 7 is locked.
    AND also leaks data even if the computer is not infected with malware - just a software crash triggering an overpowered telemetry log will do.

  • derek328
    edited February 22

    @brenty: If there is an error we need to correct, please let us know the specifics. Otherwise it just seems like you're trolling, not having read the answers to your questions.

    OK, first things first - does AgileBits not give their employees customer relationship management training?

    This type of combative language is not professional, nor the appropriate decorum. Like others here, I'm a very concerned customer who is paying you AND is on your team. I want to see 1Password succeed as much as the next guy.

    Referring to your question, as the latest security paper (and others in this discussion also) pointed out, 1Password 7's memory hygiene is so poor that all secrets (master key + secret key + individual password entries) are exposed when in an unlocked and locked state. ISE even stated that it is possible for 1Password 7 to leak passwords from memory without an intentional attack at all.

    Now, take your marketing materials & security paper as examples:

    "Someone who has access to your devices or backups won’t be able to unlock 1Password without your Master Password, which only you know." (1, which we now know is quite misguiding since all passwords can be dumped in plaintext)

    "Among mechanisms that are cryptographically enforced are: • Unlocking a vault" (2, which we now know as per Goldberg's response that the lock out function is, it seems, mostly just a UI / visual obfuscation on Windows.)

    "A potent cocktail of AES-256 encryption and PBKDF2 key derivation ensures that no one but you can see into your data." (3, which is now proven to be inaccurate, since the effort required to dump all our private information into the wrong hands (who can then exploit access into our accounts) is so low).

    "Your Master Password is never stored alongside your 1Password data" (4, while it may not be stored alongside our 1Password data, it is definitely not as secure an architecture as we were told to believe. I feel 1Password 7's not much more resilient against memory dump attacks than an encrypted Excel sheet, especially in typical operations.)

    Your company also had an employee that, back in 2015, wrote in an official capacity that "We do not keep your master password in memory." (5) Changing 1Password from never storing our master password in memory to yes we do is a major change (not to mention a major vulnerability), yet, I don't think a significant-enough effort was made to communicate the design shift to us customers (at least not that I know of).

    Just some examples. It's not like I'm getting paid by you guys to spot your mistakes.

  • derek328
    edited February 24

    @cryptochrome: @Lars it is funny how you quote your own forum guidelines and pick the part where it says "be kind and respectful", because when I look at some of the responses, particularly from Brenty, I get the feeling these guidelines only apply to your users but not yourselves.

    Point is, if you have beef with a user because he violated your forum guidelines, the least you could do is take this beef to private messaging and deal with the offender there instead of publicly discrediting and patronizing them.

    You own this house, I get that. But a more levelheaded approach in dealing with such people would instigate less drama and look more professional.

    There is at least one person on your staff that doesn't exactly choose his words very wisely. In a heated debate such as this, you really don't want to turn on your users and vice versa.

    I agree. @Lars, the comments we made were in response to users (random e.g. like this one here, "Any purported programmers or 'experts' on here") who in violation of the same ToS called our collective qualifications into question while we were providing technical solutions to try to fix the problems together, as a community. Yet, such offensive comments were not dealt with in the same manner.

    Please align your team moving forward if possible, because this looks a little like favouritism. Much appreciated, thanks.

  • derek328
    edited February 24

    https://discussions.agilebits.com/discussion/comment/494056/#Comment_494056
    @nikanorov: agilebits team are you really removing the comments from this thread? I am missing mine and do not see any of @derek328 for example. I have no words.

    @oneagilebits: @lars Nope, there are simply no comments left from @derek328 in this thread. Two hours ago he made good points here - you even see other people quoting him. Where are they now?

    @Charlie_s: This is very troubling. He pushed forward many concerns that many of us have.

    @oneagilebits: @Charlie_s I don't know how this forum works - could he have deleted his comments himself?

    @Charlie_s: Could be, I hope so...

    @oneagilebits: @Charlie_s I think there is more to it. I can access your own list of comments here: https://discussions.agilebits.com/profile/comments/Charlie_s. But for @derek328 access blocked with the message: "You do not have access to any comments on this page.": https://discussions.agilebits.com/profile/comments/derek328

    @Charlie_s: @oneagilebits Same. His name was derek328...

    @oneagilebits: Here are direct links to @derek328 comments that have gone missing:
    https://discussions.agilebits.com/discussion/comment/494037#Comment_494037
    https://discussions.agilebits.com/discussion/comment/494031#Comment_494031

    @MikeT: Hi guys, we're checking on derek328's status; our forum moderation can sometimes kick in if it suspects an attempt to spam. It looks like his posts have been marked, we'll get that resolved soon.

    @oneagilebits: Was his threat of suing for false advertising too much for AgileBits? Anyway, to all wading through this huge thread: There is no new threat. AgileBits knew it all along. Threat mitigation is low on the priority list, implementing fancy features like WatchTower is more important.

    https://discussions.agilebits.com/discussion/comment/494082/#Comment_494082
    @MikeT: Posts should be back, sorry about that, it was marked as spam.

    Hello everyone!

    First things first - I'd like to extend big thanks to @MikeT & @Lars for their help (undoing my forum account ban), which I also want to believe was just a system error, and not deliberate (despite the circumstances appearing a little suspect - my posts were successfully published here for some time until you guys from the community also noticed that my posts had suddenly vanished & my profile was locked. AFAIK, most spam filters do not operate like this).

    Thank you to each & every one of you who validated my contributions here. My principles are very simple:

    • say no to BS (even if masked in technical jargon, since I also have strong, Fortune 500 technical background)
    • raise concerns for fellow users (both technical & layman), and
    • follow up with 1Password on questions I feel were avoided / not properly answered, and
    • see that 1Password succeeds in patching this vulnerability in a timely manner, a reasonable expectation for a security program like 1Password.

    I keep a local copy of everything I said on the forums, so I have backups even if something fishy happens. Just to be sure, I did not personally choose to delete any posts (forum users have no delete rights here)!!

    To the particular employee (I won't resort to names) who labelled me as a "troll that ignores replies", I do read & make a copy of every reply that's been posted here. I'm a deeply concerned customer that's paid for over 3 years of service - I want to know just how weak 1Password 7 is against basic memory dumps, and when the team can update protections for us (the black hats certainly aren't stalling).

    1Password's response so far, roughly boiled down for simplicity's sake, is that:

    • they knew locked state on Windows is just mostly a UI / visual obfuscation right now (see here for @jpgoldberg's reply, point 6.)
    • they are moving towards Rust (although not willing to make commitments, which raises more concerns in my mind), and that
    • "if your computer is compromised, all bets are off."

    From a technical perspective, I think @MikeT gave a nuanced response as to why they chose to cache so much of our sensitive data into memory (to enable functions like Watchtower). While it was not a smart product design choice imo (compromising security for flashy benefits that users could have gotten through another channel), I can understand & accept his reasoning. I also tend to agree that if a machine is severely compromised, all bets should be off. Again, I'm a paying 1Password user and am on the same team here.

    However, what I'm not okay with is 1Password's marketing touting our data is secure & our Master Keys as:
    • "secret"
    • "(if strong) could take decades to crack", and that
    • "only you know" your master key.
    • and I'm also not okay with 1Password team knowing locked state (on Windows) does not always mean cryptographically enforced, but still marketing it as such in their security paper.

    It's possible I'm mistaken, and I've even used my own personal time to lay out a brief number of examples where I feel 1Password's marketing is now appearing quite misguiding / perhaps even false, but I've received no response. Instead, I was called a troll. A+ crisis management. eye roll

    As the research paper revealed, 1Password 7 will leak our **plaintext** Master Key + Secret Key + individual password entries even if a PC is 100% no virus / malware; a simple memory dump (even innocent ones triggered by legit software / driver crashes to create a telemetry log for debugging) is all it takes to have a security breach. This defies the sense of security 1Password sold to me as a customer. This is not an acceptable vulnerability.

    We're begging you to take concrete, actionable steps to provide a basic necessity (secure memory management on Windows), and that you remove any misguiding / false marketing promises your software cannot deliver on Windows at the moment. That's all.
    Like what @alexyang & so many of us have said, we're not asking for only 100% perfect solutions because none exists. Security products like 1Password need to own the corporate responsibility - to make sure all available tools & best practices at your disposal are deployed, because you're asking people to entrust their lives to you.

    Take the criticism seriously. Please give us a timeline so that we can rest assured knowing our 1Password 7 will not leak our private data on even 100% clean computers.

  • Major thank you to you @Charlie_s as well, alongside @nikanorov, @oneagilebits, @UnFleshedOne, @arabbit, @riw777, @cryptochrome, @alexyang, @DMeans, @kdhooghe, and countless others here who were helping to keep track of all the posts.

  • derek328
    edited February 24

    @alexyang: This vulnerability is not something like a keylogger. Many people are mentioning the scenario like the system is fully compromised. It is not.

    ^ This.

    As shown in the research paper, 1Password 7 leaks your master key + secret key + any password entries in your db in plaintext even on 100% clean, uncompromised computers without malware or any attackers involved at all.

    If 1Password had made this vulnerability clear in its marketing & security paper, I think a lot of current / potential customers would have reconsidered getting 1Password, reconsidered how they configure their 1Password use cases, or even outright decided to not use one. But what's done is done, and I'm interested in concrete, actionable solutions that protect users.


    Edit: Also, before a certain employee jumps to conclusions again about people making "threats" here, let me just repeat I'm not a legal expert. However, as a layman I definitely feel the sour taste in my mouth like 1Password has pulled a fast one over me from the security perspective (I don't mind paying 60/yr or even 60/mo if the security was indeed as marketed), and I feel 1Password's extremely lackluster memory hygiene on Windows is so far behind what's reasonably expected from 1Password, that it may quite well possibly expose AgileBits to a class-action - especially if a case comes up in the near future where a user's life is ruined due to a leak from 1Password via innocent system telemetry-triggered memory dumps (as opposed to any malware / virus / any other forms of a compromised end-point). Again, I'm not saying I personally or any user will sue AgileBits. Rather, I'm simply speaking to the exposure that I feel 1Password may well quite possibly be facing, and that I'm not sure if the team truly understands the gravity of the situation yet.

  • derek328
    edited February 24

    @warpspeed - you, @notauser, @A5rypTiK and others really nailed it on the head.

    One of 1Password 7's biggest problems on Windows is that locked does not 100% mean locked, at least not in the format it is marketed (see here for jpgoldberg's reply, point 6). Right now, it appears to be mostly just a UI / visual obfuscation, but 1Password continues to market/sell the vault-unlocking function as "cryptographically enforced" - which made me feel I've been cheated even though AgileBits has been charging me money for the service.

    On this particular issue, the only answers I personally received from jpgoldberg are that:

    • it is a good and fair point,
    • as 1Password's product security lead, he does not have a good answer for this, and
    • they knew this is a problem "for years" - but deferred to fix (which felt wrong to me, because while they delayed this function, their marketing materials have been selling as if 1Password offers such protection right now)

    Personally, I'm still waiting for them to reply to my follow-ups: if we all misunderstood anything, or why there is such a major difference between their marketing & real product on Windows.

  • derek328
    edited February 24

    @warpspeed completely agreed. I also want to recognize @jpgoldberg, @MikeT, @Lars for being such good sports, and addressing our concerns in an official capacity.

    Like I also said before, what's done is done now. I will be changing all my passwords which will take a significant amount of time, but more importantly - I want 1Password to officially recognize that they dropped the ball on this (especially the plaintext memory dump vulnerability even on 100% clean computers, and the potential inaccuracies in their marketing materials), and give us an actionable timeline for when & how they'll improve memory management security for 1Password 7 on Windows.

    No more delays. No more shoving blame to "if your computer is compromised". 1Password 7 needs fixes ASAP, and needs them fast, not after months or years. Now that the cat is out of the bag, we can bet all the black hats will be eyeing this data treasure trove too - and they aren't stalling.

  • derek328
    edited February 24

    @Unsafenow: Sad to say, after many years using 1Password, I'm not comfortable using it anymore, mostly because of the response to this issue. Frankly, I was never happy with the change away from ver 4 to the current iteration.

    Same here. The response by some employees here is at times even worse than the particular vulnerability in question, and frankly their silence over the marketing materials' inaccuracies is even more concerning - it certainly raises doubt in my mind when it comes to other things they also said. Consumer trust is hard to regain.

    @tesmi: What would you have them do? [...]

    I'm not being paid by AgileBits for the amount of time I spent on this, and frankly it's their job to figure it out. Having said that, what everyone here has been asking is very simple if you'd just scroll up a little.

    To quote a fellow user in this discussion, who summed it up better than I could've: The first major error in judgement was using a programming language that would not allow them to scrub memory. Full stop. And, like another few users said using financial / fintech sectors as examples (to similar effect, which jpgoldberg also recognized): No one expects that memory can be cleared instantly, but you can get pretty darn close. I appreciate 1Password's admission that it's stuck between a rock & a hard place, that there are many attack vectors to consider at the end-points, in-transit, or even at the servers. I felt they had done a good enough job protecting our account data from being taken off of 1Password's servers, and if 1Password is crippled as a company from the inside, or if our data is intercepted in-transit.

    However, it has also become abundantly clear that 1Password 7's local end-point security on Windows is shockingly poor. As you said, 1Password claims "coding in low level languages would allow scrubbing of memory but come with a multitude of other issues", which may be true, but that's also something countless other institutions have solved - many more successfully than 1Password. We're not asking for only 100% perfect solutions, because no such thing exists. Security products like 1Password need to own the corporate responsibility - to make sure all available tools & best practices at your disposal are deployed, because it's asking us to entrust our lives to it.

    Instead of building things like Family Share (which has its own place & value, but I digress), 1Password should've focused on ensuring our master key + secure key + individual passwords could not be dumped as plaintext as easily as it can be right now, especially considering if an end-point is already 100% malware & virus-free. Imo, if 1Password's local encryption can be so quickly bypassed without even any hackers involved, and that 1Password has really struggled with fixing this major vulnerability "for years", then it really has no business advertising itself as a "secure" product imho.

    Having suffered this vulnerability "for a long time", or "everyone else also has this vulnerability" (which btw isn't even remotely true), are not legitimate reasons for 1Password's refusal to commit to a timely & effective fix. This is part of the responsibility that AgileBits also signed up for when they happily took our money. This is a minimum service-level expectation.

    Bottom line: This is a critical, security-crippling flaw, and it is entirely 1Password's responsibility to get that fixed ASAP. I'm not sure 1Password gets the gravity of this situation.

  • brenty

    Team Member
    edited February 25

    @derek328: You won't get another warning as far as adhering to the forum guidelines, but we really, really prefer not to prevent people from participating. But, by the same token, we're not going to allow others to be prevented from participating, and/or being comfortable doing so. So what I'm doing is creating this discussion just for you, where you can continue your commentary, provided you refrain from personal attacks and other rude behaviour. While you do still need to treat others appropriately, here at least there will be less of an issue with etiquette as far as staying on topic, since others who want to be able to participate in the ISE discussion will be free to do so, and if they want to follow you into this discussion as well, they can do so. To be clear, it isn't our job to provide a platform for you. But as long as you avoid being disruptive to the support process, you're welcome to stay.

    On a personal note, if I've said something that offended you, please let me know the specifics so I can take another look and apologize if appropriate. Granted, I'm not going to apologize for offending you by disagreeing with you at times, but if I legitimately said something I shouldn't have, I am sorry. :blush:

  • brenty

    Team Member

    To the particular employee (I won't resort to names) who labelled me as a "troll that ignores replies", I do read & make copy of every reply that's been posted here.

    @derek328: That isn't what I said. This is:

    If there is an error we need to correct, please let us know the specifics. Otherwise it just seems like you're trolling, not having read the answers to your questions.

    I am sure that you are familiar with the meaning of the term "trolling". Ironically, you taking umbrage to my complaint about your trolling is a form of trolling in and of itself. If this were a general-purpose internet forum instead of one meant for technical support, I'd probably just stop right here and applaud you for pulling off that move. :lol:

    I'm a deeply concerned customer that's paid for over 3 years of service - I want to know just how weak 1Password 7 is against basic memory dumps, and when the team can update protections for us (the black hats certainly aren't stalling).

    I understand that and don't blame you. The researchers were very thorough in their report though, and it's been discussed at length here in the forum as well, including by you. Given the authoritative certainty of your earlier comments, it sounds like you have a pretty good handle on the situation, and we've already talked about some of the things we're working on in this area -- and of course you're free to experiment with your own tools.

    Re: this:

    @Lars, the comments we made were in response to users (random e.g. like this one here, "Any purported programmers or 'experts' on here") who in violation of the same ToS called our collective qualifications into question while we were providing technical solutions to try to fix the problems together, as a community. Yet, such offensive comments were not dealt with in the same manner.

    If you'll direct me to the "offensive comments" you're referring to, I'll review them with the team and we'll see what needs to be done regarding those particular cases. I don't think that's a valid defense of your own bad behaviour though. When I was a kid, I totally used the "But mom, he did that!" strategy on my brother when I was in trouble for something and wanted to shift the attention away from myself...but that's not really appropriate here. :) Anyway, if we missed something, two wrongs don't make a right, but I'm sorry about that and we'll look into it.

    Please align your team moving forward if possible, because this looks a little like favouritism. Much appreciated, thanks.

    We do, admittedly, show favouritism toward those who participate in this support forum without stifling others' participation, and offer comments, criticism, and suggestions without being rude to anyone. I'm not going to apologize for that. But I will make sure we continue to review your complaints just as we have with those we've gotten from others about you. This is not a journalistic or public-works endeavor, but we do try to be fair.

    Re: this:

    Personally, I'm still waiting for them to reply to my follow-ups: if we all misunderstood anything, or why there is such a major difference between their marketing & real product on Windows.

    and this:

    The response by some employees here is at times even worse than the particular vulnerability in question, and frankly their silence over the marketing materials' inaccuracies is even more concerning - it certainly raises doubt in my mind when it comes to other things they also said.

    Unfortunately you're waiting on me waiting on you here a bit. Earlier I said:

    If there is an error we need to correct, please let us know the specifics.

    To which you replied:

    Just some examples. It's not like I'm getting paid by you guys to spot your mistakes.

    I appreciate that. But the examples you did give were a bit hyperbolic, as they were true statements in that context which you're trying to twist. You've already more than demonstrated that you're smart enough to understand this. I think perhaps it's worth expanding upon some of those statements to make them clearer, but mainly from a legal perspective. While I am not a law professional, I can certainly imagine that someone, at least in the US (I am a US citizen, so I have no qualms about poking fun at its overly-litigious society! :tongue: ), at some point might try to make a case that "your Master Password, which only you know" is untrue after they told their spouse their Master Password, to potentially comical effect.

    You also referenced this:

    "Among mechanisms that are cryptographically enforced are: • Unlocking a vault" (2, which we now know as per Goldberg's response that the lock out function is, it seems, mostly just a UI / visual obfuscation on Windows.)

    I think you've got it backward. Unlocking is cryptographically enforced in all cases; rather, it's the locking which cannot always guarantee when memory is cleared.

    Similarly, you took exception to "ensures that no one but you can see into your data", if you've let someone into your computer. The same can be said of a property sold with privacy hedges as a feature, if you let someone into the yard. Sure, you probably don't want to sunbathe in the nude if the inlaws are coming over, but I hardly think it's fair to blame the realtor in that case.

    "Your Master Password is never stored alongside your 1Password data" (4, while it may not be stored alongside our 1Password data, it is definitely not as secure an architecture as we were told to believe. I feel 1Password 7's not much more resilient against memory dump attacks than an encrypted Excel sheet, especially in typical operations.)

    You may feel that 1Password is less secure than a spreadsheet at the moment -- that's on us, and I'm sorry about that -- but in reality you will find it otherwise. No one is getting into your 1Password data without you logging into the machine, unlocking 1Password, and handing it over to them. I have difficulty believing that you do not understand this.

    Anyway, I will agree that it's worthwhile to review for semantics as well, to make sure that our meaning is clear to as many people as possible. And when something is unclear, it's helpful to know that so we can take another look. If there's anything else, please let me know. Thank you.
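    The distinction brenty draws here (unlocking is cryptographically enforced; it is locking that cannot always guarantee when memory is cleared) and the memory scrubbing that users earlier in the thread say is achievable, shown side by side as an added C example that is not from this thread or from 1Password's code base: a lock that only flips the UI flag next to one that also zeroises key material through volatile writes the optimiser cannot discard. The session layout, function names and key bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Constructed session layout for this example (not 1Password's real
 * structures): key material lives here only while the vault is unlocked. */
typedef struct {
    int unlocked;
    uint8_t master_key[KEY_LEN]; /* stands in for the key derived from the Master Password */
    uint8_t secret_key[KEY_LEN]; /* stands in for the Secret Key */
} vault_session;

/* Wipe through a volatile pointer so the stores cannot be treated as dead
 * and removed by the optimiser, which is what can happen to a plain memset()
 * on a buffer that is never read again. explicit_bzero(), memset_s() or
 * Windows' SecureZeroMemory() serve the same purpose; the loop keeps the
 * example portable. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Load constructed key bytes; real code would derive these with a KDF. */
static void vault_unlock(vault_session *s, const uint8_t *mk, const uint8_t *sk) {
    memcpy(s->master_key, mk, KEY_LEN);
    memcpy(s->secret_key, sk, KEY_LEN);
    s->unlocked = 1;
}

/* "Lock" as UI-only state: the flag flips, the keys stay resident. A memory
 * dump taken now still contains them in full. */
static void vault_lock_ui_only(vault_session *s) {
    s->unlocked = 0;
}

/* Lock that also scrubs: the flag flips and key material is zeroised before
 * the function returns, so the window in which a dump finds the keys closes
 * with the lock rather than with process exit. */
static void vault_lock_and_scrub(vault_session *s) {
    s->unlocked = 0;
    secure_zero(s->master_key, KEY_LEN);
    secure_zero(s->secret_key, KEY_LEN);
}

/* What a dump of this struct would still expose: count of non-zero key bytes. */
static size_t resident_key_bytes(const vault_session *s) {
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        n += (s->master_key[i] != 0);
        n += (s->secret_key[i] != 0);
    }
    return n;
}

/* Runs one unlock/lock cycle with the given lock routine and returns how
 * many key bytes remain readable afterwards. */
static size_t bytes_left_after(void (*lock)(vault_session *)) {
    uint8_t mk[KEY_LEN], sk[KEY_LEN];
    memset(mk, 0xA5, KEY_LEN); /* constructed, non-zero sample key bytes */
    memset(sk, 0x5A, KEY_LEN);
    vault_session s;
    memset(&s, 0, sizeof s);
    vault_unlock(&s, mk, sk);
    lock(&s);
    size_t left = resident_key_bytes(&s);
    /* The local copies are secrets too; scrub them before the frame is reused. */
    secure_zero(&s, sizeof s);
    secure_zero(mk, KEY_LEN);
    secure_zero(sk, KEY_LEN);
    return left;
}

int main(void) {
    printf("after UI-only lock: %zu key bytes still in memory\n",
           bytes_left_after(vault_lock_ui_only));
    printf("after lock + scrub: %zu key bytes still in memory\n",
           bytes_left_after(vault_lock_and_scrub));
    return 0;
}
```

    Scrubbing only closes the copies the program controls: key bytes duplicated into other buffers, paged to disk, or captured in a crash dump before the lock are still exposed, which is why the thread's "pretty darn close, not instant" framing holds.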

  • danco Senior Member Community Moderator

    I have to agree with Derek that the use of the word purported and the quote marks round expert imply that Derek's knowledge and experience (and that of others) is being called into question; it is not just a legitimate request for his qualifications for making his remarks. This could well be regarded as offensive.

    And, not knowing anything about Windows, the specific point I have taken from the discussion is that a memory dump can be taken and transmitted in the normal course of events without any user interaction. This could be used by an evil employee of a respectable firm, in the same way that, when one gives credit card details over the phone to a legitimate business, there is no guarantee that the employee is not keeping all those details for a nefarious purpose.

  • derek328
    edited February 26

    @brenty: 1Password does not do this, and I haven't seen concrete examples of where this would occur, but it is possible that other software running on your system could do a memory dump, and that could potentially include 1Password data in memory at the time. That should not happen, but it is not a given that it could not.

    Thanks for finally getting back to us, @brenty. I'm not sure why you specifically took my posts to be removed into a new separate thread (despite most users here & even jpgoldberg finding my posts to be valid and constructive), or how they were "disruptive to the support process", but I'll respect that you are in the position to pull authority and say "it isn't our job to provide a platform for you".

    Regarding what you said about how 1Password behaves in a memory dump scenario caused by driver crashes, of course we don't expect 1Password to cause a memory dump proactively.

    The main point of concern that we raised in need of an urgent fix, is that 1Password's memory can currently be read without admin privileges, and dumped in plaintext if a fellow software / driver crashes on Windows. Of course that's not ideal, but as per the researchers + all the proven talent in this discussion, it unfortunately is very common, requires no specific targeting, and mitigations against this type of situations are very, very basic. They can be done, and have been done.. so when is 1Password gonna do it?

    If 1Password wants to market itself as "secure", this is a basic functional requirement, and it needs a fix fast.

  • @danco I completely agree. It's a major cause for concern how the forum ToS isn't being enforced fairly across all users (the link was already provided to you in my original post), and that memory dump in plaintext issue is really undermining 1Password's reputation in my mind. This needs a fix asap.

  • brenty

    Team Member

    I have to agree with Derek that the use of the word purported and the quote marks round expert imply that Derek's knowledge and experience (and that of others) is being called into question; it is not just a legitimate request for his qualifications for making his remarks. This could well be regarded as offensive.

    @danco: I'm going to have to disagree here. If quotation marks are considered offensive now, we're all in trouble. :) I agree it's not a legitimate request for qualifications, but as far as I can tell no one who used the term "experts" (with quotes) singled out derek328. "Purported", on the other hand, is completely fair when people are, quite literally, presenting themselves one way -- purporting to have qualifications. I understand that there may be good reasons for withholding that information, but the price of anonymity is that people only see who you "purport" to be, and you cannot back it up. The comment also seems to have been directed at someone else entirely, re: BitWarden.

    And, not knowing anything about Windows, the specific point I have taken from the discussion is that a memory dump can be taken and transmitted in the normal course of events without any user interaction. This could be used by an evil employee of a respectable firm, in the same way that, when one gives credit card details over the phone to a legitimate business, there is no guarantee that the employee is not keeping all those details for a nefarious purpose.

    That is true.

  • brenty

    Team Member

    I completely agree. It's a major cause for concern how the forum ToS isn't being enforced fairly across all users (the link was already provided to you in my original post), and that memory dump in plaintext issue is really undermining 1Password's reputation in my mind. This needs a fix asap.

    @derek328: I apologize, because I thought this was about something else entirely. Given that you have been the one making threats and demands, it seems a bit odd to me that you'd take offense to quotes around the word "expert" and/or the use of the word "purported". After all, you have publicly accepted the designation of "expert" (quotes used to clarify that I'm referencing what someone else said), so I'm not sure it's reasonable to complain about someone referring to you that way. Also, they did not refer to you by name in the post you pointed out, and multiple people in the thread used the term "experts" (with the quotes), so I'm not sure why you're taking offense to that one in particular -- especially given that the comments preceding that were from me and from others, not from you, and the commenter was addressing claims about BitWarden, which I don't see you mentioning at all throughout the entire discussion. So I really think you're taking personal offense to comments directed at someone else entirely, perhaps because you're so clearly invested in the discussion. Just keep in mind that not everything is about you. But we will keep an eye on things and remind others of the forum guidelines if necessary -- if they have not already been reminded of them when it was brought up there earlier.

  • brenty

    Team Member

    Thanks for finally getting back to us, @brenty.

    @derek328: "Finally" seems a bit unfair, given the only day I haven't replied was Saturday (Toronto time) because it was my day off. Friday, Sunday, and Monday I've been here. But I can't spend all day every day in a single thread, especially when we're just kind of going in circles at this point. There are other people that have waited longer than 24 hours for a reply. I hope you'll consider that going forward.

    I'm not sure why you specifically took my posts to be removed into a new separate thread (despite most users here & even jpgoldberg finding my posts to be valid and constructive), or how they were "disruptive to the support process", but I'll respect that you are in the position to pull authority and say "it isn't our job to provide a platform for you".

    You're right. You deserve an explanation. I was just hoping to move forward. If you go back to the other thread, you'll note that your substantive posts are all still there. What I have moved to this thread are posts which contain the following:

    • Trolling
    • Personal attacks
    • Repetition of earlier comments
    • Irrelevant / off-topic commentary
    • Dismissal of others who don't agree and/or aren't as articulate

    Or any combination of the above. Comments that are not on-topic for the discussion, are re-iterating something you or someone else has already said in an attempt to monopolize the discussion, or which offer no benefit to others will not remain there. There are a lot of people besides you who are interested in the topic, and while you offered some thoughtful insights early on, it's not really to anyone's benefit to continue to feed a fed horse -- and, as you yourself noted, you're not going to be paid for the time to put in here anyway. ;)

    Regarding what you said about how 1Password behaves in a memory dump scenario caused by driver crashes, of course we don't expect 1Password to cause a memory dump proactively.

    Of course. I was replying to someone else, so I apologize if I didn't make myself clear enough for you as well. What I'm saying is that 1Password does not save a memory dump to include as, say, part of a diagnostics report, which we sometimes ask customers for in order to troubleshoot certain issues.

    The main point of concern that we raised in need of an urgent fix, is that 1Password's memory can currently be read without admin privileges, and dumped in plaintext if a fellow software / driver crashes on Windows. Of course that's not ideal, but as per the researchers + all the proven talent in this discussion, it unfortunately is very common, requires no specific targeting, and mitigations against this type of situations are very, very basic. They can be done, and have been done.. so when is 1Password gonna do it? If 1Password wants to market itself as "secure", this is a basic functional requirement, and it needs a fix fast.

    Understood. Thanks for your thoughts and suggestions in this area. Unfortunately, as mentioned previously, we're not able to offer release dates for unreleased stuff. Once we have something to share publicly though we will provide an update.

  • derek328
    edited February 26

    @fritzophrenic: 1Password is aware of the problem and is working on it. We even know the internal name for it now which they use to tag all their related issues (LML).

    To be fair, they've known this issue "for years" according to jpgoldberg and still haven't shipped it time and again... so pardon us if we have our reservations lol.

    @RogerD: Thanks, dev team, for allowing an open discussion here!

    @brenty, regarding the suggestion above about Secure Strings, I think I saw earlier that 1Password 7 is C#? .Net does have a SecureString class, and in fact I reported a similar vulnerability a few years ago to the maker of a corporate, IIS-based password manager, and they were able to fix the problem entirely by switching to use this string class. Could be worth a look.

    I agree. It's definitely worth a very solid look before being dismissed.

    @gazu: 1Password data can only be read from the memory if you are an administrator (same as KeePassXC)

    @UnFleshedOne: This is incorrect, on Windows you don't need to be an admin to read 1Password memory, you only need to run in the same user context. And then you have access to the whole database.

    Completely agreed with @UnFleshedOne. This is a major differentiator.
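    The "very basic" mitigation the thread keeps asking for is memory hygiene: keep a secret only in a mutable buffer, scrub every copy once it has been used, and verify the scrub actually happened. This is an added example in C, not 1Password's, KeePass's or any vendor's code; the hash standing in for a key-derivation step is a toy, and the password value is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Wipe a buffer so the secret is no longer recoverable from a memory dump.
 * A plain memset() right before free() may be dropped by the compiler as a
 * dead store; writing through a volatile pointer keeps the stores in place. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte in buf is zero; used to verify that a wipe ran.
 * The OR-accumulator avoids an early exit, so timing does not depend on
 * where the first non-zero byte sits. */
int is_wiped(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Simulates one unlock: copy the master password into a working buffer
 * (applications routinely make such temporary copies), derive the value the
 * application will actually keep, then scrub the buffer before returning.
 * The derived value here is a toy FNV-1a hash standing in for a real KDF.
 * Note that an immutable string (a C literal, or a managed string type)
 * cannot be scrubbed in place, which is why a mutable buffer is used. */
uint32_t unlock_and_scrub(const char *master_password,
                          unsigned char *scratch, size_t scratch_len) {
    size_t n = strlen(master_password);
    if (n == 0 || n > scratch_len) {
        return 0;                          /* nothing copied, nothing to wipe */
    }
    memcpy(scratch, master_password, n);
    uint32_t derived = 2166136261u;        /* FNV-1a offset basis */
    for (size_t i = 0; i < n; i++) {
        derived ^= scratch[i];
        derived *= 16777619u;              /* FNV-1a prime */
    }
    secure_wipe(scratch, n);               /* the password copy is gone... */
    return derived;                        /* ...only the derived value remains */
}
```

Scrubbing the copy in `scratch` removes one exposure; every other place the password was copied to (input fields, intermediate strings, the derived key itself when no longer needed) has to get the same treatment, which is the work the thread is asking the vendor to do.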

  • derek328
    edited February 27

    @mzman: [...] There have been some good points since my posts earlier, but some discussions of real-world-risk miss the point. The point is, the encryption here is providing very little value. We shouldn't even pretend it exists, as far as most users are concerned. Reading clear text passwords is of course necessary if we want to use them, but protection can't end with that observation. If it did, there would be little to no case for encryption of the vault at all. [...]

    Exactly our thoughts as well! 1Password came out swinging when the Wapo article first published, but as our discussion continued (then discovering issues like potential false advertising, class action lawsuit exposure, etc), they started responding less, and that's worrying. It makes me wonder if there's some other misguiding / shady stuff that they are trying to hide.

    It's not easy to think why the 1Password devs are so defensive when this shouldn't even be an argument to begin with - if 1Password's memory is so flat out open for reading (even on 100% uncompromised machines), it's frankly in my opinion irresponsible to advertise 1Password as a secure product. They may be an improvement over storing my passwords in Notepad, but then again, Notepad isn't costing me 30/yr just to dupe me with a false sense of security.

    @warpspeed: The blog post that says 1Password 7 for Windows: "The Best Ever" is absolutely not true in this (most important) regard [...] It also significantly offends me that the whole Lock-means-Lock (LML) thing is even an issue. That should never ever have been an issue in the first case and it significantly disappoints me that AgileBits have allowed this to go on for as long as it has.

    I know what you mean. I can't imagine how this is even a justifiable product decision. The 100% product-crippling bug was allowed to exist (and they've known about it) for years.

    @XIII: After having done that I now know that (some) passwords are visible as JSON in the dump. And they are even marked as password in that JSON data...

    Surely you are lying! jpgoldberg even said this type of vulnerability / exposure is very rare and narrow and that fixing it would be worse than not fixing it (apparently)!!!! You are a paid actor!!

    /s Jokes aside, it is a very serious concern. I'm not sure, from one infosec specialist to another, how jpgoldberg can justify years of delaying 1Password from practicing safe, secure memory hygiene - but still sell 1Password every day as a secure service. Is this the barometer of secure in 2019 lol?

    @oneagilebits: Wow, this makes retrieving unknown passwords from memory unbelievably easy. Is there an easy possibility to automate the readout with the tools readily available? This would make for a nice Proof-of-concept for @jpgoldberg and @MikeT.

    A lot of us have pinged them in the past 2-3 days, but their responses have been getting fewer, all relatively shorter (than the combination of our inquiries) and selective in what concerns they want to reply to (despite all of them being hugely valid, like the seemingly false advertising questions we're asking).

    I guess some people won't see what they don't want to see.

  • @ppiixx Fortunately 1Password will leak our data even with a 100% clean PC. Staying ahead of the curve, people! /s

  • brenty

    Team Member
    edited February 27

    As I've mentioned already, trolling isn't acceptable behaviour here on the 1Password support forum, even if it may make for a good time in other corners of the internet. Apart from thinly veiled threats, insinuations, and other antisocial behaviour, repeating others' comments and your own without offering anything substantive or new is a poor use of everyone's time, including yours. Please stop repeating yourself and others after the point has already been made.

    Regarding the "secure string" proposal, I'll follow up on that in the original thread. Spoiler: it isn't what you seem to think it is.

  • @alexyang: It has been over a week since the research paper came out and news report emerged. I now have just three simple yes-no questions for 1Password team. @jpgoldberg
    1. Is 1Password team currently working on a fix or mitigation of the issue reported? (I’m not talking about Rust, which no one promised)
    2. Will there be a formal communication from 1Password to the general users informing about this vulnerability and how to take some actions to protect themselves? (I’m talking about a blog post or email communication to all registered users)
    3. Will 1Password hire an independent security firm to audit and do penetration testing of the latest Windows app?

    Thanks.

    I completely agree. As I'm sure any reasonable infosec expert or customer would agree, knowing about a vulnerability for years isn't a reasonable or acceptable explanation for why LML has been delayed for all this time, let alone one as crippling as this (leaking master key + secret key + individual passwords on a 100% clean Windows computer).

    While I'm confident that you are a knowledgeable developer yourself, it is clear those responsible for Windows in 1Password may not have the necessary risk assessment capability or technical skillset to properly deliver a secure Windows client. I, too, think 1Password needs to get a proper 3rd party audit.

  • I have a serious suggestion for everyone who is upset about this -- post a review for the 1Password app in the Windows Store, the extension in the Chrome store, etc. I did, and almost immediately received a response: "if the computer is compromised, all bets are off."

    Given: security is never perfect. Yes, there are always tradeoffs. I've even written on this and published videos about it. On the other hand, the reason given here -- "if your computer is compromised, we cannot protect you," is either one of two things. First, it could be a shrug. It could be saying "sure, but this is only a problem if you (the user) are dumb enough to allow your computer to be compromised, etc." It could be pushing the problem back on the user. Second, it could be a wink. It could be saying "sure, this is a problem, but we expect the environment to solve this problem so we do not need to."

    Personally, out of this entire episode, I find this response to be the most troubling. DMA attacks are easy to execute and widespread. Even if they weren't, the principles of reducing your attack surface to the smallest point possible across space and time and defense in depth still hold. I'm not a security professional -- I work primarily in the area of networks and networked systems -- but I have dealt with enough secure networks and large scale attacks against networks and networked systems to know storing the one password that can unlock all other passwords -- permanently -- in plain text -- in memory, and then saying "well, so long as the system isn't compromised, it's all good," is not the way to go about things. If I said to someone "it's okay, you can pass around unencrypted credit card and medical data on your network -- after all, if the firewall is compromised, all bets are off" -- there would (rightfully) be major kicking and screaming. Yes, people make these kinds of choices. But they also always end up paying for them in the end.

    This does not need to be personal. It does not need to be taken as beating up on anyone. No-one (that I know of) is saying "person x is a horrible person."

    We just want this fixed so we can trust this software once again. The lame "compromised system" excuse is just that -- it's a lame excuse. It's not helping anything. Just make the software right. That's all.

  • Ben AWS Team

    Team Member

    Hi everyone. We appreciate everyone's participation, but I'd point once again to our public statement on the matter:

    Managing 1Password Secrets in Memory

    ...and reiterate my request in the original thread that

    If you have specific questions that have not been addressed in this thread or in the above article, or if you'd like clarification on any points, please feel free to reach out directly to our security team at [email protected]

    Thank you.

    Ben

This discussion has been closed.