Who | What | When |
---|---|---|
*** | EhtyarWRK has quit IRC (Quit: I was raided by the FBI and all I got to keep was this lousy quit message!) | [00:13] |
............................. (idle for 2h20mn) | ||
*** | ivan-kanis has joined #arpnetworks | [02:33] |
...... (idle for 28mn) | ||
*** | milki has quit IRC (Ping timeout: 240 seconds) | [03:01] |
....... (idle for 33mn) | ||
*** | heavysixer_ has joined #arpnetworks; ChanServ sets mode: +o heavysixer_; heavysixer has quit IRC (Ping timeout: 240 seconds); heavysixer_ is now known as heavysixer | [03:34] |
........ (idle for 39mn) | ||
*** | milki has joined #arpnetworks | [04:15] |
...... (idle for 27mn) | ||
*** | ivan-kanis has quit IRC (Remote host closed the connection) | [04:42] |
*** | ivan-kanis has joined #arpnetworks | [04:54] |
....................... (idle for 1h53mn) | ||
*** | fink has joined #arpnetworks | [06:47] |
*** | heavysixer has quit IRC (Quit: heavysixer) | [06:53] |
.......................... (idle for 2h9mn) | ||
*** | phreak- has joined #arpnetworks; key has quit IRC (Ping timeout: 246 seconds) | [09:02] |
.......... (idle for 45mn) | ||
*** | HighJinx has quit IRC (Ping timeout: 258 seconds) | [09:49] |
.... (idle for 15mn) | ||
*** | ivan-kanis has quit IRC (Remote host closed the connection) | [10:04] |
..... (idle for 21mn) | ||
*** | HighJinx has joined #arpnetworks | [10:25] |
*** | phreak- is now known as phreak | [10:38] |
................ (idle for 1h16mn) | ||
*** | phreak has quit IRC (Quit: sleep) | [11:54] |
.... (idle for 15mn) | ||
*** | fink has quit IRC (Ping timeout: 252 seconds) | [12:09] |
........ (idle for 36mn) | ||
*** | fink has joined #arpnetworks | [12:45] |
RandalSchwartz | RandalSchwartz stares lazily into the irc screen | [12:50] |
.... (idle for 16mn) | ||
reardencode | how would the channel feel about me pimping an unrelated project that I've recently released in alpha? | [13:06] |
fink | reardencode: i'm excited already | [13:07] |
reardencode | haha, http://github.com/reardencode/freekey http://reardencode.github.com/freekey password management, for free, entirely in browser, stored to S3 I think it's pretty cool. | [13:07] |
fink | oh, github | [13:09] |
reardencode | what about it? | [13:09] |
fink | reardencode: ok, i already told somebody about it reardencode: will you have tshirts? | [13:09] |
reardencode | hahaha, if it gets popular, absolutely. | [13:09] |
RandalSchwartz | freekey is like lastpass? | [13:09] |
reardencode | RandalSchwartz: roughly yeah | [13:10] |
RandalSchwartz | do you encrypt entirely on client side? | [13:10] |
reardencode | RandalSchwartz: yep | [13:10] |
RandalSchwartz | with seeded hashes on server side? | [13:10] |
reardencode | using JSCL AES256 nothing server side er you mean initialization values? | [13:10] |
RandalSchwartz | what is "S3" in the above sentence? sounds like "server" to me | [13:10] |
reardencode | it stores to your own Amazon S3 account FreeKey itself is just a 130k HTML/javascript file | [13:10] |
RandalSchwartz | what does it store there? | [13:11] |
reardencode | your encrypted password data (and the IVs needed to decrypt it) | [13:11] |
RandalSchwartz | Ahh, then not at all like lastpass | [13:11] |
reardencode | what does lastpass do? | [13:11] |
RandalSchwartz | in lastpass, the cloud storage is impenetrable only a client side password will decrypt it | [13:11] |
reardencode | RandalSchwartz: same in FreeKey | [13:12] |
RandalSchwartz | so now I'm not following you are not being clear | [13:12] |
reardencode | RandalSchwartz: your password, processed by pbkdf2 encrypts everything that is saved | [13:12] |
RandalSchwartz | you've just contradicted yourself | [13:12] |
reardencode | can you state my contradiction so I can clarify wherever I've been unclear? | [13:13] |
RandalSchwartz | ... <reardencode> your encrypted password data (and the IVs needed to decrypt it) | [13:13] |
reardencode | IVs meaning the random data used to seed the encryption -- required to decrypt | [13:13] |
RandalSchwartz | how is that not the opposite of "only a client side password will decrypt it" either there is enough in the cloud to decrypt, or not | [13:13] |
reardencode | there is not enough in the cloud to decrypt the password is required, period. | [13:14] |
RandalSchwartz | ok - then you misled me | [13:14] |
reardencode | the IVs are required, not sufficient to decrypt I apologize for the confusion -- most folks don't bother mentioning IVs when talking about encryption, I tend to call them out, to my detriment in this case | [13:14] |
RandalSchwartz | if you want to sell this to lay people, might note that :) | [13:15] |
reardencode | yep :) not really looking to sell -- just looking to stop the flood of non-free software password management solutions and to do it better (I'll probably also have to put up my own storage solution to make it popular as lay people won't want to sign up for S3 necessarily) | [13:15] |
*** | koan has quit IRC (Ping timeout: 276 seconds) | [13:21] |
RandalSchwartz | well - until you have an iphone client, not useful for me and it embeds in safari and firefox and chrome | [13:22] |
reardencode | RandalSchwartz: it should work on iphone in the browser just fine RandalSchwartz: my whole point here was to make a program that just works in most modern browsers what do you mean by embeds? ie autofills forms? | [13:24] |
RandalSchwartz | how is it available on every page? as in... I go to mail.google.com. How does it fill my password there? | [13:27] |
fink | js? | [13:28] |
RandalSchwartz | sure - where is that loaded from, and why? when does mail.google.com load your JS | [13:29] |
reardencode | RandalSchwartz: gotcha, doesn't do that yet, you leave it running in a tab and copy passwords over | [13:29] |
RandalSchwartz | oh - fairly useless for me then definitely not even in the running | [13:29] |
reardencode | haha, give me a break, been working on it for like 30 days in my free time :-P | [13:29] |
RandalSchwartz | just telling you what you have to get to before even announcing it because I'm a typical customer of 1password and lastpass | [13:30] |
fink | reardencode: you're going to have to do better than that if you want to run with the big boys reardencode: there's no way i'm blogging about this until it has full iphone & android integration | [13:30] |
RandalSchwartz | the easy parts of that are easy the hard parts are really f'ing hard | [13:30] |
reardencode | fink: can you define "full iphone and android integration"? | [13:31] |
fink | reardencode: unless i get a prerelease tshirt, that is | [13:31] |
RandalSchwartz | reardencode - see what I just said iphone native app, first since you can't force safari to load JS so you have to build an iphone app with a browser embedded | [13:31] |
fink | reardencode: call me when apple buys you out ;) | [13:32] |
reardencode | RandalSchwartz: is that how the other password managers work? they embed a browser into which they stick their passwords? | [13:32] |
RandalSchwartz | yup both lastpass and 1password have custom browsers | [13:32] |
reardencode | ah, I wouldn't use that, nor would my initial market interviews (friends) -- they want to be able to have an app that sticks their passwords either on the screen or clipboard for them to use as they choose | [13:32] |
RandalSchwartz | and I wouldn't use *that* | [13:33] |
fink | reardencode: maybe you could leverage some kind of XSS vulnerability in all the major browsers to get your password app to work | [13:33] |
reardencode | RandalSchwartz: gotcha :) | [13:33] |
RandalSchwartz | keep in mind copy/paste on an iphone is a real pain | [13:33] |
reardencode | fink: I think it'd be pretty easy to do with a bookmarklet on desktop browsers, will have to look into that | [13:33] |
RandalSchwartz | especially if you have *two* items (user + password) | [13:34] |
reardencode | RandalSchwartz: I actually didn't know that, never used an iphone in my life! | [13:34] |
RandalSchwartz | you get exactly one copy/paste buffer | [13:34] |
reardencode | hmm, interesting feedback -- I also hadn't envisioned needing to _lookup_ and supply username, but rather using the username as part of the lookup key. | [13:35] |
RandalSchwartz | the key is the website URL not the username | [13:43] |
reardencode | ok, so android and iphone aside (for the moment) would it be interesting on the desktop if it was an app that you leave open in a page and interact with by clicking save and load bookmarklets in major browsers? | [13:43] |
RandalSchwartz | the website URL should result in one or more things to be pasted into that form | [13:43] |
reardencode | RandalSchwartz: I went back and forth on that -- for my personal usage, I prefer to have it dual key -- I have multiple logins on _many_ sites | [13:43] |
RandalSchwartz | yeah - so you take the website URL, then show me a list of possible named sets, and I pick one that's the way lastpass and 1password work *I* get to pick the name of the set so for gmail, if I have 5 personalities, you'd pop up a list of 5 each of those might map to a username/password pair | [13:44] |
reardencode | but you are ok with it being a tab you have to keep open? (So far I don't have a way around that without destroying what I want it to be, but I can make it so you don't have to go to that tab...) | [13:47] |
RandalSchwartz | no, I'm not as in, if you want to compete with 1p and lastpass it sits as a browser extension so it can intercept every normal page in safari, chrome, and firefox on OSX | [13:48] |
reardencode | no need to intercept, just use bookmarklets | [13:48] |
RandalSchwartz | and as a separate browser on IOS | [13:49] |
reardencode | yeah, I don't think I'm going to satisfy your usecase -- I want something that doesn't involve installing browser extensions | [13:49] |
RandalSchwartz | security policies rightfully reject that for Safari bookmarklets run in their own origin-space | [13:49] |
reardencode | reject which? | [13:49] |
RandalSchwartz | or something like that I know 1password can't run as bookmarklets any more because of some tightening of safari policy | [13:50] |
reardencode | hmm, I'm able to write a bookmarklet that does dom manipulation just fine at first glance... interesting, I'll try it | [13:50] |
RandalSchwartz | on safari? | [13:50] |
reardencode | was in chrome. | [13:51] |
RandalSchwartz | yeah - safari is trying to prevent more XSS so they've gone more for the letter of the law not sure of details, but it broke old-school 1password so now 1password is an extension | [13:51] |
reardencode | bagh mac er apple | [13:52] |
RandalSchwartz | yes. blame apple for Doing The Right Thing nice stance | [13:53] |
reardencode | I don't think it's the right thing to prevent useful monkeypatch bookmarklets if I want to be able to click a button to quickly do some dom on a page in _my_ browser, I shouldn't have to go write an extension for it | [13:54] |
RandalSchwartz | even if those could lead to security breaches? again - I don't know all the details but it was about security, as I recall | [13:54] |
reardencode | pretty sure that one is just a protect users from themselves type of thing, unless they allow sites to auto-add bookmarklets, in which case _that_ would be what you fix if a user can install an extension to do a thing, they should be allowed to install a bookmarklet to do that same thing (within technical capabilities) | [13:55] |
RandalSchwartz | hah - I know now 1password says "don't use this, because a malicious website could take advantage of it" that makes sense now so it still works, but it's preferred you don't use it just looked up the docs | [13:56] |
reardencode | hmm, wonder what they're protecting against -- origin abuses? if the bookmarklet looks up the password on user click based on the origin of the page on which it was clicked, where's the security hole? | [13:59] |
fink | reardencode: how about an active-x plugin? reardencode: i guess a malicious js could be looking out for your bookmarklet? | [14:06] |
*** | vcs has joined #arpnetworks | [14:07] |
reardencode | fink: hmm, I wonder... I'm trying to come up with an attack vector what I had envisioned | [14:08] |
..... (idle for 23mn) | ||
*** | robotarmy has joined #arpnetworks | [14:31] |
.......... (idle for 49mn) | ||
*** | heavysixer has joined #arpnetworks; ChanServ sets mode: +o heavysixer | [15:20] |
RandalSchwartz | yeay - three machines at arp being zfs send/recv cloned to texas! no more "what if a bomb drops on wilshire annex" worries! zxfer for the win | [15:32] |
............... (idle for 1h10mn) | ||
*** | EhtyarWRK has joined #arpnetworks | [16:43] |
*** | phreak has joined #arpnetworks; robotarmy has quit IRC (Remote host closed the connection) | [16:51] |
..... (idle for 20mn) | ||
*** | phreak has quit IRC (Quit: sleep) | [17:11] |
*** | Lefty has joined #arpnetworks | [17:22] |
........ (idle for 38mn) | ||
up_the_irons | RandalSchwartz: are you doing round robin dns, or will you have to manually change dns entries, or something else... ? | [18:00] |
*** | fink has quit IRC (Quit: fink) | [18:06] |
up_the_irons | i wonder why i'm getting a lot of small ubuntu orders lately | [18:07] |
mhoran | Huh. | [18:07] |
*** | phreak has joined #arpnetworks | [18:08] |
...... (idle for 27mn) | ||
*** | phreak has quit IRC (Quit: sleep) | [18:35] |
*** | HighJinx has quit IRC (Ping timeout: 276 seconds) | [18:48] |
*** | fink has joined #arpnetworks | [18:53] |
up_the_irons | another ubuntu order | [19:04] |
............. (idle for 1h4mn) | ||
*** | vcs has quit IRC (Ping timeout: 264 seconds) | [20:08] |
......... (idle for 42mn) | ||
pilgrimd | they just released natty narwhal | [20:50] |
*** | HighJinx has joined #arpnetworks | [20:54] |
....... (idle for 30mn) | ||
*** | vcs has joined #arpnetworks | [21:24] |
*** | fink has quit IRC (Quit: fink) | [21:36] |
....................... (idle for 1h50mn) | ||
*** | psybermonkey has joined #arpnetworks | [23:26] |
*** | phreak has joined #arpnetworks | [23:37] |
..... (idle for 21mn) | ||
*** | nerdd has joined #arpnetworks | [23:58] |