[00:13] *** EhtyarWRK has quit IRC (Quit: I was raided by the FBI and all I got to keep was this lousy quit message!)
[02:33] *** ivan-kanis has joined #arpnetworks
[03:01] *** milki has quit IRC (Ping timeout: 240 seconds)
[03:34] *** heavysixer_ has joined #arpnetworks
[03:34] *** ChanServ sets mode: +o heavysixer_
[03:36] *** heavysixer has quit IRC (Ping timeout: 240 seconds)
[03:36] *** heavysixer_ is now known as heavysixer
[04:15] *** milki has joined #arpnetworks
[04:42] *** ivan-kanis has quit IRC (Remote host closed the connection)
[04:54] *** ivan-kanis has joined #arpnetworks
[06:47] *** fink has joined #arpnetworks
[06:53] *** heavysixer has quit IRC (Quit: heavysixer)
[09:02] *** phreak- has joined #arpnetworks
[09:04] *** key has quit IRC (Ping timeout: 246 seconds)
[09:49] *** HighJinx has quit IRC (Ping timeout: 258 seconds)
[10:04] *** ivan-kanis has quit IRC (Remote host closed the connection)
[10:25] *** HighJinx has joined #arpnetworks
[10:38] *** phreak- is now known as phreak
[11:54] *** phreak has quit IRC (Quit: sleep)
[12:09] *** fink has quit IRC (Ping timeout: 252 seconds)
[12:45] *** fink has joined #arpnetworks
[12:50] * RandalSchwartz stares lazily into the irc screen
[13:06] <reardencode> how would the channel feel about me pimping an unrelated project that I've recently released in alpha?
[13:07] <fink> reardencode: i'm excited already
[13:07] <reardencode> haha, http://github.com/reardencode/freekey http://reardencode.github.com/freekey
[13:07] <reardencode> password management, for free, entirely in browser, stored to S3
[13:07] <reardencode> I think it's pretty cool.
[13:09] <fink> oh, github
[13:09] <reardencode> what about it?
[13:09] <fink> reardencode: ok, i already told somebody about it
[13:09] <fink> reardencode: will you have tshirts?
[13:09] <reardencode> hahaha, if it gets popular, absolutely.
[13:09] <RandalSchwartz> freekey is like lastpass?
[13:10] <reardencode> RandalSchwartz: roughly yeah
[13:10] <RandalSchwartz> do you encrypt entirely on client side?
[13:10] <reardencode> RandalSchwartz: yep
[13:10] <RandalSchwartz> with seeded hashes on server side?
[13:10] <reardencode> using JSCL AES256
[13:10] <reardencode> nothing server side
[13:10] <reardencode> er you mean initialization values?
[13:10] <RandalSchwartz> what is "S3" in the above sententec?
[13:10] <RandalSchwartz> sounds like "server" to me
[13:10] <reardencode> it stores to your own Amazon S3 account
[13:11] <reardencode> FreeKey itself is just a 130k HTML/javascript file
[13:11] <RandalSchwartz> what does it store there?
[13:11] <reardencode> your encrypted password data (and the IVs needed to decrypt it)
[13:11] <RandalSchwartz> Ahh, then not at all like lastpass
[13:11] <reardencode> what does lastpass do?
[13:11] <RandalSchwartz> in lastpass, the cloud storage is impenetrable
[13:12] <RandalSchwartz> only a client side password will decrypt it
[13:12] <reardencode> RandalSchwartz: same in FreeKey
[13:12] <RandalSchwartz> so now I'm not following
[13:12] <RandalSchwartz> you are not being clear
[13:12] <reardencode> RandalSchwartz: your password, processed by pbkdf2 encrypts everythign that is saved
[13:12] <RandalSchwartz> you've just contradicted yourself
[13:13] <reardencode> can you state my contradition so I can clarify wherever I've been unclear?
[13:13] <RandalSchwartz> ... <reardencode> your encrypted password data (and the IVs needed to decrypt it)
[13:13] <reardencode> IVs meaning the random data used to seed the encryption -- required to decrypt
[13:13] <RandalSchwartz> how is that not the opposite of "only a client side password will decrypt it"
[13:14] <RandalSchwartz> either there is enough in the cloud to decrypt, or not
[13:14] <reardencode> there is not enough in the cloud to decrypt
[13:14] <reardencode> the password is required, period.
[13:14] <RandalSchwartz> ok - then you misled me
[13:14] <reardencode> the IVs are required, not sufficient to decrypt
[13:14] <reardencode> I apologize for the confusion -- most folks don't bother mentioning IVs when talkign about encryption, I tend to call them out, to my detriment in this case
[13:15] <RandalSchwartz> if you want to sell this to lay people, might note that :)
[13:15] <reardencode> yep :)
[13:16] <reardencode> not really looking to sell -- just looking to stop the flood of non-free software password management solutions
[13:16] <reardencode> and to do it better
[13:16] <reardencode> (I'll probably also have to put up my own storage solution to make it popular as lay people won't want to sign up for S3 necessarily)
[13:21] *** koan has quit IRC (Ping timeout: 276 seconds)
[13:22] <RandalSchwartz> well - until you have an iphone client, not useful for me
[13:23] <RandalSchwartz> and it embeds in safari and firefox and chrome
[13:24] <reardencode> RandalSchwartz: it should work on iphone in the browser just fine
[13:24] <reardencode> RandalSchwartz: my whole point here was to make a program that just works in most modern browsers
[13:25] <reardencode> what do you mean by embeds?
[13:25] <reardencode> ie autofills forms?
[13:27] <RandalSchwartz> how is it available on every page?
[13:28] <RandalSchwartz> as in... I go to mail.google.com.  How does it fill my password there?
[13:28] <fink> js?
[13:29] <RandalSchwartz> sure - where is that loaded from, and why?
[13:29] <RandalSchwartz> when does mail.google.com load your JS
[13:29] <reardencode> RandalSchwartz: gotcha, doesn't do that yet, you leave it running in a tab and copy passwords over
[13:29] <RandalSchwartz> oh - fairly useless for me then
[13:29] <RandalSchwartz> definitely not even in the runnig
[13:29] <reardencode> haha, give me a break, been working in it for like 30 days in my free time :-P
[13:30] <RandalSchwartz> just telling you what you have to get to before even announcing it
[13:30] <RandalSchwartz> because I'm a typical customer of 1password and lastpass
[13:30] <fink> reardencode: you're going to have to do better than that if you want to run with the big boys
[13:30] <fink> reardencode: there's no way i'm blogging about this until it has full iphone & android integration
[13:30] <RandalSchwartz> the easy parts of that are easy
[13:30] <RandalSchwartz> the hard parts are really f'ing hard
[13:31] <reardencode> fink: can you define "full iphone and android integration"?
[13:31] <fink> reardencode: unless i get a prerelease tshirt, that is
[13:31] <RandalSchwartz> reardencode - see what I just said
[13:31] <RandalSchwartz> iphone native app, first
[13:31] <RandalSchwartz> since you can't force safari to load JS
[13:31] <RandalSchwartz> so you have to build an iphone app with a browser embedded
[13:32] <fink> reardencode: call me when apple buys you out
[13:32] <fink> ;)
[13:32] <reardencode> RandalSchwartz: is that how the othe rpassowrd managers work? they embed a browser into which they stick their passwords?
[13:32] <RandalSchwartz> yup
[13:32] <RandalSchwartz> both lastpass and 1password have custom browsers
[13:32] <reardencode> ah, I wouldn't use that, nor would my initial market interviews (friends) -- they want to be able to have an app that sticks their passwords either ont eh screen or clipboard for them to use as they choose
[13:33] <RandalSchwartz> and I wouldn't use *that*
[13:33] <fink> reardencode: maybe you could leverage some kind of XSS vulnerability in all the major browsers to get your password app to work
[13:33] <reardencode> RandalSchwartz: gotcha :)
[13:33] <RandalSchwartz> keep in mind copy/paste on an iphone is a real pain
[13:33] <reardencode> fink: I think it'd be pretty easy to do with a bookmarklet on desktop browsers, will ahve to look into that
[13:34] <RandalSchwartz> especially if you have *two* items (user + password)
[13:34] <reardencode> RandalSchwartz: I actually didn't know that, never used an iphone in my life!
[13:34] <RandalSchwartz> you get exactly one copy/paste buffer
[13:35] <reardencode> hmm, interesting feedback -- I also hadn't envisioned needing to _lookup_ and supply username, but rather using the username as part of the lookup key.
[13:43] <RandalSchwartz> the key is the website URL
[13:43] <RandalSchwartz> not the username
[13:43] <reardencode> ok, so android and iphone aside (for the moment) would it be interesting on the desktop if it was an app that you leave open in a page and interact with by clicking save and load bookmarklets in major browsers?
[13:43] <RandalSchwartz> the website URL should result in one or more things to be pasted into that form
[13:43] <reardencode> RandalSchwartz: I went back and forth on that -- for my personal usage, I prefer to have it dual key -- I have multiple logins on _many_ sites
[13:44] <RandalSchwartz> yeah - so you take the website URL, then show me a list of possible named sets, and I pick one
[13:44] <RandalSchwartz> that's the way lastpass and 1password work
[13:44] <RandalSchwartz> *I* get to pick the name of the set
[13:46] <RandalSchwartz> so for gmail, if I have 5 personalities, you'd pop up a list of 5
[13:47] <RandalSchwartz> each of those might map to a username/password pair
[13:47] <reardencode> but you are ok with it being a tab you have to keep open?  (So far I don't have a way around that without destroying what I want it to be, but I can make it so you don't have to go to that tab...
[13:48] <RandalSchwartz> no, I'm not
[13:48] <RandalSchwartz> as in, if you want to compete with 1p and lastpass
[13:48] <RandalSchwartz> it sits as a browser extension
[13:48] <RandalSchwartz> so it can intercept every normal page
[13:48] <RandalSchwartz> in safari, chrome, and firefox on OSX
[13:48] <reardencode> no need to intercept, just use bookmarklets
[13:49] <RandalSchwartz> and as a separate browser on IOS
[13:49] <reardencode> yeah, I don't think I'm going to satisfy your usecase -- I want something that doesn't involve installing browser extensions
[13:49] <RandalSchwartz> security policies rightfully reject that for Safari
[13:49] <RandalSchwartz> bookmarkelts run in their own origin-space
[13:49] <reardencode> reject which?
[13:50] <RandalSchwartz> or something like that
[13:50] <RandalSchwartz> I know 1password can't run as bookmarklets any more because of some tightening of safari policy
[13:50] <reardencode> hmm, I'm able to write a bookmarklet that does dom manipulation just fine at first glance...
[13:50] <reardencode> interesting, I'll try it
[13:50] <RandalSchwartz> on safari?
[13:51] <reardencode> was in chrome.
[13:51] <RandalSchwartz> yeah - safari is trying to prevent more XSS
[13:51] <RandalSchwartz> so they've gone more for the letter of the law
[13:51] <RandalSchwartz> not sure of details, but it broke old-school 1password
[13:51] <RandalSchwartz> so now 1password is an extension
[13:52] <reardencode> bagh mac
[13:52] <reardencode> er apple
[13:53] <RandalSchwartz> yes.  blame apple for Doing The Right Thing
[13:53] <RandalSchwartz> nice stance
[13:54] <reardencode> I don't think it's the right thing to prevent useful monkeypatch bookmarklets
[13:54] <reardencode> if I want to be able to click a button to quickly do some dom on a page in _my_ browser, I shouldn't have to go write an extension for it
[13:54] <RandalSchwartz> even if those could lead to security breaches?
[13:55] <RandalSchwartz> again - I don't know all the details
[13:55] <RandalSchwartz> but it was about security, as I recall
[13:55] <reardencode> pretty sure that one is just a protect users from themselves type of thing, unless they allow sites to auto-add bookmarklets, in which case _that_ would be what you fix
[13:56] <reardencode> if a user can install an extension to do a thing, they should be allowed to install a bookmarklet to do that same thing
[13:56] <reardencode> (within technical capabilities)
[13:56] <RandalSchwartz> hah - I know now
[13:57] <RandalSchwartz> 1password says "don't use this, because a malicious website could take advantage of it"
[13:57] <RandalSchwartz> that makes sense now
[13:57] <RandalSchwartz> so it still works, but it's preferred you don't use it
[13:57] <RandalSchwartz> just looked up the docs
[13:59] <reardencode> hmm, wonder what they're protecting against -- origin abuses?
[14:00] <reardencode> if the bookmarklet looks up the password on user click based on the origin of the page on which it was clicked, where's the security hole?
[14:06] <fink> reardencode: how about an active-x plugin?
[14:06] <fink> reardencode: i guess a malicious js could be looking out for your bookmarklet?
[14:07] *** vcs has joined #arpnetworks
[14:08] <reardencode> fink: hmm, I wonder... I'm trying to come up with an attack vector what I had envisioned
[14:31] *** robotarmy has joined #arpnetworks
[15:20] *** heavysixer has joined #arpnetworks
[15:21] *** ChanServ sets mode: +o heavysixer
[15:32] <RandalSchwartz> yeay - three machines at arp being zfs send/recv cloned to texas!
[15:32] <RandalSchwartz> no more "what if a bomb drops on wilshire annex" worries!
[15:33] <RandalSchwartz> zxfer for the win
[16:43] *** EhtyarWRK has joined #arpnetworks
[16:51] *** phreak has joined #arpnetworks
[16:51] *** robotarmy has quit IRC (Remote host closed the connection)
[17:11] *** phreak has quit IRC (Quit: sleep)
[17:22] *** Lefty has joined #arpnetworks
[18:00] <up_the_irons> RandalSchwartz: are you doing round robin dns, or will you have to manually change dns entries, or something else... ?
[18:06] *** fink has quit IRC (Quit: fink)
[18:07] <up_the_irons> i wonder why i'm getting a lot of small ubuntu orders lately
[18:07] <mhoran> Huh.
[18:08] *** phreak has joined #arpnetworks
[18:35] *** phreak has quit IRC (Quit: sleep)
[18:48] *** HighJinx has quit IRC (Ping timeout: 276 seconds)
[18:53] *** fink has joined #arpnetworks
[19:04] <up_the_irons> another ubuntu order
[20:08] *** vcs has quit IRC (Ping timeout: 264 seconds)
[20:50] <pilgrimd> they just realeased natty narwhal
[20:54] *** HighJinx has joined #arpnetworks
[21:24] *** vcs has joined #arpnetworks
[21:36] *** fink has quit IRC (Quit: fink)
[23:26] *** psybermonkey has joined #arpnetworks
[23:37] *** phreak has joined #arpnetworks
[23:58] *** nerdd has joined #arpnetworks