***: ivan-kanis has joined #arpnetworks
milki has quit IRC (Ping timeout: 240 seconds)
heavysixer_ has joined #arpnetworks
ChanServ sets mode: +o heavysixer_
heavysixer has quit IRC (Ping timeout: 240 seconds)
heavysixer_ is now known as heavysixer
milki has joined #arpnetworks
ivan-kanis has quit IRC (Remote host closed the connection)
ivan-kanis has joined #arpnetworks
fink has joined #arpnetworks
heavysixer has quit IRC (Quit: heavysixer)
phreak- has joined #arpnetworks
key has quit IRC (Ping timeout: 246 seconds)
HighJinx has quit IRC (Ping timeout: 258 seconds)
ivan-kanis has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
phreak- is now known as phreak
phreak has quit IRC (Quit: sleep)
fink has quit IRC (Ping timeout: 252 seconds)
fink has joined #arpnetworks
-: RandalSchwartz stares lazily into the irc screen
reardencode: how would the channel feel about me pimping an unrelated project that I've recently released in alpha?
fink: reardencode: i'm excited already
reardencode: haha, http://github.com/reardencode/freekey http://reardencode.github.com/freekey
password management, for free, entirely in browser, stored to S3
I think it's pretty cool.
fink: oh, github
reardencode: what about it?
fink: reardencode: ok, i already told somebody about it
reardencode: will you have tshirts?
reardencode: hahaha, if it gets popular, absolutely.
RandalSchwartz: freekey is like lastpass?
reardencode: RandalSchwartz: roughly yeah
RandalSchwartz: do you encrypt entirely on client side?
reardencode: RandalSchwartz: yep
RandalSchwartz: with seeded hashes on server side?
reardencode: using JSCL AES256
nothing server side
er you mean initialization values?
RandalSchwartz: what is "S3" in the above sentence?
sounds like "server" to me
reardencode: it stores to your own Amazon S3 account
FreeKey itself is just a 130k HTML/javascript file
RandalSchwartz: what does it store there?
reardencode: your encrypted password data (and the IVs needed to decrypt it)
RandalSchwartz: Ahh, then not at all like lastpass
reardencode: what does lastpass do?
RandalSchwartz: in lastpass, the cloud storage is impenetrable
only a client side password will decrypt it
reardencode: RandalSchwartz: same in FreeKey
RandalSchwartz: so now I'm not following
you are not being clear
reardencode: RandalSchwartz: your password, processed by pbkdf2 encrypts everything that is saved
RandalSchwartz: you've just contradicted yourself
reardencode: can you state my contradiction so I can clarify wherever I've been unclear?
RandalSchwartz: ... <reardencode> your encrypted password data (and the IVs needed to decrypt it)
reardencode: IVs meaning the random data used to seed the encryption -- required to decrypt
RandalSchwartz: how is that not the opposite of "only a client side password will decrypt it"
either there is enough in the cloud to decrypt, or not
reardencode: there is not enough in the cloud to decrypt
the password is required, period.
RandalSchwartz: ok - then you misled me
reardencode: the IVs are required, not sufficient to decrypt
I apologize for the confusion -- most folks don't bother mentioning IVs when talking about encryption, I tend to call them out, to my detriment in this case
RandalSchwartz: if you want to sell this to lay people, might note that :)
reardencode: yep :)
not really looking to sell -- just looking to stop the flood of non-free software password management solutions
and to do it better
(I'll probably also have to put up my own storage solution to make it popular as lay people won't want to sign up for S3 necessarily)
***: koan has quit IRC (Ping timeout: 276 seconds)
RandalSchwartz: well - until you have an iphone client, not useful for me
and it embeds in safari and firefox and chrome
reardencode: RandalSchwartz: it should work on iphone in the browser just fine
RandalSchwartz: my whole point here was to make a program that just works in most modern browsers
what do you mean by embeds?
ie autofills forms?
RandalSchwartz: how is it available on every page?
as in... I go to mail.google.com. How does it fill my password there?
fink: js?
RandalSchwartz: sure - where is that loaded from, and why?
when does mail.google.com load your JS
reardencode: RandalSchwartz: gotcha, doesn't do that yet, you leave it running in a tab and copy passwords over
RandalSchwartz: oh - fairly useless for me then
definitely not even in the running
reardencode: haha, give me a break, been working in it for like 30 days in my free time :-P
RandalSchwartz: just telling you what you have to get to before even announcing it
because I'm a typical customer of 1password and lastpass
fink: reardencode: you're going to have to do better than that if you want to run with the big boys
reardencode: there's no way i'm blogging about this until it has full iphone & android integration
RandalSchwartz: the easy parts of that are easy
the hard parts are really f'ing hard
reardencode: fink: can you define "full iphone and android integration"?
fink: reardencode: unless i get a prerelease tshirt, that is
RandalSchwartz: reardencode - see what I just said
iphone native app, first
since you can't force safari to load JS
so you have to build an iphone app with a browser embedded
fink: reardencode: call me when apple buys you out
;)
reardencode: RandalSchwartz: is that how the other password managers work? they embed a browser into which they stick their passwords?
RandalSchwartz: yup
both lastpass and 1password have custom browsers
reardencode: ah, I wouldn't use that, nor would my initial market interviews (friends) -- they want to be able to have an app that sticks their passwords either on the screen or clipboard for them to use as they choose
RandalSchwartz: and I wouldn't use *that*
fink: reardencode: maybe you could leverage some kind of XSS vulnerability in all the major browsers to get your password app to work
reardencode: RandalSchwartz: gotcha :)
RandalSchwartz: keep in mind copy/paste on an iphone is a real pain
reardencode: fink: I think it'd be pretty easy to do with a bookmarklet on desktop browsers, will have to look into that
RandalSchwartz: especially if you have *two* items (user + password)
reardencode: RandalSchwartz: I actually didn't know that, never used an iphone in my life!
RandalSchwartz: you get exactly one copy/paste buffer
reardencode: hmm, interesting feedback -- I also hadn't envisioned needing to _lookup_ and supply username, but rather using the username as part of the lookup key.
RandalSchwartz: the key is the website URL
not the username
reardencode: ok, so android and iphone aside (for the moment) would it be interesting on the desktop if it was an app that you leave open in a page and interact with by clicking save and load bookmarklets in major browsers?
RandalSchwartz: the website URL should result in one or more things to be pasted into that form
reardencode: RandalSchwartz: I went back and forth on that -- for my personal usage, I prefer to have it dual key -- I have multiple logins on _many_ sites
RandalSchwartz: yeah - so you take the website URL, then show me a list of possible named sets, and I pick one
that's the way lastpass and 1password work
*I* get to pick the name of the set
so for gmail, if I have 5 personalities, you'd pop up a list of 5
each of those might map to a username/password pair
reardencode: but you are ok with it being a tab you have to keep open? (So far I don't have a way around that without destroying what I want it to be, but I can make it so you don't have to go to that tab...
RandalSchwartz: no, I'm not
as in, if you want to compete with 1p and lastpass
it sits as a browser extension
so it can intercept every normal page
in safari, chrome, and firefox on OSX
reardencode: no need to intercept, just use bookmarklets
RandalSchwartz: and as a separate browser on IOS
reardencode: yeah, I don't think I'm going to satisfy your usecase -- I want something that doesn't involve installing browser extensions
RandalSchwartz: security policies rightfully reject that for Safari
bookmarklets run in their own origin-space
reardencode: reject which?
RandalSchwartz: or something like that
I know 1password can't run as bookmarklets any more because of some tightening of safari policy
reardencode: hmm, I'm able to write a bookmarklet that does dom manipulation just fine at first glance...
interesting, I'll try it
RandalSchwartz: on safari?
reardencode: was in chrome.
RandalSchwartz: yeah - safari is trying to prevent more XSS
so they've gone more for the letter of the law
not sure of details, but it broke old-school 1password
so now 1password is an extension
reardencode: bagh mac
er apple
RandalSchwartz: yes. blame apple for Doing The Right Thing
nice stance
reardencode: I don't think it's the right thing to prevent useful monkeypatch bookmarklets
if I want to be able to click a button to quickly do some dom on a page in _my_ browser, I shouldn't have to go write an extension for it
RandalSchwartz: even if those could lead to security breaches?
again - I don't know all the details
but it was about security, as I recall
reardencode: pretty sure that one is just a protect users from themselves type of thing, unless they allow sites to auto-add bookmarklets, in which case _that_ would be what you fix
if a user can install an extension to do a thing, they should be allowed to install a bookmarklet to do that same thing
(within technical capabilities)
RandalSchwartz: hah - I know now
1password says "don't use this, because a malicious website could take advantage of it"
that makes sense now
so it still works, but it's preferred you don't use it
just looked up the docs
reardencode: hmm, wonder what they're protecting against -- origin abuses?
if the bookmarklet looks up the password on user click based on the origin of the page on which it was clicked, where's the security hole?
fink: reardencode: how about an active-x plugin?
reardencode: i guess a malicious js could be looking out for your bookmarklet?
***: vcs has joined #arpnetworks
reardencode: fink: hmm, I wonder... I'm trying to come up with an attack vector for what I had envisioned
***: robotarmy has joined #arpnetworks
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
RandalSchwartz: yeay - three machines at arp being zfs send/recv cloned to texas!
no more "what if a bomb drops on wilshire annex" worries!
zxfer for the win
***: EhtyarWRK has joined #arpnetworks
phreak has joined #arpnetworks
robotarmy has quit IRC (Remote host closed the connection)
phreak has quit IRC (Quit: sleep)
Lefty has joined #arpnetworks
up_the_irons: RandalSchwartz: are you doing round robin dns, or will you have to manually change dns entries, or something else... ?
***: fink has quit IRC (Quit: fink)
up_the_irons: i wonder why i'm getting a lot of small ubuntu orders lately
mhoran: Huh.
***: phreak has joined #arpnetworks
phreak has quit IRC (Quit: sleep)
HighJinx has quit IRC (Ping timeout: 276 seconds)
fink has joined #arpnetworks
up_the_irons: another ubuntu order
***: vcs has quit IRC (Ping timeout: 264 seconds)
pilgrimd: they just released natty narwhal
***: HighJinx has joined #arpnetworks
vcs has joined #arpnetworks
fink has quit IRC (Quit: fink)
psybermonkey has joined #arpnetworks
phreak has joined #arpnetworks
nerdd has joined #arpnetworks