It's not like it's a secret that Mozilla Corp. makes their money from search. It's been that way for a very long time and they spell it out right in the State of Mozilla link:
"The majority of Mozilla Corporation’s revenue is from royalties earned through Firefox web browser search partnerships and distribution deals around the world."
Their revenue is up more than $100 million from last year so they're not exactly dying.
How do you figure they're barely surviving? How does that make them a Google puppet? What exactly is your point through this thread?
If you think it's news that they take Google's money I'm not sure you're qualified to be making these sorts of claims.
Do you really think that's even in the realm of possibility? There is so much paranoia-driven FUD in these comments.
But let's say that yes, this absurd hypothetical is possible and happens.
Someone is capturing full audio from your device even though it allegedly only transmits when certain phrases are used (e.g., "Alexa..."). They've tunneled through your modem, router and AP and are capturing directly from your device.
That same someone is somehow able to process hours of ambient sounds, conversations and everything else to pick out someone using an inappropriate tone with their children.
They then take these recordings to a local child protection agency (e.g., CPS) and present the audio along with your information to develop an actionable case against you.
That child protection agency then decides your tone was strong enough that they need to pursue legal action.
How does this hold up in court? How does illegally-obtained audio stand as evidence? How are they able to prove it was you and not a relative or visitor?
It won't hold up; this is insane. Your point about the wrong tone being used against you is insane. I get being paranoid and not trusting these devices but get real!
> Someone is capturing full audio from your device even though it allegedly only transmits when certain phrases are used (e.g., "Alexa..."). They've tunneled through your modem, router and AP and are capturing directly from your device.
That's a ridiculous scenario.
How about, "Alexa itself transmits to the cloud. 10 years from now, a scanning service post-processes recordings using sentiment analysis and emotional state tracking now required by the new administration. State regulators have determined that parents should not talk to children in tones that fall into $this_band$. Regulations make Amazon responsible to report this to the authorities or face financial penalties."
Today, folks are being deported from this country after living here for a decade under the Dream Act. So, no, I don't put much stock in your assertion that things won't be applied retroactively or used to "forecast outcomes".
> Someone is capturing full audio from your device even though it allegedly only transmits when certain phrases are used (e.g., "Alexa..."). They've tunneled through your modem, router and AP and are capturing directly from your device.
It's not remotely out of line to discuss the implications of hijacking an Alexa in a discussion thread on an article that describes exactly how to hijack an Alexa. You don't have to sound incredulous about that part...
You're picking a piece out of my full response and adding context I didn't provide. I said the overall statement was absurd, not that capturing audio was.
Look at what prosecutors do today with internet history. They search through whatever they can find in the browser history of a supposedly guilty suspect, cherry pick anything remotely incriminating, and use it completely out of context to support whatever case they are trying to build. I don't think it's one bit far-fetched or paranoid to see something similar happening if they could ever get access to a suspect's indexed conversations.
You'd be surprised how crazy CPS is if you aren't wealthy and white. They don't actually seem to even need any "evidence" really.
I agree it seems unlikely, though, especially if you are relatively wealthy and white. (Also who is hacking into your system with this as their goal and how likely is that? On the other hand, in the age of swatting, anything seems possible.)
As we continue to advance universal surveillance though (self- and other-), I think we will start to see stuff like this happening more. It'll take a little while.
> Montgomery County police and county Children's Protective Services are jointly investigating the Meitivs of Silver Spring for allowing their children to walk repeatedly around the neighborhood alone. The parents say they know where their children are but are allowing them independence.
> Officers picked up the children about two blocks from home, Rafi said, telling them they would drop them off at home. Instead, the two sat in a patrol car for 2½ hours then were taken about 10 miles away to Children's Protective Services offices in Rockville, Md.
> You'd be surprised how crazy CPS is if you aren't wealthy and white.
When people say they have nothing to hide, they're also saying they have no abuse of power to confront, and nobody who is persecuted to stand with in solidarity. And for some reason, they think they're the standard, or that any of this is new. Look into history, with any totalitarian government, any oppressive king, you'll always find people going "doesn't affect me". It's as old, and as valuable, as dirt.
> You'd be surprised how crazy CPS is if you aren't wealthy and white.
Even then, I have some relatives (white and middle-class) that lived in an apartment. The people on the other side of the wall reported them for yelling at their kids. Fortunately for them they had a friend at the CPS who called them and told them that CPS was coming the next morning to take away their kids. So they packed up and moved out of state that night.
Yeah, good point, it's not limited to the white and not wealthy, but like everything else in society, the more resources you got, the more you can avoid them (and being white is indeed a resource in our society). But yeah, CPS is scary shit.
You have no experience with CPS, do you? There is no court involved at the beginning. They can just take your children away on their say so. Afterwards you will have to go through the courts to get them back.
Am I the only one in here who loves their hosted solutions? We use Teams at work and I use Family for my wife and I.
It's important to me that I have access to certain passwords on my desktop, laptop and phone. These items also need to be accessible to others who should be able to view/edit. There's no way to do this without some sort of cloud solution and so the decision becomes which cloud solution. I used to use Dropbox, but now have no need with Team/Family.
With teams, when a staff member leaves, we can easily remove them from the admin panel, update all passwords in all vaults they had access to and have those changes immediately available to everyone.
A lot of responses here sound incredibly paranoid and almost naive. If you're not syncing passwords between devices/users and you're not putting your information into the cloud then I would argue at some point you may be performing insecure actions to accommodate secrets use/management.
For example, how are you logging in on your phone to a service that requires a user name and password when the password lives only in a standalone system on your desktop? If you're not manually entering the password, you're likely doing something security-wise that isn't ideal.
I really wanted to use 1Password for Teams, I don't mind paying a subscription model, and their whitepaper on their hosted solution is really quite thorough:
My big issue is still with the web app allowing you to unlock your vault and access your passwords. They acknowledge in the whitepaper that it's theoretically possible that an attacker could MITM your SSL connection and serve malicious javascript, stealing both your master password and any secrets you access. They list certificate pinning and DNSSec as unimplemented future actions they may take, but also need to take into account that their web app servers themselves may be compromised.
All of this could ideally be mitigated by centrally hosting encrypted password databases, but either a) having the extension/desktop app cryptographically verify all server pages and assets, or b) allowing the web UI to be entirely disabled. If they did either of those I'd sign up for an enterprise account in a heartbeat.
This is something we plan to tackle in the future. Probably via some sort of downloadable local copy of the web client. But it's possible we integrate it into each app somehow. It's still something I think we're trying to think through to try to get right before we act.
As it stands, the only reason you need to login to the web client is for administration purposes and sign up. After that the native clients handle the rest.
That said, as you indicated, we're aware of this potential vector of attack and acknowledge it.
I disagree. In fact, given the regular loss of online credentials, I think you are misguided in your faith in a hosted password solution. There are plenty of people that do not want to for very good reasons.
As far as syncing using non-hosted 1Password, I use a combination of wifi sync (for mobile devices) and Resilio (in local sync only mode, no tracker, no cloud copy a la Dropbox) to sync. Works very nicely across 5 or 6 devices and fits my use case of syncing only when my devices are on the same network.
If you're using 1Password for Mac or iOS, then simultaneous writes are a non-issue. All sync types have conflict resolution implemented, where worst case scenario it'll put the overwritten password into a "Conflict" section at the bottom of the item.
With the other apps, you'd get nice behavior with 1Password.com because the first one to hit the server will have its record saved in the archive. That's one of the nice features of 1Password.com, getting to see item history. You don't need to worry about accidentally overwriting changes.
I love it too. I completely understand why some people want to avoid a hosted solution, but it makes sense for me and my family. I've probably recouped the subscription cost in the time savings compared to having to troubleshoot my wife's setup every couple of months.
> I've probably recouped the subscription cost in the time savings compared to having to troubleshoot my wife's setup every couple of months.
Absolutely agreed–the hosted solution made it so straightforward to get my girlfriend onto a password manager that I've never looked back. I had used the standalone version with Dropbox sync for a long time before switching, but I had enough (occasional, minor) issues with the sync process that I didn't want to push it on her and then have it become a point of frustration when I wasn't available to help debug it.
The hosted solution has been totally seamless to set up on various devices, adding additional shared and personal vaults for household accounts was painless, and my own peace of mind in knowing she uses it for everything is worth a lot to me.
I'm syncing passwords between devices, but I'm not using "the" cloud.
I self-host ownCloud. I use their clients for syncing on desktop, and a separate utility on Android for syncing my 1Password vault to my phone. My data never leaves my hands.
My thinking, besides just general paranoia, is that while AgileBits is probably more competent than I am when it comes to securing and administering their infrastructure, their infrastructure is also a much bigger target.
It's unlikely -- given my general lack of doing anything interesting or controversial with my life -- that I will ever be specifically targeted. It's much more likely that I will become collateral damage. e.g., https://www.theregister.co.uk/2012/03/02/linode_bitcoin_heis...
We cannot tell what your data is. It's encrypted on your device using keys that only you know. Then we store it on our side on the server.
The unique solution of using your Master Password and your Secret Key makes brute forcing the data on our server an incredibly expensive job for anyone attempting to do so. It makes our servers an absolutely terrible target.
I definitely recommend reading the white paper, it's quite easy to read, even if you aren't super interested in cryptography. If you have questions though just let me know. I'll make sure you get answers.
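As an added illustration of the point above (constructed example; it is neither the commenter's code nor 1Password's actual key derivation, which the whitepaper specifies in full), a simplified two-secret derivation: a slow password-derived key is XORed with a key derived from a high-entropy, device-held Secret Key, and the server keeps only a salt and a one-way verifier. The `SECRET_KEY`, wordlist and iteration count are constructed sample values.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Low iteration count so the demo runs in well under a second; real deployments use far more.
ITERATIONS = 2_000
# Constructed sample device secret (128 bits), standing in for a locally generated Secret Key.
SECRET_KEY = bytes.fromhex("3f9c1a7d2b6e48c0d5a1f7e2b9c4d3a8")


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes,
                      iterations: int = ITERATIONS) -> bytes:
    """Mix a slow password-derived key with a fast Secret-Key-derived key (XOR)."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=32)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def enrol(password: str, secret_key: bytes) -> dict:
    """What a server could store: a salt and a one-way verifier, never the unlock key."""
    salt = secrets.token_bytes(16)
    unlock = derive_unlock_key(password, secret_key, salt)
    return {"salt": salt, "verifier": hashlib.sha256(b"verifier|" + unlock).digest()}


def check_unlock(record: dict, password: str, secret_key: bytes) -> bool:
    cand = derive_unlock_key(password, secret_key, record["salt"])
    digest = hashlib.sha256(b"verifier|" + cand).digest()
    return hmac.compare_digest(digest, record["verifier"])


def offline_guess(record: dict, wordlist, secret_key: Optional[bytes]):
    """Offline guessing against a stolen server record; returns the matching password or None.

    With secret_key=None the guesser holds only the server-side data, so the Secret Key is
    unknown to them; that is modelled here as the best they can do, an empty key.
    """
    key = secret_key if secret_key is not None else b""
    for guess in wordlist:
        if check_unlock(record, guess, key):
            return guess
    return None


def guess_space_bits(dictionary_size: int, secret_key_bits: int) -> float:
    """log2 of the candidate space a guesser without the Secret Key must cover."""
    return math.log2(dictionary_size) + secret_key_bits


def demo():
    wordlist = ["password", "letmein", "hunter2", "correct horse"]  # constructed
    record = enrol("correct horse", SECRET_KEY)
    with_key = offline_guess(record, wordlist, SECRET_KEY)  # device and server both compromised
    without_key = offline_guess(record, wordlist, None)     # server data only
    return with_key, without_key


if __name__ == "__main__":
    found, not_found = demo()
    print("guesser holding the Secret Key recovers:", found)
    print("guesser without the Secret Key recovers:", not_found)
    print("guess space without the Secret Key: 2^%.0f" % guess_space_bits(10**6, 128))
```

The weak-password guess succeeds only when the Secret Key is also in hand, which is why a copy of the server's data alone is a poor target; the Secret Key's 128 bits are added to every password guess an outsider would have to make.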
All it would take for 1Password to decrypt our entire vault is for 1Password to push out a software update that simply made it so that the client app uploaded the keys to 1Password's servers after the user typed it in. Without 1Password releasing their source code, end users would have no idea if such an update ever took place. We just have to trust 1Password as a company. Well, if we already trust 1Password as a company, what's the point of even using encryption? Might as well just store it in plain text in a database on your servers and trust that your employees won't look at them!
Without open source auditing of all clients and md5 checksums of compiled binaries, security is nothing more than an illusion.
If that's your concern then I'm afraid there's little we can do to change your opinion and perhaps 1Password isn't the solution for you.
I don't mean to sound rude or anything like that. Just being honest.
We have had grand visions of making portions of our source (notably the cryptographic portions) available for review (note: not open source in the sense that you can use it, but under a license that makes it available for review purposes).
If 1Password.com was the sole solution we offered then open sourcing the entire app would be potentially feasible because our income wouldn't rely on people compiling their own version and editing out the license code. But it makes little sense for us to make that available if modified copies can be made available removing a chunk of our income.
For what it's worth, we have over 90 people who depend on AgileBits to provide paychecks so people can support their families. That's a heavy burden when your decisions can impact that many lives. I'm just a member of our team, not a founder or owner or anything but hopefully you can recognize this side of things.
We'd like nothing more than to do whatever we can to get users to trust us but there are limits to what we can do and still keep 1Password alive.
If you absolutely have to see the code in order to trust an application then there are other options out there, but they won't provide the same level of support, features, or hands off management. These are trade offs you have to make as an individual. Only you can make those decisions for you.
Every person at AgileBits uses 1Password, and we design it knowing we will be using it and we are all passionate about wanting our data secure. If we did something to put your data at risk, we did the same thing to ourselves. Just another view of that I suppose.
I'm simply pointing out the elephant in the room. If there is no ability to audit the source code of the password manager, and the source code is managed by a third party company, then for all intents and purposes, the third party company has theoretical access to everything (regardless of what encryption is used). It boils down to trust, and that trust can be violated by a single rogue employee at AgileBits. It could also be potentially violated by a government agency gaining control of AgileBits.
First, I'd like to point out that this concern is completely orthogonal to a hosted service, and has no connection to it.
Second, with the inability to check that a given binary came from a given source tree, open source does not help us audit what gets executed. If we're supposing that Agilebits' build process has been compromised, then we're in the same realm as considering a compromised build process for .deb or .rpm.
[Disclosure: I work for AgileBits, the makers of 1Password]
Thanks. I (as you'd expect) agree with both points.
The second one is particularly challenging. Deterministic builds are possible for some categories of software, but it will be a long time in coming. And for software that is updated frequently, it is even harder for people to practically check that what they are running is the reviewed code. But the technology is improving for this to be more practical. On the other hand, app stores move things further away from having the ability to distribute deterministic builds.
This is not an excuse to not seek openness, but it does point out that there are lots of things to do that most people don't do to get the benefits of that kind of inspection.
[Disclosure: I work for AgileBits, the makers of 1Password]
I'd like to elaborate on the two points made by @epistasis
1. Ability to deliver a malicious client does not depend on where your encrypted data lives. If you sync over your own private network or if your encrypted data is held by us, it is just as difficult (or hard) to get away with delivering a malicious client.
2. There is a lot of security value to openness and having the source available, but it is only a defense against deliberately malicious software if you compile the software yourself. Otherwise, there is a very weak trust chain between the code that has been reviewed and the binary you are running.
For the first point, a malicious client wouldn't need to exfiltrate all of your encrypted data. It would only need to exfiltrate the credentials needed to obtain your encrypted data. (As well as exfiltrating keys, etc). So for the overwhelming portion of people there is no significant difference with respect to us having your encrypted data or it living some place else.
As for the second point, tools for deterministic builds are improving, but there are still practical impediments. In theory there are ways to ensure a good trust chain between the reviewed source and the binaries that people run. But these are far from ready for our target users: everybody.
So if you, say, recommend KeePass for this sort of reason, are you also recommending it to people who will check the signatures on the source and then build from that? (I have enormous respect for both KeePass and for those who use it that way. But I have less respect for those who would recommend that to everyone. I hope that we are past the bad old days of "some people don't deserve security.")
While we can't completely rule out the possibility of delivering a malicious client (through us turning evil, external compulsion, or an insider attack), there are things that we can do to make it harder for that to go undetected.
You will find that where we can we have made it easy to run 1Password attached to a debugger. People with sufficient skills can see that it behaves as we say it does. This makes it far more likely that a widely distributed malicious client wouldn't go undetected.
Also to support this (and try to gain some of the security benefits of openness), we've gone into gory detail about how 1Password works. Sure there are holes in some of the documentation, but we are slowly filling in those.
I'll also mention the third claim that a "single employee" could cause the distribution of a malicious client. Again, there is no way to completely rule that out, but it would be hard for any single person or small group of people to do that without running a significant risk of this being detected internally. So it would have to be a fairly large conspiracy. And as we know, the plausibility of any conspiracy diminishes rapidly with the number of people who have to keep the secret. There are many eyes on the source, many eyes on the build and distribution process, and very few hands on the code signing keys.
Several times I've mentioned "significant chance of getting caught". Consider the risks to anyone trying to do evil this way. What are the consequences to them if they are caught, and so how big of a risk will they accept? So even though we can't make it impossible for someone to get away with it, we do what we can to make it hard to get away undetected.
None of this is perfect. And you have to weigh your own choices. But when you do so, make a fair comparison with the realistic alternatives instead of against an ideal.
I'm pretty confident that AgileBits only has access to the encrypted versions of stuff. They've thought about this long and hard and it would decimate their business if they did anything as stupid as storing things in plaintext. That's why you have to enter your master password... to decrypt the file.
> Am I the only one in here who loves their hosted solutions?
No, even though I'm fully aware that it's ill-advised. You're picking your poison: you can either have absolute security (which should always win, but I am human) or convenience. That being said, I'm not a fan of them forcing people down their hosted route.
We don't know the full stack powering this and there are 100K users/month.
There have been a lot of great points in reply to this and I would like to add that part of this cost may be to help perception. A service like this that feels/is slow can die pretty quickly if the perception of the service is that it doesn't work as well as it should.
I've used it and loved it. For me it greatly enhanced readability as they had put a lot of care into the aesthetic and typography.
I'm not a fan of the way it takes over the default Wikipedia URLs, however. And the Firefox plugin hasn't been updated since 2016 and isn't compatible with newer versions of Firefox so I don't use it on a regular basis anymore.
They're constantly lying about deliveries, saying they handed a package directly to me when they left it at another building or claiming they couldn't get through the gate when they lost the package or missed the deadline.
How is this an Amazon problem and not a delivery service (USPS, UPS, FedEx, et al.) problem?
Because I'm talking about AMZL, which is Amazon's delivery service. I haven't had these problems with USPS, UPS, or FedEx in the 3 years I've lived at this address.
I think it would be their issue anyway, as I was responding to someone saying they prefer Amazon because they have reliable delivery. Unreliable delivery that isn't their fault is still unreliable delivery.