Josh More's Blog's Comments

Comment on Security Sprint – Firefox Profiles by Josh

Josh — Thu, 04 Feb 2010 04:02:37 +0000

Hmm, LastPass does look promising. I agree with what you say about 1Password. It is a very good solution, but only in the OSX/iPhone space. I just haven’t researched anything else in any details, as the solution I have right now is working.

I expect that I’ll be looking a lot come this time next year when it’s time to pick out a shiny new phone. :)

Comment on Security Sprint – Firefox Profiles by Kenneth Younger

Kenneth Younger — Thu, 04 Feb 2010 00:28:55 +0000

I was just doing a little searching and ran across http://lastpass.com – very wide compatibility, including linux. This Ubuntu forum question and response by a team member of LastPass was encouraging as well: http://ubuntuforums.org/showthread.php?p=5896494

I was considering 1Password as well, but they have completely ignored an Android version for a long time, continually saying they’ll get to it eventually – plus, they don’t support any OS other than OSX.

Comment on Security Sprint – Firefox Profiles by Josh

Josh — Wed, 03 Feb 2010 22:44:00 +0000

Personally, I prefer the password wallet systems. I generate a secure password for each site and store it in a wallet. Wallets should use secure encryption (like AES or Twofish).

Generally speaking, I distrust the “store it in the browser” option. I know that it’s more convenient and that modern browsers use decent encryption on their password stores… but in order to function, they must be able to read the store. This means that it is theoretically possible for a flaw in the browser to expose the store to an attacker via web page.

That’s not to say that my solution is perfect. In particular, it is vulnerable to password sniffing by keylogger and accidental account lockouts due to mis-entered passwords. However, when I compare those risks to those of native browser storage, the native browser solution seems riskier. (This is just a feeling… I’ve not researched it… yet ;)

Basically, my philosophy is similar to the Unix philosophy. Most systems do one thing well. Browsers, be they IE, Firefox, Opera or Chrome are really good at browsing. They’re getting better at security, but it’s still not their core focus. There is a lot of security in simplicity, so a simple password wallet with good market history (and that is being actively maintained) is probably better then security in a browser.

I use Gnu Keyring on my Palm and am considering 1Password should I move to the iPhone. I don’t know what’s available in the Blackberry and Android spaces, but I’m sure that they exist there too.

Comment on Security Sprint – Firefox Profiles by Kenneth Younger

Kenneth Younger — Wed, 03 Feb 2010 16:07:04 +0000

Thanks for pointing me to the SQL Inject Me and XSS Me plugins, those will definitely help test the web apps.

I was curious, and was hoping you could elaborate as to how you manage your passwords securely.

Comment on Mythic Monday – Immortality by Josh More – Starmind Blog » Security lessons from Nature – Immortal Jellyfish

Josh More – Starmind Blog » Security lessons from Nature – Immortal Jellyfish — Sun, 24 Jan 2010 02:52:47 +0000

[...] let's take a look at the other side of immortality (the down-side of which was explored here). In particular, let's look at [...]

Comment on Mythic Natural History – Encapsulation by Josh More – Starmind Blog » Small Business Attack – Web Disclosure

Josh More – Starmind Blog » Small Business Attack – Web Disclosure — Sun, 24 Jan 2010 02:37:40 +0000

[...] of the flaws on a legacy server at the Iowa State University Cyber Defense Competition resulted in granting me the ability to scan the entire web directory. Normally, you'd think "What's [...]

Comment on Site Review – Scribd by A4D

A4D — Tue, 01 Dec 2009 16:26:28 +0000

Interesting review as you cover it in a technical and thorough manner

I was just looking at the site from a Social Media point of view and placed Scribd site review in Google and your site came up

Thanks for the review

not sure I would use it now

A4D

Comment on Mythic Monday – Medusa and Immutability by Josh

Josh — Sat, 14 Nov 2009 06:13:14 +0000

@moso bamboo lover

You should just be able to add http://feeds.feedburner.com/starmind-blog . This can either be directly, or you can click on the orange RSS icon in the address bar in Firefox. If you hover over the orange RSS logo at the top right of the page, it should display some common newsreaders. If none of those are what you use, just clicking on the orange RSS icon itself should work just fine.

Comment on Mythic Monday – Medusa and Immutability by moso bamboo lover

moso bamboo lover — Thu, 12 Nov 2009 22:23:45 +0000

Hi, I can�t understand how to add your site in my rss reader, help please :)

Comment on Mythic Monday – Aesop: The Dog, The Rooster and the Fox by Martin DeMello

Martin DeMello — Tue, 27 Oct 2009 13:51:05 +0000

’spear phishing’ is a great term :) hadn’t encountered it before.