Could there be a backdoor?

jdouglasj
jdouglasj
Community Member
Warning No formatter is installed for the format ipb
«13

Comments

  • tatchley
    tatchley
    Community Member
    edited December 2012
    Warning No formatter is installed for the format ipb
  • khad
    khad
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • jdouglasj
    jdouglasj
    Community Member
    Warning No formatter is installed for the format ipb
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • Phil382
    Phil382
    Community Member

    I originally came across this thread by accident, but found the question and answers to be interesting and well-considered. In follow-up to khad and jpgoldberg's responses, I was wondering what kind of third party scrutiny (i.e., from Apple) has been applied to 1Password (for iOS or Mac) as part of the App Store vetting process? See, e.g., https://developer.apple.com/appstore/guidelines.html. Would this provide any measure of assurance to someone concerned about the possibility, however unlikely, of backdoors in the code? Thanks!

  • khad
    khad
    1Password Alumni

    I don't believe there is much in the App Store review process that would detect certain backdoors. They may catch some backdoors, but it is not a system I would rely on in that regard.

    Thankfully, there are many more eyeballs from the security community on 1Password than would ever be feasible in the App Store review process. :)

  • Phil382
    Phil382
    Community Member
    edited January 2013

    Thanks, khad. If the external security community is and has been scrutinizing 1Password, it seems to me that displaying endorsements from several of its most prominent members would be a great marketing strategy and would also assuage the understandable concerns that some have. (By the way, for my own part, I am very satisfied with 1Password's security and your assurances above.)

  • Hi Phil382,

    You're right, some endorsements from the security community would be great. Without digging into details, suffice it to say that it turns out these guys are very busy. Apparently they don't need the business :)

    Someday I hope to finish a full audit and proudly display some endorsements.

  • Phil382
    Phil382
    Community Member
    edited January 2013

    While this subject is still on my radar, I'll add that the apparent absence of user security complaints over the years speaks volumes and is reassuring in its own right. I have yet to read of anyone ever suffering an actual 1Password security breach or blaming it for a drained bank account.

  • khad
    khad
    1Password Alumni

    To our knowledge that has never happened. Nothing is impossible, but much is improbable. There's a [perhaps not so] fine line between "hubris" and "being prepared." While we are extremely proud of the security of 1Password, we are never resting on our laurels. It is always important to look ahead (and stay ahead) with security.

    You may be interested in some rainy day reading about the new Cloud Keychain design if you find the security of 1Password fascinating:

    1Password 4 Cloud Keychain design

    And of course, if you ever have any questions, you know where to find us! :)

  • MikeMcFarlane
    MikeMcFarlane
    Community Member

    Interesting thread, started by an interesting question.

    I think of it in the way that has been covered in previous blog articles - good security requires convenience (or I won't use it.) I don't need to use 1password, there are other options that could be considered more secure, relatively e.g. keeping all my passwords written down and in a bank vault, or not having my password manager sync via the cloud. But on the balance of apparent probabilities (based on the highly subject personal viewpoint from reading up, from researching the product, from the quality history of the product ie no serious security issues) I chose to trust 1password which in turn makes a lot of my other information more secure as it is convenient and easy to access my data on all my devices. It's a choice.

    Sure it would be nice if AgileBits had independent verification or open source code, but we don't have that. What we do have is a very popular product, and I am pretty sure if there was a backdoor or other security issue, it would be all over the internet in a moment.

    Sorry for the very subjective arguments!

  • Hi Mike,

    No need to apologize, you should never apologize for stating your own opinions and contributing excellent thoughts in the discussions here. That's what the forum is for, the sharing of ideas, thoughts and feelings among our beloved community.

    Thank you!

  • SpaceAce
    SpaceAce
    Community Member
    edited February 2013

    Although I do not believe that Agile Bits would risk their business by transferring the master password to their servers I still do believe it's a very bad idea to store a keychain-file in any cloud-storage!
    Therefore I'm disappointed that the AppStore version (3.9) had removed the local WiFi-sync option and version 4 for Mac is still not available more than a year after 3.9 ...
    So for now I'm only using the Mac version and still wait to bring the iPhone and iPad version into production (already purchased but waiting for a non-cloud sync-option)

  • MikeT
    edited February 2013

    Hi SpaceAce,

    I understand your concerns, we're working on a local USB sync that'll bypass any need to use the cloud. We removed the Wi-Fi sync because it was too unstable to use for many of our customers, even though it worked properly for some. The USB sync will remove most of the Wi-Fi instabilities since it no longer relies on it.

    1Password 4.0 for Mac is in heavy development at the moment but I don't have a timeframe on when it'll be out.

    FYI: There are no master passwords stored anywhere, so there's nothing for us to transfer anywhere. Even if your data file is in the cloud, there's nothing people can do to get into the data file unless they can guess your master password. The way we create your data file requires them to spend centuries with computers to guess it.

    Thank you!

  • SpaceAce
    SpaceAce
    Community Member
    edited February 2013

    Hi MikeT,

    Just because the master password is not stored anywhere it could be phished or stolen by a keylogger or similar trojan.
    Even if you have chosen a good encryption mechanism for the keychain-file it's IMHO still bad to let someone lay his hands on the encrypted file to run their tools against it offline with all the time they need. Call me paranoid but there are file-types which I will never store in a cloud-service. My keychain-file is one of these ;-)

    Any chance to be part of the 4.0 Beta-Test for Mac?

    Cheers,
    SpaceAce

  • MikeT
    edited February 2013

    Hi SpaceAce,

    There is no 1Password 4 for Mac betas right now, we don't have any information we can share at the moment. Once we reach that stage of development, we'll announce the details about the beta project just as we did for the 1Password 4 for iOS betas. You'll be able to sign up then.

    As for the trojan, if you did have it, it wouldn't matter if you never had the file in the cloud, they can simply just scan for the data file, upload it remotely, and do it offline just as they would have to break into either iCloud/Dropbox if they could figure out your Dropbox/AppleID account information. Be sure to lock down the firewall to ensure this doesn't happen. :)

  • SpaceAce
    SpaceAce
    Community Member

    You bet my home is quite some "Fort Knox" (hardware and software firewalls protecting my network and my machines) :)
    While all what you say is true in some way I still fancy the "least possible risk"-approach avoiding unnecessary opportunities for the bad guys. This includes keeping certain files out of the cloud.

  • khad
    khad
    1Password Alumni

    We're working on USB sync and it should be available soon if you are cloud averse. :)

  • razorsharp
    razorsharp
    Community Member

    I recently purchased 1Password after trying several other products. I really like it and I want to use it for all my passwords and other sensitive data. But how do I know that the software doesn't, for example, actually collect everyone's login information and send it to a central server for later sale to the highest bidder? I understand this is why many people recommend open-source password managers, but for a cross-platform (OSX, iOS, Windows), 1Password is much more pleasant to use than the open-source tools I tried.

    Have independent audits been done of 1Password? If not, how do people get comfortable with putting all their credentials, plus even the security question answers and social security numbers into a program that they're not really sure what it's doing?

    I really like 1Password and really want to feel comfortable with it. Any input would be appreciated.

  • RDustinB
    RDustinB
    Community Member

    Hey Agile Bits,

    With all the information coming out about companies giving the NSA backdoors in their software:

    https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

    As Bruce states in his blog post: the math is good but the code has been subverted.

    My questions to the makers of 1Password:
    1) Have you subverted your code in any way?
    2) Have you ever been approached by the NSA to subvert your code?
    3) Would you be willing to either publish results from an external agency from a full security audit that you've had performed on your software, or be willing to subject your software to an external agency for a full security audit?

    Thank you.

    -Dustin (concern user)

  • Niklas
    Niklas
    Community Member

    If they have been approached by the NSA it would have been with an NSL attached: Agile Bits would not be able to deny or confirm any contact with NSA (or any of its sibling agencies). They would even have to keep quiet about it to their own legal counsel.

  • Uno_Lavoz
    Uno_Lavoz
    Community Member
    edited October 2013

    This fucking paranoid thing again? Why don't you SEARCH the forums? It's been discussed to death.

    The short answer is: NO, there is no backdoor. And all users have the option to keep their data on their local disk.

    @Niklas: NSA is American. AgileBits is in Canada. As much as America would like it, their laws and agencies don't apply outside of their borders.

  • khad
    khad
    1Password Alumni

    Great questions, @razorsharp and @RDustinB. It is great that you are thinking about these things. I merged your threads which this existing one.

    As for a backdoor, please see my post #3 above.

    Regarding a security audit, please see Jeff's post #5 above.

    Please also be sure to read our blog posts:

    You have secrets; we don’t. Why our data format is public

    On the NSA, PRISM, and what it means for your 1Password data

    1Password and The Crypto Wars

    Once you've had a chance to review those, please let us know if you have any follow up questions. We're always here to help.

  • Niklas
    Niklas
    Community Member

    @Uno_Lavoz that's the theory and we all thoughthoped it worked like that until we had stuff like Snowden, Kim Dotcom/Megaupload, extra-legal execution of suspects and civilians, Guantanamo.

    No, I don't think anything like that will happen to Agile Bits, I'm not that paranoid. But the argument that shady three-letter agencies from USA will follow international law and respect the sovereignty of other nations in 2013 is laughable at best and really sad because they wont. Heck UK and USA even spies on their own NATO allies.

  • Uno_Lavoz
    Uno_Lavoz
    Community Member

    Spying on other countries is one thing. I'm aware that NSA does that. But they don't force their American "must have a backdoor in all crypto software if we tell you to" laws on small companies in other countries. That's what I meant. There's a difference between spying in secrecy and trying to enforce their laws outside of their borders.

    @khad This is totally unrelated but could you please ensure that the team has this on their internal bugtracker: http://discussions.agilebits.com/discussion/comment/84500/#Comment_84500 - I posted it exactly one month ago and tried PM'ing two team members to get them to notice the thread. I'm a fellow programmer and that's a free (even for commercial use) fix for an ugly issue in 1Password 4. You're the closest I've been to seeing life from any AgileBits staff recently so perhaps you could pass this link on and ensure it's on the bugtracker? It would benefit all users (smaller databases due to superior compression, yet far better looking icons that gets rid of the current barf-quality).

  • Niklas
    Niklas
    Community Member
    edited October 2013

    Agile Bits does software development inside US borders (have developers working and living in USA). Just sayin' because Agile Bits said so in their blog post on this very subject.

  • RDustinB
    RDustinB
    Community Member

    @khad, perfect I was hoping for some articles that would answer my questions.

    @Uno_Lavoz, I did search the forums for "NSA backdoors" and didn't get the answers I was looking for, hence the reason for my original question. No need to be touchy :)

  • Uno_Lavoz
    Uno_Lavoz
    Community Member

    @RDustinB So you searched the forum but still felt your questions deserved making another thread when there was an existing NSA-thread?

  • khad
    khad
    1Password Alumni

    @Uno_Lavoz, I'll pass your request along to the team. :) For the record, though, I assure you every single person at AgileBits has been working overtime lately even if your specific thread didn't get a reply yet. Thanks for your feedback!

    I encourage everyone to please keep this thread on topic.

  • Uno_Lavoz
    Uno_Lavoz
    Community Member

    @khad Thanks. I can't even imagine the workload all of you have been through day and night for months now (I've been on software projects and know what it's like, but none with forums/beta testing this active). But I had also tried my best for a whole month to get this free and simple fix noticed, and I was worn out as well. ;) Thank you for passing it on. Now I finally know that it'll be seen by the team.

    Anyway, as for the NSA issue, it's important to note that they have not broken any encryption schemes. The mathematics behind it all is still safe and guarantees that an attacker that manages to get your database still has to crack an incredibly long key (the 1Password database spec is open for anyone to read and is very secure). That task is difficult even for the NSA, and they're not going to put their supercomputer clusters on our Average Joe databases.

    The best thing people can do is have an extremely secure password. Then it won't matter if you store it directly on the NSA's hard drives. Your database will still be prohibitively difficult to crack even for them.

    Personally I use a 24 character password that's upper, lowercase, numeric and special characters. If it's that long, is a combination of several words, isn't in a dictionary and doesn't use a simple substitution scheme (i.e. no Disney = D15n3y type passwords), then it'll never be bruteforced in our lifetimes by a non-supercomputer adversary, if computers stay on the slow processing power rise that they've been on for so long now.

    Basically: Have a super secure password. Store the database itself wherever you want. There are no backdoors in 1Password and the mathematics behind the database format guarantee that your data is excellently encrypted.

    I'd feel safe storing all of my 1Password stuff directly on NSA's hard drives, because they are not targeting me and I have an incredible password.

    Know your foe and act accordingly. I have no foes. ;)

This discussion has been closed.