Do you pay hackers to try to break into 1Password?

SMSW
SMSW
Community Member

In some of the articles written about the recent lawsuit by the US Govt against Apple (US wanted to Apple to break into the terrorist's iPhone), it was mentioned that some companies offer bounties to hackers to try to break their secure products/systems. Does Agilebits do this? If not, aren't your claims of safety questionable? I trust your statements that it will take years to try all the combinations to break in, but do all software developers know when they publish a program that there are ways to break in? Aren't they surprised when a hacker defeats the security system? If patches are necessary, why didnt the developers write the patches into the original program? In other words, what makes you guys so much smarter than the rest of the world in devising an unbreakable 'vault'? I do want to stress here that I'm not being offensive - these are legitimate concerns and if you do not throw your software open to the hacker community for 'testing' how do you really know it is secure? And if it really is secure, why hasn't our gov't chased you guys down for a way in with a court order?

I would like to add here, that I would like to see the option to have 1password erase all of the data on my phone or computer if someone tries to open 1P more than, say, 10 times. I do have backups of both, and while the loss would be a problem, your comment in another post (what if your child tried to open the program 11 times and it erased everything....) is not a reasonable argument for not having this feature. Relatively few of us go around with super safe passwords, and I certainly don't want someone trying multiple times to break into my phone or 1P.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Do you pay hackers to try to break into 1Password?

Comments

  • julie-tx
    julie-tx
    1Password Alumni

    I'm the Team Security: Red Shirt Superhero member who runs our penetration testing programs, so I guess I'm the person in the company who pays hackers to test our security ... using Sara's money :)

    There's a misunderstanding about the difference between cryptography and software in general. If I write a program that is supposed to access a website, download the contents, render all the text and images, etc. there is a chance I might get something wrong with the web browser I just described. I might handle an HTML tag incorrectly, or someone might find a way to create a web page which performs some malicious task.

    1Password's security isn't based on getting all the if-then-else, for-loops and other programming constructs correct. It is based on various properties of numbers -- mathematics -- which aren't dependent on the programmer's skill. I like to think I'm a very highly skilled software engineer, but I know that I make mistakes and I also know that some of my software mistakes have been real doozies.

    But mathematics isn't dependent on my skill. The mathematics of the block ciphers we use -- the Advanced Encryption Standard for most everything -- do not rely on my personal skill as a developer. So long as we shuffle all the bits in all the right ways, and there are standards compliance tests to ensure that AES is implemented correctly, there's no "Oops!" possible. We also know, because there are researchers who investigate the strength of various ciphers, including AES, that certain types of attacks are infeasible. We rely on things which don't rely on us getting them right. That's where our security comes from.

    Back to those hackers I give Sara's money -- one of the things we're doing with the pentest program I'm running at the moment is something akin to "Capture The Flag", except I've written a piece of Bad Software Poetry and our highest bounty is for "capturing" the rather bad poem. The money will be nice, but I'm not sure anyone is going to think the poem is "nice". If you post here next year, and I've not deleted the vault item which contains the poem, I'll dig it up and post it here, unless we're still using it, and I hope we aren't -- it's REALLY bad!

This discussion has been closed.