
August 08 2013

Chrome’s insane password security strategy • elliottkember
http://blog.elliottkember.com/chromes-insane-password-security-strategy

There’s no master password, no security, not even a prompt that “these passwords are visible”.
...
Any time I try to draw attention to this, I get the usual responses from technical people:

Just use 1Pass

The computer is already insecure as soon as you have physical access

That’s just how password management works

While all of these points are valid, this doesn’t address the real problem: Google isn’t clear about its password security.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market - the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay.

See also
Why you should never let Chrome store your passwords http://bgr.com/2013/08/07/google-chrome-password-security

Why You Shouldn’t Let Google Chrome Save Your Passwords http://www.shellypalmer.com/2013/08/chrome-and-saved-passwords

Remembering passwords for multiple websites is incredibly annoying but it still might not be a good idea to let Google’s Chrome browser remember them for you. Software developer Elliott Kember notes that it’s incredibly easy for anyone to see the passwords you’ve stored on Chrome as long as they’re using a computer where you’ve logged into the browser.

#securite #chrome #mdp


February 12 2013

Four short links: 12 February 2013

  1. Your USB Sticks Are Made With Chopsticks (Bunnie Huang) — behind-the-scenes on how USB sticks are made.
  2. mutetab — find and kill the Chrome tab making all the damn noise! (via Nelson Minar)
  3. Visualization, Modeling, and Surprises (John D Cook) — paraphrases Hadley Wickham: Visualization can surprise you, but it doesn’t scale well. Modelling scales well, but it can’t surprise you.
  4. Head Like an Orange — science animated GIFs, assembled from nature documentaries. (via Ed Yong)


March 22 2012

Developer Week in Review: The mysterious Google I/O machine

We're in the countdown days to the two big annual developer conferences (not counting OSCON, of course ...). Google I/O will open registration on March 27th, and if past history is any guide, WWDC should also start (and end) signups around the same week. So, get your credit cards warmed up and ready. Last year, both conferences sold out in less than a day (Google I/O in under an hour!).

And speaking of Google I/O

Google IO game

Just what is the purpose of the Rube Goldberg-esque physical puzzle that has gone up on the Google I/O website? Does it have something to do with a puzzle that potential attendees will need to solve to register? Will attendees be flung around from session to session by giant pendulums? Is it all just a cool demo of Chrome? And does it have anything to do with ancient Mayan prophecies?

In any event, it's a fun (if simple) game, worth a few moments of your time, but unlikely to absorb more than 15 minutes of your attention. Now, if they added achievements and a Zombie mode, that might be something.


So much for sandboxing

Reports of a successful exploitation against the Chrome sandbox appeared recently, and now word has broken that a new Java exploit not only breaks out of the sandbox, but manages to install itself into system memory, where it can mess around with privileged processes. Worse, unlike the Chrome exploit, which was reported to Google and not in the wild, this new Java hack is being actively distributed on popular Russian news sites.

Since the entire point of a sandbox is to keep malicious code from getting access to system resources, it is truly disheartening to see how frequently sandboxes are being penetrated these days. If there's one piece of code that needs to be rock-solid, it's the bit that keeps the bad guys from doing bad things. That it fails so often in reality either indicates that developers aren't doing a good job, or that it's a really hard problem and it may be time to rethink sandboxing as a valid security approach.

Go is almost a Go

For those who have been eagerly awaiting Google's attempt to reinvent the wheel, er, new programming language, Go, the wait is almost over, as RC1 has just hit the street. According to the developers, this is very close to what the final 1.0 release will look like. If you've been waiting for a stable version of Go to kick the tires, now is probably the time.

As with most new programming languages, I am maintaining a healthy degree of skepticism as to the long-term viability of Go. This is not because of any inherent faults of the language, but because of the institutional inertia that new languages have to fight to gain acceptance. Whether Google's influence will be enough to get Go ensconced in the pantheon of mainstream languages is yet to be seen.

Fluent Conference: JavaScript & Beyond — Explore the changing worlds of JavaScript & HTML5 at the O'Reilly Fluent Conference (May 29 - 31 in San Francisco, Calif.).

Save 20% on registration with the code RADAR20

Got news?

Please send tips and leads here.


February 23 2012

Developer Week in Review: Flash marginalization continues

I got a rude reminder of how dependent we've grown on ubiquitous telecommunications, as AT&T decided to take a sick day, cell phone service-wise. The outage only lasted an hour or so, but I suddenly found myself on the road with no way to call into a scheduled scrum standup (can it be a standup when you're sitting in your car?) and no way to email to let them know what was going on.

Total outages have been pretty rare, but it wouldn't take much from a solar storm perspective to knock everything offline, something I wrote about several years ago. Try to imagine modern society with no power, telecommunications or GPS navigation for a few days, and losing cell service for an hour gets put into its proper perspective.

Now that I'm back at home with a nice reliable fiber connection, I can give you the news of the week.

Tux can only flash people wearing chrome, now

As was reported previously, Adobe is starting to gracefully put Flash out to pasture in favor of HTML5. The deathwatch took another step forward this week, with Adobe announcing that only Chrome will be able to run Flash under Linux in the future.

One could argue that Linux never was much of a market for Flash anyway, but following on the heels of the announcement regarding mobile support, it should be clear that Flash is on the way out. Flash was once considered the last best hope for seamless integration across desktop and mobile platforms, held back only by Apple's intransigence. Now, all eyes are on HTML5.


Getting laid off doesn't sound so bad now, does it?

In the "developed world," software professionals spend a lot of time worried about intellectual property, career viability, privacy issues, and the like — our version of "first world problems." Once in a while, however, we get harsh reminders of the kind of real problems that can face a software developer in less-friendly circumstances.

Such is the case of Saeed Malekpour, an Iranian-born engineer and Canadian resident, who is currently facing a death sentence in Iran, accused of creating a pornographic network. According to most sources, the only thing that Malekpour actually did was to create a program that could be used to upload photos to websites, and that code had been incorporated into pornographic websites without his knowledge.

Malekpour confessed to running a pornographic network after a year in custody, a time when his supporters claim he was frequently tortured. What is certain is that very soon, if nothing is done, he will be executed, likely by being beheaded.

It's easy to write this off as a symptom of extremist ideology, but it should also serve as a wake-up call to open source and freelance developers who never plan to venture outside so-called "developed" countries. It is far too easy to imagine some hapless developer being dragged off to an undisclosed location because his or her software was found on the laptop of a jihadist. The problem with writing software is that you never know who may end up using it.

Putting Apple's labor issues in perspective

I just watched the "Nightline" report on Apple's production facilities, run by Foxconn in China. I'm sure that there's lots of righteous outrage afoot about the low wages (starting at $1.80 an hour) and cramped living conditions at the facility. I thought it was worth putting things in perspective, however.

To make it clear at the outset, I'm not in any way an apologist for China's government or social system. But I suspect you could find lots of people living in the U.S. willing to work for that wage, provided with lodging for $17 a month and a meal that costs about an hour's wage. As the report pointed out, the suicide rate at Foxconn is actually below the average in China, at 1.7 suicides per 100,000. For comparison, U.S. police officers experience 18 suicides per 100,000. And lest we become too indignant about factory accidents at the Foxconn facilities that killed more than two dozen in the past few years, we should remember that the U.S. doesn't have a shining record in this regard either.

The point I'm making is that Apple makes an easy target because of its size and because some people want to make trouble for the company whenever they can. However, if we're going to attack Apple, let's do it for the right reasons. By most accounts, Apple is doing a much better job ensuring worker rights and safety than the industry as a whole.


January 19 2012

Four short links: 19 January 2012

  1. Fragmentation is Not The End of Android -- full of trenchant insights, this post considers the many implications of the Android value chain. The line "Only Apple directly profits from being an OS provider in the mobile ecosystem. For Google it is a cost center" particularly struck me. Anyone know whether Google offers to (for money) maintain branded carrier- and/or device-specific versions of Android? Seems like a natural business model given their development pipeline and desire to ensure availability of updates. (via John Gruber)
  2. Chart of Y Combinator Companies' Hosting Decisions -- just what it says.
  3. Muststache -- fun Chrome extension using face recognition to add mustaches to faces in pictures. Ten years ago, almost every kind of face recognition was a dark art requiring many computrons. Today it's a toy.
  4. Stamen's 2011 -- frankly astonishing year of beautiful and meaningful visualizations and design. They continue to provide the benchmarks for designing with data.
