September 27, 2016 photography curves zones gradient

Some good tricks with curves

Source

This cool video shows how to use a posterized gradient to make a set of tonal rectangles.

  1. Add a horizontal (0°) gradient adjustment layer running from one tonality or color to another.
  2. Add a posterize adjustment layer. Its property panel lets you set the number of separate tones/colors in the gradient. An odd number guarantees 50% grey somewhere.
  3. Clip the posterize layer to the gradient layer.

This is really cool.

More can be found here, including a downloadable action.

September 24, 2016 macos git

a fast and friendly git client for Mac

Source

Open recent repositories quickly

Tabs allow you to quickly navigate to your repositories and organize your workflow efficiently

Open the repository website in browser

List of repository branches, origins, tags and stashes

Fork displays your commits and branches in the most clear way. Never mess with your branches again

Selected commit details, changes and file tree

September 24, 2016 macos security

Mac OS/X Security Tips

Source

1. Isolation

1.1. Disconnect your computer from the Internet.

Most exploits occur over the Internet, so this is a no-brainer. When you do not need to have an Internet connection going, go to the Wireless icon and select Turn Wifi Off. (Or disconnect the Ethernet cable if you use that.)

1.2. Disable Bluetooth when not at home.

Bluetooth may be useful for connecting to an external keyboard at home, or to a fitness device, but if you don’t need it, it is prudent to switch it off since it offers a potential if rare means of attack. (This is less so today than in its early days.)

It is also useful for surveillance. Your Bluetooth device’s address can be obtained to identify and track you in public places. As a test, I tried detecting Bluetooth devices while driving down the road. The phones of people in passing cars were easily detected by my iSystem app.

1.3. Disable the Ethernet port if there is one.

Few people use the Ethernet port any longer. It is mainly useful for technology professionals in communicating with routers and servers. If you don’t need to use it, go into the Ethernet settings, select Disable for the Configure IPv4 setting. For the IPv6 setting select Local Link Only.

1.4. Disable Firewire.

Most people never need Firewire. If you don’t, go into the Firewire settings, select Disable for the Configure IPv4 setting. For the IPv6 setting select Local Link Only.

Trivia: It has been discovered that a Mac that is asleep can provide access to the entirety of its RAM through the Firewire port via DMA (direct memory access). Thus it can be used to copy data. It’s a rare exploit, especially since it requires physical access to a computer when it’s asleep, but it’s another reason to disable Firewire.

1.5. Do not use online storage.

It is unwise to use iCloud or any other cloud-based online storage service such as DropBox, convenient though it may be. If you do not encrypt your files before you upload them, they can be copied and used right away or years from now e.g. by governments, by people who hacked into the cloud, and by employees of the cloud service.

The typical argument that it doesn’t matter if they’re stolen is a form of denial. You may not want to imagine the numerous outrageous ways in which, for instance, your photos can be used, but that doesn’t mean that others feel so inhibited.

The practice of encrypting data before storing it in the cloud is called TNO: Trust No One. Security professionals recommend a TNO approach.

1.6. Avoid free online email.

You really should not use online free email services either such as these:

  • Yahoo mail
  • Gmail
  • Mail.com
  • Inbox.com
  • Lycos mail
  • Hotmail
  • Aol mail
  • GMX mail

Most corporations that run such services are all too eager to turn over your personal information to any nefarious company or government agency that’s paying. Betraying your trust is profitable and they view that betrayal as a no-brainer without consequences.

Surveillance is the killer app of the Internet.

Long before Edward Snowden, it was exposed on Cryptome.org that Yahoo charges the US government only US $60 for a year’s worth of a user’s emails.

1.7. Keep critical personal data off of your computer

Not everything has to be on your computer. Critical data such as your social security number, tax records, legal paperwork, birth certificates, passwords, ID cards, immigration documents, sexy photos and revealing private videos should be located on encrypted external media from start to finish.

1.8. Encrypt your external drives.

Any laborer or landlord who walks into your apartment and sees a USB drive sitting on the table could in theory steal it, or copy it without your knowing. It’s wise to encrypt such drives to at least protect your data.

You may think you know what’s on a drive, but in truth most people are largely ignorant of where they’ve put their numerous files.

To encrypt a USB or hard drive, format it for Mac OS (not Windows FAT) and tell Disk Utility to encrypt it.

External media that are not in use should be locked away.

1.9. Securely erase and wipe empty space

When you delete a file, use the Finder’s Secure Empty Trash [sic] feature. You should go into the Finder preferences and set secure erasure to be the default method.

But note, data deletion that is not done by the Finder, but rather is done automatically by programs like browsers, will probably not be done securely.

To make sure that no deleted data can be un-deleted, you can periodically run Disk Utility and use the Erase Empty Space feature. This will make sure important data like deleted web browser cache data and web history cannot be recovered.

1.10. Remove all personal data before taking your Mac in for repair

It was revealed on Consumerist.com that workers in Best Buy’s Geek Squad service were regularly copying customers’ photos and other content onto personal thumb drives during the course of repairing their computers. Would Apple’s geniuses not do the same? Who can say, except an insider.

An article:
Geek Squad Accused Of Stealing and Distributing Customer’s Naked Photos.

1.11. Avoid low-cost domain resellers and hosting services.

Don’t be fooled by low prices. When you sign up with cheap services, they could just make up for the lack of profits by selling you out.

I discovered to my surprise that the Universal Terms of Service provided by GoDaddy and its various resellers has an enormous qualification: They claim ownership of your User Content if it is within a subcategory called User Submissions. The problem is, they never define what part of your data falls into that subcategory and what does not.

You should always take the time to read the fine print.

1.12. Practice good thumb drive isolation.

Never buy or use a USB thumb drive that cannot be attached to your keychain. A thumb drive without a keychain hook or that is not on your primary or only keychain is easily lost or stolen.

A thumb drive should always be encrypted unless it’s solely for use in

  • your car’s audio system in which case it should only have your current MP3s and nothing else;
  • your TV in which case it should only have MP4s you plan to watch soon.

Give each thumb drive a name indicating what it’s for and mark it to indicate its purpose e.g. AUDIO BOOK FOR CAR.

Never use a thumb drive that you find sitting in public somewhere. Leaving a thumb drive on a ledge or table is a classic means of infecting computers at e.g. a nearby business or government organization.

2. Disable risky services

2.1. Inhibit Bonjour.

After you enable your firewall (see section 3 below) you should enable its stealth mode. This should prevent your computer from broadcasting its existence to other computers on a network.

An alternative method is to disable the Bonjour service. This tells other Macs near you what services you have to offer them, and tells you what they can offer you.

Two rules of thumb:

  1. You should not encourage others to be trying to get access to what is on your computer.
  2. You should not be accessing any data they have made available as it may contain malware.

In Mountain Lion, you can go into Settings, Security, Firewall, and Firewall Options and select Enable Stealth Mode (for good measure), and then Block All Incoming Connections.

Another approach is to use the command line to edit the file /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist. You add to the section ProgramArguments by inserting a string entry called -NoMulticastAdvertisements. Then reboot.

2.2. Disable Bluetooth discovery.

If you must use Bluetooth, disable discovery in the Bluetooth settings. You can also do this in the Bluetooth-icon pulldown menu.

2.3. Disable any Sharing services.

It is almost always a bad idea to leave sharing services on. If you must use a sharing service, do so only temporarily when you need it, then switch it off again. Go into Sharing settings and uncheck everything.

2.4. Remove Google spyware that comes with Mail

I recently discovered that a Google mail plugin was periodically running and checking to see what drives I have mounted on my system, e.g. whether I have a USB drive plugged in. This is very odd because:

  1. I was not running Mail at the time.
  2. I do not have a Gmail account.
  3. I was not logged into my Google account.

To prevent this kind of activity, whatever its actual purpose may be, one can remove the offending plugin. But… warning! If you do this then you won’t be able to use a Gmail account from within Mail. From Terminal, do this:

```sh
sudo rm -rf /System/Library/InternetAccounts/Google.iaplugin
```

You’ll need to enter your password to delete the plugin.

There are other plugins in that folder that you can delete if you are sure you don’t need them. They include:

```sh
sudo rm -rf /System/Library/InternetAccounts/126.iaplugin
sudo rm -rf /System/Library/InternetAccounts/163.iaplugin
sudo rm -rf /System/Library/InternetAccounts/AOL.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Exchange.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Facebook.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Flickr.iaplugin
sudo rm -rf /System/Library/InternetAccounts/LinkedIn.iaplugin
sudo rm -rf /System/Library/InternetAccounts/QQ.iaplugin
sudo rm -rf /System/Library/InternetAccounts/TencentWeibo.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Tudou.iaplugin
sudo rm -rf /System/Library/InternetAccounts/TwitterPlugin.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Vimeo.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Weibo.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Yahoo.iaplugin
sudo rm -rf /System/Library/InternetAccounts/Youku.iaplugin
sudo rm -rf /System/Library/InternetAccounts/iCloud.iaplugin
```

2.5. Disable Location Services and the IR receiver.

Very few people need these. For good measure, go into Settings, Security, Privacy and disable both Location Services and the IR receiver.

Location services is mainly useful for the Map program.

2.6. Remove CIJScannerRegister

If you don’t have any older Canon printers on your network, you don’t need CIJScannerRegister. This program sends out UDP packets looking for these printers. If you have many Macs on a network this can add to the congestion, but even if you only have one, the fact that CIJScannerRegister is sending out these packets could leave you open to attacks, because

  1. It advertises your existence.
  2. The CIJScannerRegister program itself may have vulnerabilities that a malicious computer could exploit.

To remove CIJScannerRegister, use this Terminal command:

```sh
# the path contains a space, so it must be quoted
sudo rm -rf "/Library/Image Capture/Support/LegacyDeviceDiscoveryHelpers/CIJScannerRegister.app"
```

Note, CIJScannerRegister appears to have been removed from OS/X Mavericks.

3. Block outsiders

3.1. Enable the basic Firewall.

You should always have your Mac behind a physical firewall such as the one in your Wifi router, but you will also need to enable Apple’s built-in Firewall capability, especially if you will use your Mac on an unencrypted public Wifi.

Go into Settings, Security, and Firewall to find it and start it.

3.2. Enable FileVault to encrypt your hard drive

Encrypt your entire drive using FileVault. The first time you enable it, it will require up to an hour to encrypt your drive.

If you also have Windows installed on your computer via BootCamp, FileVault will prevent Windows programs from reading your Mac files, and that’s generally good especially if your Windows setup get infected with malware.

3.3. Add a firmware (boot) password

The firmware password is not your normal login password, but rather the password that lets the Mac boot from a disk other than your hard drive. Adding it is done using the OS/X installation disk, if you have one. By enabling a firmware password, you prevent other people from booting up your computer from a CD-R or DVD-R disc or from a USB flash drive.

This can be very important, because if you fail to add a firmware password and you fail to encrypt your hard drive, this means crooks and ne’erdowells can potentially walk up to your unattended Mac, boot from a thumb drive and steal all of your data.

3.4. Turn off your home Wifi router at night and when you are not at home.

At night, or whenever you are not at home, there is no need for your router to be powered up. Having it on means that someone can theoretically hack into the router itself from anywhere on the planet.

If you think such a thing is unlikely, just google port 32764 backdoor. There are several ways to break into a Wifi router and port 32764 is perhaps the latest one to be discovered. Check it by clicking here.

Set the administration password on your Wifi router (not just the encryption password) to something very hard to guess, and make sure you disable remote log-in. Also disable logging into the router via Wifi: require a connection with a cable.

3.5. Shut off the port forwarding.

If you must set up your Wifi router for port forwarding, make sure you turn off that feature immediately after you’re done with it. Otherwise you’re just providing a means for outsiders to bypass the firewall.

An example of an activity that often leads to port forwarding being left on is when gamers use it to play video games with other people from around the world. Since Macs are less commonly used for gaming than are Windows PCs and gaming consoles, this may not apply to you.

An example of a situation in which port forwarding is useful but potentially dangerous is when you set it up to permit you into your Mac from afar using ssh (secure shell). Remote login is a standard feature of OS/X that is enabled in Settings, the Sharing section, by clicking Remote Login. For such an activity you’d be enabling port 22 on your Wifi router to let outsiders (hopefully only you!) who are utilizing ssh or sftp to enter your machine.

If, in the worst case, you leave Remote Login enabled on your Mac and port forwarding enabled on your Wifi router and leave your router itself powered up e.g. at night, this could be very bad.

3.6. Shut off the router’s uPnP service

Most Wifi routers support universal plug-and-play, which can reveal information about what’s on your network to people who are far away. You should always make sure that uPnP is switched off. However you should also be aware that some routers, even if you tell them to switch off uPnP, leave it partially on anyway.

3.7. Set the Wifi encryption password

This is a no brainer. If people are able to get onto your Wifi network, they can read most of the data that is passing across the network. This means they can analyze it and record it. Even though much of your data will be useless to them, some of it could be quite useful. For instance, some email services even today fail to encrypt emails when your mail reader downloads them.

So enable the Wifi password, and use WPA2 encryption.

Note that WEP encryption is not secure and should not be used. It was not actually designed by security professionals.

3.8. Set up your Wifi router to not broadcast the name of your router i.e. the SSID.

If you know your router’s name, you don’t need to tell the world about it. Letting everyone in the neighborhood know the name (the SSID) is dangerous because it means they can then commence with trying to break into your Wifi network.

3.9. Check your file permissions.

If more than one person will use your computer, each with his own account, make sure that users cannot access one another’s files.

This pertains to the files in your home directory. Most users don’t need to worry about this since they don’t put files in their home directory.

Make sure that files and subdirectories in your home directory are accessible only by you, and not by people in your group or by everyone. Directories should have permissions 0700 and files should be 0600.

The only directory that should be 0777 is ~/Public, which is the sharing directory.

A pitfall: Files copied from a Windows thumb drive, which typically has a FAT32 file system, will often be automatically set to 0644, and directories to 0755, which lets any other user on your Mac access them if those files are in your home directory.
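The permission check described in this section, as an added example that is not part of the original post: a POSIX shell script that lists every file or directory under a home directory whose group or other bits are set, skipping the ~/Public sharing directory the post says may stay open, and optionally tightens everything to 0700/0600. It reads the mode string printed by `ls -ld` rather than using `stat`, whose flags differ between macOS and Linux, so the same script runs on both. The directory names used in the comments are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit, and optionally fix, the
# group/other permission bits under a home directory (section 3.9).
# The Public sharing directory is skipped on purpose.

# Print "<group+other bits> <path>" for every file or directory whose group or
# other bits are not all cleared.  Usage: audit_home_perms DIR
audit_home_perms() {
  dir=${1:?usage: audit_home_perms DIR}
  find "$dir" \( -type f -o -type d \) ! -path "$dir" \
       ! -path "$dir/Public" ! -path "$dir/Public/*" |
  while IFS= read -r path; do
    # columns 5-10 of e.g. "-rw-r--r--" are the group and other bits
    bits=$(ls -ld "$path" | cut -c5-10)
    [ "$bits" = "------" ] || printf '%s %s\n' "$bits" "$path"
  done
}

# Number of offending entries, handy in scripts; 0 means the tree is clean.
# Usage: count_loose_perms DIR
count_loose_perms() {
  audit_home_perms "$1" | wc -l | tr -d ' '
}

# Tighten everything to 0700 (directories) / 0600 (files), again leaving
# Public alone.  Usage: fix_home_perms DIR
fix_home_perms() {
  dir=${1:?usage: fix_home_perms DIR}
  find "$dir" -type d ! -path "$dir/Public" ! -path "$dir/Public/*" \
       -exec chmod 0700 {} +
  find "$dir" -type f ! -path "$dir/Public/*" -exec chmod 0600 {} +
}

# Typical use on a Mac (assumed invocation, run as the account's owner):
#   audit_home_perms "$HOME"      # review first
#   fix_home_perms "$HOME"        # then tighten
```

Run the audit first and read the list before fixing: files copied from a FAT32 thumb drive, as the pitfall above describes, will show up as `r--r--` or `rwxr-x`, and the fix step is what the post recommends for them.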

4. Browse the Web wisely

4.1. Disable third-party cookies

Third-party cookies are a means by which people are tracked when they use the Internet.

  • Safari disables them by default.
  • In Firefox it is possible to disable third-party cookies but it requires the extra effort of going into the browser preferences in the Privacy section and History subsection to enable blocking. You can run the following cookie forensics test to see whether you are at risk: Cookie forensics.

4.2. Do not use unofficial Firefox plugins.

If you begin to check who writes plugins, it quickly becomes apparent that many authors go by pseudonyms and never give their actual names. They also conceal their whereabouts in many cases, or they are located in faraway countries. This might not matter except for two key facts:

  • Plugins run Javascript which is a major conduit for malware exploits.
  • More nefarious plug-ins that you add manually are allowed to include object code.

Food for thought:

When I asked a famous security researcher why more research is not being done into the risks posed by browser plugins, he answered that it’s just not cool enough.

Don’t assume that experts are working to keep you safe in every possible way. They may care more about getting their kicks or winning security competition prize money than about protecting you.

4.3. Avoid PDFs except from reputable sources.

In 2010, the Chinese hacked into hundreds of American corporations, including Google. One means by which this was done was using malware-infected PDF files, sent to GMail accounts. Thus, you should not assume that PDFs are generally safe.

In 2011, a Mac-specific trojan OSX/Revir-B was found that hides inside PDFs. Sophos article.

4.4. Disable Java in each browser

99.9% of the time, you do not need Java, but if it’s enabled, it is a huge security risk and the hackers in far-flung places like Mauritius and Kazakhstan know this.

Granted, some employers still require use of Java by their employees. Some Scandinavian banks allegedly require its use for online banking. On your personal computer however you generally do not need it.

To delete the Safari plugin:

```sh
sudo rm "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"
```

4.5. Disable Flash in each browser.

It’s very risky to leave Flash enabled or even installed. Flash may seem useful for watching videos on YouTube or Vimeo, but outside of that limited context it is a pretty pathetic technology.

  • Websites containing Flash can contain exploits.
  • PDFs containing Flash can contain exploits.
  • Ads containing Flash can contain exploits.

Give a listen to how it is being used for nefarious purposes, such as recording your keystrokes:

In short, Adobe has done a horrific job of making Flash safe.

YouTube now supports HTML5 for watching many videos. Use that instead of Flash.

If you must use Flash, use it from within Chrome only and only go to specific websites, like YouTube, Xfinity, Vimeo and Hulu. Chrome is the wiser browser for Flash use because Google has their own variant of Flash that is based on Adobe’s code but is more secure. Verge article.

4.6. Remove Flash if possible.

The copies of Flash that Safari or Firefox would use should be deleted.

In the directory /Library/Internet Plug-Ins, there is a part of the flash plugin for Safari. Use this command to remove it:

```sh
sudo rm "/Library/Internet Plug-Ins/flashplayer.xpt"
```

4.7. Do not surf the Web in public places unless a password is required.

For technical reasons, it turns out that places like coffeehouses and restaurants that offer free Wifi are the least secure environments in which to do Web surfing.

An important point: It is in public Wifi locations that so-called zero day exploits are most likely to be deployed. A zero-day is simply one that security researchers have not yet become aware of, but the spooks and criminal gangs do know about.

The main way to make public Wifi secure is if encryption is enabled on their Wifi router, and they have to use WPA encryption. That protects you from other customers as well as people outside the building.

Without WPA encryption enabled, other people can potentially intercept your Internet traffic and even hijack your online account(s) using man in the middle attacks. If you must use non-encrypted public Wifi like at Starbucks, don’t access personal online accounts such as email.

Actually, some have asserted that even having WPA enabled is not enough, since miscreants can still snoop the key-exchange that is done when WPA is starting up, which is done in the clear.

One way to make public Wifi secure for you only is to use a VPN connection. Companies often require this for their employees’ computers.

4.8. Log out of website A before you log into website B.

A common type of exploit termed Cross Site Scripting or XSS involves a user clicking on a link, such as in an email, that hijacks a current session that you have open at a website like Facebook and Gmail. This type of exploit cannot succeed if you are logged out. Therefore always log out of your accounts when you are not using them.

The great masses of illicit video, music and photo content that are available on the web appear to be made available as-is. There is not much evidence that anyone checks them for malware. Let’s say 1 in 1000 files has malware that stealthily takes over your computer. If you view such materials on a regular basis, it is inevitable that you will get an infection sooner or later.

Rule 1: If you want illicit movies or TV shows, buy the DVDs and play them on your TV. Or rent them from your local library, which may be quite cheap or free.

Rule 2: If you want to look at interesting photos of bikini-clad women or accidents or whatever, consider doing it from within a virtual machine e.g. using VMWare or Parallels.

Rule 3: If you want to listen to music before buying it, go to the video-upload websites like YouTube rather than to download sites. This is where the artists expect and want you to go.

4.10. Disable Java in email client Thunderbird.

It turns out that Mozilla decided to allow add-ons in Thunderbird, and in the version I downloaded, Java is enabled by default. So if you use Thunderbird you will need to go into the Tools menu, select Add-Ons and disable all of them for your safety.

4.11. Add sites to your /etc/hosts as loopback.

Specific domains that cause excessive or unknown traffic can often be blocked using a simple method: Add them to your /etc/hosts file, specifying their IP address as 127.0.0.1. This is also a good way to block ads, if you know the domains they’re using. Example:

```sh
sudo vi /etc/hosts
```

Adding lines such as:

```
127.0.0.1   akamaiedge.net
127.0.0.1   trafficjunky.net
127.0.0.1   akamaitechnologies.com
127.0.0.1   a23-62-228-16.deploy.static.akamaitechnologies.com
127.0.0.1   syndication.exoclick.com
127.0.0.1   exoclick.com
127.0.0.1   1e100.net
127.0.0.1   pagead2.googlesyndication.com
127.0.0.1   nuq04s19-in-f7.1e100.net  # etc.
127.0.0.1   nuq05s02-in-f15.1e100.net
```
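A scripted version of the hosts-file method above, as an added example that is not part of the original post. Rather than editing /etc/hosts by hand, it validates each name, skips names already mapped, and appends the rest as 127.0.0.1 entries. The hosts file path is a parameter so the script can be exercised on a scratch copy; for real use pass /etc/hosts and run it with sudo. The function names and the sample domains fed to it are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent /etc/hosts blocklisting.

# Return 0 if NAME is a syntactically valid, fully qualified hostname
# (letters, digits, hyphens; at least one dot; alphabetic top-level label).
# Usage: valid_hostname NAME
valid_hostname() {
  printf '%s\n' "$1" |
  grep -Eq '^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
}

# Return 0 if HOSTS already has a line mapping exactly NAME (any address).
# Usage: hosts_has HOSTS NAME
hosts_has() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # make dots literal for grep -E
  grep -Eq "^[[:space:]]*[0-9a-fA-F.:]+[[:space:]]+([^#]*[[:space:]])?${esc}([[:space:]]|\$)" "$1"
}

# Append a 127.0.0.1 entry for each NAME not already present; invalid names
# are reported on stderr and skipped.  Prints how many entries were added.
# Usage: add_hosts_block HOSTS NAME...
add_hosts_block() {
  hosts=${1:?usage: add_hosts_block HOSTS NAME...}
  shift
  added=0
  for name in "$@"; do
    if ! valid_hostname "$name"; then
      printf 'skipping invalid name: %s\n' "$name" >&2
      continue
    fi
    if hosts_has "$hosts" "$name"; then
      continue                       # already mapped, leave it alone
    fi
    printf '127.0.0.1\t%s\n' "$name" >> "$hosts"
    added=$((added + 1))
  done
  echo "$added"
}

# Real use (assumed invocation):
#   sudo sh -c '. ./hosts_block.sh; add_hosts_block /etc/hosts exoclick.com 1e100.net'
```

Two points worth knowing when relying on this technique: a hosts entry matches the exact hostname only, so blocking `1e100.net` does nothing for `nuq04s19-in-f7.1e100.net` unless that name is listed too, which is why the list above names individual hosts; and pointing a name at 127.0.0.1 sends the request to your own machine, so anything listening locally on the relevant port will receive it.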

For visiting risky websites, don’t use a mainstream graphical browser. Use a text-based browser in Terminal. Links is a good one. It does not come preinstalled but you can download from here, build it and install it.

4.13. Install an ad blocker if available.

Firefox does not have an ad-blocker built in. Most people use Ad Block Plus, which is a Firefox extension.

4.14. If you must go to a risky website, run a site checker on it first

There are now websites that can run a series of tests on another website that you specify. You can thereby assess whether the specified site will try to attack your computer. Malicious sites typically do this by exploiting vulnerabilities in web browsers.

One such scanner is: Sucuri SiteCheck.

4.15. Tell your browser to not install software automatically.

Safari supports automatic software installation without your approval, and exploiters have used this feature to install malware. You can disable it ostensibly by going into preferences and disabling automatic opening of safe downloads.

4.16. Tell your mail program to not load remote images.

Emails that contain images may seem like a safe convenience, but in fact there are risks to do with displaying them.

  1. Images can somewhat rarely contain malware.
  2. If you view a phishing email, loading the images can tell the attacker what your IP address is.

4.17. Tell your browser to not open safe files automatically.

Some browsers such as Safari have a setting that gives it your permission (set to Yes by default) to automatically open some files that it deems to be safe. The issue here is, it is not worth trusting the browser to make that decision for you.

4.18. Using public wifi: Change your MAC address.

When you log in to the free Wifi at a business such as a coffeehouse, you often see a pop-up window appear saying “Click to accept our terms of service”. This is where your privacy gets violated. When you press Accept, the Javascript that is running in that popup puts your current MAC address into the URL that it sends to a server.

Why this is done only they know. My guess is that they are trying to make money by selling information about your doings and whereabouts using your MAC as the tracking identifier. If your MAC can be linked to your identity, for instance by examining your Web traffic, it can become even more valuable.

Furthermore if an alliance of retail companies were to share this information among themselves, they could track your movements throughout the day based on what businesses you go near. You don’t even have to enter a business: The Wifi signal travels outside the store. You could drive past a business and still be identified.

If any of that makes you uncomfortable or creeps you out, you can change your Mac’s Wifi MAC address like so:

```sh
# changing the interface's hardware address requires root
sudo ifconfig en0 ether NEW_MAC_ADDR
sudo arp -a -d
```

5. Avoid risky software

5.1. Avoid products from Microsoft.

Even today, Microsoft’s Office for Mac is an overpriced, low-quality variant of their Office product for Windows. But worse than that, in-document scripting is still enabled by default, which unnecessarily leaves open a conduit for malware exploits to be launched. It is a vulnerability that has been exploited extensively by hackers in the past.

5.2. Skip the precompiled free software.

The best rule of thumb is, if you did not compile a free program yourself from the source code, assume that it has malware in it, and don’t use it. In order to compile it you obviously need the source code, and if the source code is not available (i.e. it is closed source) then you should wonder what they are hiding.

Unfortunately some of the bigger apps are not made easy to build by users. Firefox, for example. Indeed it is the apps that are most critical to most people’s workflows that are most difficult to build.

5.3. Use virtual machines with caution

Virtual machines like VMWare, Parallels and VirtualBox all present a potential risk of spying on your activities by the companies that make them. Think about it. These machines know every network connection your virtualized software is making, every keystroke that you type, every mouse click. If any of the companies that make these programs has a contract with an oppressive, spying-prone government or corporate espionage company, they could provide a record of everything that you do in a virtual machine to said malefactor company.

In addition, some virtual machines have vulnerabilities themselves, and bad people have written malware to exploit them: there are known breakout exploits in which malware running within a VM uses vulnerabilities in the VM software to find a way out of the running VM and into your main OS.

6. Check for malware

6.1. Stop risky services from launching

When you log in, some programs automatically launch. Some programs that do so can be found and removed if you run Settings, click on Users and Groups, select the tab Login Items.

From the command line, you may also find launch data in ~/Library/LaunchItems. You can stop them from launching after login by removing their launch plist files.

6.2. Look for keyloggers

A keylogger is a program that records every keystroke that you type and periodically sends those keystrokes to a server run by criminals or spooks.

A common Mac keylogger is ABK. Look for it using Spotlight or use the find command to search in these directories:

```
~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
/System/Library/StartupItems
```

You can also check your non-Apple KEXT files related to keyloggers. For example Blazing Tools Perfect Keylogger shows up as com.BT.kext.bpkkext in the output of this command:

```sh
# print the bundle ID and version of every loaded kext that is not Apple's
kextstat -kl | awk '!/com.apple/{printf "%s %s\n", $6, $7}'
```

6.3. Antivirus

Having a commercial antivirus running can be a security risk in its own right.

  1. Some malware is now written to attack and take over the antivirus programs.
  2. Some antivirus programs have a default setting to automatically upload your private files to their cloud servers without your consent in order to protect them. This means that some antivirus programs are effectively trojan horse spyware.
  3. If any antivirus company has been required by a nefarious government agency to provide them with a means to get into their customers’ computers, they will never tell you.

There is a free and open-source antivirus scanner called ClamAV that, if you are a technically savvy person, you can download, build, install, and run from the command-line. ClamAV link.

6.4. Periodically reinstall OS/X.

Infections are inevitable. Antivirus does not fully undo an infection. The best solution for security is to reinstall the OS from time to time, e.g. once per month, after reformatting the hard drive. Like brushing one’s teeth or tying one’s shoelaces, this is not difficult once it becomes routine.

6.5. Mainly use a non-administrator account.

The first account that you create is given administrator rights. That’s dangerous, because if you inadvertently run a malware-infected program, it can do more damage to your system than if you ran it from a regular user account.

Therefore, when you install OS/X, call your first account admin, and then create a separate non-admin account that you will use 98% of the time.

But you ask: Why? Isn’t this just paranoia? No. An example:
Taiwanese security researchers found, and reported at the Black Hat Europe 2014 conference, that Apple foolishly allows any user with admin privileges to install kernel drivers. They found this ability was still present in Yosemite when it was released.

6.6. If you have the technical skill, create your own firewall rules.

It can be important to block risky outgoing connections. You cannot be 100% sure that some random program you’ve downloaded is not a trojan horse that will upload your data to a server.

A simple script like the following, run using sudo, can stymie some spying efforts.

    #!/bin/sh
    # -q keeps ipfw quiet, so "flush" does not stop to ask for confirmation
    IPFW="ipfw -q "
    $IPFW flush
    # deny, and log, any traffic addressed to these destination ranges
    $IPFW add deny log dst-ip 173.194.0.0/16
    $IPFW add deny log dst-ip 184.84.0.0/14
    $IPFW add deny log dst-ip 208.91.0.0/22
    $IPFW add deny log dst-ip 23.0.0.0/8
    $IPFW add deny log dst-ip 239.200.3.0/24
    $IPFW add deny log dst-ip 64.4.61.0/24
    $IPFW add deny log dst-ip 93.184.0.0/16
    # deny, and log, any traffic arriving from this source range
    $IPFW add deny log src-ip 82.128.0.0/16
    # print the resulting ruleset
    $IPFW list
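The ipfw tool that script relies on was deprecated in OS X 10.7 and removed in 10.10 (Yosemite); the packet filter on current macOS is pf. The script below is an added example, not code from the original article: it builds the pf equivalent of the ipfw script from a blocklist file (one CIDR range per line, # comments allowed), rejects malformed entries instead of silently loading them, and emits a single pf table plus one block rule that denies and logs outgoing traffic to every range in the table. The blocklist format, the table name blocked_out and the function names are this example’s own choices; the sample ranges are the ones from the ipfw script, and the malformed line is constructed to show the check firing.

```shell
#!/bin/sh
# Added example: generate a pf ruleset from a CIDR blocklist.
# Not part of the original article; table and function names are illustrative.

# valid_cidr A.B.C.D/N -> exit 0 if every octet is 0-255 and N is 0-32
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;          # no prefix length
    esac
    ip=${1%/*}
    plen=${1#*/}
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip                  # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pf_rules_from_blocklist FILE -> pf rules on stdout.
# Malformed lines are reported on stderr and skipped; exit 1 if nothing valid.
pf_rules_from_blocklist() {
    entries=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                           # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t')  # and whitespace
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            entries="${entries:+$entries, }$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$1"
    [ -n "$entries" ] || return 1
    # one table holding every range and one rule referencing it: adding a
    # range later means editing the list, not adding another rule
    printf 'table <blocked_out> persist { %s }\n' "$entries"
    printf 'block out log quick to <blocked_out>\n'
}

# Demo on a constructed blocklist: ranges from the ipfw script above plus one
# deliberately malformed line.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed blocklist
173.194.0.0/16
184.84.0.0/14
208.91.0.0/22
93.184.0.0/16
300.1.1.1/24   # octet out of range, will be skipped
EOF
    pf_rules_from_blocklist "$tmp"
    rm -f "$tmp"
}

demo
```

pfctl -nf FILE parses a ruleset without loading it, which is the place to catch mistakes first. The default /etc/pf.conf on macOS consists of Apple’s own anchors, so in practice the two generated lines are appended to a copy of that file and loaded with sudo pfctl -f, then enabled with sudo pfctl -e, rather than loaded on their own, which would replace Apple’s rules.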

6.7. Look for other malware

Four additional commands (the first two list loaded launchd jobs, the third lists the common startup, extension and plug-in directories, the fourth lists login items):

    sudo launchctl list | sed 1d | awk '!/0x|com.(apple|openssh|vix)|edu.mit|org.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
    launchctl list | sed 1d | awk '!/0x|com.apple|edu.mit|org.(x|openbsd)/{print $3}'

    ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
    osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
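Reading those listings by eye works once; what you want over time is to notice what changed. The script below is an added example, not part of the original article: it snapshots the contents (path, size, modification time) of the directories the ls command above inspects, saves that as a baseline, and later prints only entries that are new or modified. The directory list, baseline path and function names are this example’s choices; the demo uses constructed temporary directories so it runs anywhere, while on a Mac you would pass the LaunchAgents, LaunchDaemons and other directories from the ls command.

```shell
#!/bin/sh
# Added example: baseline-and-diff of persistence directories.
# Not part of the original article; paths and names are illustrative.
export LC_ALL=C           # sort and comm must agree on collation

# file_meta FILE -> "size:mtime". GNU stat takes -c, BSD/macOS stat takes -f;
# GNU is tried first because BSD stat rejects -c without printing anything.
file_meta() {
    stat -c '%s:%Y' "$1" 2>/dev/null || stat -f '%z:%m' "$1"
}

# snapshot DIR... -> one "path<TAB>size:mtime" line per entry (dotfiles
# included), sorted so the result can be compared with comm
snapshot() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/* "$d"/.[!.]*; do
            [ -e "$f" ] || continue        # unmatched glob pattern
            printf '%s\t%s\n' "$f" "$(file_meta "$f")"
        done
    done | sort
}

# added_since BASELINE DIR... -> entries present now that are not in BASELINE
# (new files, or files whose size or mtime changed)
added_since() {
    base=$1; shift
    snapshot "$@" | comm -13 "$base" -
}

# Demo with constructed directories standing in for ~/Library/LaunchAgents etc.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/LaunchAgents" "$work/LaunchDaemons"
    printf 'constructed\n' > "$work/LaunchAgents/com.example.known.plist"
    snapshot "$work/LaunchAgents" "$work/LaunchDaemons" > "$work/baseline"

    # ...time passes; something installs a new agent
    printf 'constructed\n' > "$work/LaunchAgents/com.example.new.plist"

    echo "entries not in baseline:"
    added_since "$work/baseline" "$work/LaunchAgents" "$work/LaunchDaemons"
    rm -rf "$work"
}

demo
```

Keep the baseline somewhere the account you normally use cannot write to, otherwise whatever modifies a LaunchAgents directory can also rewrite the baseline to match.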

7. Detect outsiders

It might help to get an idea of what computers are close enough to attack your computer.

Let’s say for instance that you want to access your bank account online (bad idea) but you have roommates that you don’t know very well. In this case it might be wise to wait until other people are not using your network. But how do you know if they are? You have to detect their presence.

7.1. Find out who else is on your network

If you’re using a Wifi connection, especially in a public place, there may be many computers, phones, and tablets that are on the Wifi and able to snoop on your activity or to attack your computer.

Even if the owner of a device is benign, there may be malware on his or her device that is programmed to automatically seek out vulnerable devices or look for interesting data.

Using Terminal, run this command:

This lists any devices that your computer has knowledge of now, which may include devices that were previously on the network but recently disconnected. It is usually an incomplete list.

A more proactive way to see whether anyone else is on your network is to use the command ping -i 5 -c 1 255.255.255.255, but this should only be done rarely as it makes your computer look suspicious.
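The article does not name the command it has in mind; the description (devices your Mac currently knows about, including ones that recently left) matches the ARP cache, which arp -a prints. The script below is an added example, not from the original article, and assumes that command. It parses arp -a output, normalises MAC addresses (macOS prints octets without zero padding, e.g. a4:2b:8c:0:11:22), ignores multicast and broadcast pseudo-entries and incomplete lookups, and reports devices whose MAC is not in a list you keep of your own hardware. The sample output and the known-device list are constructed; the list format (MAC, label) and the function names are this example’s choices.

```shell
#!/bin/sh
# Added example: flag unknown devices in `arp -a` output.
# Not part of the original article; assumes the elided command is arp -a.

# norm_mac MAC -> lowercase with every octet zero-padded to two digits, so
# macOS's a4:2b:8c:0:11:22 and Linux's a4:2b:8c:00:11:22 compare equal
norm_mac() {
    out=""
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do
        o=$(printf '%s' "$o" | tr 'A-F' 'a-f')
        case "$o" in ?) o="0$o" ;; esac
        out="${out:+$out:}$o"
    done
    printf '%s\n' "$out"
}

# unknown_devices KNOWN_FILE   (arp -a output on stdin)
# KNOWN_FILE holds "mac label" lines with normalised MACs. Prints "ip mac" for
# each cache entry whose MAC is not listed; exit status 1 if any were printed.
unknown_devices() {
    known=$1
    found=0
    while read -r _host ip _at mac _rest; do
        case "$mac" in
            *:*) ;;
            *) continue ;;                  # "(incomplete)" or an odd line
        esac
        ip=${ip#\(}; ip=${ip%\)}
        mac=$(norm_mac "$mac")
        case "$mac" in
            01:00:5e:*|ff:ff:ff:ff:ff:ff) continue ;;   # multicast / broadcast
        esac
        if ! grep -q "^$mac[[:space:]]" "$known"; then
            printf '%s %s\n' "$ip" "$mac"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed arp -a output in macOS format, and a constructed known-device list
SAMPLE_ARP='? (192.168.1.1) at a4:2b:8c:0:11:22 on en0 ifscope [ethernet]
? (192.168.1.20) at 3c:22:fb:9a:0:7 on en0 ifscope [ethernet]
? (192.168.1.55) at (incomplete) on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (192.168.1.37) at de:ad:be:ef:0:1 on en0 ifscope [ethernet]'

SAMPLE_KNOWN='a4:2b:8c:00:11:22 router
3c:22:fb:9a:00:07 my-laptop'

demo() {
    k=$(mktemp)
    printf '%s\n' "$SAMPLE_KNOWN" > "$k"
    # on a Mac: arp -a | unknown_devices "$k"
    printf '%s\n' "$SAMPLE_ARP" | unknown_devices "$k"
    rm -f "$k"
}

demo
```

Matching on MAC rather than IP is deliberate: on a shared network the addresses handed out by DHCP change, while a device’s hardware address normally does not. A MAC can be spoofed, so a clean result means nothing unfamiliar is visible, not that the network is safe.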

8. Summary

There are a lot of things that you can do to secure your Mac, many of which do not require technical ability. They do require that you think, though, and use common sense.

Live attack map from Norse

September 24, 2016 google

Big data, Google and the end of free will

This article is from Hacker News, so I’ve lost most of the formatting and links to the commenters.

Tsunamifury:

Complete hyperbolic garbage. Data, given a big enough set, is just a reflection of reality. You might as well claim we have a religion of our eyes and ears.

Given huge sets, much like reality, almost anything can be “proven” at some sort of local scale. It’s not a religion or a cult or a new god. It’s just observation.

Second, data is a recording of past events, and has surprisingly limited ability to predict future outcomes. There is a narrow window for the most instinctual tasks where it works well and there is a ton of value there — but it comes nowhere close enough to meta-cognition’s ability to give you free will.

‘Given huge sets, much like reality, almost anything can be “proven” at some sort of local scale.’

I don’t think you’re right, I think that some things aren’t tractable to this kind of analysis. Obv. Gödel type things, but if you believe in freedom of will and an open universe then a lot of other things. For example, the path of true love, the next line of a poem, the summer after next’s hot fashion trend.

More importantly (less) international events, earthquakes, solar flares.

Fractals, chaos and incompleteness.

You can prove it retrospectively but you can’t predict it in the moment was what I was trying to say.

Given enough data, while you can’t predict exact actions, you can predict general trends with good accuracy. For example, given your complete post history and metadata about those posts and your views of HN, someone could fairly easily predict what subjects you will upvote, what subjects you’ll comment on (and a good idea of the tone of your comment), and so forth.

We’re creatures of habit, and once you have enough information to identify those habits, you can do a pretty good job at predicting what we will do. Heck, with the little data I have access to, I can be pretty sure which articles I will see comments from big posters like jacquesm and tptacek, and what their comments will contain. I can’t predict every story they will comment upon, nor the exact details of the comments, but at a higher level it is definitely predictable.

Valid points, but they won’t stop the average less self-analytical person from trusting Big Data, just as many are susceptible to altering their behavior because of some “study” they read about in the paper. Due to our (the masses) inability to follow the gnothi seauton aphorism, we are more likely to allow someone or something to make choices for us. See concluding paragraph of the essay.

Is it different today from 50 or 100 years ago? Doesn’t seem so different to me.

The article keeps confounding free will with authority over society, and morality itself. But these are all different (see footnote *).

Harari complains that “Dataism” (and email) makes us “… tiny chips inside a giant system that nobody really understands”. But individuals always were just small parts of a great ecosystem that nobody understands.

But even with SMTP, we are still big enough to live our lives well for ourselves and loved ones. We can also try to improve society — but the results will be small and unpredictable.

He shows the same confusion of individual freedom with social control when he says:

in a humanist society, ethical and political debates are conducted in the name of conflicting human feelings,

Well that’s a pity, because in a liberal society, they should be debates about human rights. Your feelings about gay pride or religion should not give you authority to control others, but your rights might set some bounds.

As far as I can tell, Harari has learned that modern biology is starting to see life and the mind as an information system. He accepts this science, but doesn’t like it. So he tries to build some confused link to the Big Data giants.

Now there are good reasons, well known at HN, to disapprove of those guys. But Harari’s reasoning is not even wrong.

*: e.g. The RC church emphasises individual free will, claims its own temporal authority, and teaches that God is the ultimate moral authority.

I’m not certain where the haters are coming from. I thought it was well written and extremely interesting.

Sure - there are current limitations, and being able to predict what hasn’t happened yet is certainly difficult.

What was interesting to me though, is many of our most important choices in life have happened 1000s of times before. Should I buy this? Should I marry this person? What school should I go to or what career should I pursue? These are all questions that can, on average, be better answered with available data than potentially just following your gut. This is the position of the article, and I tend to agree.

While the mystical nature of the totality of the machine we are cogs in seems hyperbolic or unnerving, at a practical level it makes sense to model your interactions with the world that way. Taking that stance, the comparison to religion and humanism should be easy to follow, and reflect on. When are you “dataist”? When are you “humanist”? You’ll learn a lot about yourself simply asking that question.

Which makes for a great ending to the article - do you know yourself? Better than an algorithm? Maybe not in all cases, and the data shows that’s not necessarily a bad thing.

Please tell me exactly which algorithm, hyperparameters, processing chain and data sources are able to make better decisions than humans in ethical matters - reliably, consistently and with no regard to who is running the algorithm. What kind of questions do you want to answer and what kind of structure do you expect the answer to have?

You can’t answer, because the candidate algorithms are trade secrets, “under active development” or can only be run when babysat by trained specialists? Then it’s just a giant “Computer says no” where the implicit assumptions and biases of a relatively small group of humans are sold as “objective” or even “superhuman” by putting some layers of indirection between them and the public.

The big metaphor for life, mind, the universe, god, keeps changing. It was animals/spirits, then it was clockwork/machines, then it was information/data, and this article is a reflection of that. We keep thinking we are on the cusp of ultimate understanding, until our metaphor maxes out and we realize we’re not.

I believe the next metaphor will be ecology. The notion that an information processing agent can be understood in isolation from the ecology in which it operates (both in terms of energy/mechanics and information) is getting harder and harder to sustain. And the ecologies we humans rely on are dying quickly. We’ll need to turn that around sooner or later, by insight or by force.

The notion that an information processing agent can be understood in isolation from the ecology in which it operates (both in terms of energy/mechanics and information) is getting harder and harder to sustain

That is my main objection to the Chinese Room mental experiment. A room is not embodied, so it can’t learn like us. But an AI agent could be embodied and develop intelligent behavior.

The article is hyperbolic in the extreme and doesn’t really reflect the reality of these systems.

However. It is an important read, in my opinion.

Because this is well rendered and well formatted summation of the rhetoric people use to argue against scaled analytics and the collection of data. Understanding the counter arguments and motivation behind this article is a good step to interfacing with people uncomfortable with these ideas.

I think it’s important because it flags that there is a school of thought (that the author doesn’t side with or against) that denies humanism and theism and instead owns that observations and calculations are a better way of understanding our place in the universe than empathy with the human spirit or the purpose of a divine spirit.

This is an inversion of science’s place in ontology and epistemology (I hope I’ve got the spelling that indicates theory of knowledge, not vaginal surgery), previously science has not spoken about our inner lives and destiny, now people believe that it can say everything.

This is a shift that has happened twice before so it’s quite something.

“For the past few centuries humanism has seen the human heart as the supreme source of authority not merely in politics but in every other field of activity. From infancy we are bombarded with a barrage of humanist slogans counselling us: Listen to yourself, be true to yourself, trust yourself, follow your heart, do what feels good.”

I’m just reading a book by Norbert Elias (https://en.wikipedia.org/wiki/Norbert_Elias), who, when writing about his theory of the “civilizing process”, stated exactly the contrary. More exactly, he’s saying that we only listened to our hearts/true self/passions back when we were “un-civilized”, like in the Middle Ages, but after the State monopolized the use of force and the collecting of taxes and after the “société de cour” formed, people had to suppress their passions/heart and had to “rationalize” their external actions.

Typical article by someone really smart and educated who wants to talk about something he doesn’t really understand, but doesn’t know that.

We’ve had free will debates here on HN before, and the submitted story is usually quickly debunked as pompous and arrogant pseudo-intellectualism. A flavour of jaded post college nihilism. Fatalistic points of view can jump off a cliff if they find their circumstances so constrained, and without option.

September 24, 2016 1password security

1Password — Standalone licenses vs. new subscription service

Source

Full disclosure, I work for AgileBits, the folks that make 1Password.

I hear and appreciate your collective concerns that we are getting rid of the standalone license option. However, I’d like to assure you that not only are there no plans to get rid of it, we are continuing to develop the standalone version. We know that we have a critical mass of customers who appreciate the ability to store their password data outside of the cloud. And given that we are entirely customer funded, those are customers that we cannot and are not ignoring.

Our subscription options remain new and we are still figuring a lot of things out. One of the ongoing issues has been customer confusion between licenses and accounts. That is why we have made it a bit harder to locate information about licenses on our site. Nothing insidious, just an attempt to make it easier for the majority of our customers to locate what they are looking for without confusing them.

If anyone has any additional questions or concerns, I would encourage you to contact us directly at .

Best, Eva

I think this is disingenuous because only a month ago Kyle from AgileBits was saying that you are considering getting rid of the standalone option, if customers vote with their wallet and I quote:

“we don’t have any immediate plans to remove the standalone products. However, if a vast majority of our users switch to 1Password Family or 1Password Teams (and as of today, an Individual plan!) then it doesn’t make a ton of sense to keep the standalone product around. So, it’s probably one of those speak with your wallet kind of scenarios.”

Source: https://news.ycombinator.com/item?id=12173892

You also got rid of the Mac-only licensing option after introducing 1Password for Families. Unless I don’t remember correctly, it was about $20 cheaper than the option that also gives you that old and unmaintained Windows client.

I mean, if it’s a contest between the standalone version and subscriptions, it sure looks like the game isn’t fair.

Hey, I’m a happy 1pass customer, but give me a fucking break.

Maybe 1 visitor in 100, visiting your website, would even realize that there’s a fixed-price option still available. It’s buried way at the bottom of the pricing page, hidden inside the FAQ.

The link itself just leads to a purchase page, with absolutely no attempt to explain or lay out the differences between the subscription and fixed price option.

To claim this is about “preventing customer confusion” seems to me pretty absurd. Be more honest, please.

I think the explanation is reasonable even if you disagree with it, and the world isn’t a polarity between “company behaviors I agree with” and “shady, insidious, underhanded behavior by a company that deserves basically openly harassing someone who volunteered to talk about it and questioning their integrity and honesty in a comment.” People are too quick to accuse someone of dishonesty these days and I don’t think most realize how serious of a charge that actually is. If you said something like that to me in person we’d have a serious problem because at the end of the day, integrity is all anybody really has.

Anyway, completely happy subscription user here and it’s actually the reason I went back to 1Password. I used to do the standalone Dropbox thing too and the subscription is just night and day better, and given the value I extract from this product I’m not going to freak out over half a coffee a month nor accuse AgileBits, a company I’ve tremendously respected for many years with their attention to support and customer experience, with suddenly being the axis of evil as you’ve done here.

I’ll drive this point home: I actually got the standalone licenses cheaper through work way back when and still happily entered into paying for a subscription from my own funds.

I think the people extremely upset about this, including you, are the ones being disingenuous and forgetting how reasonable AgileBits is in everything else they do. I’m not even a fan, it’s just been apparent to me for a long time.

Again, this is $36 per year. How much value do you extract from the stuff you store in 1Password? Is it really that unreasonable for a company to move toward more recurring revenue? It’s a really weird opinion here, of all places, the “let’s build a hypergrowth SaaS” home of the Web.

I’m not accusing them of being evil, or even commenting on the change to a subscription model — I’m just calling out what to me looks like transparent dishonesty.

I’m a customer that has purchased on multiple platforms, paid for upgrades, and recommended 1password to people in person and on social media. I don’t ever want to sync my secrets to the cloud. Ever. A subscription model will permanently lose me as a customer.

It’s really hard to believe you aren’t moving to a 100% subscription model, especially when the “standard license” is now effectively getting the legacy treatment on your product page. It doesn’t feel like another version of your product, it feels like the one that is about to be dead.

I have no problem with your intention to move users towards annual subscriptions, nor offering cloud storage as an optional feature. This would certainly be more convenient for newbies.

I also have no problem in paying you $36 per year for the same functionality that I have today with the downloadable version. I guess between the family version, plus iOS, plus upgrades, I’ve been paying the same amount every couple of years.

But the moment you start forcing users to use your cloud storage (instead of locally managed options, like ssh, local sync, etc), you lost me forever.

Please make sure you keep these options very separate. Give security conscious users the option to not have their computers “phoning home” to your servers, and to explicitly enable cloud sync only if they want.

I like the separation between services right now. 1Password manages the client, Dropbox handles the storage, because they’re experts at that. The same is true for Arq, a popular Mac backup software. Arq handles the client interactions but uses third party storage providers to store the data. I trust Amazon to store my backups.

Granted, backups are not the same as passwords, but they are both important to maintain in terms of data integrity and security. And I wouldn’t trust Arq to run their own cloud storage platform and I don’t trust 1Password to operate their own cloud password storage solution, either.

I have two standalone accounts (wife and I) and I use the Team subscription for my, well, team. The thing is, I’ve chosen 1Password for my personal secrets because I don’t share them with anyone, ever. I don’t need them stored centrally as long as there is the Dropbox option, and I feel like it is precisely this architecture that has kept 1Password mostly out of the headlines unlike some of their competitors.

Hey Eva, can you pass some notes onto the team for me?

- OSX Desktop app is great. The “[+]” button to add new logins is in an odd location, but no big deal.

- The Android app needs a “Most Recent” view. I end up searching for the same logins, until I remember they can be favorited.

- When I re-install the Android App, it always prompts me to buy the PRO version. Takes a bit to resolve that it’s already been purchased.

- Windows app is bad. Really bad. Recommended 1Password to a few friends, and had to later apologize when I realized they weren’t in the Mac ecosystem. Slow, janky. Has a bad habit of locking up chrome when I first open the plugin.

- Lastly - yet another subscription service? I want you to be successful, but I likely won’t be recommending 1Password anymore, or dropping if the standalone license gets feature locked.

I think you need to adjust the pricing page graphics to reflect there are three purchase options, not just two subscription options. Many people, myself included, will not use subscriptionware.

As a long time user across platforms who has continued to pay for upgrades and has now licensed a Team and Family, I appreciate the direction you are heading, and I was more than willing to pay a recurring fee given how much the pace of development has picked up.

Since 1Password hasn’t had much support for teams and password sharing (e.g., for super admin or disaster scenarios), I have continued to support multiple managers across my clients. Due to their robust support for teams, Dashlane and Lastpass have been the most deployed. While these solutions are simple enough that my clients can make them work, they don’t enjoy using them. Quite often, I’ve learned that they’ve hit enough obstacles that they don’t even trust the tool and keep reusing the same weak passwords all over the web so that they can remember what they need.

I’m rushing to move these same clients over to 1Password before the Teams promo ends. The attention to detail and subtle improvements to UX have been really well received. And today, I will be meeting with a non-profit board to convince them to get on board.

I will take the opportunity to push a few requests (that I know you’ve heard before … from me):

  1. Many of my clients are required (by law) to provide access to their business records in case of their death. It’d be nice to give my family and employees access to certain accounts as well. Guest vaults with auditing are a step in the right direction, but I’d love to see time delayed access. I have an opportunity to reject access within a certain time frame (configurable). My concern here is that I don’t want to rely on the security practices of the people I’m sharing with to protect these particular passwords.

  2. Pairwise sharing with teammates and guests. I often need to share a single password/key (not a vault) in a pairwise fashion with several different people. Vaults are too much for one-off sharing, and the guest limits are pretty restrictive here.

  3. Revised guest model. I believe Team accounts are capped at 20 guests and Families at 2. Why not cap the number of items in a guest vault (10-15 seems fair) instead? I’m assuming the restriction is there to prevent people from abusing the feature (totally understandable). But there are some valuable guest use cases for power users (and even everyday family users).

     I want to set up a vault for my housemates and another for the folks who sublet the extra offices in my lease. 1Password is the perfect place for me to store information about door codes, wireless networks, and a few other sensitive details that may be important if I’m not available. This could also get me off of LastPass/Dashlane completely for managing project-related passwords with clients.

  4. Along the same lines, the Pro pricing for Team seems really high. I do need some of the functionality, but I can’t imagine paying approx $150/user/year to get it (though maybe a $150/team/year to upgrade the feature set would feel reasonable even for my small team). I also know that I’ll never be able to sell my smaller healthcare providers on it, even though the extra functionality would be valuable for compliance.

  5. Referral/partnership arrangement. I am constantly onboarding clients onto password management solutions, and handling many of their day-to-day challenges. I’m not just thinking about financial incentives here. It’d be nice to have some partner oriented features in the application, like the ability to move a guest vault out to an independent team or audit-only access.

I wasn’t aware of this change, so I read the entire linked support thread. Although the company responders did some nice verbal gymnastics, I think it is pretty obvious that this is mainly just a money grab on behalf of AgileBits.

Additionally, several comments implied that AgileBits was hiding the option to buy a standalone license, so I looked at their pricing page [1]. I have to say I agree; it is not listed as an option alongside the two subscription options. In fact, you have to scroll all the way down, to the end of the FAQ, to even find a mention of it.

[1] https://1password.com/sign-up/

I’ll concede that a subscription option might be better for some users, especially those using it on multiple devices, but I think AgileBits should not be hiding the regular license option.

Completely agree.

I personally have no problem using commercial software, but my password manager is one place where I suspect that I should be moving to open source in case I don’t want to renew my license over some future pricing disagreement, and I lose access to some of my critically important property (passwords).

It’s tempting to think that we’ll be able to keep our currently purchased standalone licenses in perpetuity, but I’ve already been dragged through at least one major version upgrade of 1Password to keep pace with new OS developments (for OS X and iOS). There were no new features that I needed or even wanted, but I paid the $50 (or whatever it was, I notice a new license is now $64.99!) anyway to maintain compatibility.

Unfortunately, the landscape for open source alternatives doesn’t seem particularly good. Some of those mentioned here like KeePass [1] look like they’re usable, but are quite a far shot from 1Password’s quality.

[1] http://keepass.info/

In another comment I mentioned these 3 KeePass ports:

[1] https://keeweb.info/

[2] http://keepass2android.codeplex.com/

[3] https://minikeepass.github.io/

I’m a former 1Password user and these work fine. The Android app is actually better than 1Password, and KeeWeb is better for me because it works on Linux as well and it gives me a full history of all edits (not just the password field). Plus being just one file, it is also easier to go back in time using Dropbox’s version history.

What you’ll miss is the fancy browser extension, but for me that’s fine, because a browser extension represents a huge security risk, and selecting a field in KeeWeb is painless as it has keyboard shortcuts. 1Password also has the capability for local network Wifi sync, which is really cool, but at least in my opinion they are moving away from this model and that feature will be gone.

So you’d rather copy and paste passwords because KeePass doesn’t have browser extensions? No, thanks. How are extensions security risks? You still need to enter your master password to decrypt passwords. And extensions are siloed by the browser.

I see nothing wrong with copy/paste. On Android it is a security risk, because apps can get notified and wake up when it happens, but Keepass2Android that I mentioned provides a keyboard for input which works better than 1Password.

And on desktops, I just don’t think it’s a real threat. Bruce Schneier doesn’t think so either, while at the same time he recommends against auto-fill: https://www.schneier.com/blog/archives/2014/09/security_of_p…

But even so, KeeWeb and KeePass give you this “auto-type” facility that types the password for you in any password field, without going through copy/paste. It’s not much, but it works if you’re worried.

There are browser extensions that interface with KeePass to do what you are asking.

I don’t use them, I simply use KeePass’ autotype feature.

I’d like to see websites make copy/paste easier by allowing you to enter user name and password in a combined field. Have separate fields that can be used the normal way, but also allow submission with the username field left blank and the password field containing username:password.

The fancy browser extensions are important in protecting you from phishing. They will refuse to fill in your password unless the domain matches exactly.

As a multi device user, it’s definitely better for me. I have 2x windows desktop, a Mac laptop, an iPhone and an android tablet. With the current non-subscription pricing model, it will cost me 65 dollars for the two desktop apps, plus another 20 dollars for the android + ios apps - that’s a fairly hefty upfront fee. 3 dollars a month (after 6 months) is far more appealing really.

As an aside, it’s extremely difficult to find out how much the android pro feature currently costs, I ended up finding it in the comments section of one of their posts rather than the google play store or on their website.

But the idea behind a password manager is that you effectively use it in perpetuity. I bought 1Password in 2013 for $50, and the iPhone app for $9. I use it several times a day, and don’t see that changing at any point in the near future. At $3/month, I would be approaching twice what I actually paid, with no prospect for being done with that payment. I get why AgileBits is going to a subscription model; I’m sure they would prefer that I had paid them $96 by now, rather than $59, and that I would go on to pay them another $36 per year every year forever. But the idea that you, as a consumer, are looking at this and seeing an appealing deal suggests you haven’t really thought it through very well.

Out of curiosity, when new versions of iOS and macOS get released over the next several years, are you willing to pay for the upgrades the developers will have to inevitably release in order to maintain compatibility with the OS?

Or do you expect your initial $59 purchase in 2013 to truly last in perpetuity?

I’m seeing a more appealing deal than putting out 80 dollars up front. The amount of software that I have paid for up front, and continued to use for longer than 2 years I can count on one hand. I wouldn’t be surprised if in 2 years time I had moved to another service. Given that 62 + 20 is the break even point, that’s 27 months paid, plus the 6 months up front, just shy of 3 years.

You will definitely not pay again for the Android / iOS apps, unless they release it with another name in the app store, or they introduce another paid option, hiding new features under some switch in their code, otherwise for both Android and iOS it’s a pay once model.

I’ve also had 1Password 6 for at least a year. Nothing new happened since I first bought it. And the Windows client still sucks so horribly that indeed that price isn’t justified.

But btw, for 3x desktop licenses I don’t think you’ll get away with 3 dollars per month ;-)

Well I haven’t paid for it, I’m currently using lastpass. Why wouldn’t I be able to use their $3 plan for 3 desktop machines? They’re all my machines (work desktop, personal desktop, personal laptop) and amount of time I am using more than one at a time is minimal.

You’re right, you can use it on all three. Btw, the OS X version is great, more than great, it’s the best, but the Windows version is old and kind of unmaintained. Make sure you like it.

Eh, I don’t consider it hidden as much as they just rolled out this brand new version of the product (the subscription version), so of course they’re going to emphasize what’s new.

As a 1Password user, I actually prefer this model. Many of us believe that subscription service pricing leads to more sustainable software companies, and for that reason I’m happy to see the AgileBits team take a forward looking perspective.

I have been a paying customer since 2010 or so. We have done a trial of 1Password Family, but I just don’t see the advantage for customers. You just get locked into someone’s data silo and you cannot purchase upgrades anymore at your own leisure. I agree with those who say that it primarily benefits AgileBits.

Sadly, my experience with other products that switched to a subscription model has been that at some point all kinds of strategies (‘incentives’) are applied to get people to move to subscription licensing. So, I am carefully watching the situation as it unfolds.

I know this question comes up time and time again, but as it seems a good fit here: What are the best password managers out there that do not force you to use their “cloud” for syncing between devices and are available on all major platforms?

I am a very happy 1Password user up to now because of its local wifi sync feature, but I think with this announcement the writing is on the wall: The standalone sync will go away sometime down the road to “improve” everyone’s user experience by moving them to the cloud sync and the accompanying subscription revenue. So it might be a good time to explore (open source?) alternatives…

I’m a former 1Password user and switched to KeePass ports.

On the desktop I use KeeWeb [1], which works great on both Linux and OS X, and I assume on Windows as well, on Android I use Keepass2Android [2], which is actually better than 1Password on Android btw, and on iOS I use MiniKeePass [3]. This last one is a little weak, but it works. All 3 are open source btw.

And seriously, it works better than I expected for $0.

What made me switch is their move to a subscription model. They pretend that the old licensing model will still be around, but if you pay attention, that’s not true. The first thing they did for example is to get rid of the Mac-only license, in order to make subscriptions seem more competitive. And they also stopped developing standalone features. I’m a Linux user as well, I would have liked a Linux port. And the only sync option is Dropbox, but Google Drive or other options would have been nice.

On cloud syncing, I do syncing by means of Dropbox, but my Dropbox directory isn’t a big target for hackers and at the very least I know how KeePass and GPG work, what ends up in my Dropbox being just an encrypted file. I don’t know how LastPass and 1Password work, even though they claim the encryption is only client side, and frankly I don’t care anymore.

[1] https://keeweb.info/

[2] http://keepass2android.codeplex.com/

[3] https://minikeepass.github.io/

KeePass is not the same as KeepassX, or KeepassDroid, or any of the other clients.

I’d be surprised if any features were removed from the current standalone version. So basically, until you need a software upgrade, either for compatibility or feature reasons, there are no issues.

1password major versions always cost money, so the only added cost is that of switching. With the current data-format of 1password being open-source, that shouldn’t be that hard.

As for alternatives, last time I looked (~3 months ago, when I was in the market for a password manager) I chose 1password because of their superior browser plugins. The contending alternatives were:

- keepass (open source)
- lastpass
- dashlane

I wouldn’t be surprised if features were removed in a version or two. They have a negative incentive to maintain working Dropbox syncing code, since now it’s competition for their main product.

Even if they don’t remove the feature, what are the odds it gets any love and continues to work well?

Bitrot is a real thing. Most software needs a little bit of love to continue working as the world around it changes.

What are the best password managers out there that do not force you to use their “cloud” for syncing between devices and are available on all major platforms?

The definition of “best” is subjective, and eventually up to your desires.

With that said, at least Password Gorilla (https://github.com/zdia/gorilla/wiki) is open source and has some built-in ‘sync’ ability that does not require any cloud service (it is manually driven, but it highlights most ‘merge conflicts’ for you to resolve). It is also available on Linux, Windows, and MacOS, and while not itself available on Android there are several Android apps (and maybe an iOS app or two) that inter-operate with the encrypted file format it uses.

F-Secure Key doesn’t force you to sync. Actually that’s the difference between the paid and free version (sync costs, the rest of the features are free).

I’ve been pretty happy with Enpass. Runs on pretty much everything, syncs to your choice of cloud services.

This looks like a great alternative. Thanks! I will def keep this one in my back pocket in case 1password does indeed start to deprecate or mess with the standalone offerings.

I use this everywhere and I’ve been slowly migrating all of my passwords off of 1password:

http://genpass.supergenpass.com

Bookmarklet and mobile app and I don’t need to store any passwords anymore. I also save passwords in the browser to save time after they’re generated.

Yes it might have been a valid question a few years ago. These days the ReadySignOn iOS is unquestionably the best password manager all around. Actually it’s the only one that I could trust. Its recently released source code of KeePass plug-in shows it actually uses a million key derivation iteration count and additional direct key xors on top of AES256.

What does ReadySignOn cost? I can’t find any pricing information on their website.

On their App Store web page it just says “Free” without the usual “Offers in-app purchases”.

On closing the tab I saw something about “purchases” and this is what I see in the lower left corner:

Top In-App Purchases

English website te$5.99 English website te$0.99

This might be a great program but I feel like they’re so shifty about pricing that I don’t feel comfortable with them.

I understand they can’t completely control the way that the App Store presents things and maybe it’s more clear if I load iTunes.

The app is free, no pay-to-unlock features. I think the IAP packages are for additional templates which are really not necessary at all. If I need a similar record for the same site I just duplicate then modify, it’s actually easier than templates. The only limit that I found is there is no Android version.

Their pricing felt a bit decisive as well:

$2.99

and a bit smaller: “per month billed annually”

I know breaking it down to the month is popular, but it makes 0 sense for me if the only way I can pay is annually and there is no way to pay monthly (even for a premium).

Sorry, but I’m now over to Dashlane (clear $39.99/year)

Thanks for recommending this. We currently use 1password for our business, and while the Mac client is ok, the teams website leaves a lot to be desired, and no Linux client at this point is embarrassing. It’s expensive too! You get the feeling that agile bits is ok at developing Mac and Windows software but basically has no idea about developing software for the web.

Woops! I actually meant to post super gen pass but at least the website I referenced points directly to super gen pass so it wouldn’t be too hard to figure out I would hope!

This was also my decision to go with Dashlane. I spent some time testing different managers but Dashlane was the easiest to use and pricing was straightforward. As I am working on different laptops/servers at customers, I wanted one price with unlimited devices.

Have they actually removed the standalone option?

I’m perfectly happy with it (using iCloud sync) and will continue to be a happy 1Password user unless/until they force me to subscribe.

It’s a bit hidden but you can still license a standalone version.

I’ve hit subscription model overload at this point. I’ve long-since stopped using most of the software and services in my life which are subscription based. I’m likely to just go back to an encrypted text file, and cutting & pasting passwords.

You are not Netflix, and I am not your personal ATM.

Seriously. I get that it’s good for business - but it’s like mobile apps. I only have the capacity for a few, and all others are past saturation point.

I’ve been waiting for a way to access my 1Password data on the web, e.g. from a Linux machine (no 1Password Linux client exists) so I’ll gladly pay the subscription fee now that this exists.

Also the quality of the software (in terms of user experience)—both on the desktop and on iOS—is fantastic. Also the ability to contact a human for support is excellent. In general I like to support high quality software using $.

I am however nervous about the idea of storing all my passwords on someone else’s server. If there ever were a security breach, imagine the consequence.

Instead of “change your password, we’ve been hacked” it would be “change ALL 100 of your passwords, we’ve been hacked”. Ugh.

> I am however nervous about the idea of storing all my passwords on someone else’s server. If there ever were a security breach, imagine the consequence.

This doesn’t necessarily follow, depending on the security model of the software you’re using. If encryption/decryption is handled on the client, then a breach yields encrypted data rather than anything of use. (You can then attack the encryption on that data, sure, but that’s a tall order to do wholesale.)

Also, 1pass is (was? I haven’t used it for a few years) handy for command-line access and it runs on Linux.

https://github.com/georgebrock/1pass

a security breach on the server wouldn’t mean that your passwords are compromised.

with the subscription model, they’re protected by both your master password, and your account key (128? bit key generated at account creation).

neither of those leave your computer.
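The model this comment and the reply above it describe (encryption happens on the client, so a server breach yields ciphertext that is protected by the master password together with an account key that never leaves the device) can be shown end to end in code. What follows is an added example written for this page in Go, using only the standard library; it is not AgileBits code and does not reproduce 1Password’s real format or parameters. The PBKDF2 iteration count, the 16-byte salt, the 32-byte account key, the XOR combination of the two secrets and the sample vault are all constructed choices. It also puts in one place the two details a later comment in this thread mentions, a high key-derivation iteration count and a direct XOR of the derived key with further key material, so there is no second block for that comment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const Iterations = 100000 // constructed work factor; 100,000 keeps the example quick

// ServerRecord is everything the sync service stores. No key material appears here.
type ServerRecord struct {
	Salt       []byte
	Iterations int
	Blob       []byte // nonce || AES-256-GCM ciphertext || tag
}

// pbkdf2SHA256 derives one 32-byte block with PBKDF2-HMAC-SHA256 (RFC 8018), standard library only.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): first and only output block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// NewAccountKey makes the 32-byte device-held secret; it is generated locally and never uploaded.
func NewAccountKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// VaultKey XORs the stretched master password with the 32-byte account key, so an attacker holding only the server's copy must guess both.
func VaultKey(masterPassword string, accountKey, salt []byte, iter int) []byte {
	k := pbkdf2SHA256([]byte(masterPassword), salt, iter)
	for i := range k {
		k[i] ^= accountKey[i]
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts on the client and returns only what the server may see.
func Upload(masterPassword string, accountKey, vault []byte) (ServerRecord, error) {
	random := make([]byte, 16+12) // 16-byte salt followed by a 12-byte GCM nonce
	if _, err := rand.Read(random); err != nil {
		return ServerRecord{}, err
	}
	salt, nonce := random[:16], random[16:]
	aead, err := gcmFor(VaultKey(masterPassword, accountKey, salt, Iterations))
	if err != nil {
		return ServerRecord{}, err
	}
	blob := aead.Seal(nonce, nonce, vault, nil) // nonce is prefixed to the ciphertext
	return ServerRecord{Salt: salt, Iterations: Iterations, Blob: blob}, nil
}

// Download recomputes the key locally and decrypts; GCM's tag check rejects the record unless both secrets are right.
func Download(masterPassword string, accountKey []byte, rec ServerRecord) ([]byte, error) {
	aead, err := gcmFor(VaultKey(masterPassword, accountKey, rec.Salt, rec.Iterations))
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(rec.Blob) < ns {
		return nil, fmt.Errorf("server record too short: %d bytes", len(rec.Blob))
	}
	return aead.Open(nil, rec.Blob[:ns], rec.Blob[ns:], nil)
}

func main() {
	accountKey := NewAccountKey()
	rec, _ := Upload("master-pass", accountKey, []byte(`{"example.com":"hunter2"}`)) // constructed sample
	// Breach scenario: the server record plus a correctly guessed master password, but no account key.
	_, err := Download("master-pass", make([]byte, 32), rec)
	fmt.Println("server copy without the account key:", err)
}
```

The design point is in `VaultKey`: the master password alone can be guessed offline from a leaked `ServerRecord`, but the XOR with a random 32-byte account key that is never uploaded means every guess has to be combined with 256 bits of unknown key, which is what turns a server breach into ciphertext rather than passwords. The PBKDF2 work factor only slows each guess; the account key is what makes guessing pointless.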

I am a long time 1Password customer and have recommended the software to family and friends. This new subscription model was confusing when it launched and I am now more uncomfortable with the company’s explanations and backtracking.

There are other options for password management out there. If Agilebits are not super transparent about everything, users will leave for the competition. I am much less comfortable with Agilebits than I was pre-subscription model.

The standalone version should be promoted equally on the website, not as a small link in the FAQ.

I stopped buying Adobe products when they went to subscription as well.

I’ve been watching this carefully, because the subscription model has zero benefits for me and both Chrome and Safari have started to implement basic password management solutions that already do cloud syncing. They’re weak and obscure, but usable, and 1Password’s benefit is that it’s smarter and prettier.

However, I’m not keen on cloud sync that I don’t control or that I can’t audit somehow. So no AgileBits for me in the new model, ever, and if they drop the Dropbox sync option, I’ll move everything to KeePass.

Shame, though, the UX and integration with other apps in iOS is pretty nifty.

But to be honest, I suspect AgileBits’ market share to shrink significantly over time as browser and OS-based password managers become better.

I wonder if they would have met this resistance if they had started as SaaS from day one. I mean, I get the benefit to them of recurring revenue, but from a customer standpoint this is right up there with Adobe trying to force everyone to creative cloud (albeit handled much better imho). People viewed it as something you pay once for, and not something that warrants paying in perpetuity. Customers fully realize that increasing LTV for AgileBits means a massive price hike for them over multiple years if you do the May on percentage increase.

I wonder if they would have met this resistance if they had started as SaaS from day one.

Day one for Agile Bits was in 2006, and a SaaS model just wouldn’t have worked at that time. People would’ve just laughed at “renting software for a personal computer” (Mac OS X).

The idea of using a cloud-based password manager has always sounded rather bizarre to me. For low priority sites I just use the PasswordMaker browser extension, and the KeePass app for the important ones.

The data format of 1password is open. There are open source packages out there that can read and manipulate the vault, which confirms this specification is true.

The format has attracted quite a bit of scrutiny, and no-one has found a weakness. If the underlying crypto were broken, your passwords are probably useless anyway.

It’s not cloud based. It’s a locally installed app with optional cloud syncing.

Does AgileBits being a Canadian company mean that the NSA and/or the FBI has full legal authority to intercept communications with the service without regard to the locality of the servers? Presumably they would be limited in what could be done on scale based upon the use of encryption for transport and of the vault itself, but does this change the threat profile vs Dropbox sync with respect to legal process?

How do you get $600?

$3/month is $36/year. At 10 years, that’s $360.

Where do you get another $240 for the standalone product?

Is this why texting people passwords from one password does not work anymore? This shit’s whack, that was the one reason why I tried to get other people to use the app, we could share passwords.

Over this app, looking for something else.

I recently switched to Enpass1 and am reasonably happy with it: it might be an alternative for you to consider as well.

It’s very much a 1Password ripoff, which I mean as a compliment: the UI will be familiar to you. It’s not nearly as polished as 1Password, but there don’t seem to be many native password managers that are. Their desktop clients are free, and their mobile clients are flat licenses (actually free downloads with limited functionality as a demo, and in-app purchase to unlock, but whatever).

Sync options are actually a bit better than 1Password I think: the usual suspects like Dropbox are there, but you can also sync over your own webdav server if you want to.

I switched because I wanted something that had a decent Linux client. If 1Password is going the way of subscription pricing, it seems like I made my switch none too soon.

Wow! Thx for the link, can’t believe I skipped over Enpass in my search.

Actually this doesn’t fulfill your sharing passwords requirement. It’s still something I recommend you check out though, at the very least for your personal passwords.

oh well.. there’s so many apps that do this nowadays, i got used to it by now. As soon as the ‘non-subscription-model’ of the app is no longer actively developed i just dump it and switch to another app. There are plenty of alternatives anyway.

In the recent past it definitely has seemed like AgileBits is struggling for revenue or looking at new and steady streams of revenue, which is where the subscriptions fit in.

Although AgileBits has had responsive customer service (not always necessarily the same as useful or good customer service), it has made at least one prominent mistake that it had to backtrack out of after a long time. One was putting 1Password on the Mac App Store (MAS) and saying it would be “MAS only” (like Pixelmator) and refusing to provide a separate AgileBits store option, with the justification that MAS simplifies things (it probably did remove some overheads) and that it didn’t want to maintain its own store, payment processing, etc. What was hypocritical of AgileBits was that it still had to maintain its store, payment processing, etc., for its Windows version of 1Password. Many customers complained, and complained quite a lot, on their forums, but AgileBits’ attitude and response were very poor and seemed downright obstinate. After a long time, AgileBits realized that MAS wasn’t that great (not sure of the reasons) and brought 1Password (Mac) to its store while retaining MAS as an option.

The current push of a subscription model, while stating that standalone licenses continue to remain (although obscured on the site to “avoid confusion”), seems to be a repeat of history. The outcome is unknown at this point in time. Maybe a lot of people will find the subscription easier to use and force AgileBits to shutdown the standalone licensing model. Most people who belong to the consumer segment (those who do not make money with the software they use, like in the case of Adobe products) do not prefer subscriptions and like the flexibility of “owning software” (license) and having the freedom to choose when they would upgrade and at what price (in many cases waiting for some special discount sale).

Hopefully, AgileBits will remove the obscurity of the standalone licenses and provide it prominently, because the current scheme just doesn’t fit with what AgileBits as a company always aims to be. It’s too cheap of AgileBits to do something like this. Also hopefully, the subscription models will continue to be optional (with standalone licenses available at reasonable prices) and perhaps segmented differently (with lower price points?) to attract customers for specific features that are of value to them.

It would also be better for AgileBits to get into making other kinds of software applications instead of trying to squeeze more and more out of password management and shared password systems.

I’m an occasional 1Password user on Windows, but I switched most of my passwords to the built-in browser based password management (since I mostly use only one or two browsers). For some other purposes, I use KeePass and KeeWeb (though 1Password’s browser extensions, where they work, are quite convenient). I personally don’t see a lot of value in getting 1Password anymore, and as for a subscription, that would be inappropriately wasteful.

Because free software that doesn’t offer the feature set and platforms out of the box actually costs me a lot of money in convenience and features that I use? YMMV.

Because “offers better features” is subjective, and to some people the design polish and UX of 1Password outshines that of KeePass.

September 21, 2016 photography

TWiP Apps 14: RAW; Getting RAW by 500px

Source

With the release of iOS 10, RAW image capture comes to the latest iOS devices, while RAW editing comes to even more. Many developers are rushing to bring the reality of RAW to your iOS device, and 500px is one of the first. RAW by 500px is an all-new app that not only shoots RAW, but edits RAW — even RAW files from your full size camera. In addition to a beautiful editing workflow, RAW by 500px also includes a built-in model release form and easy submission of your final image to the 500px Marketplace — release included. And finally, in the not-too-distant future, you’ll be able to review and accept paid assignments directly from the 500px app.

Join me, PhotoJoseph, for this episode of TWiP Apps with guest Adam Shutsa, VP of Design at 500px.

Find out more about RAW:

Twitter: https://twitter.com/500px
Facebook: https://www.facebook.com/500px/
Instagram: @500px
Blog: https://iso.500px.com/

Platform:

RAW by 500px was demoed on an iPhone 6.

Guest App Pick: **SKRWT**

Screenshots of RAW by 500px: Manual camera, HSL, Community filters, Model release, Library, Camera, Filters, Editing.

Do you have a photo editing app that you would like to share on the show? Click here and select TWiP Apps to contact us!

iOS, RAW by 500px, TWiP Apps
