My employer has started blocking 1Password.com recently, breaking my ability to access my passwords and Two-Factor Authentication (2FA) details using the browser extension. I can still get these details on my phone, but typing a completely random 22-character password by hand is far from ideal, and a bit of a pain in the rump, to be honest. This isn’t their most egregious “security theatre” policy, but it is one of the most impactful (to me).

Cards on the table, I 💖 1Password, and have been a paying customer for several years. If my access and ability to securely login/sign-up to stuff wasn’t being impeded by another party, I’d happily keep chugging away without much further thought. Their software has been super useful, convenient, and improved how I approach my personal online security.

As it is though, I started thinking about migrating from 1Password to Bitwarden; the ability to easily self-host Bitwarden being the main attraction in this scenario. Between hosting costs and upgrading to a “Pro” tier account for in-app 2FA generation, it would work out about $15-20 a year more expensive than I pay for 1Password, but that’s not a huge amount in the grand scheme of things.

However.

The most immediate concern would be rebuilding my password vault accurately, complete with all the 2FA details I need – which is a lot. That’s going to take a lot of time and effort to move across, even with an export recreating everything – at the very least I’m going to have to check and verify everything imported correctly and that I’m not locked out of anything. And my digging into this hasn’t confirmed that all item types I use in 1Password can be exported across to Bitwarden.

However, part two.

Unless you happen to have an installation of the native applications for macOS or Windows (say, because corporate policy prohibits and prevents it, and you no longer run either of those OS’s at home…), there’s no way to export your data. At all. 1Password then becomes a silo you can’t easily get out of. The only way out is to manually recreate all of your data elsewhere. When your vault starts getting above a few dozen items, that’s a lot of work. Mine stretches into the hundreds.

It’s something I hadn’t really thought about before I started the thought exercise around potentially moving away. When we talk about silos, normally we’re talking about social media locking your posts and user data inside their networks. An everyday utility like a highly-convenient password manager rarely factors into it. And yet, here I am. I guess I forgot my initial misgivings about 1Password.com, and didn’t check ahead for an exit strategy.

I’m not certain how I’m going to proceed from here. 1Password themselves haven’t given me a reason to quit their service, but I’d be lying if I said this realisation of how “locked in” I am didn’t bug me and push me towards migrating as an it’s-the-principle-of-the-thing “eff you” moment.

It’s something to revisit in the new year.

🔖 Bookmarked: Youtube's ban on "hacking techniques" threatens to shut down all of infosec Youtube

“Youtube banning security disclosures doesn’t make products more secure, nor will it prevent attackers from exploiting defects — but it will mean that users will be the last to know that they’ve been trusting the wrong companies, and that developers will keep on making the same stupid mistakes…forever.”

🔖 Bookmarked: Life Moves Fast, Smart-Apartment Style by Lesley Carhart

“I had no idea when I got the initial email about my apartment going “smart” how much my life would change in the course of a month. At the time I was speaking in front of a room of cybersecurity journalists, and it was all I could do to keep my cool and quickly blast off an appalled (and probably less than tactful) tweet. Only a few weeks later, my situation has changed everything.”

Lesley Carhart

In 2017 I’m trying to be a bit more privacy and security-minded when using the web (on all devices). I’ve been increasingly interested in these areas for a few years, and especially since the Snowden revelations, and recent events like the IP Bill, aka the “Snoopers Charter,” in the UK have pushed me further towards them. Over the next few weeks I’m going to look into (and try to document here) various things I can do to increase my security, decrease the amount of information applications and services can collect on me, and generally “take back control” of my online privacy.

I work in the tech industry, I’m fairly conscious about this stuff, and understand a few of the elements and technologies, but it’s really a very basic understanding. What I do know might be out of date. At this stage it might be too little too late… right now I don’t really know.

Upfront: I fully recognise that if the police/MI5/NSA/FSB/whoever really wanted my data, nothing I could do would be able to stop them.


Also upfront: even with that in mind, whatever I put in place won’t be considered “perfect.” What I’m looking to do is balance convenience, practicality, and security. If something is too difficult or fiddly to use, it will end up not being used.

Thinking specifically about the IP Bill, far too many agencies for my liking will have complete, unfettered access to what I get up to on the internet. Beyond that one example, the amount of web ad trackers we have to contend with nowadays is snowballing, as are the services amassing data to pay for those “free” apps we enjoy.

While it might be that none of these data collectors have nefarious purposes in mind (if you’re trusting), data security breaches are becoming bigger and more frequent. Data being stored is likely to leak or be stolen at some point, so the best you can hope for is to limit the amount of potentially harmful data[1] being held.

On a lighter note, here’s a great spoof from Cassetteboy about the IP Bill

So all this is a bit of a long-winded preamble to saying look out for the future posts where I talk about what I have learned, how I’m applying it, any recommendations I have, and how you can do the same. The first post on some of the basics, and links to reading materials will be coming today/tomorrow. In the meantime, are there any tips or good sources you’ve come across? Feel free to share in the comments.


  1. Insert definition of what you would consider “harmful data if leaked” 

For someone who’s primarily a developer/support person, I spend a lot of time setting up and configuring – or fixing – servers. I guess this came from an eagerness to learn and I got tarred with the “Linux/Server” Guy brushes at some point!

My interest in Operations has had an uptick again recently, so I’ve been doing a bit of reading of late. This morning, while waiting on news about some work-related activities I’ve come across a couple of interesting articles:

My First 5 Minutes On A Server; Or, Essential Security for Linux Servers by Brian Kennedy is a fantastic little quick-start for securing a Linux server. It’s not everything you need to do, but as noted in the article, it sets the foundations for a secure server which is easy to keep secure. Do these steps first, then go about securing any additional services you need to run.

One thing I’ve been wondering about is setting up my own email system, rather than run on Google Apps. As convenient as the Google platform is, I do sometimes think I’m trusting them with a bit too much of my information. Recent revelations about the NSA/GCHQ, PRISM, and whatever-comes-next, from Edward Snowden haven’t done much to allay those worries.

But Google Apps is convenient. It wraps my mail, calendar, contacts, and many other things into a nice package that is available everywhere and syncs across platform, with Push notifications, search, and other modern conveniences… but nevertheless, I’ve been thinking about how I could move away from the “Do-No-Evil” Empire, which is why Drew Crawford’s excellent, in-depth article “NSA-proof your e-mail in 2 hours” was a great find. I might spin up an instance on my dormant Joyent account and give it a try on one of my spare domains, so I can evaluate the process and benefits before deciding on moving my primary mail domain.

Other topics which have crossed my path this weekend are system configuration, maintenance, and automation using tools such as Chef and Puppet. The idea of taking a known-good environment and replicating it with just a few commands is definitely appealing – particularly when it comes to tasks such as setting up development/test environments! I haven’t gone too far into these topics yet, but I’m hoping to find the time in the next few weeks to go through some of the articles I’ve found.