Secure code: Roboform (proprietary) vs FOSS password managers


ITSecurityGuy
A while back, I started looking for a FOSS solution for keeping track of my passwords. I did so as a result of Michael Kassner's strongly stated preference for FOSS. MPK's bias seemed to be supported by the implied belief that proprietary code is prone to too much reliance upon "security by obscurity".

While I don't completely disagree with that, I recently had occasion to correspond with Siber Systems about my reasons for not recommending RoboForm 7 for my clients (primarily my lack of interest in trusting the cloud based features). I also expressed concern about their statement that RoboForm 6.x code was frozen and would not be developed any further.

In their response, Siber Systems explained that 6.x would continue to be supported and pointed out that RoboForm has never required any patches for security vulnerabilities. All updates were developed for enhanced function or stability, not lack of security.

This reminded me of several threads here, where it was assumed that RoboForm was not good enough because it isn't FOSS. After reading the reply from Siber Systems, I decided to perform a vendor search on Secunia's database of advisories for vulnerabilities.

I was quite pleasantly surprised to learn that none of the five pieces of software listed for Siber Systems has EVER been the target of a single Secunia advisory between 2003 and 2011. It seems that Siber Systems has apparently been capable of publishing secure code long before Microsoft's big effort began in this area. Either that, or their security by obscurity has been extremely lucky.

I will continue as a satisfied user of Roboform, feeling at least as safe with high quality (albeit proprietary) software, as anyone choosing to shun it in favor of FOSS. It's only free for 10 or fewer passwords, but it's worth the price to secure my 200-300 sets of unique credentials, as well as my personal information for completing forms. I even trust it with my SS number and a CC number, its expiration date & authorization code, because it pops up a warning, whenever it fills a field in a form with those critical items of information.

Being unable to PM Michael Kassner, I decided to post this in the hope he sees it. I would be interested in anyone's feedback on alternative solutions. I am still interested in using an additional factor, aside from the biometrics I already use on my laptop, my SecureTouch mouse and my MXI ClipDrive Bio.

Michael got me interested in the YubiKey. However, I haven't convinced Siber Systems to link it up with RoboForm directly, although there is at least one FOSS Password Manager which supports it. I haven't gotten around to trying to implement it in tandem with RoboForm myself yet. Any ideas or feedback on this?
    ITSecurityGuy

    I should also mention that the only credit card info stored in RoboForm's highly encrypted database is of the single-use type, offered by Discover and Bank of America.

    They are not valid for use with any vendor other than where I made the first purchase. I establish them with a credit line barely sufficient for the current purchase. If I want to buy from the same vendor again, I have to log into Discover's site and increase the available balance. With BoA, I have to create a new number for each purchase. I believe American Express offers a similar type of temporary account number, which links back to your real CC number, but allows limited use. I won't use my real account number for ANY online transactions.

    I am also careful to keep switching the temporary CC numbers linked to my PayPal account, whenever I use it for online payments, and I NEVER give PayPal my bank account number.

    AnsuGisalas

    I've never seen anyone say that any FOSS title will be more secure than any Proprietary title.

    Being proprietary is not a security choice, and I doubt Roboform has been relying on obscurity, if they have such a good track record.

    You need to separate these issues: Business model and Coding principles.
    FOSS or Proprietary is a Business Model choice.
    Coding doctrine is another matter entirely: Though it has correlations from the Business model: Choosing to prepare and test a project for release until it's tight is a question of deciding to build consumer goodwill, paying for that with a greater investment pre-revenue. It pays off in then having less of an upkeep-cost, too.
    Business model affects this; a greedy moneygrubbing corporation may force their developers to put the product on the market prematurely. On the other hand, a FOSS development is likely to be trickling out in both alpha and beta, on account of there being little actual difference between how a main release works, and how a test release works... most of the testers may be external, after all.

    I think it's definitely worth supporting a proprietary company that has a prudent, disciplined coding principle - if for no other reason, then for the reasons that some customers will want proprietary no matter what, and then at least the dirty moneygrubbing hacks will get a smaller part of that pie.

    ITSecurityGuy

    Firstly, I have no argument concerning the issue, straw man or otherwise, and I said so in my original post. I believe there is something to be said for the benefit of a wider review of the source code, in most cases. You have oversimplified what I was saying.

    Secondly, if you haven't seen anyone say that most FOSS products are LIKELY to be more secure than most Proprietary products, you haven't been reading much.

    (BTW, I paraphrased your claim because I never made the sweeping claim as you stated it; I only said that a "bias seemed to be supported by the implied belief that proprietary code is PRONE to [excessive] reliance upon 'security by obscurity'."

    I also revised mine, for emphasis on the word "PRONE", as opposed to your absolute phrase "will be", and just because "to too much" didn't read as easily, when I saw it this time.

    Aside from that, there are competing freeware products which are not developed for the sake of any business ROI. Some are open source; others are not. With revenue out of the picture, how can you claim that the Coding Doctrine necessarily has any correlation to any Business Model?

    I never said it was merely a security choice, but it has obvious security implications. By your example of the moneygrubbing corporation, you seem to make the case against SOME who follow the proprietary business model, often relying upon "security by obscurity", rather than taking the time to develop the code securely, or review and test it afterward.

    Your last paragraph is illogical, aside from the misuse of the conditional (if/then) or time sequencing "then", when it should have used the comparative "THAN the reason".

    It stands to reason that, if "some customers will want proprietary" NO MATTER WHAT (with or without prudent, disciplined coding?), then the dirty moneygrubbing hacks will be getting an undeserved larger piece of the pie, along with those with prudent, disciplined code.

    AnsuGisalas

    I do understand what you mean, and I've tried to address obvious exaggerations of innate open source betterness, with explosive results, in the past. I'm nowhere near ready to go DonovanColbert on it though. I think maintaining a staunch demand for prudent reporting is the way to go.

    I also didn't mean to say you made a straw man argument, that's why I wrote such a round-about "there's a bit of a straw man argument in there"
    I meant it to mean, that your opinion could be construed as an attack on a straw man, since it could be interpreted to imply that MPK has made a statement that FOSS is bound to be better than proprietary, which, knowing how carefully Michael crafts his articles (under strict and constant "santeewelding"-brand scrutiny), I find unlikely in the extreme.

    So, I'm sorry if I wasn't clear enough, I didn't mean that you made such a claim, nor that you made such an attack. - So much for the title and first paragraph of my response to you, above.

    Did you feel that the body text of my post (below first paragraph) was too aggressively worded?
    I can see how that may be - but really I was just writing very fast, and didn't take time to check for sharp edges - sorry.
    I wrote what I wrote about business models and security, because I feel it needed to be added to what you said. If you look again, I think you'll find that my message supports the parts of your message that I agree with.

    And I'll repeat the last part, since I don't think it can be said enough: "I think it's definitely worth supporting a proprietary company that has a prudent, disciplined coding principle - if for no other reason, then for the reasons that some customers will want proprietary no matter what, and then at least the dirty moneygrubbing hacks will get a smaller part of that pie. "