http://torrez.us/archives/2006/06/10/457/ Hi. Fri, 02 Mar 2012 05:57:41 +0000 hourly 1 http://wordpress.org/?v=3.2.1 http://torrez.us/archives/2006/06/10/457/comment-page-1/#comment-167964 David Fri, 12 Oct 2007 04:10:47 +0000 http://torrez.us/archives/2006/06/10/457/#comment-167964 I redownloaded my OS and don't know what my pin number is so I can't open the browser sync. How can I get my pin number? Thanks, David Thanks,
David]]> http://torrez.us/archives/2006/06/10/457/comment-page-1/#comment-154145 Phillip Fri, 31 Aug 2007 12:22:12 +0000 http://torrez.us/archives/2006/06/10/457/#comment-154145 Dhval Don't know where a "four digit PIN" concept comes from. While my Google PIN (for Browser Sync) is over eight digits long, includes numbers, letters, and sybols. I'd wager it is fairly secure. The PIN can be shown in clear text on the LOCAL machine when modifying settings, but I do not believe it is stored on the LOCAL machine that way (unconfirmed.) It is stored no where other than each local machine that has Google Sync Elias Torres You can, of course, disable the sync of any portion of that data, on a category by category basis. You can also choose to encrypt any category. Only passwords have no option to pass unencrypted. If security is your issue, choose which information you want to sync, choose to encrypt it all, and have fun. As far as overall security, If you are using windows (and most other OSs) general access to your local machine is insecure enough. Having, or not having google sync makes little difference. Using firefox to encrypt my passwords locally, sync-ing only my passwords and bookmarks to google and encrypting all sync categories makes my life very convenient, and reasonably secure. I use 6 different computers (four regularly), and trying to keep up with where that damn link is that I added a couple weeks ago would otherwise be very unpleasant. It is useful to remember that security is never perfect. The real goal of computer security is to make the obtainment of the information not be (or to appear not to be) worth the amount of resources and effort required to obtain it. Bank vaults work on this principle. Front door locks work on this principle. Security systems. All security, physical and otherwise is based upon this principle. ANYTHING can be broken into with enough time and resources. "Secure" things just are not worth the requisite amount of time and/or resources.
Don’t know where a “four digit PIN” concept comes from. While my Google PIN (for Browser Sync) is over eight digits long, includes numbers, letters, and sybols. I’d wager it is fairly secure.

The PIN can be shown in clear text on the LOCAL machine when modifying settings, but I do not believe it is stored on the LOCAL machine that way (unconfirmed.) It is stored no where other than each local machine that has Google Sync

Elias Torres
You can, of course, disable the sync of any portion of that data, on a category by category basis. You can also choose to encrypt any category. Only passwords have no option to pass unencrypted. If security is your issue, choose which information you want to sync, choose to encrypt it all, and have fun.

As far as overall security, If you are using windows (and most other OSs) general access to your local machine is insecure enough. Having, or not having google sync makes little difference.

Using firefox to encrypt my passwords locally, sync-ing only my passwords and bookmarks to google and encrypting all sync categories makes my life very convenient, and reasonably secure. I use 6 different computers (four regularly), and trying to keep up with where that damn link is that I added a couple weeks ago would otherwise be very unpleasant.

It is useful to remember that security is never perfect. The real goal of computer security is to make the obtainment of the information not be (or to appear not to be) worth the amount of resources and effort required to obtain it.

Bank vaults work on this principle. Front door locks work on this principle. Security systems. All security, physical and otherwise is based upon this principle.

ANYTHING can be broken into with enough time and resources. “Secure” things just are not worth the requisite amount of time and/or resources.]]> http://torrez.us/archives/2006/06/10/457/comment-page-1/#comment-141336 Dhval Thu, 12 Jul 2007 13:01:18 +0000 http://torrez.us/archives/2006/06/10/457/#comment-141336 :) Today 8:27am (EDT) I lost my pin, did a google search with "google browser sync lost pin" and this page was the first page to show up. This is rather an anomaly because I always thought google gives priority to pages on google.com. I Always wonder that the user specific search information is good enough to do a lot of things and how may google use it. David you are right the PIN is indeed on local machine. So google can claim that they don't have access to your browser data and saved password. This is confirmed from this faq, http://www.google.com/tools/firefox/browsersync/faq.html#q19. But ever wonder how secure can a 4-DIGIT password be. So it boils down that goggle owns every GBS user, not only there browsing history but all "sensitive" information. Definitely it doesn't scare me as my "sensitive" information isn't worth much accept for nasty ad's. But I can say that this isn't fair enough. Today 8:27am (EDT) I lost my pin, did a google search with “google browser sync lost pin” and this page was the first page to show up. This is rather an anomaly because I always thought google gives priority to pages on google.com. I Always wonder that the user specific search information is good enough to do a lot of things and how may google use it.

David you are right the PIN is indeed on local machine. So google can claim that they don’t have access to your browser data and saved password. This is confirmed from this faq, http://www.google.com/tools/firefox/browsersync/faq.html#q19.
But ever wonder how secure can a 4-DIGIT password be. So it boils down that goggle owns every GBS user, not only there browsing history but all “sensitive” information.

Definitely it doesn’t scare me as my “sensitive” information isn’t worth much accept for nasty ad’s. But I can say that this isn’t fair enough.]]> http://torrez.us/archives/2006/06/10/457/comment-page-1/#comment-10964 Elias Torres Sun, 23 Jul 2006 11:39:01 +0000 http://torrez.us/archives/2006/06/10/457/#comment-10964 David, I think you could be correct and I could confirm my suspicions by contradiction of yours. I guess I will have to install Browser sync. Anyhow, if you are right then we have our PIN in cleartext in our local machine and that's not that safe. Imagine the next worm or a rogue extension uploading everyone's PIN number to a central location. Also, what kind of encryption algorithm could they be using from Javascript since they are doing this locally. I guess we'll have to find out. In Windows you could encrypt the PIN with your logon information but you need a DLL call for that and most likely the Firefox extension is for all platforms, so I doubt they are using that.
I think you could be correct and I could confirm my suspicions by contradiction of yours. I guess I will have to install Browser sync. Anyhow, if you are right then we have our PIN in cleartext in our local machine and that’s not that safe. Imagine the next worm or a rogue extension uploading everyone’s PIN number to a central location. Also, what kind of encryption algorithm could they be using from Javascript since they are doing this locally. I guess we’ll have to find out. In Windows you could encrypt the PIN with your logon information but you need a DLL call for that and most likely the Firefox extension is for all platforms, so I doubt they are using that.]]> http://torrez.us/archives/2006/06/10/457/comment-page-1/#comment-10934 David Masover Sat, 22 Jul 2006 23:46:50 +0000 http://torrez.us/archives/2006/06/10/457/#comment-10934 Could you please confirm whether this works the way you think it does? Here's how I think it works: Your PIN is kept in cleartext on the _local_ machine, and never sent to Google. Every now and then, it makes you re-enter it anyway, but if that hasn't happened, there should still be a copy on a machine where you've already installed and been using Browser Sync -- thus, you can view it. You could probably theoretically change your PIN -- decrypt your data, change your PIN, re-encrypt your data, and re-upload it. http://torrez.us/archives/2006/06/10/457/comment-page-1/#comment-8082 ®¤©: weblog: QOTD: Chocolate Bars for Everyone Sun, 11 Jun 2006 01:04:33 +0000 http://torrez.us/archives/2006/06/10/457/#comment-8082 [...] — Elias Torres. I don’t have much faith in the accuracy of that chocolate bar password survey, but still … [...] http://torrez.us/archives/2006/06/10/457/comment-page-1/#comment-8072 Elias Torres Sat, 10 Jun 2006 16:26:33 +0000 http://torrez.us/archives/2006/06/10/457/#comment-8072 BillyG, InfoLister looks like what I was looking because it writes it to a file. I now can write a cron job that encrypts it and scp to my hosting provider or S3. Of course, the average Joe can't do this and will end up with GBS.
Of course, the average Joe can’t do this and will end up with GBS.]]> http://torrez.us/archives/2006/06/10/457/comment-page-1/#comment-8068 BillyG Sat, 10 Jun 2006 15:54:49 +0000 http://torrez.us/archives/2006/06/10/457/#comment-8068 I don't keep bookmarks on my box, everything goes to my del.icio.us account. This of course gives me access at all times while online and negates the worry of me corrupting my FF profile (hasn't happened in a long time but you never know). I figure there is a better chance of this happening than Y! going out of business lol. I also use the InfoLister ext to save my FF extensions to my host (and provide a link to it on my sidebar for others to grok) so I really didn't see the need for GBS in my case. Anyway, I decided to give GBS a try after a day of two and immediately found that it made me relogin to delicious everytime I posted to it, totally unacceptable, as I've never had this problem before. Needless, to say, I promptly deleted it and my deilicous is working as expected, just fine and G knows a tiny less amount about me lol.
I also use the InfoLister ext to save my FF extensions to my host (and provide a link to it on my sidebar for others to grok) so I really didn’t see the need for GBS in my case.

Anyway, I decided to give GBS a try after a day of two and immediately found that it made me relogin to delicious everytime I posted to it, totally unacceptable, as I’ve never had this problem before.

Needless, to say, I promptly deleted it and my deilicous is working as expected, just fine and G knows a tiny less amount about me lol.]]>