Comments on: Free Tech Tools Worth Blogging About

By: David Louis Edelman

David Louis Edelman — Mon, 24 Sep 2007 19:24:56 +0000

I seem to remember you commenting a few times, and always with long and thoughtful comments. Maybe I’m confusing you with someone else. Regardless, I always appreciate when someone takes the time to post something more substantial than “Right on, man!” or “You suck, dude!”

By: Yaron

Yaron — Mon, 24 Sep 2007 19:17:13 +0000

You’re most welcome of course.
But since I think I haven’t really commented here for many months, and it was only a few comments back then, I’m not really sure what the “as always” refers too.

By: David Louis Edelman

David Louis Edelman — Sun, 23 Sep 2007 23:56:04 +0000

Thanks for the thoughtful comments, Yaron, as always.

By: Yaron

Yaron — Sun, 23 Sep 2007 23:17:40 +0000

Looking around some more, both Clipperz and PassSafe seem to be on the level, as far as they can. The presentation of the issue on Clipperz’ FAQ probably doesn’t indicate that they don’t know what they’re doing.
But they both have the same things that bother me, and are inherent in the technology:
1. Trust and attractiveness off the server data. True, the data on the server is encrypted. Which puts anyone accessing it in the same spot as getting any other encrypted password file you’d put elsewhere. But here you can’t ever move the data or change the format yourself. And everyone knows that whatever is kept there is very likely passwords, so if they get lots of users the data becomes much more… attractive, that random individual files placed on random servers.
2. The data always gets transferred over the Internet. This will of course happen in any method you’d use that stores the information online. But if you keep a file that you sync manually, you have some ability to notice when something happens that shouldn’t. This way, if the unencrypted information does get sent somewhere, you can’t easily notice something other than normal browser behaviour has happened.
3. The whole reason that the data isn’t placed on their servers in unencrypted form is that the javascript code encrypts it. It’s an issue of trust, but all it would take is probably 1-2 lines changed and an update of the javascript code. Very easy for them, or for someone hacking their servers, to do. Probably also easy to detect, but by the time it’s detected it will be too late for many users.
4. Everything is done with javascript in the browser. Which, unless they’re very very careful, will basically allow the website to interfere with the process. All your passwords are decoded on the client. If you, for example, sign in to an untrusted site (or a fully trusted one, that was hacked itself, or had their ads hacked, etc. These things do happen, and happened several times this past years for otherwise trusted big sites), it’s very likely it could get all your unencrypted passwords if the hack was designed to do so. All the security problems things like GreaseMonkey had/has, but with even less ability to deal with it. If their javascript can interact with the open site, the open site can interact with their javascript.
5. Firefox only. I like Firefox, and usually use Firefox (apart from Opera when I’m very impatient, or IE when using a badly designed site), but it’s limiting for this type of application. You wrote that you need an online-password store. Is it for syncing 2-3 computers of yours, or to access from other/public computers? In the latter cases, you may not even have Firefox installed. In the former, you still may need to interact with some IE only sites.

And you need something you can put all your passwords into, including those that really matter (banks, main email / hosting , etc). Because if you only use this for the less-critical one, you’ll need a solution for the other cases anyway, so why use two tools instead of one?

Personally, I’d stick to an “offline” password manager program, and storing an encrypted password file online.
I assume your host does provide some FTP access. If not, there should still be plenty of web-apps that can allow you to upload a file to the server for updates, and to download it through simple HTTP file download.
So just keep the password management password online as well, for quick download+installations/run on new/public computers.
If you don’t change the passwords, you just need to download the file. Where you might change them, or add them, just save the new file, and upload to the server.
It’s slightly less convenient than Clipperz/PassPack, but not by much, and should be much safer.

By: David Louis Edelman

David Louis Edelman — Sun, 23 Sep 2007 21:00:56 +0000

Yaron: I’d be curious if you’ve taken a look at Clipperz’ competitor PassPack to see if you find their implementation just as troubling. Or is there another service you recommend? A secure online password repository is something that I really need. My previous alternative was to keep a password-protected document up on Google Docs, which strikes me as hardly better than no security at all.

By: Yaron

Yaron — Sun, 23 Sep 2007 20:29:37 +0000

Clipperz seem interesting in concept, but:
(1) The crypto/security part on their FAQ page just lights up too many warning-signs. Maybe they know their stuff and are just bad at the writing/marketing part, but it feels bad.
(2) The javascript code than handles all the passwords can do whatever it wants with them, so even if the encryption is good it will take just a single change to the service to have it send everything open wherever it wants. You can’t even have a simple way to detect that your password manager program creates Internet connections, since the browser is expected to do that all the time. And, well, it does open the can of worms of interacting with the web services themselves and preventing the site from interacting with it if it wants to…

I join the recommendation for VideoLAN/VLC. Lightweight. Plays pretty much everything without requiring an external codec. It can also get almost every streaming video source. And (though this can be a downside for many people) it’s extremely configurable.

PDF-XCHANGE viewer is also really good. There are some cases (rare, and I wasn’t able to find and obvious connection) were it doesn’t properly copy text out of the viewed PDF, so I keep Foxit as a backup. It copies text out of those better, and loads a little faster, but it lacks the more advanced features that PDF-XCHANGE has.

Irfanview is excellent. Copernic is also very good at what it does, but I had problems with it and very large text files, and it had an annoying tendency to decide that the computer is idle for indexing when I was burning discs, so I removed it.

Tag2Find sounds interesting.

I’d add EverNote to the list of recommended utilities. The concept (simulating a continues “tape” paper that you keep adding notes too) is a little strange at first, but it’s very comfortable to use. Fast searching over past notes. And you can add automatic rules/keywords for tagging notes.

Another recommendation is to have a good clipboard manager/search. Personally I use Ditto, but there are some other excellent options. Time-saver.

By: Soni

Soni — Sun, 16 Sep 2007 04:13:36 +0000

Just a note on Tag2Find - if you let it auto tag your documents when you first load it (it tags based on file name, folder, etc), you might end up with a lot of non-useful tags, especially if your file-naming habits are less than wonderful. OTOH, it saves going through and hand-tagging each and every file you already have.

For example, I have some old archived Front Page generated html files around, a few of which are now helpfully tagged with _vti_private and so on. *rolleyes*

Your call, but just an fyi.

By: David Louis Edelman

David Louis Edelman — Fri, 14 Sep 2007 05:02:00 +0000

Soni: Tag2Find sounds pretty cool. Vista was supposed to enable you to tag your files and search for them that way natively, but it’s been a pretty big disappointment. These days if I don’t know where something is, I use Copernic and search for content.

Al: I’ve had a love/hate relationship with GIMP. It’s ridiculously powerful, but I always seem to have stability problems with it. And I’m so used to the Photoshop GUI, I always get frustrated trying to adjust to GIMP’s. I’ll have to check out VideoLAN.

JJA: Sounds cool. I think Adobe made a good move by opening up the PDF standard to allow third-party tools. The third-party market’s just exploded in the past few years.

By: John Joseph Adams

John Joseph Adams — Fri, 14 Sep 2007 04:43:26 +0000

I just came across a PDF tool today that’s pretty handy–PDF-XCHANGE VIEWER (http://www.docu-track.com/home/prod_user/pdfx_viewer/). It lets you annotate PDFs, so if you’re say doing a copyedit on a large document, you can use that to mark up the electronic manuscript.

Basically, it gives you a lot (if not all) of the features of the full version of Adobe Acrobat (as opposed to Acrobat Reader), but for free.

By: Al

Al — Fri, 14 Sep 2007 04:30:25 +0000

Sorry for the formatting error in my last comment… it’s kinda hard to read, but the three tools I listed in my previous comment were (1) GIMP, (2) VideoLAN, and (3) SUPER.