Does anyone know if Steve Gibson has a Google+ Community or something similar for "Security Now ...

[G+_Steve C]

Does anyone know if Steve Gibson has a Google+ Community or something similar for "Security Now" where we can discuss security concerns?

I found something disturbing today. You know how browsers like

Internet Explorer and Chrome can automatically fill in blank lines and common information in documents and will offer to save your username and password when you login to a website?  Well, I always thought that information was saved locally in the browser on my PC in a cookie but it seems they have uploaded all of it!

When I recently installed Linux on a new solid state drive I also

installed Chrome to make it easy to check my email on Gmail and manage Android apps.  I only logged into Gmail, I never logged into Chrome at all and this was a new installation of Linux on a new drive so there was no information that could have been carried over from anywhere else.  However, when I used Chrome to browse to Ebay and Amazon and it asked me for the user IDs and passwords Chrome AUTOMATICALLY FILLED THEM IN!  I was shocked!

This is troubling because it means that all passwords are saved at

Google somewhere and probably not even encrypted. They might be

encrypted but there's no way to tell is there?

[G+_Joe Phelps]

This is a well publicized feature. You should look at the Settings in Chrome and adjust the Sync settings.

[G+_Steve C]

The thing is I never even logged into Chrome!

[G+_Joe Phelps]

You only have to login to one Google service to be logged into all of them.

[G+_Steve C]

I wonder if Microsoft is also saving passwords externally when someone logs into a site using Internet Explorer?  I use IE but don't presently use any Microsoft email programs like Outlook.com or live.com or other services they could use to log me in so I can test it. 

[G+_Joe Phelps]

steve c When you logged into Gmail you were logged into the other Google services such as Chrome and G+ also.

[G+_Steve C]

I guess that means the NSA has everyone's passwords now too?  They don't need to break encryption since they can just login!

[G+_Joe Phelps]

steve c How would they have them?

[G+_Joe Phelps]

I didn't finish my post. How would Google syncing your passwords and form data be any different than you entering this information on the web pages they belong to?

[G+_Paul Dail]

Use LastPass for all your log-in's.

[G+_Wayne Brander]

steve c  your browser auto-fill data and your less critical passwords are strongly encrypted and saved locally on your PC.  Same for your Google/Chrome log-in.  When customers bring in a PC with a dying hard-drive, the first question I get is "can you get my passwords back, I don't have a list of them".  The encrypted file is saved in your Chrome application folder and is available to a service tech, federal snoops, hackers and thieves.

Google offers a really handy sync feature that copies this encrypted file out to your Android devices and all other PCs you own with a Chrome browser. The conversation that types like Gibson, Green and Schneier are having today centers on who has the resources, time and money to try to break the encryption and read these files.

I would encourage you to relax about this issue steve c  .  The experts above all agree that the math is sound. It could take years and millions of dollars to be able to peek at your passwords.

Paul Dail offers a good suggestion with Last Pass but there is still the concern with NSA hacking into routers, MITM (man in the middle) attacks and even keystroke loggers.  Bottom line: Password encryption and security is GOOD.  Hacking by authorities we are supposed to trust is BAD.

[G+_Steve C]

Joe Phelps  Joe the difference is that Google now has all the passwords instead of just the site I was going to log into like Ebay or whatever.

[G+_Joe Phelps]

steve c Turn off the sync feature. This should delete your date from Google's servers.

[G+_Steve C]

So Wayne, do you think the password file is really well encrypted?

[G+_Wayne Brander]

Steve, Google now encrypts all their pages with the https protocol that we use for banking.  Have a look at the URL address at the top of this page.

Do I think it's well encrypted?... I'm just another techie... we gotta go to the experts:

 

Matthew Green is a top US cryptologist.  Here is what RT reported:  

http://rt.com/op-edge/nsa-spying-weakens-us-security-768/

The lead-in line of this bombshell:  *The NSA was no good at decrypting online communications, so they used their authority to spoil encryption technologies to get easy access to communications by people they wanted to spy on, including US citizens, Professor Mathew Green told RT.*

 

Green's blog is here:

http://blog.cryptographyengineering.com/2013/09/on-nsa.html

 

You mentioned Steve Gibson.  Here is what Gibson said on TWIT TechNewsToday: 

http://twit.tv/show/tech-news-today/834

 

Here is Gibson on Security Now:  http://twit.tv/show/security-now/421

 

And here's confirmation of Gibson's opinion from Ars Technica: http://arstechnica.com/security/2013/09/of-course-nsa-can-crack-crypto-anyone-can-the-question-is-how-much/

 

The latest encryption standards are secure.  I'm not worried about Google at all but NSA spying, hacking and gag orders destroy privacy and confidence in technology and they're also destroying US technology giants like Google, Apple and Microsoft.

[G+_Bruce B]

Well said Wayne. You have the choice of what you want synched, encrypted, and more importantly 2nd step authentication. Google doesn't bother me. Facebook irritates the hell out of me, and the government has become more dangerous than the black hat hackers across the globe. Black hats can destroy your machine and maybe your finances. The government can destroy your life.

[G+_Wayne Brander]

Bruce Bridwell I couldn't agree more with your comments on security, Google and the 'noise' of Facebook.  You've nailed it!

[G+_Bruce B]

That's an honor coming from you Wayne!

[G+_Jeffrey Michael]

Nice discussion.  For anyone with grave concerns on these developments, I recommend you watch a movie, "The Lives of Others" (a Sony Pictures Classic, Academy Award Winner for Best Foreign Language Film).  The film brilliantly uses a tale of historical hind-sight as cautionary foresight.  I can think of no other film more timely or prescient.  IMDb http://www.imdb.com/title/tt0405094/

[G+_Bruce B]

It's a great discussion! I often wonder if we've been too lazy keeping our government in check-we have. We are nothing more than subjects now. I was taught in school that we are a democracy instead of a constitutional republic. I'm 52 years old. Is it too late to turn the tide? I don't think so. I HAVE TO HAVE HOPE! I think the great minds of our country (and others) can do it in a peaceable manner with technology. If we screw around and don't demand term limits and something like the Fair Tax I'm afraid we're doomed. I remember listening to the presidential debates. Ron Paul had me until he got to foreign policy. Now I realize how correct he was. I'm sorry if I hijacked the thread, but it's relevant. It's mostly scary though. I will watch that film too.

[G+_Steve C]

Jeffrey Michael  That movie is not on Netflix so I doubt there is any way to see it unless you get a pirated copy with Bittorrent!  LOL

[G+_Joe Phelps]

steve c You can buy it on Amazon.

[G+_Wayne Brander]

Why not just watch it on Wide Eye Cinema?

http://wideeyecinema.com/?p=11212

(PS. I have not seen this and not sure how relevant or helpful it may be)

[G+_Steve C]

Wayne Brander Interesting, did you try it?  I never heard of that site but it looks like a scam. The movie doesn't play in Chrome or Firefox but I get a message across the top saying "You need to update your version of media player" and has a URL linking to some kind of ad.

[G+_Wayne Brander]

Sorry steve c , I haven't used that site for a while... looks like they're trying to monetize it.  Here's a URL that definitely works:

The Lives Of Others Das Leben Der Anderen 2006 BRRip XviD VLiS  

Let us know if you learn anything new watching the movie.