title: Put the knife down and take a green herb, dude. |
descrip: One feller's views on the state of everyday computer science & its application (and now, OTHER STUFF) who isn't rich enough to shell out for www.myfreakinfirst-andlast-name.com Using 89% of the same design the blog had in 2001. |
Wednesday, August 07, 2013
Google under fire for Chrome browser's password storage policy:

Responding to the controversy, the tech lead for Chrome's browser security team said that they had found that "boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."

This mostly suggests that the tech lead for Chrome hasn't read Joel Spolsky's Let Me Go Back! strategy letter nor ever heard the saying, "A lock keeps an honest man honest."

"But wait! Joel's not talking about security, you fool! He's talking about how Excel ate Lotus 123's lunch!" you say. That's right, but he's also talking about barriers to entry.
On this reread, "calculus" seems a bit strong, doesn't it? But this works with folks trying to read your passwords too. How many little sisters (or slightly seedy buddies) might have access to your browser? Um, lots. Better yet, how many high-end art thieves contribute to Dollar General's shrinkage issue? That'd be essentially none. Completely different "markets" for different sorts of exploits.

More clearly: Folks that install apps on your computer to phone home to some nefarious server in Elbownia do not read your passwords from your settings page. They do whatever they want. Folks that visit your house might.

Reportedly again from the Chrome tech lead:

"Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. ... the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior."

Right, because most passwords stolen from the settings page are from "someone malicious getting access to your account." Your little sister is going to "dump your session" and "install malicious extension [sic] to intercept all your browsing activity" or, get this, "install OS user account level monitoring software." How many times have you seen someone doing this, ever? How many people do you know who could do this?

The "market" described above is not the one that needs a master password. Get out of the ivory tower and back into your living room, Chrome, because that's where your users live.

I'll posit that adding a barrier to entry probably does cut the number of passwords stolen in half. I'd like to see Google's study, not their tech lead's off-the-cuff impressions, suggesting otherwise.

posted by ruffin at 8/07/2013 02:14:00 PM