A question to the IT wizards here:
The recent thread on here about autorouter providing weather information inflight via LTE and the Telegram-app got me thinking. If I understand this correctly Telegram requires access to one’s contacts on the mobile device in order to function and uploads those contacts to a Telegram-server.
How do you store passwords and other confidential information, e.g. credit card or passport numbers, on a PC and on portable devices securely and ideally in a way so that the data gets synchronised? Preferably without the use of some cloud service which might or might not access the data. There are some services / apps like 1Password and others out there.
Do you have any recommendations/views or might warn of any shortfalls of such systems?
Thank you !
1Password et al are great for the job. You have to trust the app though.
I personally use “STRIP”, synced over all my devices.
I use eWallet, which I have on my Macs and all iOS devices and which syncs via cloud.
A colleague of mine stores a lot of stuff like that in a secure (encrypted) disk partition. You can do the same under Android and iOS.
There will always be remaining vulnerabilities, e.g.
In short, the only way you can be sure nobody can read stuff off your laptop should you lose it, is to encrypt the whole hard drive. Or the whole FLASH, in a mobile device. There are products for that.
Whatsapp and Telegram are a bit more tricky. They authenticate on your phone number, AFAICT. That’s why when you install them, they offer you “contacts” for each person who appears in your phone book under the number known to them and has an account with them. (Whatsapp seem to keep details for ever of people who used the app and then uninstalled it; I have been offered to “invite” a load of these). I don’t think there is much danger with these apps so long as you use them for low grade messages. Whatsapp messages can be seen by loads of people (their system admins). Telegram too unless you use the “secret” messaging mode which is encrypted end to end. IMHO the largest concern with these apps is “stalking” via the “last seen online” display, which is why some people use the features available to suppress the visibility of that bit.
Facebook’s takeover of Whatsapp means FB now has everybody’s mobile number, which is why Telegram is “better”, for now.
and uploads those contacts to a Telegram-server.
If Telegram were smart about privacy, and wanted to protect themselves from litigation over privacy breaches, they would not send the contacts to their server; they would send only crypto hashes. I don’t know what they do. It’s open source AFAIK…
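To make the "send only crypto hashes" idea from the post above concrete, here is an added illustration (written for this page; it is not Telegram's code and makes no claim about what Telegram actually does). The client hashes each address-book entry, the server matches the hashes against the hashes of its own registered users, and a third function shows the caveat a practitioner would raise: a bare hash of a phone number only protects the number as well as the number space is large, and a dialling range of a few thousand or million values is enumerated in moments. All numbers are constructed from ranges reserved for fiction; the hash function, normalisation and range width are assumptions of the example.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed sample data. The 07700 900xxx block is a UK range reserved for fiction,
# and 555-01xx is the US equivalent; neither belongs to a real subscriber.
REGISTERED_USERS = ["+44 7700 900123", "+44 7700 900456"]
ADDRESS_BOOK = ["+44 7700 900123", "+44 7700 900999", "+1 555 0100"]


def normalise(number: str) -> str:
    """Reduce a number to '+' plus digits so client and server hash identical bytes."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def contact_hash(number: str) -> str:
    """The naive scheme: an unkeyed SHA-256 of the normalised number (assumed hash choice)."""
    return hashlib.sha256(normalise(number).encode("ascii")).hexdigest()


def client_upload(address_book: Iterable[str]) -> List[str]:
    """What the client sends instead of the plaintext address book."""
    return [contact_hash(n) for n in address_book]


class DiscoveryServer:
    """Matches uploaded hashes against the hashes of its own registered users."""

    def __init__(self, registered: Iterable[str]) -> None:
        self.by_hash: Dict[str, str] = {contact_hash(n): normalise(n) for n in registered}

    def match(self, uploaded: Iterable[str]) -> List[str]:
        """Return the registered numbers that appear in the uploaded hash list."""
        return [self.by_hash[h] for h in uploaded if h in self.by_hash]


def brute_force(hashes: Iterable[str], prefix: str, width: int) -> Dict[str, str]:
    """Recover numbers from bare hashes by enumerating one dialling range.

    Phone numbers are a small space (a 7-digit local range is only 10**7 values), so
    anyone holding the hashes can repeat this for every range they care about.
    """
    wanted = set(hashes)
    found: Dict[str, str] = {}
    for i in range(10 ** width):
        candidate = normalise(f"{prefix}{i:0{width}d}")
        h = contact_hash(candidate)
        if h in wanted:
            found[h] = candidate
    return found


def run_demo() -> Dict[str, object]:
    """Client uploads hashes, server matches them, then the hashes are reversed by enumeration."""
    server = DiscoveryServer(REGISTERED_USERS)
    upload = client_upload(ADDRESS_BOOK)
    matched = server.match(upload)
    recovered = brute_force(upload, "+447700900", 3)   # enumerate the 1000-number fictional range
    return {"uploaded": upload, "matched": matched, "recovered": sorted(recovered.values())}


if __name__ == "__main__":
    result = run_demo()
    print("matched registered contacts:", result["matched"])
    print("numbers recovered from bare hashes:", result["recovered"])
```

The matching step works exactly as the post suggests: the server never sees the plaintext address book. The last step is why hashing alone is not a privacy guarantee for phone numbers: the two UK entries come straight back out of their hashes by walking the range, and only the US number survives because that range was not enumerated.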
Thanks for your feedback.
STRIP looks interesting.
On a related note: for professional reasons, I am on the lookout for something like this but with multiple levels. I.e. there can be several teams (Windows, Unix, network, database, middleware, …) and each have their list of stored passwords, visible only to authorised team members, writeable by even fewer. Persons can belong to several teams.
Don’t talk of LDAP – too many nightmares already! ;)
Or perhaps, as you said, the choice of implementation was “less than perfect”…
Peripherally on topic, I had a thought about the security of Whatsapp and similar IM services which use your phone # as a “handle”.
The real risk is if you are a famous person. Then anybody who works for the company and who finds out your mobile number (journalists don’t seem to have a problem finding those) can set things up to watch out for your messages.
Whereas, generally on the internet, all people who work for these companies can see is your IP and a few other bits which usually don’t point to any identifiable person.
Which in turn means that the use of Whatsapp etc within large companies (which use fixed IPs) needs to be done carefully…
Peter, how would this be different from hacking a phone to tap into voice calls or assume the phone’s identity? The way these services work is that each end point has an encryption key which is locally generated and whose authenticity is validated by the server once during setup by means of an SMS with a PIN code. That is a reasonably safe approach.
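The setup the reply above describes (a locally generated key whose authenticity the server checks once via an SMS PIN) as an added, self-contained walk-through of both sides of the exchange. This is illustration code written for this page, not any messaging vendor's implementation; the PIN length, five-minute expiry, three-attempt budget and the carrier stand-in are assumptions, and the "key" is placeholder bytes rather than a real asymmetric key pair. It shows what the PIN actually binds: the key offered by whoever can read SMS at that number during the window.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

PIN_TTL_SECONDS = 300  # assumed policy values for the illustration, not any vendor's
MAX_ATTEMPTS = 3


@dataclass
class Pending:
    pin: str
    public_key: bytes
    expires_at: float
    attempts: int = 0


def random_pin() -> str:
    return f"{secrets.randbelow(10 ** 6):06d}"


class RegistrationServer:
    """Binds a client-generated public key to a phone number after one SMS PIN round-trip."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time,
                 pin_source: Callable[[], str] = random_pin) -> None:
        self.send_sms, self.clock, self.pin_source = send_sms, clock, pin_source
        self.pending: Dict[str, Pending] = {}
        self.bound_keys: Dict[str, bytes] = {}

    def begin(self, number: str, public_key: bytes) -> None:
        """Step 1: client sends number + public key; server answers out of band via SMS."""
        pin = self.pin_source()
        self.pending[number] = Pending(pin, public_key, self.clock() + PIN_TTL_SECONDS)
        self.send_sms(number, f"Your verification code is {pin}")

    def confirm(self, number: str, pin: str) -> bool:
        """Step 2: whoever echoes the PIN back within the TTL and attempt budget gets the binding."""
        p = self.pending.get(number)
        if p is None:
            return False
        p.attempts += 1
        if self.clock() > p.expires_at or p.attempts > MAX_ATTEMPTS:
            del self.pending[number]
            return False
        if not hmac.compare_digest(p.pin.encode(), pin.encode()):  # constant-time compare
            return False
        self.bound_keys[number] = p.public_key
        del self.pending[number]
        return True


class Phone:
    """Client side: holds the number's SMS inbox and a locally generated key (stand-in bytes here)."""

    def __init__(self, number: str) -> None:
        self.number = number
        secret = secrets.token_bytes(32)                              # stands in for a private key
        self.public_key = hashlib.sha256(b"pub:" + secret).digest()   # stands in for its public half
        self.inbox: List[str] = []

    def register(self, server: RegistrationServer) -> bool:
        server.begin(self.number, self.public_key)
        return server.confirm(self.number, self.inbox[-1].split()[-1])  # read the code out of the SMS


def sms_network(*phones: Phone) -> Callable[[str, str], None]:
    """Constructed carrier stand-in: a text reaches only the phone that currently holds the number."""
    by_number = {p.number: p for p in phones}
    return lambda number, text: by_number[number].inbox.append(text) if number in by_number else None


def legitimate_registration() -> bool:
    phone = Phone("+447700900123")  # fictional UK drama range
    server = RegistrationServer(sms_network(phone))
    return phone.register(server) and server.bound_keys[phone.number] == phone.public_key


def guessing_without_the_sim() -> bool:
    """Knows the number, cannot read its SMS: gets MAX_ATTEMPTS blind guesses, then the attempt dies."""
    victim = Phone("+447700900456")
    server = RegistrationServer(sms_network(victim), pin_source=lambda: "735190")
    server.begin(victim.number, b"attacker-generated-key")
    results = [server.confirm(victim.number, f"{g:06d}") for g in range(MAX_ATTEMPTS + 1)]
    return not any(results) and victim.number not in server.bound_keys and not server.pending


def expired_pin() -> bool:
    now = [1_000.0]
    phone = Phone("+447700900789")
    server = RegistrationServer(sms_network(phone), clock=lambda: now[0])
    server.begin(phone.number, phone.public_key)
    pin = phone.inbox[-1].split()[-1]
    now[0] += PIN_TTL_SECONDS + 1
    return server.confirm(phone.number, pin) is False and phone.number not in server.bound_keys


if __name__ == "__main__":
    print("legitimate:", legitimate_registration())
    print("blind guessing blocked:", guessing_without_the_sim())
    print("expired PIN rejected:", expired_pin())
```

The three scenario functions are the checks worth keeping in mind when evaluating such a scheme: the holder of the SIM registers in one round-trip, a party who merely knows the number runs out of guesses, and a stale PIN is refused. Note that nothing here authenticates the key itself; the server simply records whichever key arrived alongside a successful PIN.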