org.nspasteboard.TimeLimited or ConcealedType


Brian Bucknam

Jun 11, 2013, 3:06:58 PM
to nspast...@googlegroups.com
Thomas T. brought this up in the thread about RestoredType (and originally over a month ago -- it has taken me a while to get back through my postponed "todo" list), but I think it would benefit from its own, separate, discussion.

(I guess if you only view this via email, maybe the separate thread doesn't seem quite the same?)

Anyway, to expand upon Thomas's proposal:

First: the motivation. One other known "producer" of clipboard data is 1Password and (I assume) similar password management utilities. They 'remember' wonderfully difficult-to-crack passwords that most of us could never remember and, in some usage scenarios, place the password onto the pasteboard so the user can log in to some service by Pasting the password into the appropriate field.
Of course, a difficult-to-crack password is no longer as difficult to crack if someone glances over your shoulder five or ten minutes later when you bring up your clipboard history utility window to Paste in something else.
That is, the motivation is to add a pasteboard marker that indicates that the item should either not appear at all in any clipboard history, or that it should only stay in the history for a limited time.

Thomas Tempelmann proposed a "ConcealedType" that would not appear at all in clipboard history utilities. That makes some sense.

There was some discussion at that time with Peter Maurer, who argued that he would like to be able to Copy an account name and a password from KeyChain or 1Password, then use a clipboard history utility to Paste first one of those items, then the other, into a login window. So he was arguing against "ConcealedType," but liked the idea of a "TimeLimited" or "OneTimeUse" marker.

So the actual proposal (subject to discussion and refinement of course) is: An "org.nspasteboard.TimeLimited" marker which could contain an NSDate (or possibly just an NSTimeInterval value) after which the marked item should be removed from the user interface of clipboard history utilities.

This proposal makes a lot of sense to me, but of course I don't develop either a password utility (which would 'produce' this marker) or a clipboard history utility (which might want to specially handle it).

But, like Thomas said, if enough developers embraced it as a standard, perhaps 1Password and other similar utilities would pick up and start using it.

Cheers,
Brian

Peter Maurer

Jun 11, 2013, 5:26:52 PM
to nspast...@googlegroups.com
Hi guys,

I think ConcealedType could be a great improvement for certain users. However, I'm not so sure about TimeLimited, and in a broader sense, about whether the standard should define what is to be done with pasteboards that are marked as concealed/private. My ideal scenario would look like this:

The producer app merely tags the pasteboard. Then the consumer (e.g., a pasteboard history app) decides how to deal with that. It might want to...

- Simply ignore pasteboards marked as concealed
- Display and paste them when requested, but obfuscate the display (e.g., "Password" => "P•••")
- Set a timer that makes sense in the current context, or remove concealed pasteboards when the consumer quits
- Maybe even ignore the marker (i.e., treat these pasteboards like any other pasteboard) in some cases

...depending on internal logic based on the task at hand and/or user preferences -- which, as a user, I'd expect in the consumer app, not the producer.

In my opinion, the producer app doesn't know enough about the consumer app's job and the user's condition (disabilities?) to be in a position to set a reasonable timeout.

Peter.

Peter Maurer

Jun 11, 2013, 5:48:12 PM
to nspast...@googlegroups.com
Upon re-reading what I just sent, I think I owe Brian an apology regarding TimeLimited:

Yes, I am indeed criticizing an idea that I was quite fond of initially, and I know that's a bit of a jerk move. Unfortunately, that often happens when I think about stuff like that -- at first I'm enthusiastic, then when I revisit the idea, potential issues crop up.

Sorry about that. And I'll stop flooding the list now. :)

Peter.

Peter N Lewis

Jun 12, 2013, 2:19:59 AM
to nspast...@googlegroups.com
On 12/06/2013, at 3:06 , Brian Bucknam <br...@smilesoftware.com> wrote:
> Anyway, to expand upon Thomas's proposal:
>
> First: the motivation. One other known "producer" of clipboard data is 1Password and (I assume) similar password management utilities. They 'remember' wonderfully difficult-to-crack passwords that most of us could never remember and, in some usage scenarios, place the password onto the pasteboard so the user can log in to some service by Pasting the password into the appropriate field.
> Of course, a difficult-to-crack password is no longer as difficult to crack if someone glances over your shoulder five or ten minutes later when you bring up your clipboard history utility window to Paste in something else.
> That is, the motivation is to add a pasteboard marker that indicates that the item should either not appear at all in any clipboard history, or that it should only stay in the history for a limited time.
>
> Thomas Tempelmann proposed a "ConcealedType" that would not appear at all in clipboard history utilities. That makes some sense.
>
> There was some discussion at that time with Peter Maurer, who argued that he would like to be able to Copy an account name and a password from KeyChain or 1Password, then use a clipboard history utility to Paste first one of those items, then the other, into a login window. So he was arguing against "ConcealedType," but liked the idea of a "TimeLimited" or "OneTimeUse" marker.

I like the idea, and agree with Peter: just stick with org.nspasteboard.ConcealedType and leave it to the clipboard history app to figure out what that means.

For Keyboard Maestro, at a minimum it would mean avoiding saving it to disk, and would likely mean some form of restricted display in the history. The question for me would be whether there is any case where I can actually generate the attribute, which would also be handy. Perhaps as simple an action as "Mark the current clipboard as ConcealedType", although I guess by that point there would be no way to have other clipboard history consumers notice that the previous value was the same and is now concealed.

Anyway, if you can get any application to actually generate this attribute (especially 1Password, which I think would be relatively easy) then I would be happy to support it to at least some level.

Does anyone who has any contacts with the 1Password folks want to approach them with the suggestion?
Peter.

--
Keyboard Maestro 6.0.1 now out - Syncing, Plug Ins, Styled Text, Browser Control & More.

Keyboard Maestro <http://www.keyboardmaestro.com/> Macros for your Mac
<http://www.stairways.com/> <http://download.keyboardmaestro.com/>
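
The consumer-side options raised in the messages above (skip the item, obfuscate it as "P•••", expire it, or ignore the marker, and keep concealed items off disk), sketched in Swift as an added example that is not part of any poster's message or any shipping app's code. Only the marker name org.nspasteboard.ConcealedType comes from the thread; the function and type names, the empty marker value and the sample string are assumptions.

```swift
import AppKit

// Marker name as proposed in this thread. Every other name below is hypothetical.
let concealedType = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")

// Producer side (e.g. a password manager): publish the text plus the marker.
// Assumption: only the marker's presence matters, so its value is left empty.
func copyConcealed(_ secret: String, to pasteboard: NSPasteboard) {
    pasteboard.declareTypes([.string, concealedType], owner: nil)
    pasteboard.setString(secret, forType: .string)
    pasteboard.setString("", forType: concealedType)
}

// Consumer side: what a history utility does with a marked item is its own choice.
enum ConcealedPolicy {
    case skip                               // never enters the history
    case obfuscate(lifetime: TimeInterval?) // pasteable, masked, optional expiry
    case treatAsNormal                      // marker ignored (user preference)
}

struct HistoryEntry {
    let text: String
    let masked: Bool
    let expiresAt: Date?

    // "Password" => "P•••": the history window never shows the full value.
    var displayText: String {
        masked ? String(text.prefix(1)) + "•••" : text
    }
    // Masked entries stay in memory only and are never written to a history file.
    var mayPersistToDisk: Bool { !masked }

    func isExpired(at now: Date) -> Bool {
        guard let expiresAt = expiresAt else { return false }
        return now >= expiresAt
    }
}

func makeEntry(from pasteboard: NSPasteboard,
               policy: ConcealedPolicy,
               now: Date = Date()) -> HistoryEntry? {
    guard let text = pasteboard.string(forType: .string) else { return nil }
    let marked = pasteboard.types?.contains(concealedType) ?? false
    guard marked else { return HistoryEntry(text: text, masked: false, expiresAt: nil) }

    switch policy {
    case .skip:
        return nil
    case .obfuscate(let lifetime):
        return HistoryEntry(text: text, masked: true,
                            expiresAt: lifetime.map { now.addingTimeInterval($0) })
    case .treatAsNormal:
        return HistoryEntry(text: text, masked: false, expiresAt: nil)
    }
}

// Constructed demo on a private, uniquely named pasteboard (not the general one).
let board = NSPasteboard.withUniqueName()
copyConcealed("constructed-sample-secret", to: board)
if let entry = makeEntry(from: board, policy: .obfuscate(lifetime: 60)) {
    print(entry.displayText, entry.mayPersistToDisk)
}
board.releaseGlobally()
```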






Günther "gue" Blaschek

Jun 12, 2013, 3:06:30 AM
to nspast...@googlegroups.com
Hi folks,

After following the new thread on ConcealedType, I may have found a reason NOT to include this on the clipboard.

Without ConcealedType: It is true that a historian can include passwords in the history. Users could then inspect the history and would see the passwords.
With ConcealedType: The only reasonable solution would be to actively exclude such items from the history. Just obfuscating them in the UI (•••) would not help. Anyone would see that a password is being hidden from his eyes. But it's actually quite simple to recall this history item and paste the plain-text password into TextEdit.

But here is another - even more frightening - scenario: Assume that I would like to steal passwords (just for the sake of this discussion; don't worry, I'm a good guy. :-). All I need to do is create a utility that runs on the user's computer in the background. This could be something with a useful purpose, so users actively install this thing on their computers. Now all I would have to do is watch for pasteboard changes and record everything that contains the ConcealedType marker. I could ignore everything else, but as soon as there is the ConcealedType flag, I know that I have found something important. It's as if someone publicly said "Don't listen now. I'm going to say something secret." Or - as in the good old spy movies - you come across a folder with "TOP SECRET" printed on the cover in big red letters. A perfect reason to take a closer look.

In the days of PRISM, I ask you to reconsider this flag. I'm not sure whether I have fully understood the consequences. There may be others who do. Please double-check that the introduction of such a "TOP SECRET" label will not make things worse.

Cheers,
gue

Thomas Tempelmann

Jun 12, 2013, 3:28:56 AM
to nspast...@googlegroups.com
gue Günther Blaschek wrote:

> scenario: Assume that I would like to steal passwords

Then I’d watch the clipboard for any single words (no spaces in it) that do not consist of only letters but contain symbols and/or digits.

Thus, complex passwords are easily detected anyway (no need for the ConcealedType marker), and simple passwords that consist of letters only and look like ordinary words are mainly just that – ordinary words, and are already covered in dictionary attacks anyway, and thus discouraged.

So, for any tool trying to spy on “good” passwords in the clipboard, there’s no protection from it, anyway. The new type hardly makes this worse.

Thomas

Brian Bucknam

Jun 12, 2013, 8:04:32 PM
to nspast...@googlegroups.com
On Wednesday, June 12, 2013 12:06:30 AM UTC-7, Günther "gue" Blaschek wrote:
> But here is another - even more frightening - scenario: Assume that I would like to steal passwords (just for the sake of this discussion; don't worry, I'm a good guy. :-). All I need to do is create a utility that runs on the user's computer in the background. This could be something with a useful purpose, so users actively install this thing on their computers. Now all I would have to do is watch for pasteboard changes and record everything that contains the ConcealedType marker.

If the bad guys have already got their software on your system, I think you've got worse problems than conveniently marking passwords for them.

That is, I would rather gain the advantages of:
- obfuscating the item in a visible clipboard history to avoid "over the shoulder" viewing, and 
- not having those particular pasteboard entries saved to disk, etc.
… over any increased risk of installing Trojan Horse software.

I think, if I were developing something like 1Password, I would offer the inclusion of this marker as a preference setting for exactly the reasons you list. That is, all users should probably be able to make their own judgment about which security measures they find more worthwhile.

Again, I don't think the NSPasteboard.org standards should specify exactly how password utilities, clipboard histories, or text expansion utilities should work. But I do think it should offer useful metadata about user intention, data source, etc.

Cheers,
Brian

Brian Bucknam

Jun 12, 2013, 8:13:03 PM
to nspast...@googlegroups.com, pe...@manytricks.com
Good points. I think the original proposal was more like "one time use" or "content that should not appear in clipboard histories at all", and the time limit was a way to suggest that it appear only for a little while in histories. 

I think just "ConcealedType" is simple and straightforward. If the clipboard history utility that I will never get around to writing decided to drop the "ConcealedType" item out of its visible history after a while, that would be cool :-)

Cheers,
Brian

Peter N Lewis

Jun 12, 2013, 10:37:27 PM
to nspast...@googlegroups.com
On 13/06/2013, at 8:13 , Brian Bucknam <br...@smilesoftware.com> wrote:
> I think just "ConcealedType" is simple and straightforward. If the clipboard history utility that I will never get around to writing decided to drop the "ConcealedType" item out of its visible history after a while, that would be cool :-)

Ironically, I just today received an email from someone highly put out that their passwords were splattered all over the clipboard history and wanting an "emergency fix" for this. So it was nice to at least be able to say there is a proposal being worked on.

But without 1Password and other such apps (and, ha, Apple's new Maverick password stuff???) marking the passwords, it may be a proposal without much value.

Anyway, seems we're agreed in principle just to add the ConcealedType attribute. Now we just need someone to a) add it to the spec web page, and b) actually implement adding the attribute.

Thomas Tempelmann

Jun 13, 2013, 2:50:37 AM
to nspast...@googlegroups.com
> On Wednesday, June 12, 2013 12:06:30 AM UTC-7, Günther "gue" Blaschek wrote:
>> But here is another - even more frightening - scenario: Assume that I would
>> like to steal passwords (just for the sake of this discussion; don't worry,
>> I'm a good guy. :-). All I need to do is create a utility that runs on the
>> user's computer in the background. This could be something with a useful
>> purpose, so users actively install this thing on their computers. Now all I
>> would have to do is watch for pasteboard changes and record everything that
>> contains the ConcealedType marker.

Brian Bucknam replied:
> If the bad guys have already got their software on your system, I think you've
> got worse problems than conveniently marking passwords for them.

In fact, besides my earlier point that a spy software could detect certain
types of pws in the clipboard by their patterns, it could even check which
app put them in there: If it's 1password, then it's usually either a pw or a
login name. There's little need for the marker helping out there.

Günther, have we convinced you that your worries about this marker are
fairly insignificant, now?

Thomas


Peter N Lewis

Oct 8, 2013, 7:17:49 AM
to nspast...@googlegroups.com
On 12/06/2013, at 14:19 , Peter N Lewis <pe...@stairways.com.au> wrote:
> On 12/06/2013, at 3:06 , Brian Bucknam <br...@smilesoftware.com> wrote:
>> Thomas Tempelmann proposed a "ConcealedType" that would not appear at all in clipboard history utilities. That makes some sense.
>
> I like the idea, and agree with Peter: just stick with org.nspasteboard.ConcealedType and leave it to the clipboard history app to figure out what that means.

Sadly, org.nspasteboard.ConcealedType was never added to http://www.nspasteboard.org/Site/Transient.html and now I hear that 1Password 4 follows the guidance on that page for "concealing" passwords. I've got no idea what they specifically decided to do, but they haven't implemented org.nspasteboard.ConcealedType and so I suspect this will just further muddy the waters as to what the existing org.nspasteboard.* tokens really mean which is a shame.

Hopefully org.nspasteboard.ConcealedType will be added to the page at some point and then 1Password might add support for it.

Thanks,
Peter.

--
Keyboard Maestro 6.2 now out - control Mail, reveal a file, format AppleScripts and more.

Brian Bucknam

Oct 8, 2013, 8:58:50 PM
to nspast...@googlegroups.com
On Tuesday, October 8, 2013 4:17:49 AM UTC-7, Peter N Lewis wrote:
> Sadly, org.nspasteboard.ConcealedType was never added to http://www.nspasteboard.org/Site/Transient.html and now I hear that 1Password 4 follows the guidance on that page for "concealing" passwords. I've got no idea what they specifically decided to do, but they haven't implemented org.nspasteboard.ConcealedType and so I suspect this will just further muddy the waters as to what the existing org.nspasteboard.* tokens really mean which is a shame.
>
> Hopefully org.nspasteboard.ConcealedType will be added to the page at some point and then 1Password might add support for it.

Since every proposed change, addition, or even use of existing org.nspasteboard.* tokens was found unacceptable or lacking by someone or another in this discussion group, I gave up trying to make any changes.

However, I agree that an org.nspasteboard.ConcealedType is potentially useful enough to ignore the critics and just go ahead with it, so I'll get that added to the web page.

Cheers,
Brian

Thomas Tempelmann

Oct 10, 2013, 3:57:43 AM
to nspast...@googlegroups.com
Brian Bucknam wrote:
> Since every proposed change, addition, or even use of existing org.nspasteboard.* tokens was found unacceptable or lacking by someone or another in this discussion group, I gave up trying to make any changes.
>
> However, I agree that an org.nspasteboard.ConcealedType is potentially useful enough to ignore the critics and just go ahead with it, so I'll get that added to the web page.


To my understanding, we kept too much focus on the other types, over which we could not agree. I had tried to keep the two things separate, which didn't work too well.

IIRC, the only dissent over the pw concealing was that some didn't find it useful (which can be overruled as others do find it useful, IMHO) and that some would prefer a timed mode. But overall, as Brian says, there's nothing about it that would cause conflict for us, as it does with the other types, right?


On Tuesday, October 8, 2013 4:17:49 AM UTC-7, Peter N Lewis wrote:
> now I hear that 1Password 4 follows the guidance on that page for "concealing" passwords.

I don't understand. What part of "the guidance on that page" are they using if the page does not mention concealment of pws?

The thing that might have triggered them to look at the nspasteboard site is that I bugged them several times to please consider it. Maybe they finally got a look at it, even though they never gave me feedback on it.

Thomas

 

Thomas Tempelmann

Oct 10, 2013, 3:59:46 AM
to nspast...@googlegroups.com
Peter,
> Sadly, org.nspasteboard.ConcealedType was never added to http://www.nspasteboard.org/Site/Transient.html and now I hear that 1Password 4 follows the guidance on that page for "concealing" passwords
I suppose you heard that in unofficial ways and there's nothing you can
point out to us about this?

I'd like to get back to them about it and ask for some confirmation.

Peter N Lewis

Oct 10, 2013, 4:06:52 AM
to nspast...@googlegroups.com
On 10/10/2013, at 15:57 , Thomas Tempelmann <tho...@irradiatedsoftware.com> wrote:
> On Tuesday, October 8, 2013 4:17:49 AM UTC-7, Peter N Lewis wrote:
> now I hear that 1Password 4 follows the guidance on that page for "concealing" passwords.
>
> I don't understand. What part of "the guidance on that page" are they using if the page does not mention concealment of pws?

Agreed, but people are using those tokens in a lot of different ways and with different meanings (as can be seen by the lack of agreement we managed on what they actually mean and how to use them!), so there are a variety of ways they might be using those tokens while intending to conceal passwords.

> The thing that might have triggered them to look at the nspasteboard site is that I bugged them several times to please consider it. Maybe they finally got a look at it, even though they never gave me feedback on it.

>> Sadly, org.nspasteboard.ConcealedType was never added to http://www.nspasteboard.org/Site/Transient.html and now I hear that 1Password 4 follows the guidance on that page for "concealing" passwords
> I suppose you heard that in unofficial ways and there's nothing you can point out to us about this?
>
> I'd like to get back to them about it and ask for some confirmation.

I heard it from a user who got that response from their support people.

I'm not sure they have made public what they are doing yet, but I believe they will soon, and I believe it may still be a little in flux (1Password 4 is pretty new), so if the org.nspasteboard.ConcealedType was on the page, and if you "bugged" them one more time with it, they might well support it.

Thomas Tempelmann

Nov 13, 2013, 7:28:15 AM
to nspast...@googlegroups.com
I just learned that 1Password 4 now adds a marker to the pasteboard.

The marker is named "com.agilebits.onepassword" and its value
contains, sadly, just the same data that the other text flavors
already indicate. And it is _always_ present, even if 1pw puts some
non-secret data into the clipboard. Supposedly Alfred and Quicksilver
make use of it already.

Well, so there's now another flavor to test for, and it's not even
working as desired.

I've told their support so, after I begged them for probably 2 years
to do something smarter.
I give up now.

Thomas

Brian Bucknam

Nov 13, 2013, 7:33:07 PM
to nspast...@googlegroups.com
I made contact with some of the folks at Agile Bits in early October. I tried to convince them to use ConcealedType, or propose an alternative to this forum.

At that point they were pretty close to releasing the new version of 1Password, and I think that due to the stress of releasing a major upgrade, there was some confusion or miscommunication, and they ended up going with their own "com.agilebits.onepassword" marker. I think they understand now that "org.nspasteboard.ConcealedType" probably would have been a better choice, but it is released.

I've updated the page at http://nspasteboard.org/ to reflect the current state of things. 

Cheers,
Brian

Peter N Lewis

Nov 13, 2013, 10:28:59 PM
to nspast...@googlegroups.com
I don't care what marker they use, but if it isn't restricted to just password (or secure notes or such) then it's useless. Concealing usernames isn't helpful, and it's hardly an improvement from concealing everything copied in 1Password (though perhaps marginally more useful in the web plugin).
Peter.

--
Keyboard Maestro 6.3 now out - enhanced Typed String trigger, fixed volume control actions, and more.