Scott Arciszewski sarciszewski

Keybase proof

I hereby claim:

I am sarciszewski on github.
I am voodookobra (https://keybase.io/voodookobra) on keybase.
I have a public key whose fingerprint is EF65 457C EFF5 4788 4B57 AD79 4628 13A8 2BBC 804D

To claim this, I am signing this object:

Passwords suck, and our password managers aren't much better.

LastPass has good UX, but is non-free
KeePass is free software, but doesn't integrate with browsers in and of itself
1Password is non-free and their browser integration is "thin"
Keeper is non-free

I believe that the infosec community can do better. Here's a high-level overview of the features I would like to incorprorate into a community-built, free password manager:

Integrates with Firefox (because Tor Browser Bundle) and Chrome

Premise

Developers love to fetch data over the network and love to pipe it directly into a language interpreter (e.g. curl http://get.mojolicio.us | sh, curl https://getcomposer.org/installer | php, etc.) and have put forth a great deal of resistance towards efforts to break these habits.

In order to be able to offer developers some security assurance, I have put together this proposal for a free service that will allow developers to obtain a verifiable copy of a program.

	<?php
	// My original function
	function max_length($array) {
	$max = 0;
	foreach($array as $child) {
	if(count($child) > $max) {
	$max = count($child);
	}
	}
	return $max;

	<?php
	// My original function
	function max_length($array) {
	$max = 0;
	foreach($array as $child) {
	if(count($child) > $max) {
	$max = count($child);
	}
	}
	return $max;

	```
	This was the article I submitted to 2600: The Hacker Quarterly
	I hereby release it into the Public Domain
	```
	About two years ago, I was a computer engineering undergraduate at UCF, hoping to eventually go to graduate school and eventually earn a Ph.D. One day, my curiosity got the best of me. I went to infragardtampabay.org and decided, "This website is used by the FBI, another Infragard site just got hacked by LulzSec. I'm no skilled hacker, so if I just looked around it should be harmless enough. I probably won't find anything." How many 2600 readers told themselves that before?

	Before trying anything too obvious and noisy (SQLi), I decided to view the page source and see what software they used. This is what I saw on June 21, 2011:
	```html
	<!-- DotNetNuke - http://www.dotnetnuke.com -->
	<!-- Copyright (c) 2002-2008 -->

	<?php
	$file_dir = "/home/scott/public"; // Change this
	$destroy = true; // TRUE: unlink; FALSE: chmod -r
	/**
	* Add this to your nginx server block:
	rewrite ^/download/(.*)$ /serve_and_destroy.php?file=$1;
	**/

	function get_file_extension($path) {
	$split = explode('.', strtolower($path));

	<?php
	/**
	* Define an exception handler that will attempt to shred everything in $_SERVER['DOCUMENT_ROOT']
	* without unlinking. Allows a whitelist of acceptable uncaught exceptions.
	*/
	function exception_handler(Exception $e)
	{
	$type = get_class($e);
	switch($type) {
	case 'RunTimeError':

	cl()
	{
	# change directory then view its contents in one step
	if [ -z $2 ]
	then
	cd $1 && ls -lah
	else
	cd $1 && ls $2
	fi
	}

	_______________
	\| CLIENT SERVER \| _________
	\| ============= \| ______ / Service \___, user
	\| ~# \| ------ \_________/
	\|_______________\| \| \| \
	user user user

	A service has a SSH private key, for which the public key is installed on the client's server. Private keys are provisioned per client.

	Local users authenticate somehow to the service which then forwards their SSH session onto the client's server without leaking the private key.

Scott Arciszewski sarciszewski

Keybase proof

Premise

Contents