maemo.org - Talk

pySafe - for personal information security (https://talk.maemo.org/showthread.php?t=40108)

Bryce 2010-03-26 16:26

Re: pySafe - for personal information security
 
Dear Mr. Aguilar,

Thanks for working on this application! I am sure that I will be able to use it for many years much to my satisfaction. However, I am writing to ask a fundamental security question before I begin to use it.

The obvious security flaw in such an application is that the user trusts the author not to have backdoor transmissions or access to the unencrypted data. I am a little uncomfortable putting all my most secret passwords into such a utility knowing this.

Although I searched on your garage entry and in this thread, I have seen no reference to the original source code. If I could compile the program (or, if it's python, just run it) from the original source, then I would have an opportunity to ensure there are no such backdoor shenanigans.

Please do not take this note as a personal slight--it's just the nature of wanting to store so much security information in one spot. To me, the best feature of any such program is that the source is available. Could you share, or tell me how I might otherwise look through it? That is, after all, the whole point of *nix, yes?

Cheers,

Bryce

jaguilar 2010-03-26 17:10

Re: pySafe - for personal information security
 
Hi Bryce!

First of all, you are absolutely right to ask questions about the software, considering that it maintains confidential information.

The source code is available in the garage, but private. Sorry for my mistake! Already made it public.

PySafe is written in Python, so the source of the program can be viewed on the N900 itself, but the code is precompiled to save disk space. But if you want, you can download the source and replace the files.

Cheers!

Bryce 2010-03-26 18:07

Re: pySafe - for personal information security
 
Outstanding! Thank you for sharing =).

zimon 2010-03-26 18:20

Re: pySafe - for personal information security
 
I like Password Safe because the database (file) is directly compatible with password applications in Linux and Windows. So it is easy to sync from master password list to other devices just by using a copy.

Does pySafe use some widely supported password db system, or does it have its own?

jaguilar 2010-03-26 21:20

Re: pySafe - for personal information security
 
Quote:

Originally Posted by zimon (Post 583566)
Does pySafe use some widely supported password db system, or does it have its own?

PySafe uses its own file. In the future there will be a GUI to other systems, since it's a Python program (multiplatform), although this was not the intention.

If Password Safe has an open database format, readable by Python, and it's compatible with the rules of PySafe, it could be possible to change to it.

The rules are: no fixed groups, no fixed items, no fixed details, may have sub-groups, and items may be outside a group.

soeiro 2010-03-26 21:36

Re: pySafe - for personal information security
 
Quote:

Originally Posted by zimon (Post 583566)
I like Password Safe because the database (file) is directly compatible with password applications in Linux and Windows. So it is easy to sync from master password list to other devices just by using a copy.

Are you sure? I thought Password Safe for maemo 5 used an older file format that was not compatible with current desktop versions.

zimon 2010-03-27 08:29

Re: pySafe - for personal information security
 
Quote:

Originally Posted by soeiro (Post 583793)
Are you sure? I thought Password Safe for maemo 5 used an older file format that was not compatible with current desktop versions.

The primary db is on my Linux host with MyPasswordSafe.
Once a week I rsync it to N900 to be used in (Maemo) PasswordSafe.

Also, what is important to me, I can use text only CLI with pwsafe through ssh, if I need to.

Do not remember, but I think I am using the v2 db-format.

Maemo Password Safe has an annoying bug though when it has been idle long enough.

joschum 2010-04-04 11:02

Re: pySafe - for personal information security
 
Is there a way to synchronize passwordsafe files with some password-tool running on Ubuntu Linux?

jaguilar 2010-04-04 17:59

Re: pySafe - for personal information security
 
Quote:

Originally Posted by joschum (Post 594776)
Is there a way to synchronize passwordsafe files with some password-tool running on Ubuntu Linux?

Is your question about pySafe and you mistyped, or is it about PasswordSafe?

By the way, pySafe doesn't yet run outside the N900. But the version that I'm working on, in Qt, will run on any device/OS that runs Python with Qt.

ofels 2010-04-05 08:31

Re: pySafe - for personal information security
 
Quote:

Originally Posted by jaguilar (Post 595189)
But the version that I'm working on, in Qt, will run on any device/OS that runs Python with Qt.

Way to go. Thanks for that.

soeiro 2010-04-08 14:05

Re: pySafe - for personal information security
 
Quote:

Originally Posted by jaguilar (Post 595189)
By the way, pySafe doesn't yet run outside the N900. But the version that I'm working on, in Qt, will run on any device/OS that runs Python with Qt.

That is great news! It will be great to be able to run the program on both desktop and N900 and still sync them (however that may be done: rsync, Unison, copy, etc).

May I add another suggestion?

Make it possible to do 3-way comparisons among pySafe databases. This feature should be triggered by the CLI. The 3 files to be compared are: base-file, file1-changed-from-base and file2-changed-from-base. This feature alone would revolutionize password programs. Here is the typical use case:
  • The user adds some entries to her N900 pySafe db;
  • The user makes some changes to her Desktop version of PySafe, forgetting to first copy the db from the N900;
  • Some days later, the user uses Unison to synchronize many files between N900 and Desktop (example: music, pictures, videos, documents and the pySafe db).
  • Unison notices that the pySafe db was edited on both places and so one version cannot overwrite the other without the user losing data.
  • Because pySafe supports 3-way merge at the command line invocation, Unison calls "pySafe old-base-common.db desktop-db N900-db". Note: old-base-common is the last common version tracked by Unison that was equal on both devices.
  • PySafe now asks for the passwords and displays a side by side comparison of differences between "desktop-db" and "N900-db". It can even merge things automatically, if there are no conflicting changes.
  • The user taps the lists, indicating what changes are kept;
  • PySafe then saves the results as the true merged file.
  • Unison replicates the same new version on both devices
  • The user lives happily forever, knowing that whatever and whenever she changes her pySafe db she will be sure that no changes will be lost.
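
The merge step in the use case above, as an added example that is not part of the original post or of pySafe's code. It assumes the three databases have already been decrypted in memory and flattened to a dict of entry name to value (a hypothetical simplification of pySafe's groups and items); `three_way_merge` and the sample entries are constructed for illustration.

```python
def three_way_merge(base, desktop, n900):
    """Merge two edited copies against their last common version.

    Each argument maps an entry name to its value. Returns (merged, conflicts);
    conflicts maps name -> (desktop_value, n900_value), with None meaning the
    entry was deleted on that side, and is left for the user to resolve.
    """
    missing = object()  # marks "entry absent" so deletions merge like edits
    merged, conflicts = {}, {}
    for name in sorted(set(base) | set(desktop) | set(n900)):
        b = base.get(name, missing)
        d = desktop.get(name, missing)
        n = n900.get(name, missing)
        if d == n:        # identical on both sides (or deleted on both)
            chosen = d
        elif d == b:      # only the N900 copy changed
            chosen = n
        elif n == b:      # only the desktop copy changed
            chosen = d
        else:             # both changed, differently: never pick silently
            conflicts[name] = (None if d is missing else d,
                               None if n is missing else n)
            continue
        if chosen is not missing:
            merged[name] = chosen
    return merged, conflicts


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    base = {"mail": "a1", "bank": "b1", "forum": "c1", "shop": "d1"}
    desktop = {"mail": "a1", "bank": "b2", "shop": "d2"}          # edit, delete
    n900 = {"mail": "a1", "bank": "b1", "forum": "c1",
            "shop": "d3", "wifi": "e1"}                           # edit, add
    merged, conflicts = three_way_merge(base, desktop, n900)
    print("merged:", merged)
    print("needs a decision:", conflicts)
```

Because the files are encrypted, a generic file-level merge tool cannot do this on the ciphertext; the comparison has to run inside the application after the password has been entered, which is why the proposal has Unison hand the three files to pySafe.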

gordonshowers 2010-04-10 11:35

Re: pySafe - for personal information security
 
Just wanted to say many thanks to Jaguilar for creating this program, it's excellent.

robbie 2010-04-26 06:40

Re: pySafe - for personal information security
 
Can you release a technical document of the database format?

I was thinking of taking a shot at creating a sync application for syncing between keepass and pySafe. I already did something similar for keyring (on PalmOS): http://www.robvonk.com/projects-engl...passtokeyring/

I understand that you use blowfish and some compression but that's it. My Python skills are probably not good enough to figure out what you did.

jaguilar 2010-04-26 18:00

Re: pySafe - for personal information security
 
@robbie

In the SCM section of the Garage you can checkout the sources and see how the file is read, in database.py file ("load" method).

But the file structure is very simple. To read, first you need to decompress, and after that decrypt. If the password is correct, the result will be a readable text:
1- the password is in the first line (for checking purposes only)
2- the second line is the version of the database (currently 2, but it will change soon)
3- third line is the MD5 checksum of the data
4- from the fourth line to the end is the data itself

robbie 2010-04-26 19:59

Re: pySafe - for personal information security
 
Decompress is just gunzip, I see. And my Delphi component knows how to handle blowfish so that shouldn't be a problem. I'll look into the file tomorrow.

thanks

robbie 2010-04-27 17:09

Re: pySafe - for personal information security
 
1 Attachment(s)
I've managed to decrypt a small test file but I see some strange things (see attached screenshot).

I have one group named 'Groep'
I have one item with two fields: Itemname, Pass
with the values Que and Quee

I see these items in the decrypted data but can't seem to make anything of the rest.

Any idea what's going on?

robbie 2010-04-28 06:24

Re: pySafe - for personal information security
 
And again one step further. You're using pickle to save the data and Python adds these strange chars. I'm not sure if I can reproduce what they create.

What are your plans for version 3 of the data format? Any chance of change? And any chance of adding a last updated field per item? (so when you sync, you know what the last changed item is).

jaguilar 2010-04-28 18:04

Re: pySafe - for personal information security
 
Yes....it's saved using pickle.

Unfortunately I have no intention of changing this, because Python does the data conversion (in other words: serialization) automatically. To change that I would have to write a conversion routine, which would be a lot of work.

In the next version the only change, for now, is the inclusion of a piece of information in the details to say what the order of viewing them on screen should be.

There is no plan to change this. My first priority is to keep the program good enough to put it in the extras. After that I will start to think about synchronization.

robbie 2010-04-28 18:08

Re: pySafe - for personal information security
 
1 Attachment(s)
And another step further. In the attachment you'll see the layout of the unencrypted data in hex format (length is decimal).

http://www.xs4all.nl/~gnista/dbformat.png

There are some things that i don't understand.

7D's are idents and 73 and 75's are unidents. What's the difference? when to use which?

What are these 28's?

Anyone an idea?
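
An added example, not part of the thread or of pySafe's code, for the decrypted layout jaguilar describes (password line, version line, MD5 line, pickled data) and the byte values asked about above: it checks the MD5 line and lists the pickle opcodes with the standard `pickletools` module without unpickling anything. It starts from bytes that have already been decompressed and decrypted, and it assumes the checksum is the hex MD5 of the data bytes and that lines end in `\n`; the sample content and helper names are constructed.

```python
import hashlib
import pickle
import pickletools

# Opcodes that import or call objects while unpickling. Nested dicts and
# strings never need them, so finding one in a password file is a red flag.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ",
                "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4"}


def build_sample(obj, password=b"constructed-master-pw"):
    """Build constructed plaintext in the layout described in the thread."""
    data = pickle.dumps(obj, protocol=2)
    md5_hex = hashlib.md5(data).hexdigest().encode("ascii")  # assumed hex form
    return b"\n".join([password, b"2", md5_hex, data])


def split_plaintext(plaintext):
    """Return (password, version, md5_hex, data) from decrypted bytes."""
    # maxsplit=3 keeps any newline bytes inside the pickle in the data part.
    password, version, md5_hex, data = plaintext.split(b"\n", 3)
    return password, int(version), md5_hex.decode("ascii"), data


def inspect_plaintext(plaintext):
    """Check the MD5 line and list the pickle opcodes without unpickling."""
    _, version, md5_hex, data = split_plaintext(plaintext)
    checksum_ok = hashlib.md5(data).hexdigest() == md5_hex
    # genops only walks the opcode stream; it never imports or calls anything.
    ops = [(op.name, op.code.encode("latin-1").hex())
           for op, _arg, _pos in pickletools.genops(data)]
    risky = sorted({name for name, _ in ops if name in CODE_OPCODES})
    return {"version": version, "checksum_ok": checksum_ok,
            "opcodes": ops, "risky": risky}


if __name__ == "__main__":
    # Constructed sample mirroring the small test file described above.
    sample = build_sample({"Groep": {"Itemname": "Que", "Pass": "Quee"}})
    report = inspect_plaintext(sample)
    print("version", report["version"], "checksum ok:", report["checksum_ok"])
    for name, code in report["opcodes"]:
        print(code, name)
    print("opcodes that would import or call code:", report["risky"] or "none")
```

In the output, `7d` is EMPTY_DICT, `28` is MARK, `75` is SETITEMS and `73` is SETITEM, all standard pickle opcodes. A sync tool that receives such a file from another device should run a check like this before handing the data to `pickle.loads`, because unpickling can import and call objects and the MD5 line only detects accidental corruption.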

davss 2010-05-24 00:25

Re: pySafe - for personal information security
 
1 Attachment(s)
Here is a Polish translation - PM me when more text string translations are required - happy to contribute to this great app (ex-Handy Safe user with KeepassX that is too limited for my needs)

jaguilar 2010-05-24 17:46

Re: pySafe - for personal information security
 
@davss
Thanks for the translation! But I don't put it in the current version, cos I am writing the new one (and waiting for the PR 1.2...it's using Qt 4.6). But I guess that I will need your help in the translation of new version!

@robbie
I've changed the database format, and in the next version it will be using SQLite. I hope that it can make the things easier for you! :)

I will make a video and put in Youtube showing the new version...

jaguilar 2010-05-24 21:30

Re: pySafe - for personal information security
 
Here is the video with the new version, recorded using Scratchbox and Xephyr:

http://www.youtube.com/watch?v=Tk03YoXpodA

It might change yet...

davss 2010-05-24 21:39

Re: pySafe - for personal information security
 
Quote:

Originally Posted by jaguilar (Post 673633)
@davss
Thanks for the translation! But I don't put it in the current version, cos I am writing the new one (and waiting for the PR 1.2...it's using Qt 4.6). But I guess that I will need your help in the translation of new version!

@robbie
I've changed the database format, and in the next version it will be using SQLite. I hope that it can make the things easier for you! :)

I will make a video and put in Youtube showing the new version...

no problem - just give me a shout when it's ready for translation. I can also do ES, PT if needed.

jaguilar 2010-05-26 20:46

Re: pySafe - for personal information security
 
1 Attachment(s)
And again I am asking for help to translate the internal messages! :)

Attachment 10344

I intend to test the application a little more and, if all goes OK, the new version will be released at the weekend.

TIA!

spooley 2010-05-26 21:24

Re: pySafe - for personal information security
 
Thanks jaguilar ... I'm looking forward to your new version. Especially if there's a PC desktop version to go with it, too.

Simon

titou1234 2010-05-27 11:24

Re: pySafe - for personal information security
 
1 Attachment(s)
Hi,

Here is the French translation for the next version.

Ithier

davss 2010-05-27 12:05

Re: pySafe - for personal information security
 
2 Attachment(s)
13:22PM GMT0 - corrected one typo and reuploaded attachment files.

Herewith Polish translation. Could you please make sure that your file for translation has encoding set to UTF-8 pls?

I've never developed anything for OSX but am thinking about making a client for it... anyone willing to help ?

Cheers, David

Art.M 2010-05-27 14:12

Re: pySafe - for personal information security
 
1 Attachment(s)
Spanish translation.

I hope all the strings fit in the dialogs :p

jaguilar 2010-05-27 18:07

Re: pySafe - for personal information security
 
Quote:

Originally Posted by spooley (Post 680810)
Thanks jaguilar ... I'm looking forward to your new version. Especially if there's a PC desktop version to go with it, too.

The program is intended to run in any place that can run Python programs (that's why I chose PyQt instead of PySide). I'm developing in a Scratchbox instance (the first priority is that it runs great on an N900), but sometimes I run it on my Linux machine too (Mandriva 2010.0 64 bits).

Quote:

Originally Posted by davss (Post 682535)
Herewith Polish translation. Could you please make sure that your file for translation has encoding set to UTF-8 pls?

It is....I guess! :)

Quote:

Originally Posted by davss (Post 682535)
I've never developed anything for OSX but am thinking about making a client for it... anyone willing to help ?

Same as above...if OSX can run Python programs, then it can run pySafe without changes!

Once it's done I will put a ZIP file somewhere with pySafe in the correct structure to run on computers.

jaguilar 2010-05-31 02:44

Re: pySafe - for personal information security
 
New version in the repository! See first post for details.

Art.M 2010-05-31 04:50

Re: pySafe - for personal information security
 
mine doesn't open

robbie 2010-05-31 06:06

Re: pySafe - for personal information security
 
Quote:

Originally Posted by jaguilar (Post 673633)
@robbie
I've changed the database format, and in the next version it will be using SQLite. I hope that it can make the things easier for you! :)

Nice! There are some sqlite components for Delphi (that's what I'm using) so that should be doable. Do you have any information how to get started? Is the complete database encrypted or individual fields? And did you add a last changed timestamp field? That makes syncing possible.

robbie 2010-05-31 07:58

Re: pySafe - for personal information security
 
Quote:

Originally Posted by Art.M (Post 691062)
mine doesn't open

Doesn't work here either.

titou1234 2010-05-31 11:54

Re: pySafe - for personal information security
 
Same problem here: I run it, the window opens with the pysafe title and then it closes.

I had to reinstall an old version.
For those interested, to install a working version, download http://repository.maemo.org/extras-d....7.2-1_all.deb and execute it with application manager.

pizzulicchio 2010-05-31 13:07

Re: pySafe - for personal information security
 
It's the same for me too. It starts loading and after some seconds it comes back to the desktop... :confused:

jaguilar 2010-05-31 15:25

Re: pySafe - for personal information security
 
Could you please run the program in the terminal??
This is the command:
Code:

/opt/pysafe/pysafe
And put here the error message.

Probably some dependency is missing. :(

pizzulicchio 2010-05-31 15:36

Re: pySafe - for personal information security
 
Here for you:

Traceback (most recent call last):
File "./pysafe", line 3, in <module>
from mainwindow import pysafe
File "tmp/mainwindow.py", line 7, in <module>
File "tmp/rotation.py", line 3, in <module>
ImportError: No module named qt

grossetti 2010-05-31 16:42

Re: pySafe - for personal information security
 
Funny, mine is different:

Traceback (most recent call last):
File "/opt/pysafe/pysafe", line 3, in <module>
from mainwindow import pysafe
File "tmp/mainwindow.py", line 5, in <module>
File "tmp/util.py", line 4, in <module>
ImportError: No module named QtGui

Art.M 2010-05-31 17:23

Re: pySafe - for personal information security
 
Quote:

Originally Posted by pizzulicchio (Post 691950)
Here for you:

Traceback (most recent call last):
File "./pysafe", line 3, in <module>
from mainwindow import pysafe
File "tmp/mainwindow.py", line 7, in <module>
File "tmp/rotation.py", line 3, in <module>
ImportError: No module named qt

the same for me

robbie 2010-05-31 17:23

Re: pySafe - for personal information security
 
Quote:

Originally Posted by grossetti (Post 692059)
Funny, mine is different

I have the same.

I'm on 1.2


All times are GMT.