I like the idea of canaries in documents, I think is a good point but obviously it only applies to certain types of data. Still a good idea.

Looking at OP, they seem a small shop, with a limited budget. Seriously the best recommendation I think is to use some kind of remote storage for data (works as long as the employee complies) and to make sure the access control is done in a decent way (reducing the blast of employee behaving maliciously). Anything else is probably out of reach for a small company without a security department.

Maybe I sounded too harsh, that’s just because in this post I have seen all kinds of comments who completely missed the point (IMHO) and suggested super complicated technical implementations that show how disconnected some people can be from real technical operations, despite the good tech skills.

DLP solutions are honestly a joke. 99% of the case they only cost you a fortune and prevent nothing. DLP is literally a corporate religion.

What you mentioned also makes sense if you are windows shop running AD. If you are not, setting it up to lock 1 workstation is insane.

Also, the moment the data gets put on the workstation you failed. Blocking USB is still a good idea, but does very little (network exfiltration is trivial, including with DLP solutions). So the idea to use remotely a machine is a decent control, and all efforts and resources should be put in place to prevent data leaving that machine. Obviously even this is imperfect, because if I can see the data on my screen I can take a picture and OCR it. So the effort needs to go in ensuring the data is accessed on a need basis.

Jamf doesn’t do anything for this problem, besides costing you a fortune in both license and maintenance/operation. Especially if you are not a Mac shop.

MDM at most can be used as a reactive tool to do something on the machine - as long as the one with the machine in their hand leaves the network connection on.

There are much cheaper solution to do that for 1 machine, and -as others correctly pointed out- the only solution (partial) here is not storing the data on a machine you don’t control. Period.

Yeah, that’s what I wrote too, but that is still a very fragile way. For once, you depend on a network connections, or in the local firewall not blocking you etc.

Reactive, on-demand ssh is something you can do for tech support, not for security imho.

Disk encryption is a control against lost or stolen device and malicious physical access (kinda). Storing the data elsewhere is more a control (or the basis for controls) against malicious insiders.

Your ability to SSH in the machine depends on the network connectivity. Knowing the IP does nothing if the SSH port is not forwarded by the router or if you don’t establish a reverse tunnel yourself with a public host. As a company you can do changes to the client device, but you can’t do them on the employee’s network (and they might not even be connected there). So the only option is to have the machine establish a reverse tunnel, and this removes even the need for dynamic DNS (which also might not work in certain ISPs).

The no-sudo is also easier said than done, that means you will need to assist every time the employee needs a new package installed, you need to set unattended upgrades and of course help with debugging should something break. Depending on the job type, this might be possible.

I still think this approach (lock laptop) is an old, ineffective approach (vs zero-trust + remote data).

Useful for standardized management of fleets, but requires personnel to maintain and configure it, but I don’t think it’s very effective (or feasible - I doubt they will even join the call for a 1-device contract) for what OP needs.

This is honestly an extremely expensive (in terms of skills, maintenance, chance of messing up) solution for a small shop that doesn’t mitigate at all the threats posed.

You said correctly, the employee has the final word on what happens to the data appearing on their screen. Especially in the case of client data (I.e., few and sensitive pieces of data), it might even be possible to take pictures of the screen (or type it manually) and all the time invested in (imperfect) solutions to restrict drives and network (essentially impossible unless you have a whitelist of IPs/URLs) goes out the window too.

To me it seems this problemi is simply approached from the wrong angle: once the data is on a machine you don’t trust, it’s gone. It’s not just the employee, it’s anybody who compromises that workstation or accesses it while left unlocked. The only approach to solving the issue OP is having is simply avoiding for the data to be stored on the machine in the first place, and making sure that the access is only for the data actually needed.

Data should be stored in the company-controlled infrastructure (be in cloud storage, object storage, a privileged-access workstation, etc.) and controls should be applied there (I.e., monitor for data transfers, network controls, etc.). This solves both the availability concerns (what if the laptop gets stolen, or breaks) and some of the security concerns. The employee will need to authenticate each time with a short-lived token to access the data, which means revoking access is also easy.

This still does not solve the fundamental problem: if the employee can see the data, they can take it. There is nothing that can be done about this, besides ensuring that the data is minimised and the employee has only access to what’s strictly needed.

1 in russian is один, I think it’s quite different from one/uno/un (especially since the о is pronounced а). 2 and 3 are instead extremely similar (два три). Does it actually still come from the same root?

While not being competent in this subject, I found it very fascinatinf that ugro-finnic languages (which are not indoeuropean AFAIK) like Finnish or Estonian are so wildly different, so that 1 2 and 3 are üks, kaks, kolm (in Estonian), for example.

I read the post, hence my points. I am not really looking for answers, because I don’t have questions, I had observations. You on the other hand seem to have your whole opinion formed on this inaccurate post, and I would expect someone in your position to look for more perspectives, when you clearly are not. You seem instead on a crusade against the company (good for you), and even if all the post was true, because they spent too much on t-shirts, invested too much in AI products (that I repeat, are opt-in)? Because they don’t comply with a technicality of GDPR? Lol Ok, more power to you.

Also, what I mean by a subscription is that I cancel it and I am done. I didn’t invest in it in any shape or form, what I paid I consumed already, there is no feeling of wasting previous investment in a running subscription.

Judging from your attitude, your lack of content, your very annoying “homie”, your inability to address any point against the content of the article, I am guessing either you are the author and you are butthurt that is not taken as gospel, or you just have ulterior motives and you are here just to stir shit (instead of “spreading awareness”). Either way, I have already invested too much time writing responses to your silly comments. I will show you how good I am in avoiding the sunk cost fallacy and block you, despite the time invested in the conversation.

Cya

I answered with more stuff in other comments, but you didn’t address any of that anyway.

I personally have no brand faith, I am a happy customer and the moment the company doesn’t adhere to my principles I will dump it. There is no sunk cost as it’s a running subscription (you keep mentioning this, so I though I will say it).

That said, if I see someone claiming they have a “blase” approach to privacy or they don’t care about it, I will point out that this is complete bullshit. Using the missing “download my data” feature to support this claim is outright pathetic.

To be even more precise, as a socialist I don’t like many of Vlad’s ideas that tend towards libertarianism. That said, the company has a good amount of worker ownership, it operates on principles I currently respect and that are miles higher than the standard tech company. I am absolutely in favour of supporting positive business in a field where companies are disgusting on average, and in cases evil.

Now, if you have anything else than childish arguments I am happy to discuss them. I have pointed to a number of inaccuracies in the article, there are outdated data (like the number of employees) and subjective views from the author. You are posting this article everywhere like it’s some kind of holy grail of gotchas, when it’s not. There are some good points (financial reporting exists, is not 100% transparent - which is not due, the amount spent for the t-shirts was IMHO not a great idea, etc.), but the fundamental points against the company are shacky at best. As I said elsewhere, all the shpiel about AI etc. is fully addressed in kagi own site where they clearly explain what they mean, for example. The features are actually pretty nice, even for someone like me who is not a fan of LLMs, and the results are quite accurate (the post author claims they are almost always wrong) from my experience.

BTW my searches are unlimited :)

They don’t own the T-shirt factory. It is a simple sentence, they used a small Serbian (I think) company. The business entity is to import goods.

It’s a formal difference but shows how sloppy that post is.

So, again, sorry for trying to point out that the CEO of Kagi does NOT care about privacy, GDPR, or transparency!

Privacy != anonymity. They satisfy the most important aspects of the GDRP, like data and scope minimization, clear explanation of what data they collect and why, a fantastic privacy policy. They don’t let you download a file with your email address in it, woah.

That article is quite dense with inaccurate information (e.g. they own a T-shirt factory), and a lot of guesses. There is no need to listen to a random guy idea about kagi’s AI approach when they have that documented on their site.

Also, the “blase attitude to privacy” is because of a technicality of GDPR? (Not having the ability to download a file with your email address) I am a big fan of GDPR, and their privacy policy is the best I have seen (I read the pp of every product I use and I often choose products also based on it), so really I don’t care about the technical compliance to GDPR (I am not an auditor), but the substantial compliance.

All-in-all, the article raises some good points, but it is a very random opinion from a random person without any particular competencies in the matter. I would take it for what it is tbh

EDIT: To add a few more:

• They achieved profitability (BTW, 2 years of operation and being profitable with 30k users, they really don’t know what they are doing /s)
• Their price changed twice. It was raised once, and the change was reverted later on, with unlimited searches. For me that is a great sign, especially considering the transparency of telling exactly how much each search costs for them.

Source: see https://blog.kagi.com/what-is-next-for-kagi (published ~1 month after the linked post).

An article full of inaccuracies, but the most interesting bit is, all these conversations are possible because they clearly explain their views, which are publicly available on their website (for example, the philosophy behind the use of AI - which BTW is opt-in).

How is that an example of being opaque is beyond me.

FWIW, the default “programming” lens works quite well in Kagi, you can also create your own lens if you have a set of websites from which you routinely search info, and there are tons of bangs already (which can also be mapped to lenses BTW). In addition, you can downrank AI/SEO stuff when you find it (it is downranked by default in kagi), so that over time your results are quite clean.

Looking at keepassXC doc I couldn’t find such setup. Maybe it’s possible, but maybe it also leads to trouble down the road. The “official way” seems to use cloud storage.

You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices.

I mention that but with a specific context.

• people with certain ISPs will need to use the relay transfer feature because direct connections can’t be established. Similarly, if you work in an office and you use the corporate network, you usually can’t have device-to-device working (can be both from a technical POV and from a policy POV).
• even with 0 data transfers, servers still have some trust in establishing your direct connections. I know that syncthing uses keys to establish connections, but that’s why I mentioned CVEs. If there is one, your sync connection could be hijacked and sent elsewhere. It’s a theoretical case, I don’t think it’s very likely, but it’s possible. The moment you have a server doing anything, you are extending trust.

In those cases then yes, you are extending a bare minimum trust, and you fully encrypted data would temporarily pass on the relay’s RAM

And from my (consumer) PoV this is functionally equivalent to have the data stored on a server. It might not be all the data (at once), it might be that nobody dumps the memory, but I still need to assume that the encrypted data can be disclosed. Exactly the same assumption that should be made if you use bitwarden server.

If this makes you paranoid

Personally it doesn’t. As I said earlier, it’s way more likely that your entire vault can be taken away by compromising your end device, than a sophisticated attack that captures encrypted data. Even in this case, these tools are built to resist to that exact risk, so I am not really worried. However, if someone is worried about this in the case of bitwarden (there is a server, hence your data can be disclosed), then they should be worried also of these corner cases.

I just get nothing from Bitwarden that syncthing and KeePass don’t offer more easily.

You can say many things, but that keepass + syncthing is easier is not one of them. It’s a bespoke configuration that needs to be repeated for each device, involving two tools. bitwarden (especially if you use the managed service) works out of the box, for all your devices with 0 setup + offers all features that keepass doesn’t have (I mentioned a few, maybe you don’t need them, but they exist).

I don’t know how or why you would have vault conflicts, but it really does sound like something fixable

At the time I did not use syncthing, I just used Drive (2014-2017 I think), and it was extremely annoying. The thing is, I don’t want to think about how to sync my password across devices, and since I moved to bitwarden I don’t have to. This way I don’t need to think about it, and also my whole family doesn’t have to. Win-win.

That said, if you are happy with your setup, more power to you. I like keepass, I love syncthing, I have nothing against either of them. I just came here to say that sometimes people overblow the risk of a server when it comes to a password manager. Good, audited code + good crypto standards means that the added risk is mininal. If you get convenience/features, it’s a win.

Agree on the versioning issue. In fact I mentioned that the issue is convenience here. It is also data corruption, but you probably are aware of that if you setup something like this. Manually merging changes is extremely annoying and eventually you end up forgetting it to do it, and you will discover it when you need to login sometime in the future (I used keepass for years in the past, this was constantly an issue for me). With any natively sync’d application this is not a problem at all. Hence +1 for convenience to bitwarden.

However KeePassXC’s sync feature does sync the vault.

How does it work though? From this I see you need to store the database in a cloud storage basically.

For mobile I just give syncthing full permission to run in the background and have never had issues with the syncing on the folders I designate.

I use this method for my notes (logseq). Never had synchronization problem, but a lot of battery drain if I let syncthing running in the background.

Nothing else passes through it unless you opt into using relaying in case you have NAT issues.

I guess this can be very common or even always the case for people using some ISPs. In general though, you are right. There is of course still the overall risk of compromise/CVEs etc. that can lead to your (encrypted) data being sent elsewhere, but if all your devices can establish direct connections between each other, your (encrypted) data is less exposed than using a fixed server.

If you are paranoid, the software is open source and you can host your own relays privately,

This would also defeat basically all the advantages of using keepass (and family) vs bitwarden. You would still have your data in an external server, you still need to manage a service (comparable to vaultwarden), and you don’t get all the extra benefits on bitwarden (like multi-user support etc.).

To be honest I don’t personally think that the disclosure of a password manager encrypted data is a big deal. As long as a proper password is used, and modern ciphers are used, even offline decryption is not going to be feasible, especially for the kind of people going after my passwords. Besides, for most people the risk of their client device(s) being compromised and their vault being accessible (encrypted) is in my opinion way higher than -say- Bitwarden cloud being compromised (the managed one). This means that for me there are no serious reasons to use something like keepass (anymore) and lose all the convenience that bitwarden gives. However, risk perception is personal ultimately.

Few reasons, with the most important being convenience. Syncthing is going to see just a binary blob as the password storage is encrypted. This means it is impossible for syncthing to do proper synchronization of items inside the vault. Generally this is not a problem, but it is if you happen to edit the vault on multiple devices and somehow syncthing didn’t sync yet the changes (this is quite common for me on android, where syncthing would drain the battery quite quickly if it’s always actively working). For bitwarden on the other hand the sync happens within the context of the application, so you can have easy n-way merge of changes because its change is part of a change set with time etc.

Besides that, the moment you use syncthing from a threat model point of view, you are essentially in the same situation: you have a server (in case of syncthing - servers) that sees your encrypted password data. That’s exactly what bitwarden clients do, as the server only has access to encrypted data, the clients do the heavy lifting. If the bitwarden server is too much of a risk, then you should worry also of the (random, public, owned by anybody) servers for syncthing that see your traffic.

Keeshare from my understanding does use hosting, it uses cloud storage as a cloud backend for stateful data (Gdrive, Dropbox etc.), so it’s not very different. The only difference would be if you use your private storage (say, Synology Drive), but then you could use the same device to run the bit/vaultwarden server, so that’s the same once again.

The thing is, from a higher level point of view the security model can only be one of a handful of cases:

• the password data only remains local
• the password data is sync’d with device-to-device (e.g. ssh) connections
• the password data is sync’d using an external connection that acts as a bridge or as a stateful storage, where all the clients connect to.

The more you go down in the list, the more you get convenience but you introduce a bit of risk. Tl;Dr keepass with keyshare/syncthing has the same risks (or more) than a Bitwarden setup with bitwarden server.

In addition to all the above, bitwarden UX is I would say more developed, it has a better browser plugin, nice additional tools and other convenience features that are nice bonuses. It also allows me to have all my family using a password manager (including my tech illiterate mom), without them having to figure out anything, with the ability to share items, perform emergency accesses etc.

Edit: I can’t imagine this comment to be deemed off topic, so if someone downvoted simply to express disagreement, please feel free to correct or dispute what I wrote, as it would certainly make for an interesting conversation! Cheers

As someone from Rome, I feel you. Pickpocketing is somewhat an issue. In more than 20 years living in the city (before I moved) I never suffered from it, but it’s very common among tourists (especially in the underground and certain bus lines). It sucks and often police does nothing because by the time they catch the people (if they do), everything is gone anyway.

That said, beside pickpocketing Rome is very safe (or at least most of the places where a tourist would go, except maybe the surroundings of Termini station).