 i'm not a diversification cuckoo, i am a hawk, i keep my eggs in one nest and i watch it real close, and put it where it's hard to get at.
 one of the rules of signals intelligence is you don't send out a message unless you want to risk it being decoded. bitwarden breaks that rule. even brave sync breaks it on the metadata side. if my devices were ONLY locating each other and not sharing any other information that would be ok for me, but then how is that any different from me managing my own backups and using the fattest pipe I can - 10gbit USB-C cable. 
 just to be clear, i only need one backup, which is my primary and only pc system volume. there is only one keepassxc database, with only one password, and all of that is securely duplicated onto my backup.

the more links in a chain, the more chances one of them can be easily broken.

i write software designed to operate as independent systems interacting with each other, and every time two things are doing the same type of job at the same time, we have a problem that will eventually blow out into a huge hassle.

when i need to do a wipedown, i can get it done and everything gone in under an hour. good luck chasing all your stray bits and pieces when you gotta move fast. 
 OK

someone breaking AES-256 encryption is not in my threat model.
and i also can and do have a secure offline backup that can be restored anytime. it doesn't require chasing down stray bits.

but it's a difference in design philosophy and I respect your approach.
 i'm not so stupid as to think that AES-256, which isn't even a protocol actually, it's a collection of them, and the difference that matters, can be broken.

it's always side channels and handshakes and this sort of thing.

i don't know how my brave sync got breached, but a device appeared on the list that i definitely did not put there. so i presume it was the browser itself that was penetrated, and specifically the access to the memory where that key is stored.

i think you are way too trusting, and let's just leave it at that.

anyone who pins their security on a web browser is on the road to trouble.