This is to be expected when you have ignorant people reporting on things that they are not willing to educate themselves about. Anyone who wrote sensational garbage about the LastPass event didn't bother to understand how LastPass works and what the real potential of any breach could be.
Frankly, it leaves me exhausted in the same way the regular stream of sensational ignorant responses to violent video games, boobs in video games, or explicit lyrics in music leave me exhausted. It's extremely difficult to fight an ignorant public being exploited by a willfully ignorant and sensationalistic media.
The likes of Tech Crunch et al who should be in a position to counter such mainstream media reactions and behavior are all too often, unfortunately, jumping right into the fray and showing that they can be just as counter-productive as any big old-media outlets.
Exactly that. I really want to do an HN post asking people to curb all of the sensationalist headlines (especially if you haven't fully researched the situation).
I just feel like it will get lost in the noise though
At least headlines on HN are frequently edited to make them true.
That was always one of the things that drove me batshit crazy about slashdot -- nominally it has editors, but they let straight up flame-bait submissions go through.
Slashdot's discussion of the Lastpass situation was titled LastPass Password Service Hacked and linked to an article at Kaspersky where their title said LastPass Probably Breached.
I use lastpass and 1password. FWIW, I think the guys at AgileBits did a pretty reasonable job of not gaming lastpass's bad day. They did a blog post about a relevant detail of their own security, which really seems like a reasonable thing to do on a day like that.
In which case Kaspersky is already being untruthful, which is hardly surprising, considering they sell a competing product. I would expect more honesty when a company reports on its own game: if you understand full well how subtle things are, then let your reporting reflect that.
People are encouraged to use the original headlines, and someone who tries to de-sensationalize a headline will be complained at (and article-flagged and downvoted) more than someone who posts a sensational title as-is.
Hanlon's razor[1]. They may very well believe that what they are writing is true. Most people don't engage in dishonesty easily, but they are quick to fool themselves into believing they aren't being dishonest.
Hanlon's Razor really should only be applied when you don't have other evidence. In the case of tech crunch, I'm fairly well convinced that they will take any news event in the most sensationalist light possible, regardless of their knowledge of the facts.
It's part of the HN comment-formatting parser. It often seems to happen with wikipedia URLs in particular, most sites just take apostrophes and such out.
The media may suck, but I remember cperciva saying that tarsnap signups actually increased after a security bug (http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-...) - prospective customers were impressed by his response. In fact, my opinion of KeePass is higher after this incident ("seem to be properly paranoid") than before ("who?").
Not to be anal here, but the original article is about LastPass[0] as opposed to KeePass[1], which is another password manager (NB: KeePass is locally hosted).
This is the only sane post I've read about this incident. All the major tech sites blew it way out of proportion. LastPass did everything right, and yet every headline was along the lines of "LastPass has been hacked, panic!".
They deserve better, especially seeing as how transparent they were about the whole situation and how they handled it.
Actually, I think that LastPass overreacted. Seeing the possibility of a breach, and alerting customers is definitely the right thing. But they went so far as to lock customers out of their own data -- it was two full days before my wife was able to get into our bank account.
I'd tend to look at these types of services as a convenience, nothing more. If you allow yourself to become reliant on them for access to your personal data, like banking, etc., then I'd say that you put too much faith/trust in them. Shit happens, all the time, despite the best intentions of people working hard to make sure it doesn't.
Your memory must be much better than mine. Recommended procedure is to use a different and secure password for every site you care about, right? That's three bank accounts, several work-related accounts, a couple of social media sites, etc. I'd have to remember at least 20 difficult passwords on a daily basis.
It's a hell of a lot easier to do if you don't make it about straight random memorization though.
I have a little memory association I do with every site I need an account/pass for, based on various characters out of books I've read.
Every site has a character I've associated with it, to make it easier to remember, and I have a simple (to me) algorithm I use to generate the password that includes various capitalization and special characters.
Sure, it might take a bit of work early on to remember stuff, but if you learn how to memorize things effectively, it makes it much easier.
Mind you, I also know all my CC numbers, passport number, drivers license, etc., as well, so maybe I'm just weird.
I have to look at my phone every time someone asks me for my phone number. I don't know if this means that my brain is dying or that I don't bother remembering information that I can easily look up...
I use my memory for all my passwords (lots) and quite a few client / account numbers.
I like to do it that way cos it's fast, but on the odd occasion, maybe once a year, I have a 'bad day' when I can't remember -any-.
That's the marketing offer. I use lastpass for all my websites, but not for my master email, paypal and banks. I have over 120 accounts here and there for websites I test. Before I had three passwords: one for paypal, one for email and one for everything else, then came the gawker debacle. I completely trust lastpass for my twitter account, facebook, affiliation programs, etc...
I do exactly the same. Lastpass has my social sites passwords, and other not-so-relevant sites. I commit to memory my hard-to-guess passwords for email, bank and Paypal accounts.
it was two full days before my wife was able to get into our bank account
Most banks have phone numbers that you can call if you don't know your password. Some banks even let you reset your password if you know your account number and SSN.
Recently I needed to get my password for my bank account in France (I live in China)... They gave it over the phone after I only gave them my bank account number, my birthday and my name... I then went on to my bank account and transferred money.
With banks this secure, I really don't worry about keeping the login information in something like lastpass
I can't tell if you're saying that banks are secure or insecure. BTW, your name is Guillame Maury, and your birthday is 03/07/1982.
Anyway, I also live in China, and have had problems with banks being so secure that it becomes inconvenient. A few months ago I tried to get into my ING account, for which I'd lost the password. Although I managed to authenticate my identity over the phone, they could only send me a new password to my address in the UK. However, this is a house my family no longer lives in... so the whole affair involved contacting the new occupants to forward the new password letter on to someone I knew. I've also had problems with Natwest's online payment system giving me an "unknown failure" message. After calling up, I found that the system had flagged my transaction as suspicious due to my location as revealed by my IP address. When dealing with such issues, I often feel like I'm trying to steal my own identity.
Anyway, after looking at the options I decided to use PasswordCard to manage my passwords, which is a physical solution (www.passwordcard.org). It's a card of random numbers, symbols and letters that you can print out. You then take a sequence of such symbols to form each new password that you need. I decided not to use a standard password manager since it's not very portable between machines (I travel quite a bit, and also with the current rate of technology change it's likely that in a few years I'll be using a device and OS that doesn't exist yet).
I was being sarcastic when I said that it was secure....
It's true that sometimes having very secure banks can be a pain... But, I would much rather have a bank that is very secure and a bit of a pain to sometimes access compared to a bank like mine where it's trivially easy to get access to someone's bank account...
I currently use 1password because it's not hosted, it's portable and I find it quite convenient...
BTW: You got my name but haven't got my correct birthday date. I've avoided having it in the clear on the internet because of identity theft :-)
If you ever drop by Shanghai, feel free to hit me up for a drink
But why? What are you worried about? The anti-fraud systems being employed by your bank are damned good. Moreover, all banks (U.S.) provide fraud protection... Looking at my bank's website for a moment reveals that a potential attacker could, I assume, change my ATM PIN (if they already knew it), do some bill pay, and possibly create an ACH transfer... which I could reveal as fraudulent to my bank...
Why should I be worried about this? I'm not trolling... I just don't understand what we are all supposed to be afraid of.
Something like this? https://www.pwdhash.com/ You can use the same password but the local browser plugin will use the site's URL to hash the password you type into something unique to that URL. I haven't used it personally and haven't researched it in detail but I like the concept.
Sounds like supergenpass which was implemented in Javascript as a bookmarklet, which is pretty good idea, except that any website with malicious code could grab your master pass from the DOM, and then they could use that for your account on any other website.
It looks like pwdhash works around this by functioning as a browser plugin (making your master password inaccessible from the DOM) but I'd still be slightly worried about browser exploits allowing malicious sites to get at your master password.
It's remarkably hard to get this right. pwdhash notes[1] that being a browser plugin stops JavaScript grabbing the password, but it's still possible with Flash. Third-party ports to other browsers don't even have the JS protection.
pwdhash still leaks the length of the password since it aims to give users visual feedback of characters being typed.
Then you've also got the issue of automatic update of plugins being compromised. The question is really: is it more secure than the alternatives?
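The per-site derivation that pwdhash and SuperGenPass are built around, as an added example that is not either project's own code: one master secret, a site key taken from the URL, and a one-way function between them so that a site which learns its own derived password cannot recover the master or any other site's password. The host normalisation rule and the character-class forcing are my own simplifications, not pwdhash's published rules.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def site_key(url: str) -> str:
    """Normalise a URL to the host the password is bound to.

    Simplification (assumption, not pwdhash's rule): lowercase the host and
    drop a leading 'www.'.  A production tool would consult a public-suffix
    list so that login.example.com and example.com derive the same password.
    """
    parsed = urlsplit(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Return a site-specific password derived from one master secret.

    HMAC-SHA256(key=master, msg=site) is one-way, so the derived password
    reveals nothing usable about `master` or about other sites' passwords.
    The digest is base64url-encoded (which supplies '-' and '_' as special
    characters) and cut to `length`.  One position in each third of the
    result is then forced to an upper-case letter, a lower-case letter and
    a digit, both the position and the character chosen from the digest, so
    that sites with composition rules accept it.  That costs a few bits of
    entropy but keeps the output fully deterministic.
    """
    if not 9 <= length <= 43:  # 43 chars = a full SHA-256 digest in unpadded base64url
        raise ValueError("length must be between 9 and 43")
    digest = hmac.new(master.encode("utf-8"),
                      site_key(url).encode("utf-8"),
                      hashlib.sha256).digest()
    encoded = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    chars = list(encoded[:length])
    slot = length // 3  # three disjoint slots, one per required class
    for i, alphabet in enumerate((UPPER, LOWER, DIGITS)):
        pos = i * slot + digest[i] % slot
        chars[pos] = alphabet[digest[31 - i] % len(alphabet)]
    return "".join(chars)


def has_required_classes(password: str) -> bool:
    """True if the password contains an upper-case letter, a lower-case letter and a digit."""
    return (any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for url in ("https://www.Example.com/login", "http://example.com", "https://example.net"):
        print(f"{site_key(url):<14} {derive_site_password(master, url)}")
```

The derivation itself is the easy part; the threads above are right that the risk lives where the master is typed. A bookmarklet runs in the page's own JavaScript context, so the page can read the master out of the DOM; a plugin keeps the derivation out of the page but still has to keep the input field itself, and any plugin in the browser that sees the keystrokes, out of reach. Nothing in the hash changes that.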
Would you rather have a slight inconvenience and have a company act in your best interests (security and safety), or would you prefer your data run the risk of compromise?
I'd like to be able to decide for myself how much risk to expose myself to. In this case, all signs were for minimal risk, so I think that they went overboard.
You can do that by not using LastPass. Offering "yeah, I want a little security, but not too much" would be kinda silly; they want their data to be safe.
I'm curious why she was locked out. I'm a LastPass user and the only thing I noticed is that my Chrome browser plugin had logged me out. I was able to log in with no problems, though, and the plugin continued to autofill websites as usual.
I couldn't log in for about 20 minutes at some point - which was bad, because I was at work, and stored work credentials via LastPass.
"Sorry, boss, can't work on that bug because I don't have my Redmine password. I also don't have the password for our build machine, so I can't sudo anything."
I liked the transparency. That's actually why I signed up and started using LastPass after the 'incident.' I figured a company that would react the way they did demonstrates a lot of integrity. People expect great products, so it is very difficult to give somebody a product that exceeds expectations. Service, however, is rarely expected to be great. It's far easier to exceed expectations in that area. So when I see great service (which I think LastPass provided), I'm a fan.
This reminds me of the recent story of an Applebee's (an American chain restaurant) employee that accidentally served alcohol to a toddler. All the commentary I read on the story said that the employee should be fired. But as long as it was an honest mistake, that's a terrible idea. No employee will ever be as careful with drinks as that guy will now. You shouldn't ask for experience when looking for employees and then fire them for getting it.
You have to be careful though because sometimes a mistake like that is not an honest mistake, but carelessness. To bring it back to the topic at hand, LastPass (possibly) made an honest mistake somewhere. Sony is careless. Fire Sony, run to LastPass because now they will be even more paranoid.
Wait a second. I mean it's nice and all that LastPass was being overly cautious. But how reassuring is it that they noticed an anomaly but weren't able to figure out what it was?
And this is a serious question, as I'm no expert in the field, but it seemed strange to me that they couldn't explain what actually happened with any certainty.
Here is an attempt to answer your serious question.
When was the last time that you "could have sworn" that you left your keys on the desk, but they're on the counter instead. Suppose that happened; it almost certainly means you just misremembered where you left your keys, but there is a TINY chance that someone might have stolen the keys, copied them, and put them back in the wrong place.
Just to be 100% certain, you immediately call a locksmith, and get your locks changed. And all the neighbors start talking about how poor you are at security for having allowed a burglar into your house.
THAT would be a reasonable analogy for what LastPass did.
Yes, I didn't need an analogy. I wanted to know why, in a secure house which presumably had cameras and sign-in sheets, they couldn't review the video tapes to see if someone had actually taken the keys or not (to extend your analogy).
I would bet that many of us who manage servers have multiple anomalies in logs we can't explain, but we just don't scan our logs in enough detail to find the anomalies in the first place.
The fact that LastPass has methods to notice small anomalies like this is reassuring.
If they were logging access logs, the logs may not have shown what was accessed specifically in a program. Just IP addresses connecting to the machine/software but no request disclosure. They have reasonable suspicion to be overly cautious: "After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)."
I hope they explain how they are going to resolve this for the future.
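The kind of check that surfaces an anomaly like the one quoted above, as an added example and not LastPass's own monitoring: per-interval byte counters for two links (web tier outbound, database outbound toward the web tier), a rolling median/MAD baseline for each, and a join of the intervals that spike on both. The counters are constructed sample data and the window and threshold are assumptions to tune against real traffic.

```python
from statistics import median

# Constructed sample: bytes per 5-minute interval on two links.  Interval 9 carries a
# burst that left the web tier and a smaller burst that the database sent toward it.
WEB_OUT = [410, 395, 420, 405, 398, 412, 401, 409, 397, 2550, 403, 399]
DB_OUT = [120, 118, 125, 119, 121, 123, 117, 122, 120, 640, 119, 124]

WINDOW = 6        # intervals of history behind each point (assumption)
THRESHOLD = 8.0   # robust z-score above which an interval is flagged (assumption)


def mad_scores(series, window=WINDOW):
    """Robust z-score of each value against the median/MAD of the preceding window.

    Median and MAD are used instead of mean and standard deviation so that one
    huge interval does not drag the baseline up and hide the intervals after it.
    Points without enough history score 0.
    """
    scores = []
    for i, value in enumerate(series):
        history = series[max(0, i - window):i]
        if len(history) < 3:
            scores.append(0.0)
            continue
        centre = median(history)
        mad = median(abs(v - centre) for v in history) or 1.0  # flat history: avoid /0
        scores.append((value - centre) / (1.4826 * mad))  # 1.4826 scales MAD to sigma
    return scores


def anomalous_intervals(series, threshold=THRESHOLD, window=WINDOW):
    """Indices whose outbound volume is far above the local baseline."""
    return [i for i, s in enumerate(mad_scores(series, window)) if s > threshold]


def excess_bytes(series, index, window=WINDOW):
    """How far the flagged interval sits above its baseline, in bytes."""
    history = series[max(0, index - window):index]
    return series[index] - median(history)


def correlated_anomalies(web_out, db_out, threshold=THRESHOLD, window=WINDOW):
    """Intervals flagged on both links, with the excess on each.

    A burst leaving the web tier that coincides with a burst leaving the
    database toward it looks like bulk data being pulled through the
    application, which is a different animal from a busy hour on one link.
    """
    both = set(anomalous_intervals(web_out, threshold, window)) & \
        set(anomalous_intervals(db_out, threshold, window))
    return [(i, excess_bytes(web_out, i, window), excess_bytes(db_out, i, window))
            for i in sorted(both)]


if __name__ == "__main__":
    for interval, web_excess, db_excess in correlated_anomalies(WEB_OUT, DB_OUT):
        print(f"interval {interval}: web tier +{web_excess:.0f} B, database +{db_excess:.0f} B")
```

Counters like these tell you that something moved, in which direction and roughly how much; they do not tell you which rows it was, which is exactly the gap the comment above points at. Pairing this check with query-level logging on the database is what turns "a spike" into "these tables, this account, this client".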
Don't know if there would have been a way for LastPass to disclose this information without getting the response they did, but in addition to the stupid coverage they got, they pulled me in as a customer after seeing how good they were at what they did. So I think there was good fallout from the coverage as well.
Agreed - I recently started using LastPass based on various recommendations around the web. Knowing they are paying this much attention to things increases my confidence rather than decreasing it.
Does LastPass know my passwords?
If so, why does it need to know my passwords?
I thought that my passwords are encrypted on my computer with a master password known only to me, but the same master password leaves my computer every time I log in to the LastPass site via their website.
Could someone point me to where it is detailed how they manage without knowing my password or where it is explained why they need to know it?
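The pattern a hosted password manager uses to answer exactly this question, as an added example and not LastPass's documented scheme (this thread only says they have a good hash in place; the details below are my assumptions, not a description of their service): the client derives two things from the master password, a vault key that never leaves the device and a separate authentication token that does. The server stores only a slow hash of the token, so it can check a login but holds nothing that decrypts the vault.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000  # assumption; set from a measured time budget on the client
SERVER_ITERATIONS = 100_000  # assumption; a second slow hash on the server side


def derive_keys(master_password: str, username: str,
                iterations: int = CLIENT_ITERATIONS) -> tuple[bytes, bytes]:
    """Client side.  Returns (vault_key, auth_token).

    vault_key  = PBKDF2(master, salt=username).  Stays on the device and is the
                 key for the vault (use AES-GCM with it; encryption is out of
                 scope here).
    auth_token = PBKDF2(vault_key, salt=master, 1 round).  A further one-way
                 step, so the token the server sees cannot be run backwards to
                 the vault key or the master password.
    """
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    username.lower().encode("utf-8"), iterations)
    auth_token = hashlib.pbkdf2_hmac("sha256", vault_key,
                                     master_password.encode("utf-8"), 1)
    return vault_key, auth_token


def server_enroll(auth_token: bytes, iterations: int = SERVER_ITERATIONS) -> dict:
    """Server side.  The token is password-equivalent for login, so it is not
    stored as-is: it gets its own salt and slow hash, like any password would."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_token, salt, iterations)
    return {"salt": salt, "hash": stored, "iterations": iterations}


def server_verify(record: dict, auth_token: bytes) -> bool:
    """Server side.  Constant-time comparison against the enrolled hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_token, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def what_the_server_learns(record: dict) -> set:
    """Everything the server holds for this user: no master, no vault key."""
    return set(record)


if __name__ == "__main__":
    vault_key, token = derive_keys("hunter2", "alice@example.com")  # constructed sample
    record = server_enroll(token)
    print("server holds:", what_the_server_learns(record))
    print("login ok:", server_verify(record, token))
    print("wrong password ok:", server_verify(record, derive_keys("hunter3", "alice@example.com")[1]))
```

Two caveats a practitioner will want. First, this only holds when the derivation really runs on the client; a login form that posts the raw master password to the server, or a web client whose JavaScript the server can swap at will, gives the server the master anyway, which is the concern behind the question above. Second, an attacker who steals the server's records still gets to brute-force the auth hashes offline, which is why both sides use a slow KDF rather than a single SHA-256.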
The sad thing is that most people who were previously unfamiliar with LastPass probably won't dare to try it out now. That's the kind of press LastPass just didn't deserve.
Actually I've decided to give LastPass a shot DUE to how well they've handled this, and knowing that they will probably have a sufficiently paranoid response to situations in the future, as well as knowing they have an excellent hash algorithm in place.
Unfortunately you are right for the overwhelming majority of users who will see "LastPass Hacked!" then note "Don't use LastPass".
I hope that LastPass realised that they would receive this negative publicity by handling this event so publicly, and that they went ahead and did it anyway. That would show great integrity. If something similar happens again and they sweep it under the carpet to avoid a repeat of this bad publicity, then they're the same as every other company.
It would be interesting to see statistics on how much the negative press actually affected LastPass. It seems likely that the sort of people who would use LastPass is also the sort of people capable of deciding for themselves how safe their data are.
I agree on the overall subject but I'm still shocked that LastPass hasn't got anything better than "spike in the traffic" IDS, better logging etc? If you are in a business with this kind of data you have to expect to get hacked everyday and you have to be ready for it. Even your business plan should include this stuff.
Unless they have a really awkward reason, not having a proper idea about a possible hack is not a good sign.
A security breach is never OK. Disclosure helps but does not absolve anyone. We cannot accept that these things just happen.
Besides, it's a password manager. Of course it's going to be held to a higher standard of security. It failed at the one and only thing it is supposed to do.
The explanation given (slight chance others may have accessed encrypted password data) and the action taken (locking user accounts) don't go together and led to the media frenzy.