Lastpass breach. Code stolen. No user data taken

which is why your comments on security-related issues are not given any particular weight by many.
They are not meant to be. I'm just expressing my point of view. You know, free speech.
You don't think you have control over it so you adopt an illogical stance against it.
True, but wait for the next news headlines...
 
True, but wait for the next news headlines...
For what? You do realize that this incident is a non-story. Unless the thieves actually find a backdoor. Which I am certain will not happen because I trust who has audited them. Though I admit I think Bitwarden has engaged in a better audit process. If you are really, really concerned I would go with them. Bitwarden can be self-hosted so you control its use.
 
They don't understand cryptography

And I don't understand cryptography, really, nor string theory, nor the exact way that mRNA works, nor all the details about how an internal combustion engine and all its controls work, etc., etc., etc.

The difference being that I was always taught that when you know that you don't know about something, you defer to subject matter experts when attempting to understand it (to the extent you can) and making decisions regarding it where you need something solid to stand on to do so.

One of the biggest issues in today's world, as I see it, is that far too many have elevated "Uncle Joe's friend, Terry, down the street," who happens to have an opinion about something they don't know the first thing about to the same plane as those who've dedicated their entire adult professional lives to a given subject. No, Terry does not know anything that deserves the respect or consideration that a subject matter expert in the field (regardless of the specific field) does. Even when "an educated guess" is required, that "educated" part is critical. It's the difference between informed opinion and, "well, it's what I believe, absent any evidence or ignoring all evidence."

We need to get back to a place where the legitimate role of gatekeepers and those vetting information is respected, because it's vital for the kind of world we've been living in since at least the early-ish part of the 20th century. Listening to the people who know, when you know that you don't know, is what intelligent individuals do without exception.
 
I am reluctant to chime in on this for a variety of reasons. I'm not a developer, nor do I write or understand code. My uneducated concern about breaches where source code is stolen is future rather than present tense. After all, I doubt they stole the code so they could develop a competing product without doing their own work. There is a reason they wanted the source code, whether to examine themselves or sell to someone who does. Somebody wants it, and not for altruistic motivations.
 
I am reluctant to chime in on this for a variety of reasons. I'm not a developer, nor do I write or understand code. My uneducated concern about breaches where source code is stolen is future rather than present tense. After all, I doubt they stole the code so they could develop a competing product without doing their own work. There is a reason they wanted the source code, whether to examine themselves or sell to someone who does. Somebody wants it, and not for altruistic motivations.
That’s a risk with any software.
 
That’s a risk with any software.

Not to mention that it doesn't do a darned thing to break encryption where only the end user possesses the key.

Hence my earlier comment that if anyone wants the encrypted file that is my password vault I'll gladly send it to them. Unless quantum computing appeared tomorrow (and it's not going to) there is just no way that this data is going to be extractable by someone who has the vault but not the key.
 
Then use bitwarden it is open source.
Or use LastPass. That seems to be open source now too.

Edited to add: This might actually be a good thing for LastPass, especially if they follow it up with an official release of their source. Modern cryptography doesn't rely on its algorithms being kept secret - in fact, it positively benefits from having many eyes scrutinize them precisely because of the possibility of an unseen flaw or hidden backdoor. A "publish and be damned" approach would be a great way to demonstrate that their product really is secure.
 
They don't understand cryptography

And I don't understand cryptography, really, nor string theory, nor the exact way that mRNA works, nor all the details about how an internal combustion engine and all its controls work, etc., etc., etc.
And I don't really need to know or want to know.

You don't trust password managers and the only reason not to trust them is because you think Encryption doesn't work.
My decision not to use a PW manager is about "trust" not cryptography or the phases of the moon or how my toenails grow. It's trust.
I DO think encryption works. I use an open source portable encryption program to encrypt my stuff before I store it on my own computer.
But never would I give anyone the password.

I don't trust anyone, whether it's you, @nlinecomputers or my own mother.
 
And I don't really need to know or want to know.


My decision not to use a PW manager is about "trust" not cryptography or the phases of the moon or how my toenails grow. It's trust.
I DO think encryption works. I use an open source portable encryption program to encrypt my stuff before I store it on my own computer.
But never would I give anyone the password.

I don't trust anyone, whether it's you, @nlinecomputers or my own mother.
But you're not giving anyone the password. Even if someone did steal the encrypted vaults, it's the equivalent of someone stealing your encrypted hard drive. The data that is encrypted is pretty much irrelevant; encrypted data is encrypted data, and if that data takes a couple hundred years to crack, if it's even possible, then in my eyes it's pretty safe. You and only you have the master password and secret key in terms of password managers, just like only you have the decryption key for your hard drive.
 
Password Manager Software company Lastpass reports that their network was breached and software code was stolen. They say no end user data was accessed in the breach. And even if it was the data is stored encrypted So it’s protected by that.

It's far easier to find weaknesses in uncompiled code than the binary created by compiling that code.
 
Even if the mathematical theories were flawless, hackers will start by looking at the algorithm used (how the math is applied), then proceed with the source code (how it is translated in computer language), then the way it's compiled, then how it interacts with the OS and if it's not enough, look at the hardware (and it's a whole new story). Without speaking about the weakest link: the user (social engineering, cognitive bias, etc.).

There is a reason why critical systems are air gapped. And sometimes it's not even enough.

So, let me stand behind my point here: there is no such thing as computer security.

I really hope no one here, if given the chance, would put the nuclear launch codes on the cloud :)
Anyway, my $0.02 ;)
 
Even if the mathematical theories were flawless, hackers will start by looking at the algorithm used (how the math is applied), then proceed with the source code (how it is translated in computer language), then the way it's compiled, then how it interacts with the OS and if it's not enough, look at the hardware (and it's a whole new story). Without speaking about the weakest link: the user (social engineering, cognitive bias, etc.).

There is a reason why critical systems are air gapped. And sometimes it's not even enough.

So, let me stand behind my point here: there is no such thing as computer security.

I really hope no one here, if given the chance, would put the nuclear launch codes on the cloud :)
Anyway, my $0.02 ;)
There’s nothing secret about the math. The encryption method is AES-256 encryption and PBKDF2 hashing. That’s an industry standard. To attack the password manager you have to breach the client because no decoding occurs on the server or in transit. If your client is under attack then you already have a security problem, client or not. If I have managed to install a keylogger on your rig I can steal them in real time as you type them in, even if you are consulting a paper notebook to do so.

And unlike Trump I’m not holding nuclear secrets and neither is anyone reading this. The level of security is good enough for anyone here.
 
If I have managed to install a keylogger on your rig I can steal them in real time as you type them in, even if you are consulting a paper notebook to do so.
This is my point: 100% security is an illusion at best. And complexity is not always a good friend of security...

The level of security is good enough for anyone here.
Not everyone :)
 
This is my point: 100% security is an illusion at best. And complexity is not always a good friend of security...


Not everyone :)
Really? So you never make online purchases or deal with a bank that has a website or the multitude of other transactions that require internet access?
 
So you never make online purchases or deal with a bank that has a website or the multitude of other transactions that require internet access?

And that would include virtually any credit card transaction these days, too.

The idea that any technology can be 100% reliable has always been a myth. The fact that good enough is way more than good enough for all practical intents and purposes when it comes to most modern computer security is still a fact.

I'm not going to lie awake at night waiting for my world to come crashing down because I do the things that everyone in the modern world does (whether they realize they're doing them or not). Every blessed thing there is to know about me is out there, sitting on a computer, somewhere and has been for most of my life. I have zero control over that.
 
So you never make online purchases
Of course I do. I just won't store my *passwords* on the cloud. As I said, I don't like the idea and I don't trust it. My call.

The idea that any technology can be 100% reliable has always been a myth.
Fair enough :)
40-bit DES, 56-bit DES, 128-bit AES... WEP, WPA, etc. all useless by now. So many memories...
 
40-bit DES, 56-bit DES, 128-bit AES... WEP, WPA, etc. all useless by now. So many memories...
Yes, technology moves on. Every encryption method broken has been replaced by higher, more sophisticated encryption. Quantum computing will not be the end of encryption. It will just be the beginning of quantum-level encryption. The only risk is the overlap time where encryption is broken but not yet replaced. But so far new encryption methods have always come out before the outdated ones died. I don't see that changing.
 