So is there any way to verify what this person is saying? I mean, from the way LastPass is evolving it doesn't seem unlikely to me -- but why is this tweet on HN? Is there any supporting evidence aside from an anecdote, does this Twitter account have a strong reputation of being credible, etc.?
Without context, I just don't understand why this anecdotal thread should be considered credible.
Disclaimer: I use FOSS password managers for everything possible but have to use LastPass for some non-personal stuff and I very much dislike it
It seems like a reasonably well written anecdote by someone who has some idea what they're talking about. It could obviously be false, but the consequences if he's right are potentially serious for a lot of HN users who might use LastPass. The consequences if he's wrong are a little extra reputational damage for LastPass, but that seems like a worthwhile tradeoff here.
Not everything posted on HN has to be verified true. The decision calculus here seems strongly in favor of signal boosting it, so that people who need to can take defensive action, even if it turns out to be wrong.
It's like a novice programmer blaming the compiler for a bug in their application. It's very unlikely to be true. What would you have the people who are using LastPass do, stop using it? Because some crypto dude stored their highly valuable keys in a system that literally copies their keys to any system they log into, to systems that are notorious for having very leaky abstractions and vast vulnerability surfaces?
> It's like a novice programmer blaming the compiler for a bug in their application.
The big difference between the two examples is this: LastPass is known to have bugs. Huge amounts of data were stolen from them and we just found out that it was a lot more than we thought.
For all we know, they were storing passwords in the clear somewhere.
Trivia note: the first compiled language I used was PL/I, and the compiler was notoriously buggy and would crash on well-formed programs. Our teacher told us to put do-nothing statements in when this happened (`PUT SKIP(0);` if I recall correctly), and with some trial and error, those would fix it.
> What would you have the people who are using LastPass do, stop using it?
Yes. After their last major breach I exported all my data and deleted all my credentials and account with LastPass. Seeing the details of this breach, I'm super happy I did.
I meant the major breach before this one, I believe that was the one that gave attackers access to their dev environment, which they used to steal the developer credentials they used to make this attack.
I don't agree that was enough of a reason to drop them. An attacker getting access to your dev environment, even if you're one of the largest security-focused endeavours, is pretty much an inevitability. Someone's gonna get access to one of your engineers' MacBooks, no matter what.
The thing that's bad is that apparently their developers have access to (backups of) production data. That implies that their security infrastructure is not different from regular startups at all, so all of their marketing is just bullshit. They didn't sacrifice developer productivity for security on this point, so they can't be trusted to have sacrificed anything for security at any point.
It's a solid point, you really need to rotate all the credentials to be safe. I did that for the important accounts and don't share passwords between accounts. I'm sure there are still a few accounts here and there that might be at risk, especially since it was specifically the backups that were compromised.
That's subjective and has no value in determining whether the post is true.
"Not everything posted on HN has to be verified true. The decision calculus here seems strongly in favor of signal boosting it, so that people who need to can take defensive action, even if it turns out to be wrong."
What? Proven true, no, any sort of evidence, yes. As for taking actions, there's a cost.
Why not? I have a security background. I see nothing wrong with that statement. Although what he actually said was:
"Initially I imagined I was targeted by a 0day or rootkit"
which actually does not make sense, because it implies he thinks those two things are fungible. He's obviously not a security expert, but he's also obviously not totally technically incompetent.
It's quite unlikely someone would risk burning a viable 0day without either going wide (and then we would've heard from a few more people) or going after a well outlined target that would be guaranteed to be worth more than the 0day itself.
The person in question is very wealthy. I know at one point his portfolio was 9 figures. That may have been at the peak of the bull market but I imagine path is still very rich. Is it worth a 0day, still not sure.
I guess my prior based on the way this guy was talking was that he probably had at least 6-7 figures in crypto stolen, which is worth it for a mid tier 0day. Especially if you think it's unlikely to actually get burnt.
To explain your comment a bit: It should be 0 day AND a rootkit, not OR. Plus the rootkit is not always needed or possible.
Also the people talking about “burning zero days”… every time you use an exploit (ignoring the exact meaning of 0 days) it doesn’t become burned by the first person. The hacker could use it on hundreds of people before it’s discovered and patched by whatever software it targets. That could take months.
It can certainly be "or": rootkits can come from your machine's supply chain, and lie mostly dormant for many months or years before activation. Rootkits can get installed after a non-zero-day-entrypoint vector e.g. simply tricking the user into running downloaded malware. etc.
If you have a security background then you know that 0days go for 6-7 figures and it's unlikely somebody would burn one of those on some random dude.
Way to make yourself feel important. It's not that you made some terrible choices yourself, like using a known-insecure password manager SaaS, or putting real money into crypto. Nono, somebody pulled a 0day on me, what can ya do? Shrugs
This. Why would we be critical of LastPass being secretive and/or wrong and then take a tweet at face value?
From one of the tweets:
> I did not download anything. My machines are clean, and I have physical 2fa on everything. None of the links or contracts I interacted with were malicious. Nobody else had physical access to my PC.
Yeah sure. Sounds like my aunt when she messed up her PC and loudly claims "but I didn't do anything!" Surefire sign that she did. Turns out it's true, every time.
I have no idea what this has to do with this discussion, and this just comes off as an ad hominem attack. Flat earthers claim that there's an economic interest in lying to them? And you think that claim is particularly genuine or even similar to this argument?
> You don't know if this person has nothing to lose
It is possible that they have some competing business and are trying to damage LastPass, but there's absolutely no evidence of that, nor any suggestion other than to double-check your credentials and your expected security if you are a LastPass customer. So, if they do have an interest, they're doing a particularly bad job of acting within it.
> Even if they have nothing to lose that doesn't mean they are being honest.
And we're not going to reach 100% certainty of any fact through discussion on a message board. It is interesting that some people spend a lot of effort trying to ensure this obscurity gets injected into the conversation, and it suggests that their own motivations should be questioned.
All in all, on the balance of apparent probabilities, there's more reason to trust this person than not. You can attempt to assail that logic if you like, but I would appreciate it if you stuck to the facts of the argument instead of kicking up dirt.
I personally don't use LastPass due to their history of failures. My point is that the tweet in question and people around here are insinuating that attackers have gained access to unencrypted passwords in the infrastructure of LastPass. This would be a new low for LastPass and I would advise not jumping to conclusions regarding this aspect unless other stories like this pop up, i.e., passwords getting hacked despite being resilient against brute force attacks.
Quite obviously there isn't anything, and the handle indicating a crypto hack is as non-credible as anything can be, but some folks on HN still fall for the crypto hype.
This is your regular reminder that all crypto is scam, this is a simple mathematical fact.