Monthly Archives: June 2015

Change Your LastPass Master Password

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.

Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.

We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.

Joe Siegrist
& the LastPass Team


Frequently Asked Questions

Why haven’t I been notified by email? Emails are being sent to all users regarding the security incident. While this takes a bit longer than posting on the blog, we are working to notify users as fast as possible.

Do I need to change my master password right now? LastPass user accounts are locked down. You can only access your account from a trusted IP address or device – otherwise, verification is requested. We are confident that you are safe on your LastPass account regardless. If you’ve used a weak, dictionary-based master password (e.g., robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites, you need to update it.

via LastPass Security Notice | The LastPass Blog.
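The two-stage derivation the notice describes, as an added illustration that is not LastPass’s own code: the server-side figure of 100,000 PBKDF2-SHA256 rounds and the random per-user salt come from the notice, while the client-side round count, the use of the account email as the client-side salt, and the sample account values are assumptions.

```python
import hashlib
import hmac
import os

# 100,000 server-side rounds is the figure from the notice. The client-side
# round count and the use of the lower-cased account email as the client-side
# salt are assumptions for this illustration, not LastPass's actual values.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_side_hash(email: str, master_password: str) -> bytes:
    """What the client sends: PBKDF2-SHA256 over the master password.
    The plaintext master password itself never reaches the server."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_side_strengthen(auth_hash: bytes, per_user_salt: bytes) -> bytes:
    """Server-side strengthening: another 100,000 PBKDF2-SHA256 rounds keyed by
    the received hash and salted with a random per-user salt, so a stolen record
    has to be attacked one account at a time at full cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, SERVER_ROUNDS)


def enroll(email: str, master_password: str) -> dict:
    """Build the stored record: email, per-user salt, strengthened hash.
    These are the fields the notice says were compromised."""
    salt = os.urandom(32)
    auth_hash = server_side_strengthen(client_side_hash(email, master_password), salt)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record: dict, email: str, master_password: str) -> bool:
    """Re-derive from the supplied password and compare in constant time."""
    candidate = server_side_strengthen(client_side_hash(email, master_password), record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def pbkdf2_rounds_per_guess() -> int:
    """PBKDF2 iterations an offline attacker pays per candidate password
    when working from a stolen salt and hash."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    rec = enroll("user@example.com", "correct horse battery staple")  # constructed sample
    print(verify(rec, "user@example.com", "correct horse battery staple"))  # True
```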

Posted in Cryptography, ID Cards and Identification | Comments Off on Change Your LastPass Master Password

The Style Trap

Robert Graham,

A lot of companies spend a great deal of time, and political gnashing of teeth among developers, in order to draft style guidelines. This is garbage — it truly does not matter where you put braces, for example. Experienced coders have to be accustomed to reading various styles anyway. Here’s what you should do. Start a program asking anybody who is interested to come in after work in order to draft a new set of style guidelines. Fire everyone who shows up — they are political animals who are likely deadweight anyway. Then just pick a style guideline at random, like the Linux kernel style doc or the WebKit style.

— Errata Security, How to code: lesson 27

I don’t know if I’m persuaded by this, for all that it sounds good. I would expect that some coding styles impose some discipline on coders, making it hard to make careless errors — and easier for others to spot them. Plus shared expectations do make code easier to read and understand.

Then again, maybe modern coding languages have other tools that can notice when you leave out a ) or a }, or mis-specify a variable. It’s been a long time since I actually had to write code anyone else would see, much less work with.

Posted in Software | 3 Comments

Fun Fiction

Paul Ford, The Last Museum.

For some reason, I especially liked this line,

I realized when someone tried to get me involved in a private zoo-sharing plan that it had gone too far. I didn’t want to own a fractional giraffe.

This next bit wasn’t bad either,

Deep down we are all people of the screen, but the generation coming after don’t own cars. They don’t own phones. They rent access to communities. They design tastes and sounds. They network naturally. A young man walks down the street and a voice comes into his ear, and he stops and says to a young woman in front of him: “Cynda wants you to get milk.”

Some part of me keeps screaming, “why does he need to tell her? Why doesn’t someone just tell Cynda directly to get the milk?” Why, when we are surrounded with technology, would anyone build inefficiency into the system, involving more humans, making a mess of what should be a simple process involving robots and drones?

But they are who they are, and what am I going to do about it? Blog?

Indeed.

Posted in Readings | Comments Off on Fun Fiction

This Joke Is Older Than You Think

Jon Schwartz writes, Russian Oligarch Boris Berezovsky Wanted to Turn My Joke Into Reality. The joke is

One of my core political beliefs is that there would still be a Soviet Union if they’d been smart enough to have two communist parties that agreed on everything except abortion.

Obviously that’s a joke about the U.S., where we have two capitalist parties that largely agree on everything. The exceptions are issues that matter a lot to the regular people who make up the two parties’ bases, but are largely irrelevant to party elites who fund and run both of them.

I first heard a version of this in the early seventies, when someone told me what was already an old saw about Kwame Nkrumah being interviewed by an American reporter for the AP shortly after taking Ghana to a one-party state in 1964.

“Don’t you believe in democracy, sir?” the reporter asked.

“Oh you Americans,” Nkrumah supposedly replied, “You already have a one-party state, but with typical American excess you have two of them.”

Update: It seems I’ve blogged this joke before. More American excess?

Posted in Completely Different, Politics: US | Comments Off on This Joke Is Older Than You Think

Learning the Wrong Lesson from a Ripoff

Peter Himler draws the wrong conclusion from his bad experience with The F***ing Internet of Things — Adventures in Consumer Technology.

I soon learned that I had very few options in terms of service providers. The design of the Crestron system is quite complex, i.e., each system is programmed to the individual specs of the dealer and the dealer is the only one with the keys.

For my deep-pocketed and tech-luddite neighbors, this fact probably mattered little. If you have a $10-million dollar home, what’s tens of thousands of dollars? For us, however, it mattered.

Conversely, for the small group of local Crestron dealers, it’s a virtual bonanza.

Rather than conclude (as he does) that the makers of high-tech IoT-enabled products ought to remind their dealers to be less grasping, not to mention criminal, Himler should have concluded that we ought not to buy expensive (or mission-critical) products that have proprietary systems.

Open source, my friend, open source.

Posted in Sufficiently Advanced Technology | 1 Comment

The Past Isn’t Even Past

I remember it well:

Editor’s Preamble! Back in 1997 I gave a paper on crowdfunding – I believe the first ever proper paper, although there was one "lost talk" earlier by Eric Hughes – at Financial Cryptography 1997. Now, this conference was the first polymath event in the space, and probably the only one in the space, but that story is another day. Because this was a polymath event, a law professor whose name escapes me, Michael Froomkin, stood up and asked why I hadn’t analysed the crowdfunding system from the point of view of transaction economics.

I blathered – because I’d not heard of it! But I took the cue, went home and read the Ronald Coase paper, and some of his other stuff, and ploughed through the immensely sticky earth of Williamson, who later joined Coase as a Nobel Laureate.

The prof was right, and I and a few others then turned transaction cost discussion into a cypherpunk topic. Of course, we were one or two decades too early, and hence it all died.

Now, with gusto, Vinay Gupta has revived it all as an explanation of why the blockchain works.

Financial Cryptography: Coase's Blockchain – the first half block – Vinay Gupta explains triple entry.

Posted in Cryptography, Econ & Money | Comments Off on The Past Isn’t Even Past