
The DEA Demanded Passwords from LastPass - johns
https://www.forbes.com/sites/thomasbrewster/2019/04/10/what-happened-when-the-dea-demanded-passwords-from-lastpass/
======
dmurdoch
> Even when requests do come in, the company can only provide limited data,
> they added. That includes customer contact information, billing addresses
> and IP addresses. It could also reveal what apps a customer is storing
> passwords for in LastPass

> what apps a customer is storing passwords for

I guess that means if you have any passwords stored for a website you don't
want anyone to know about, put it under a note with an unrelated or gibberish
title? The fact they reveal the apps is kinda lame.

~~~
aasasd
> _put it under a note with an unrelated or gibberish title_

More like, don't use Lastpass if they can't keep all your password-use data on
the client side, which is supposed to be their entire shtick? This detail
about the metadata leak should be the main outtake, if not the news of the
day.

When I looked into using Lastpass, I asked them on the support forum why their
own documentation says they can alert you when emails you use on websites
appear in leaks, if the password database is supposed to be inaccessible by
the Lastpass backend. They said I'm reading the docs wrong and it's only the
Lastpass account email that they alert about. I re-checked the docs: nope,
clearly says website accounts that I put into the database.

Here's the thread, which has a screenshot of the docs at that time:
[https://forums.lastpass.com/viewtopic.php?f=12&t=165485](https://forums.lastpass.com/viewtopic.php?f=12&t=165485)

In the end they said the checks are done locally—by downloading dozen-gigabyte
leak archives like the exploit.in, I guess? But still I suppose the alert
emails are sent server-side. And the support saying I was “misquoting the
manual” was enough for me.

~~~
GoMonad
> In the end they said the checks are done locally—by downloading dozen-
> gigabyte leak archives like the exploit.in, I guess?

I would guess they are doing the checks with a technique called k-anonymity.
It doesn't require sending the password, nor does it send too much data to the
client. Troy Hunt offers a service using this technique.

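An illustration of the k-anonymity range query GoMonad describes, as an added example that is not part of the thread and is not LastPass's or Troy Hunt's code. It follows the shape of the Pwned Passwords range API (client hashes the secret with SHA-1, sends only the first five hex characters, the server returns every suffix in that bucket with a breach count, and the client matches the rest locally), but the breach corpus, the counts, the `PwnedPasswordServer` class and the `check_password` helper are all constructed here for the demonstration:

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: hypothetical passwords and made-up counts,
# standing in for the server-side table of breached-password hashes.
BREACHED_PASSWORDS = {
    "password": 3645804,
    "123456": 23597311,
    "qwerty": 3946737,
    "letmein": 236150,
    "correct horse battery staple": 12,
}

HEX = set("0123456789ABCDEF")


def sha1_hex(secret: str) -> str:
    """Upper-case hex SHA-1, the hash the range scheme is keyed on."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


class PwnedPasswordServer:
    """Simulated server side (assumption: not a real service's code).

    Hashes are indexed by their 5-character prefix so that one bucket can be
    returned without the server ever learning which entry the client wanted.
    """

    def __init__(self, corpus):
        self.buckets = defaultdict(dict)
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.buckets[h[:5]][h[5:]] = count
        # Record what the server actually receives, to show the metadata exposed.
        self.requests_seen = []

    def range_query(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for every hash sharing this prefix."""
        if len(prefix) != 5 or any(c not in HEX for c in prefix):
            raise ValueError("prefix must be 5 upper-case hex characters")
        self.requests_seen.append(prefix)
        bucket = self.buckets.get(prefix, {})
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def check_password(server: PwnedPasswordServer, password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns the breach count for the password, or 0 if it is not in the corpus.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    body = server.range_query(prefix)
    for line in body.splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server = PwnedPasswordServer(BREACHED_PASSWORDS)
    for pw in ("password", "a-long-unique-passphrase-not-in-corpus"):
        print(pw, "->", check_password(server, pw))
    # The server only ever saw 5-character prefixes, never a full hash or password.
    print("server saw:", server.requests_seen)
```

The point of `requests_seen` is to make the privacy property checkable: the server log holds five hex characters per lookup, and a bucket of that size is shared by many unrelated passwords, so the lookup does not identify the secret. Note what the scheme does not cover, which is exactly aasasd's objection above: it hides the password being checked, but a service that emails you when an address turns up in a leak still has to know, server-side, which address to notify.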
~~~
aasasd
They could do that in theory, yes, but we don't know if they did so back in
2015, or what they did at all. Because there was no documentation as to what
actually was happening—except that emails which are in a leak are very likely
exposed to the Lastpass backend, since LP sends a notification to that
address.

And my objection here is not to a leak of passwords (as they're not what is
checked)—I don't want my emails or usernames to be thrown around either.

------
Nerevarine76
This actually makes me feel even better about LastPass

~~~
goodfight
/s?

------
milkytron
> Police were also able to bypass encryption on the suspect’s CyberPowerPC,
> where they discovered an extension app for LastPass.

Mentioning the brand of CyberPowerPC here is irrelevant in my opinion. Last I
checked, they only really make cases and do fancy lighting on custom builds
which are generally used for gaming and running Windows.

It would have been more relevant to say Windows PC, or whatever OS the PC was
running.

But I suppose it's a bit much to expect Forbes writers to be in tune with
this, and the police might not have given more details beyond the brand name.

~~~
zaroth
More importantly, _how_ were they able to bypass the encryption?

~~~
jstarfish
The easiest way to break encryption at rest on anybody's CyberPowerPC(tm) is
to capture the machine in its powered-on (and unencrypted) state.

