
LastPass Disclosure Shows Why We Can't Have Nice Things - thirsteh
http://throwingfire.com/lastpass-disclosure-shows-why-we-cant-have-nice-things/
======
pstack
This is to be expected when you have ignorant people reporting on things that
they are not willing to educate themselves about. Anyone who wrote sensational
garbage about the LastPass event didn't bother to understand how LastPass
works and what the real potential of any breach could be.

Frankly, it leaves me exhausted in the same way the regular stream of
sensational ignorant responses to violent video games, boobs in video games,
or explicit lyrics in music leave me exhausted. It's extremely difficult to
fight an ignorant public being exploited by a willfully ignorant and
sensationalistic media.

The likes of Tech Crunch et al who should be in a position to counter such
mainstream media reactions and behavior are all too often, unfortunately,
jumping right into the fray and showing that they can be just as counter-
productive as any big old-media outlets.

~~~
wh-uws
Exactly that. I really want to do an HN post asking people to curb all of the
sensationalist headlines (especially if you haven't fully researched the
situation).

I just feel like it will get lost in the noise though

~~~
starwed
At least headlines on HN are frequently edited to make them true.

That was always one of the things that drove me batshit crazy about slashdot
-- nominally it has editors, but they let straight up flame-bait submissions
go through.

~~~
pstack
Slashdot's discussion of the Lastpass situation was titled _LastPass Password
Service Hacked_ and linked to an article at Kaspersky where their title said
_LastPass Probably Breached_.

 _sigh_

~~~
niels_olson
I use lastpass and 1password. FWIW, I think the guys at AgileBits did a pretty
reasonable job of not gaming lastpass's bad day. They did a blog post about a
relevant detail of their own security, which really seems like a reasonable
thing to do on a day like that.

[http://blog.agile.ws/2011/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/](http://blog.agile.ws/2011/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/)

------
martinp
This is the only sane post I've read about this incident. All the major tech
sites blew it way out of proportion. LastPass did everything right, and yet
every headline was along the lines of "LastPass has been hacked, panic!".

They deserve better, especially seeing as how transparent they were about the
whole situation and how they handled it.

~~~
CWuestefeld
Actually, I think that LastPass overreacted. Seeing the possibility of a
breach, and alerting customers is definitely the right thing. But they went so
far as to lock customers out of their own data -- it was two full days before
my wife was able to get into our bank account.

~~~
nettdata
Was that their failing or yours?

I'd tend to look at these types of services as a convenience, nothing more. If
you allow yourself to become reliant on them for access to your personal data,
like banking, etc., then I'd say that you put too much faith/trust in them.
Shit happens, all the time, despite the best intentions of people working hard
to make sure it doesn't.

~~~
pavel_lishin
> I'd tend to look at these types of services as a convenience, nothing more.

How do you go about keeping all of your usernames and passwords secure, then?

~~~
nettdata
Call me crazy, but I use my memory. I also use RSA fobs for the important/big
stuff.

~~~
pavel_lishin
Your memory must be much better than mine. Recommended procedure is to use a
different and secure password for every site you care about, right? That's
three bank accounts, several work-related accounts, a couple of social media
sites, etc. I'd have to remember at least 20 difficult passwords on a daily
basis.

~~~
nettdata
Maybe it is... who knows.

It's a hell of a lot easier to do if you don't make it about straight random
memorization though.

I have a little memory association I do with every site I need an account/pass
for, based on various characters out of books I've read.

Every site has a character I've associated with it, to make it easier to
remember, and I have a simple (to me) algorithm I use to generate the password
that includes various capitalization and special characters.

Sure, it might take a bit of work early on to remember stuff, but if you learn
how to memorize things effectively, it makes it much easier.

Mind you, I also know all my CC numbers, passport number, drivers license,
etc., as well, so maybe I'm just weird.

~~~
pavel_lishin
Maybe not weird, but definitely better than me. I remember my driver's
license, my phone number, my girlfriend's, and my parents'. That's about it.

The mnemonic is a good idea. I've thought about doing that - but then I fear
that I'd forget the mnemonic :)

~~~
cheez
I have to look at my phone every time someone asks me for my phone number. I
don't know if this means that my brain is dying or that I don't bother
remembering information that I can easily look up...

------
DanielStraight
This reminds me of the recent story of an Applebee's (an American chain
restaurant) employee that accidentally served alcohol to a toddler. All the
commentary I read on the story said that the employee should be fired. But as
long as it was an honest mistake, that's a terrible idea. No employee will
ever be as careful with drinks as that guy will now. You shouldn't ask for
experience when looking for employees and then fire them for getting it.

You have to be careful though because sometimes a mistake like that is not an
honest mistake, but carelessness. To bring it back to the topic at hand,
LastPass (possibly) made an honest mistake somewhere. Sony is careless. Fire
Sony, run to LastPass because now they will be even more paranoid.

------
arn
Wait a second. I mean it's nice and all that LastPass was being overly
cautious. But how reassuring is it that they noticed an anomaly but weren't
able to figure out what it was?

And this is a serious question, as I'm no expert in the field, but it seemed
strange to me that they couldn't explain what actually happened with any
certainty.

~~~
mcherm
Here is an attempt to answer your serious question.

When was the last time that you "could have sworn" that you left your keys on
the desk, but they're on the counter instead. Suppose that happened; it almost
certainly means you just misremembered where you left your keys, but there is
a TINY chance that someone might have stolen the keys, copied them, and put
them back in the wrong place.

Just to be 100% certain, you immediately call a locksmith, and get your locks
changed. And all the neighbors start talking about how poor you are at
security for having allowed a burglar into your house.

THAT would be a reasonable analogy for what LastPass did.

~~~
arn
Yes, I didn't need an analogy. I wanted to know why, in a secure house which
presumably had cameras and sign-in sheets, they couldn't review the video
tapes to see if someone had actually taken the keys or not. (to extend your
analogy)

~~~
swombat
And they do - and the cameras and sign-in sheets didn't explain the mysterious
key movement. So they're replacing the locks.

------
rkalla
Don't know if there would have been a way for LastPass to disclose this
information without getting the response they did, but in addition to the
stupid coverage they got, they pulled me in as a customer after seeing
_how_ good they were at what they did. So I think there was good fallout from
the coverage as well.

~~~
aquark
Agreed - I recently started using LastPass based on various recommendations
around the web. Knowing they are paying this much attention to things
increases my confidence rather than decreasing it.

------
pdenya
I love this reaction. Signing up for an account with them now after seeing how
seriously they monitor security.

------
scotty79
Does LastPass know my passwords? If so, why does it need to know my passwords?

I thought that my passwords were encrypted on my computer with a master password
known only to me, but the same master password leaves my computer every time I log
in to the LastPass site via their website.

Could someone point me to where it is detailed how they manage without knowing
my password or where it is explained why they need to know it?

~~~
crocowhile
Nope they don't know your password, they just have the salted hash.

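To make crocowhile's one-line answer concrete, here is an added illustration (not LastPass's code, and not a description of their actual scheme) of how a password manager can authenticate a user while holding only a salted hash. All names and the iteration count are assumptions for the example: the client derives a vault key from the master password, derives a separate login token from that key, and the server stores only a random salt plus a hash of the token.

```python
import hashlib
import hmac
import os

# Constructed illustration of a "server only holds a salted hash" design.
# This is an assumption about how such a service could work, not LastPass's code.
ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the example


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side: the key that encrypts the vault. The email acts as a
    per-user salt so two users with the same password get different keys.
    This value never leaves the client."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def derive_auth_token(vault_key: bytes) -> bytes:
    """Client side: a separate value sent to the server at login. The fixed
    'auth' label gives domain separation, so the token cannot be turned back
    into the vault key even if the server is compromised."""
    return hmac.new(vault_key, b"auth", hashlib.sha256).digest()


def register(email: str, master_password: str) -> dict:
    """Server-side record created at sign-up: a random salt plus the salted
    hash of the auth token. Neither the password nor the vault key is stored."""
    token = derive_auth_token(derive_vault_key(email, master_password))
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", token, salt, ITERATIONS)
    return {"email": email, "salt": salt, "hash": stored}


def verify_token(record: dict, token: bytes) -> bool:
    """Server-side login check: re-hash the presented token with the stored
    salt and compare in constant time to avoid timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", token, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def record_leaks_secret(record: dict, email: str, master_password: str) -> bool:
    """Sanity check: does the stored record contain the raw password or the
    vault key as a substring? With the design above it should not."""
    vault_key = derive_vault_key(email, master_password)
    blob = record["salt"] + record["hash"]
    return master_password.encode() in blob or vault_key in blob


if __name__ == "__main__":
    # Constructed sample credentials; not real accounts.
    email, password = "alice@example.test", "correct horse battery staple"
    server_record = register(email, password)
    client_token = derive_auth_token(derive_vault_key(email, password))
    print("login ok:", verify_token(server_record, client_token))
    print("record exposes secrets:", record_leaks_secret(server_record, email, password))
```

The point for the thread's question is what a thief of the server-side database would actually get: a salt and a slow hash of a token, from which recovering the master password means offline guessing at PBKDF2 cost per guess, which is why the advice after a suspected breach is to change weak master passwords rather than assume every vault is already open.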
------
karamazov
Hopefully people using the service and those interested in it will read past
sensationalist articles, and actually check out the service.

~~~
thirsteh
The sad thing is that most people who were previously unfamiliar with LastPass
probably won't dare to try it out now. That's the kind of press LastPass just
didn't deserve.

~~~
mail2345
Actually I've decided to give LastPass a shot DUE to how well they've handled
this, and knowing that they will probably have a sufficiently paranoid
response to situations in the future, as well as knowing they have an
excellent hash algorithm in place.

Unfortunately you are right for the overwhelming majority of users who will
see "LastPass Hacked!" then note "Don't use LastPass".

~~~
vabole
They are good at what they do. But they might become more careful about
disclosing the problems next time.

------
mike-cardwell
I hope that LastPass realised that they would receive this negative publicity
by handling this event so publicly, and that they went ahead and did it
anyway. That would show great integrity. If something similar happens again
and they sweep it under the carpet to avoid a repeat of this bad publicity,
then they're the same as every other company.

------
nathanb
It would be interesting to see statistics on how much the negative press
actually affected LastPass. It seems likely that the sort of people who would
use LastPass is also the sort of people capable of deciding for themselves how
safe their data are.

------
fmavituna
I agree on the overall subject but I'm still shocked that LastPass hasn't got
anything better than "spike in the traffic" IDS, better logging etc? If you
are in a business with this kind of data you have to expect to get hacked
everyday and you have to be ready for it. Even your business plan should
include this stuff.

Unless they have a really awkward reason, not having a proper idea about a possible
hack is not a good sign.

------
extension
A security breach is never OK. Disclosure helps but does not absolve anyone.
We cannot accept that these things just happen.

Besides, it's a _password manager_. Of course it's going to be held to a
higher standard of security. It failed at the one and only thing it is
supposed to do.

------
16s
The explanation given (slight chance others may have accessed encrypted
password data) and the action taken (locking user accounts) don't go together
and led to the media frenzy.

