
LastPass does encryption client-side. The difference is that that would require an active attack (pushing new code in an update) with a chance of being spotted by a reverse engineering attempt.



Who says that the backdoor hasn't been shipped since the first release and just sits there idle waiting for a nudge from the server?

A larger point is that security is based on trust. Trust is based on assumptions, especially and exclusively when it's closed-source software. Assumptions that what the company says is true. Now we know that they can be forced to lie and any claims of security just crumble like a house of cards.

Even if LastPass had been open source, it would have made little difference, as the company could've been forced to distribute binaries made from altered sources. It wasn't easy to build trust before, but it's going to be nearly impossible to build it now. Though that's not to say there aren't plenty of people who are after pseudo-security and who are easily lulled by cross-my-heart promises squirting out of every second company now.


True, they could have shipped a backdoor since day 1 but it's unclear what their incentive would be to do so and they run the risk of it being found with a reverse engineering attempt.

Is there any basis in law under which the government can force a company to distribute altered binaries? If the government can force you to add a backdoor in your own product, in effect they have the power to demand that you perform free labour for them.

That would seem to form a basis for also demanding that a person work as a spy for them etc.


You haven't been paying attention recently at all, have you?


What is that supposed to mean?


There are "incentives" that are shoveled down companies' throats and secured in place by gag orders. Perfectly legal too.



