Rich Kulawiec on 9 Jan 2017 04:53:11 -0800

Re: [PLUG] Lastpass - friend of foe
On Sat, Jan 07, 2017 at 09:46:21PM -0500, Tim Allen wrote:

> I've been using LastPass for a while, and am dreading the day when they
> inevitably get hacked and I have to change all my passwords.

You *should* dread that day, especially if it's already history.

Given that you have zero visibility into their security, how do you know this hasn't already happened? How will you know when it does?

A judicious attacker will not make obvious blunders like announcing the hack on Twitter or trying to sell the entire database en masse. They'll look at what they've harvested and very carefully, very slowly, crack and use only the worthwhile credentials one at a time. Given that approach, how will LastPass know?

And if they do figure it out, why should they tell you? Again: you have zero visibility into *their* security. So if the attacker doesn't do you the favor of alerting you, why should they, when it will damage their business model? Surely you don't expect them to commit corporate suicide in order to protect you. Why should they? Your data is not *their* data. Your users/customers are not *their* users/customers. They can remain silent indefinitely with full deniability ("we didn't know"). So...why should they speak? What, exactly, is in it for them?

There is no way for you to tell the difference between the states "secure" and "compromised" because you've put your passwords into a black box you can't control and can't watch.

And it gets worse: you are a target of value V1. Maybe V1 is large. Maybe it's small. But we can reason that it's unlikely an attacker will spend 10*V1 to attack you, because it yields lousy ROI. Nobody spends $250K to rob a bank with $25K. So absent some other one-off factor like politics or ideology or a really serious personal grudge, your threat model doesn't need to include an attacker spending 10*V1.

However: you're only one target. What's sitting at LastPass is data of value V = V1 + V2 + V3 + ... + Vn, where n is the number of operations who've done what you've done. You don't know what n is. You don't know what V17 or V283 or any of the others are because you don't know who they are or what their value is. So you don't know what V is. The only things you know are (a) it's larger than V1, potentially MUCH larger, and (b) as n increases, V increases.

You have signed yourself up for a threat model based on V...NOT V1. You have thus not only taken on a much larger risk, you don't know and can't know how large that risk is.

This is the point where you should be sweating, getting off LastPass, and changing all your passwords as fast as you possibly can.

---rsk

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug