Re: [PLUG] Lastpass - friend of foe

Rich Freeman on 17 Jan 2017 06:24:18 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Lastpass - friend of foe

From: Rich Freeman <r-plug@thefreemanclan.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Subject: Re: [PLUG] Lastpass - friend of foe
Date: Tue, 17 Jan 2017 09:24:11 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to; bh=5NsHg1UGwBcCMR8PAFP+LesUF+ZSvVwCw3n8fttIffY=; b=bP/mEgSD9m/YPrRZan4CA0EHegMu5+CwSj9i+zaJpcOktKtlaixNhk12bVVQ+vd6w4 Hh6ZP9LhQJy4rB8OYDqHWF64ePAL+wS/lEzx1QCVEGowDekbQmmUmzDO+/Gm3rAppPtt lR0TtovtcSq0GMs/S/8ZtuyEtKxYjCBlzHjqTLMIwSnaUO6XRUx73KyrXg/BrpNd1Iaa HAEvhiR2rZYsncxUmB9xXV6ef4NEq+yWDfrW9/Wk/t4LXukitvrjpSws0pDVf1ODfHOq k5Je96jRPWBP6bbKXiw7LMWOAYadt+tg1bU0/Mc+agSKzwNB5fnvi7A4fhz3liYzx2bM OWzA==
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>

On Tue, Jan 17, 2017 at 9:03 AM, Rich Kulawiec <rsk@gsp.org> wrote:
>
> RSA painted a bullseye on themselves large enough to be seen from space
> because they accrued information deemed sufficiently valuable by (at
> least) one adversary who had the resources to acquire it.  And then
> they started making mistakes (see above) which, in combination,
> made them sufficiently vulnerable that (at least) one adversary
> was successful.
>

I'd go a step further and argue that the design was flawed simply due
to the fact that RSA was ever in a position to have the credentials on
the tokens.

It would have worked far better if the TOTPs were initialized by the
customer, not by the vendor.  This is how most modern devices work,
and it avoids this issue entirely.

> I think LastPass is doing exactly the same thing.

So, this is a fair argument to make.  The problem is that there aren't
exactly a lot of alternatives right now.  CKP on Chrome seems to be
the closest option, but from what I see on it online it is read-only
(that is, you can't generate new passwords using it, which is a bit of
a non-starter for me since I can't promise I'm at a Windows/X11
desktop when generating a new password.)

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] Lastpass - friend of foe
  - From: Rich Kulawiec <rsk@gsp.org>

References:
- Re: [PLUG] Lastpass - friend of foe
  - From: Rich Freeman <r-plug@thefreemanclan.net>
- Re: [PLUG] Lastpass - friend of foe
  - From: Christopher Barry <christopher.r.barry@gmail.com>
- Re: [PLUG] Lastpass - friend of foe
  - From: Rich Freeman <r-plug@thefreemanclan.net>
- Re: [PLUG] Lastpass - friend of foe
  - From: Paul Walker <pjwalker76@gmail.com>
- Re: [PLUG] Lastpass - friend of foe
  - From: Thomas Delrue <delrue.thomas@gmail.com>
- Re: [PLUG] Lastpass - friend of foe
  - From: Tim Allen <tim@peregrinesalon.com>
- Re: [PLUG] Lastpass - friend of foe
  - From: Rich Kulawiec <rsk@gsp.org>
- Re: [PLUG] Lastpass - friend of foe
  - From: Rich Freeman <r-plug@thefreemanclan.net>
- Re: [PLUG] Lastpass - friend of foe
  - From: Rich Kulawiec <rsk@gsp.org>
- Re: [PLUG] Lastpass - friend of foe
  - From: JP Vossen <jp@jpsdomain.org>
- Re: [PLUG] Lastpass - friend of foe
  - From: Rich Kulawiec <rsk@gsp.org>

Prev by Date: [PLUG] "You are not expected to understand this"
Next by Date: Re: [PLUG] Making android tablets do what I want
Previous by thread: Re: [PLUG] Lastpass - friend of foe
Next by thread: Re: [PLUG] Lastpass - friend of foe
Index(es):
- Date
- Thread