What kind of pragmatism would you prefer? LastPass messed up way more than they are willing to admit. And it’s not like nobody warned them before, quite a few of the issues which turn out to be very problematic now aren’t news – I brought them up years ago as did others. LastPass should be warning users now and suggesting mitigation steps, instead they claim that nobody has a reason to worry.
This is a compelling article, I feel more motivated now to reconsider my options. FWIW, my $0.02 feedback on pragmatism: as a user, it would be nice to have more what-to-do-about-it for non-security-experts. Also I didn’t love the parts of the article where you speculated about LastPass’ motivations and process (even if they turn out to be true!). The opening paragraph is making assumptions about the timing, which could backfire pretty badly if you’re wrong. You also speculated about the web site storing master passwords, justified by saying “they absolutely could, and you wouldn’t even notice.” They could do a lot of things, including selling passwords to the highest bidder. From my non-expert point of view, it’d be more helpful & pragmatic to stick to known facts and not whip additional fear into what is most definitely a bad situation.
Thing is: this is the third article on the topic I wrote in the past few days. Covering your options wasn’t the goal here, it’s in the first article: https://palant.info/2022/12/23/lastpass-has-been-breached-wh.... Particularly the “executive summary” at the start.
As to the “speculations”: I have sufficient experience with LastPass press releases to assume the worst whenever they omit details that they should definitely know. On a number of occasions they covered security vulnerabilities that I found, and I know how they operate.
Mind you, I would be more than happy to learn that I’m wrong. But this isn’t a situation where “hope for the best” is a viable approach.
Note: I did not claim that LastPass is storing master passwords. They claim that they built their system in a way that they cannot. And I merely point out that this isn’t true: they could have built their system in such a way, but they chose not to, despite being warned about it repeatedly.
The statement you objected to was used to demonstrate that a specific claim by LastPass ("As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass") offers no guarantees that your master password is known only to you. This, in turn, leads to the conclusion that, even if you followed all of LastPass's guidance on master password security, the prudent thing would be to take some action - something that LastPass explicitly denied later in the statement.
I'm sorry if you find this disturbing, but I do not see why it should not be said.
> which could backfire pretty badly if you're wrong
That's an odd take. Who could it backfire on? LastPass has already fumbled their own response to this crisis. If not him, others would speak up. If he's wrong, then he loses credibility. The upside is that, if he's right, we're even more aware that LastPass is not a company worth dealing with.
I completely disagree. The article makes an extremely strong case that the press release was designed to mislead people into downplaying both the severity of the situation, and the depth of incompetence at LastPass (both of which are matters of considerable importance for all current and prospective LastPass customers.) Attempting to mislead people is considerably more serious than mere incompetence.
The best (if not only) way to make these points is to analyze the PR statement itself. Any paraphrasing or generalization would just give LastPass an opportunity to reply with more non-sequiturs.
Dissembling circumlocution and omission is a feature of PR communication, designed to mislead anyone who is not intimately familiar with all the details. I would like to see more analysis of this sort.
> Security professionals seem to have a common trait of thinking they know better.
The author here does know better than the people running LastPass.
I disagree, this article did not come off this way to me, as all the comments were brief and backed up with supporting materials. In addition, the usage of words that would convey feelings the author had about the company were nonexistent — they described the actions taken (or not taken) by the company and left the reader to come to their own conclusions.
Agreed. The tone was objective and factual. It's too bad the owners of LastPass failed to heed the criticisms that preceded this incident. FYI for anyone carping about LP's legal liability here: read the disclaimers (and indemnification agreement) in their TOS (personal or business). It's a real howl, and pretty much software industry standard.
Some good points in there, but limited pragmatism.