Romaq @Romaq@qoto.org
Grinnin' Ferret
Joined Nov 2022
Romaq
boosted
I recently wrote a post detailing the recent #LastPass breach from a #password cracker's perspective, and for the most part it was well-received and widely boosted. However, a good number of people questioned why I recommend ditching LastPass and expressed concern with me recommending people jump ship simply because they suffered a breach. Even more are questioning why I recommend #Bitwarden and #1Password, what advantages they hold over LastPass, and why would I dare recommend yet another cloud-based password manager (because obviously the problem is the entire #cloud, not a particular company.)
So, here are my responses to all of these concerns!
Let me start by saying I used to support LastPass. I recommended it for years and defended it publicly in the media. If you search Google for "jeremi gosney" + "lastpass" you'll find hundreds of articles where I've defended and/or pimped LastPass (including in Consumer Reports magazine). I defended it even in the face of vulnerabilities and breaches, because it had superior UX and still seemed like the best option for the masses despite its glaring flaws. And it still has a somewhat special place in my heart, being the password manager that actually turned me on to password managers. It set the bar for what I required from a password manager, and for a while it was unrivaled.
But things change, and in recent years I found myself unable to defend LastPass. I can't recall if there was a particular straw that broke the camel's back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass:
- LastPass's claim of "zero knowledge" is a bald-faced lie. They have about as much knowledge as a password manager can possibly get away with. Every time you login to a site, an event is generated and sent to LastPass for the sole purpose of tracking what sites you are logging into. You can disable telemetry, except disabling it doesn't do anything - it still phones home to LastPass every time you authenticate somewhere. Moreover, nearly everything in your LastPass vault is unencrypted. I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted. The only thing that would be worse is if...
- LastPass uses shit #encryption (or "encraption", as @sc00bz calls it). Padding oracle vulnerabilities, use of ECB mode (leaks information about password length and which passwords in the vault are similar/the same. recently switched to unauthenticated CBC, which isn't much better, plus old entries will still be encrypted with ECB mode), vault key uses AES256 but key is derived from only 128 bits of entropy, encryption key leaked through webui, silent KDF downgrade, KDF hash leaked in log files, they even roll their own version of AES - they essentially commit every "crypto 101" sin. All of these are trivial to identify (and fix!) by anyone with even basic familiarity with cryptography, and it's frankly appalling that an alleged security company whose product hinges on cryptography would have such glaring errors. The only thing that would be worse is if...
- LastPass has terrible secrets management. Your vault encryption key always resident in memory and never wiped, and not only that, but the entire vault is decrypted once and stored entirely in memory. If that wasn't enough, the vault recovery key and dOTP are stored on each device in plain text and can be read without root/admin access, rendering the master password rather useless. The only thing that would be worse is if...
- LastPass's browser extensions are garbage. Just pure, unadulterated garbage. Tavis Ormandy went on a hunting spree a few years back and found just about every possible bug -- including credential theft and RCE -- present in LastPass's browser extensions. They also render your browser's sandbox mostly ineffective. Again, for an alleged security company, the sheer amount of high and critical severity bugs was beyond unconscionable. All easy to identify, all easy to fix. Their presence can only be explained by apathy and negligence. The only thing that would be worse is if...
- LastPass's API is also garbage. Server-can-attack-client vulns (server can request encryption key from the client, server can instruct client to inject any javascript it wants on every web page, including code to steal plaintext credentials), JWT issues, HTTP verb confusion, account recovery links can be easily forged, the list goes on. Most of these are possibly low-risk, except in the event that LastPass loses control of its servers. The only thing that would be worse is if...
- LastPass has suffered 7 major #security breaches (malicious actors active on the internal network) in the last 10 years. I don't know what the threshold of "number of major breaches users should tolerate before they lose all faith in the service" is, but surely it's less than 7. So all those "this is only an issue if LastPass loses control of its servers" vulns are actually pretty damn plausible. The only thing that would be worse is if...
- LastPass has a history of ignoring security researchers and vuln reports, and does not participate in the infosec community nor the password cracking community. Vuln reports go unacknowledged and unresolved for months, if not years, if not ever. For a while, they even had an incorrect contact listed for their security team. Bugcrowd fields vulns for them now, and most if not all vuln reports are handled directly by Bugcrowd and not by LastPass. If you try to report a vulnerability to LastPass support, they will pretend they do not understand and will not escalate your ticket to the security team. Now, Tavis Ormandy has praised LastPass for their rapid response to vuln reports, but I have a feeling this is simply because it's Tavis / Project Zero reporting them as this is not the experience that most researchers have had.
You see, I'm not simply recommending that users bail on LastPass because of this latest breach. I'm recommending you run as far way as possible from LastPass due to its long history of incompetence, apathy, and negligence. It's abundantly clear that they do not care about their own security, and much less about your security.
So, why do I recommend Bitwarden and 1Password? It's quite simple:
- I personally know the people who architect 1Password and I can attest that not only are they extremely competent and very talented, but they also actively engage with the password cracking community and have a deep, *deep* desire to do everything in the most correct manner possible. Do they still get some things wrong? Sure. But they strive for continuous improvement and sincerely care about security. Also, their secret key feature ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable.
- Bitwarden is 100% open source. I have not done a thorough code review, but I have taken a fairly long glance at the code and I am mostly pleased with what I've seen. I'm less thrilled about it being written in a garbage collected language and there are some tradeoffs that are made there, but overall Bitwarden is a solid product. I also prefer Bitwarden's UX. I've also considered crowdfunding a formal audit of Bitwarden, much in the way the Open Crypto Audit Project raised the funds to properly audit TrueCrypt. The community would greatly benefit from this.
Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should *start* with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do that, of course, but the point is the vault should be just that -- a vault, not a lockbox.
I hope this clarifies things! As always, if you found this useful, please boost for reach and give me a follow for more password insights!
I do also want to note what @CodexNotFound is very true. Realms has "performance limitations" to provide the service they do, and your options are very limited. The GeyserMC plugin I use so I can play Bedrock on my Java server? That is NO CAN DO with a Realms server. You want more than yourself and 9 other players at the same time? Nope, ain't happenin'. There are various issues too much to get into here. *I* wouldn't use Realms. Third party servers do, in fact, offer much more. But if the point is to "try and figure out if this thing is going to last more than a month subscription," that's where you figure out where Realms comes up short on what you wish to do, then decide what best provides what you want at the price point you can afford. :)
Romaq
boosted
@Romaq Thank you so much for your detailed reply!
I was definitely quite concerned about who my kids could interact with in the game. I only really want their friends, and family to be able to interact.
I will definitely take a look at the realms function you mentioned!
Yeah, Realms does have distinct disadvantages. The big positive is "I don't need to know anything of what I'm doing and I give it a month before my kid loses interest and my interest along with it."
https://extravm.com/minecraft.php is the one we are using for the small circle of family and friends we have. I'm able to use a third-party mod to let Bedrock players enjoy our server as well as the default Java we prefer to play.
But as my primary purpose was "what do you need to get started figuring out what you needed," I decided not to sell what I'm using even though I'm quite happy with it. I would be happy to help you decide what might be best for your situation, but I don't know what platform you prefer. And again, my plan wasn't to sell you something before you knew you needed it to solve a specific concern of yours.
That sounds like a Realms server or a private server. A private server on your home LAN is "free" as in "free beer." But those are also "hella expensive" in terms of your time and the expertise needed to keep your home LAN from being a huge open hole for invasion from the more unsavory sorts of people. Realms are limited to ten people at a time max, but so would any other decent, cheap external servers on the market. Those of us who love #Minecraft are happy to help guide you, even if we do have a case of myopia and blind spots. Beware of this, but happy to help.
Romaq
boosted
$TSLA crashing because the company is on autopilot is the most fitting end to 2022 possible
Minecraft Realms would require you pay a monthly subscription fee, but it does pretty much everything for you to manage it and it offers worlds to enjoy as games and still be able to have a 'main world' to explore. Mojang pretty much made this option for people in your situation. Best part: You really *REALLY* want to have some oversight into who your kid interacts with. This would allow YOU to be in control of that.
There are many other servers to choose from, but the fatal flaw in your case is that servers of interest to someone age of 5 would tend to be ones also of interest to child *predators*. Some servers work to monitor and boot out predators. More or less. More often much, much less.
My suggestion is to look at the "Realms" option and subscribe for a month or two. I would be quite happy to answer questions you may have as best as I am able. There are also a few Mojang devs here on the Mastodon federation who can also answer questions.
Month-to-month lets you drop the service if it doesn't do what you want to move on to other options. Also be aware there is "Minecraft" which is the Bedrock version for your phones, Windows PC machines, and so on, and is most likely the option you are already using. There is also the Java version of Minecraft which is the version I prefer. Without some clever behind the scenes work, the two versions DO NOT cross-platform play. Windows will allow you to play "Minecraft" (Bedrock) and "Minecraft Java".
If you have questions, please do post those here. I will try to watch and answer, and I expect quite a few other very wonderful to chime in. #Minecraft #MinecraftRealms
Romaq
boosted
Mathematician John Conway was born #OTD in 1937. He made broad and profound contributions across all of mathematics, but he is maybe best known by the general public for his "game of life" cellular automaton. Conway passed away in 2020, from COVID-19.
That's the one I've known and loved over the last 45+ years I've known of it. It *does* provide the foundational theory for making a water computer, and it's water instead of ball-bearings, but it works.
I do still have to use digital and analog logic circuits to build out of redstone in #Minecraft. While I no longer have the patience or interest to build working CPUs, GPUs, disk storage and such out of *blocks* in Minecraft, I have an appreciation for those who did. It's the kind of stuff that really puts the hair on your palms.
That's why Mould's "water computer" is so critical to get children interested in the "magic." https://upperstory.com/turingtumble/ is ... oh god if I had this as a kid turning LDA into opcode.
I think of the hardware CPU as an unoptimized bottleneck. It's the issue that drove graphics to being on specially tuned cards that ALSO make them more suited to the math that makes them useful for crypto mining as seen in the following video by Viva La Dirt League:
AI is "expensive," and a "General CPU" isn't necessarily tuned to AI connections from data-sets cached in relevant memory handily accessible. I *really* don't know the particulars, but I would hazard a guess that these are issues similar to the push for a Graphics "CPU card." I just don't know if the cost would produce the obvious benefits that would push people into buying something like that. Graphics are pretty obvious. AI in a game would be far too subtle. :(
Yeah, uhm... could you please not stand out in the open during a rain storm and... ok, become a witch then if that's what you really want. Oh! You there! Don't jump into the ... well, I hope I didn't really need that guy anyway. YOU! STOP wandering into that zombie invested... well crap!
ALRIGHT you morons... I'm enslaving you for your own damned safety!
https://www.inverse.com/mind-body/narcissism-and-violence
He can't do that. Getting sympathy from his stans is part of getting the narc hit he needs. Doing stupid crap, blaming everyone ELSE but his own behavior for "consequences" is just part & parcel.
Of course *I* could simply avoid mentioning it here and bothering others with family laundry, but I'm venting and I'd be *really* super uncomfortable with people being emotionally involved in it. My venting here is just screaming into the void wishing I could actually say the things I"m forbidden from saying directly.
"Mending or your life is ending!"
On the server I play with my wife and a very few close friends and family, we play Survival for the challenge. We do a bit of "looting" of villages to get started, but we will build a wall and light up the nearest village to protect it. We will make a "villager mall" to work villagers up to get good trades, and we know how to "reroll" their trades to get better offerings. We avoid killing them except the output of "villager breeders" where we have villagers produce babies to use the grown-up villagers for other projects.
We kid around a bit over the "enslaving villagers" aspect, but it's grim and it is *not* a factor of the game we actually "like," it's just a recognition of the game design we wish could be improved.
https://sites.google.com/view/tektopia?pli=1 is a step towards that, but the mod is locked to Minecraft Java 1.12. That might be something to look into. It also makes a huge difference playing the game among friends who share the same philosophy. We don't torture or torment villagers for sport. That just isn't who we are. The way we *do* play is a concession to the limitations of villager AI, but depending on what concessions you must have to enjoy the game, there are various mods that can remove the need to "enslave" villagers.
I'd be happy to talk about it. I would LOVE for vanilla villager AI have them not be so dumb vulnerable to self-inflicted harm.
Oh, and enjoy a video about a villager trying to get the wood looted from his village!
We have graphics cards for doing graphics. I picture some kind of AI card able to do what you describe based "useful seed" factory installed, but able to store data over time based on games played (or pulled in from game seed) so specially tuned processors would develop NPC AI. It would be a card for having NPCs "learn and remember" taking that weight off the CPU.
I'm not clear if such an idea is actually useful or practical, but in a sandbox game NPCs that would learn, hold grudges, or develop friendship behavior from machine learning would be an interesting development in game design if it could be retained efficiently and *NOT* tie up the CPU.
I recall learning to write a program in 6502 ASSM, recoding it to Hex then to Dec values, poking it in using Basic to invoke. It was magic. It was also some 35 years ago.
I do have hope in things like https://youtu.be/IxXaizglscw keep interest going in kids. We still need this skill for micro-controllers and other such hardware.
Grinnin' Ferret
Joined Nov 2022
Romaq's choices:
