I'm assuming you read the article, saw that the review of LastPass (LP) was from October of last year (after LP had publicly reported the close of the investigation of the August incident, before LP had recognized and announced the follow-on incident), read the review understanding that it was made in the past and still think it was so irresponsibly wrong that you can no longer trust the institution that produced it.
In that case, sure, you can reduce the number of sources of information you have. Given that you're moderately critical of the things you read though, wouldn't reading more widely, deeper and more critically be better than reading less?
In any case, I read the review, and IMHO it isn't wrong, for all that it is aimed at the less technical. The only thing it is clearly missing from today's perspective is the recently announced breach, which announcement is fully in line with the transparency that the review _does_ mention.
I understand being upset by the breach. Fundamentally our software ecosystem is built on sand, so I think that feeling of betrayal is misplaced if you feel betrayed by LP. They are just today's (yesterday's, at this point?) victims. Tomorrow there will be others.
In discussing the Biden administration’s new #CyberSecurity Strategy, @arozenshtein makes an important point:
Creating more secure software will increase costs(*). Fair enough, but let’s remember the other side of that equation: Insecure systems and insecure software are costing us billions right now.
* The processes needed to produce secure software have significant other benefits which will offset the cost.
How about: "Have you ever been frustrated by your computer / phone / smart-assistant when you wanted it to do thing A, and instead it did thing B?
Sometimes that is because someone other than you wants B and has more control over your device than you do.
Information Security is about making sure that your device does what you want it to do, instead of what someone else wants it to do."
It doesn't focus on the information part, but fundamentally security is about control, and elementary students have probably already been frustrated by computers and probably already have a sense of ownership == control.
How about this: "The user interface (UI) failed to help the user to make choices in their own interests."
Note that you'll find a LOT of people advocating for UIs that fail to help users to make choices in their own interests, and instead help them to make choices in the best interests of the entity providing the UI. (examples _Everywhere_)
When you let arbitrary entities (nearly) completely control the UI ("the web") with little to no negative impact for negligent or even malicious behavior, we get ... "cybersecurity".
It really isn't about the victim. Experts make poor choices / click on the "wrong" thing too. Some people work to mitigate that (laudable), but we're building on a foundation of sand.
Shift the conversation by asking what needs to change to help the real human people make good decisions. They are intelligent active participants who are trying to do the right thing 99+% of the time.
First, let me apologize for directing this rant at you. It isn't personal. You're just the person who espoused a laudable goal of "security before features" in the form of a question using #infosec and similar type tags I was watching when I was feeling salty.
If you're actually interested in an answer to your why question:
Money.
If you're interested in a longer answer:
The incentive structure for features is obvious. The incentive structure for security doesn't exist in any meaningful way. Note that incentive structures include disincentives like regulations and penalties. Also note that I am aware of PCI, HIPAA and CMMC, and they are a good start in a few ways, but fundamentally they are adorable when it comes to protecting real people who deal with ransomware and stalking and ubiquitous surveillance and all sorts of other BS that come from not being able to control their own systems.
Next:
You ask: "Why aren't we doing ourselves a favor...". At least one problem is that there are at least two entities described by "we" that are starkly different. One of them is the author. Another is the user. Arguably the user has all of the power here (until we have (more?) mandatory software) to enforce security (don't use the software if you can't tell whether it is secure), but there are strong economic and other (e.g. social) disadvantages for behaving that way.
Mis-configurations and vulnerabilities in cloud infrastructure are _a_ problem, sure, but they aren't even different from literally every other platform, so ....
If you are asking how to change that? Speak up. Find meaningful answers. Tell people those answers. Keep speaking up. Use those answers to do better.
Some suggestions to get started:
#capability (Capability based computer architecture), #sel4 (A modern provably secure OS).
To be clear, the above is barely a beginning (no notable software base, no well-known set of tools, certainly nothing near a UI...). The industry needs to change, which takes money (or the withholding of money, same thing), which takes people knowing about the problems, and then actually caring. So complaining is good. Let's do that. A lot.
So, of the six control categories, four of them almost sound like two each. Preventive and deterrent sound like they should be grouped together. Same goes for corrective and recovery.
I’m sure the material will draw a cleaner distinction but I wonder if it’s really there or we’re creating too much. If corrective is to “fix components after an incident occurred,” how is recovery not a form of corrective?
It just feels like we’re creating complexity for the sake of it sometimes. #infosec #cissp
I created an #Expensify account, and Expensify sent me in-app message saying my company uses Expensify, gave me the option to join an existing team as well as the team name, the billing owner’s name and email address. I’m not affiliated with that company. I didn’t click “Join Team” so I don’t know what would happen. I will delete my account b/c they shouldn’t give out that info to a stranger. Would you email that team owner to notify? Inform Expensify?
All the worst fears the pearl-clutching "privacy tech has gone too far" crowd says about the architects of such systems are 100% correct: it is designed to frustrate law enforcement, because of *checks notes* hundreds of years of state repression against poor, labor, peace, indigenous, and black power movements for basic human dignity and fairness. I thought this was obvious? #privacy #history #signal #opensource #encryption #infosec
@jesterchen The biggest challenge (IMHO) with split DNS is keeping the namespaces consistent (you don't want www.yourcompany.com to point to two different places depending on whether you are inside or outside the network). If you can minimize that problem, then you have a small cost to balance against the benefit of limiting the ability of someone outside your network to gather information.
That said, don't forget that your network boundary is probably somewhat cute to the determined, resourced attacker. By which I mean, don't rely on this effort to secure your internal hosts; you want to be hard and difficult to chew on the inside _as_well_as_ on the outside.
@Spokesoneill Given the current state of software / systems today, if you avoid any organization that has had a security breach, you will change organizations often, and you will only work with (relatively) inexperienced organizations. This is not to say you should seek out organizations that are breached regularly (just say "no" to sendmail).
For me, the answer is to make a decision based in part on technology (remove sensitive (e.g. unencrypted) information from the hands of others as much as practicable) and part on how responsibly the organization behaves, and the largest part on whether the tool will meet the needs.
If convenience is the number 1, 2 and 3 priority, maybe writing the passwords on the window in dry-erase marker makes sense (though that approach offers limited auto-fill). If absolute security is critical, put the password vault on a device with no wireless access (e.g. a piece of paper) and store it in a safe in a locked room with an alarm system and guards.
If instead you need to balance security and convenience, it makes sense to think about user interface / usability and where and when users might need access to their passwords.
KeePass2 is a lovely tool that I have used. It has some challenges (e.g. the passwords are in a database file that you then need to manage / distribute / avoid corrupting / keep in sync), but it works fine for some people.
I've used LastPass. It offers a lot more usability than KeePass for a number of use-cases (e.g. web browser, automatic sync of changes across devices).
LastPass trades off that the client (where you enter your password / the credentials are decrypted) is much more dynamic, which is the primary form of risk for the tool (i.e. if you used compromised client software to access my vault, your credentials are compromised). As far as I know that hasn't happened, and the company seems to not be afraid to announce a breach when it is observed, so the recent announcement doesn't seem specifically concerning to me at the moment.
There are definitely some quality competitors to LastPass, including 1Password, Bitwarden, etc. that offer comparable usability and features. You should consider them also. The technical challenge of evaluating their technology is difficult but educational; that is probably for you or possibly even someone more technical rather than your users.
Also, ask your users what they do today in a way that isn't judgemental or accusatory. If you propose something, make sure it is at least as usable as what they do today, and seriously consider options that they are already familiar with.
It probably doesn't help, but I appreciate the work that people like you put into providing that data to the community.
Are there opportunities for streamlining the work that you can think of, help that others could provide in tooling or other support?
I start looking to automate processes after doing them twice, so I have a lot of respect for the effort involved.
@migratory Okay. I think I have a moderately clear picture at this point. I don't have any objection to the idea of cryptographic key based identifiers (with caveats), and I'm curious to see what develops in the direction you are pointing.
Do you see any meaningful next steps, and if so, what might be some examples? I recall you mentioned #yggdrasil, is that, or possibly recursive networking architectures, the target?
I could imagine a capability-style replacement for the "router" that many people have in their homes, that would provide essentially a translation layer. Would that be a positive step in your mind, or is that orthogonal or even the wrong direction?
Also, thanks a lot for engaging in this discussion with me; I appreciate getting to understand these ideas better.
@migratory @migratory I think I see what you are saying, and, again, I'm not saying it is impossible. I am saying that it sounds a lot more like a walled garden, where, with a capability underpinning, it is even harder to escape than current walled gardens.
I'm thinking Apple's app store vs. Android play store and FDroid and side-loading.
To put that in other terms, it isn't more vulnerable to censorship, but it might be more vulnerable to (or even require to some extent?) effective censorship.
In any case, I might just not see the pot of gold at the other end of this rainbow. What are the benefits of an IP-less, capability based networking approach that we could look forward to?
You mentioned lack of DDOS which sounds nice enough, but which I'm a little skeptical about and doesn't seem worth a re-architecture on its own. Are there other clear wins that are harder or impossible with our current approach?
@migratory I think I'm going to need to understand more about the proposal before I jump on board the network part of this vision. I'm a fan of capability systems for managing resources I'm responsible for, but networking and communication are designed to cross that type of boundary, and I have concerns (not necessarily objections, to be clear) whenever limits are imposed to communication.
I guess my question is: What does implementation look like?
The thing that I'm most concerned about is exactly the loss of that ability to perform arbitrary communication. Basically, the Great Firewall of China leaks like a sieve because: ACLs, so... great. I don't want to "fix" that. ISPs that spy on and control DNS today to (for example) monetize unregistered domains are likewise going to be incentivized to control public directories accessible by their customers.
Essentially, if someone or some entity is "allowing" public directories, I have serious concerns about that control being in a limited number of hands.
Against that backdrop, some level of DDOS being possible does not hurt my feelings.
@migratory I have challenges with all of them to some degree or another, but I agree that copyright is the most problematic.
Copyright was an interesting idea about how to integrate capitalism and creative work / culture / the commons in the context where it was easy to copy ideas, but it is clear that the capitalism side has crushed the culture side at this point, and it seems like the default answer is to double-down, rather than work to fix it.
I really appreciate the copyleft approach of using the copyright system to try to _enforce_ a commons, and I'm hopeful, if not optimistic, about the https://githubcopilotlitigation.com/ lawsuit, which will be an interesting test of whether courts will actually respect those copyrights as they would more obviously commercial copyrights.
@migratory , I think we may be enthusiastically agreeing on a desire to relegate the IP protocol to being a layer over which more interesting / meaningful addressing and communication can be used, rather than necessarily replacing it.
On the other hand, I guess I'm more excited by alternative addressing and communication technology than dismissive of the absolute workhorse that is the global IPv4 and IPv6 network. There are challenges with IP, in particular the implementation on the endpoints as you point out, but the ability to route bucketloads of packets from one side of the Earth to the other is such a fundamental building block that I'd want something absolutely astounding as an alternative (including in proven performance at scale) before wanting to get rid of it.
@migratory I feel like I'm largely on the same page, but I'm curious about some of the details of the things you're concerned about. I'm 100% interested in capability systems (#sel4, #kataos) and having computers as actual / reliable agents of the user.
I'm not nearly as clear on the objections you have to filesystems or IP (as in IPv4 / IPv6? networks), which seem less clearly related.
If you meant IP in the sense of "Intellectual Property", I'm curious if your objection is to copyright, patents, and/or trademarks, and if those objections are fundamental, or merely to the implementation of those concepts in practice?
I like to use computers to solve problems. Problems might include anything from analyzing DNA from genomes to protecting sensitive data from prying eyes.
My other interests include:
- Contra dancing (a U.S. folk dance) #contradance
- Kendo (a martial art)