I’ve seen several people recently discussing how LastPass protects your LastPass master password and your encrypted site password data (a.k.a., your vault). If what some of those people were saying were true, then LastPass wouldn’t be as secure as I thought it was. This gave me pause, since I use LastPass to store all my passwords, so I decided to do some research to try to understand for myself exactly how it works. Now that I’ve done that, it seems to me that others might benefit from my research, and in any case writing it down will clarify it in my own mind, so here it is.
For many years, I’ve been working assiduously to rid my (postal) mailbox of junk mail. The ongoing damage to the environment caused by the many tons of junk mail sent every day to people who don’t even bother to look at it is offensive, and I want nothing to do with it.
I wrote back in 2011 about Frank Shaw at Vanguard Realty, a local Realtor who simply refused, despite my repeated requests, to stop sending me junk mail.
Since then, I’ve made two additional requests to other employees of the office to stop sending me junk mail, but it has not helped — I’ve received at least eight more mailings from Vanguard Realty, the most recent one just yesterday. (That most recent mailing, incidentally, engaged in the time-honored junk-mailer tradition of using a completely blank envelope with no return address, a transparent attempt to trick the recipient into opening something that they would otherwise throw away unopened.)
These mailings aren’t just paper. Mr. Shaw insists on sending me refrigerator magnets once or twice a year with the Patriots or Red Sox season schedule on them. Those are even worse for the environment than paper junk mail, and anybody who knows me knows that I have absolutely no use for them.
I’ve received junk mail from numerous other real-estate agents over the years, and most of them have been both willing and able to stop sending it when asked. Vanguard Realty’s failure to do so is indicative of either incompetence or a marked lack of respect for the people from whose business they wish to profit. Therefore, if you’re looking for a real-estate agent, I reiterate the recommendation I posted in 2001 that you choose someone else.
Those of us who help create and maintain “the internet” that everyone benefits from are now tasked with helping the world recover from one of the biggest, if not the biggest, security holes in the history of the internet.
To be certain they aren’t vulnerable, users need to change their passwords at every site that was at any point vulnerable to a Heartbleed attack. But a site has to be patched, and its SSL certificate has to be reissued with a newly generated private key, before its password should be changed; otherwise, the new password is just as exposed to Heartbleed as the old one was, either through the still-open hole or through a private key that was already stolen. What’s more, you can’t just look at the start date of an SSL certificate to determine whether it was re-keyed, because the start date doesn’t tell you whether the site was patched before the new certificate was deployed, and worse than that, some CAs (e.g., Digicert) quite reasonably re-key certificates without changing their original start dates.
I have passwords at over 500 sites. I’m sure there are people who use many more sites than that. Manually figuring out which sites need their passwords changed, and when to change them, and keeping track of which ones have been changed, is an impossible task.
What we need is a standard, widely adopted way for web sites to indicate, in a way that can be easily interpreted by software, whether they were ever vulnerable to Heartbleed, and if so, when the vulnerability was patched. Then browsers and password keepers such as LastPass can easily determine and track which user passwords need to be changed, and warn the user.
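To make the decision rule concrete, here is an added example (my own illustration, not code from LastPass or from any standard that exists) of how a password keeper could use such a machine-readable disclosure. The JSON document format, its field names, and the sample site data are all assumptions constructed for the example; the point is the ordering logic: a password changed before the patch or before the re-key still needs changing, and while either step is missing the right answer is to wait rather than change.

```python
"""Decide, per site, whether a stored password must be changed after Heartbleed.

Added example. The disclosure document format below is hypothetical: it assumes
each site publishes JSON with "heartbleed_vulnerable", "patched_at" and
"rekeyed_at" fields. No such standard exists; this only shows how a password
manager would consume one if it did.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional


@dataclass
class SiteStatus:
    vulnerable: bool                # did the site ever run a vulnerable OpenSSL?
    patched_at: Optional[datetime]  # when the vulnerable OpenSSL was replaced
    rekeyed_at: Optional[datetime]  # when a certificate with a NEW private key went live


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp ("...Z") into an aware datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_status(doc: str) -> SiteStatus:
    """Parse the hypothetical disclosure document (field names are an assumption)."""
    data = json.loads(doc)
    return SiteStatus(
        vulnerable=bool(data["heartbleed_vulnerable"]),
        patched_at=_ts(data.get("patched_at")),
        rekeyed_at=_ts(data.get("rekeyed_at")),
    )


def password_action(status: SiteStatus, password_changed_at: datetime) -> str:
    """Return "ok", "wait" or "change" for a password last changed at the given time."""
    if not status.vulnerable:
        return "ok"
    # Changing the password before BOTH the patch and the re-key just hands an
    # attacker a fresh password through the same hole or the same stolen key.
    if status.patched_at is None or status.rekeyed_at is None:
        return "wait"
    # A key generated while the server was still vulnerable may itself have
    # leaked, so a re-key that predates the patch does not count.
    if status.rekeyed_at < status.patched_at:
        return "wait"
    safe_after = max(status.patched_at, status.rekeyed_at)
    return "ok" if password_changed_at >= safe_after else "change"


# Constructed sample data: what each site would publish, and when the user's
# stored password for it was last changed.
SAMPLE_DOCS: Dict[str, str] = {
    "a.example": '{"heartbleed_vulnerable": true, "patched_at": "2014-04-08T10:00:00Z", "rekeyed_at": "2014-04-09T15:30:00Z"}',
    "b.example": '{"heartbleed_vulnerable": true, "patched_at": "2014-04-08T10:00:00Z", "rekeyed_at": "2014-04-09T15:30:00Z"}',
    "c.example": '{"heartbleed_vulnerable": true, "patched_at": "2014-04-08T10:00:00Z"}',
    "d.example": '{"heartbleed_vulnerable": true, "patched_at": "2014-04-08T10:00:00Z", "rekeyed_at": "2014-04-07T09:00:00Z"}',
    "e.example": '{"heartbleed_vulnerable": false}',
}
SAMPLE_VAULT: Dict[str, datetime] = {
    "a.example": _ts("2014-04-10T00:00:00Z"),  # changed after patch and re-key
    "b.example": _ts("2014-04-09T00:00:00Z"),  # changed after patch but before re-key
    "c.example": _ts("2014-04-10T00:00:00Z"),  # site patched but never re-keyed
    "d.example": _ts("2014-04-10T00:00:00Z"),  # re-keyed while still vulnerable
    "e.example": _ts("2013-01-01T00:00:00Z"),  # site was never vulnerable
}


def audit_vault(vault: Dict[str, datetime] = SAMPLE_VAULT,
                docs: Dict[str, str] = SAMPLE_DOCS) -> Dict[str, str]:
    """Map every site in the vault to the action its user should take."""
    return {site: password_action(parse_status(docs[site]), changed)
            for site, changed in vault.items()}


if __name__ == "__main__":
    for site, action in audit_vault().items():
        print(f"{site:12s} {action}")
```

The "wait" state matters in practice: a naive tool that only reports "vulnerable, change now" produces exactly the premature password changes the paragraph above warns against. Note that a real deployment would also have to verify the disclosure itself (for example, serve it only over a connection using the new key), since an attacker holding the old key could otherwise lie about the re-key date.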
Don’t use a self-signed SSL certificate for your web site.
Way to go, Incapsula!
“You know what the great thing is about owning your own business? You don’t have to do anything you don’t want to.”
That’s what you told me this morning when your food truck arrived 10 minutes past its scheduled opening time and still hadn’t opened 10 minutes after that. That’s what you told me after I waited for you in 10-degree weather for 20 minutes, until my gloved fingers had lost all feeling. That’s what you told me when I commented to you, “You know, when it’s this cold, you really have to be here on time.”
Android phones have this awesome feature whereby your list of installed applications, your application settings, your Wi-Fi settings, etc., are backed up automatically inside your Google account, such that when you set up a new phone and link it to your Google account during the initial setup, all that stuff gets restored automatically, making for a lot less work in returning your phone to the condition you want it to be in.
However, if you have two-factor authentication enabled on your Google account, it doesn’t work properly, or at least it didn’t for me. Here’s what happened:
- I turned on my newly factory reset phone.
- During the initial setup process, I entered my Google account username and password.
- The setup app told me I had to log in on the internet (i.e., through the browser) because of my two-factor authentication.
- I logged in on the internet, including entering the two-factor authentication code I received as a text message.
- The setup process proceeded to completion.
- I discovered after it was done that my Google account had not been successfully configured into the phone.
- I configured the account again. This time it worked, but my apps and settings were not restored.
- I couldn’t find any way to tell the phone to restore my apps and settings at that point.
Moral of the story: if you’re setting up a new phone or resetting and rebuilding your old one, and you want your apps and settings to be restored, then turn off two-factor authentication completely until the phone is set up, and only then turn it back on.
Today, I embarked upon a magical journey, a journey of discovery, a journey of oneness with the environment. In a word, a journey of recycling.
For several years, I’ve been accumulating junk of various sorts on a shelf under my workbench with the intention of eventually figuring out how to dispose of it in an environmentally sound way. Today, I decided to throw it all into boxes and try to get rid of it.
What would you say if I told you that there’s a Boston business that adds more than 34 tons per week of trash to the City of Boston’s waste stream*, trash that the residents of Boston end up paying to dispose of to the tune of >$100,000 per year**? What would you say if I then told you that the business that does this has managed to figure out how to get other businesses to pay for it, ripping them off in the process?
Ladies and gentlemen of Boston, say hello to “Globe Direct in association with RedPlum”!
Subject: Rude sales call from Boston Herald
My wife and I (you can find us in your records under our home phone number [elided]) are no longer Boston Herald subscribers. We currently have no desire to resume our subscription. Since we canceled our subscription, your sales department has called us several times trying to get us to resume. This needs to stop. The most recent call, a few minutes ago, was incredibly rude.
The email identity thief who has been using my email address on-line for years, who apparently goes by the name Diallo Mamadou Oury in real life, has just posted this inexplicable comment on my blog. I posted a response, but I somehow doubt he’ll read or respond to it.
I sure wish I knew what the hell he gets out of all this.