pwman's comments

pwman | 8 years ago | on: Let's enable AppArmor by default (why not?)

That's not how AppArmor works, provided you lock down your server software properly -- say the server running is NTP -- that NTP server is only able to read /etc/ntp/* and /usr/sbin/ntpd, only able to write /var/log/ntp*, and only able to execute /usr/sbin/ntpd. Now you've radically limited what an exploit of this particular server can mean.
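An AppArmor profile along the lines of the confinement sketched in the comment above, as an added example that is not from the original post. It uses the comment's paths (/etc/ntp/*, /var/log/ntp*, /usr/sbin/ntpd) and adds, as an assumption the comment does not state, the network and capability rules a real NTP daemon needs to function at all.

```apparmor
# /etc/apparmor.d/usr.sbin.ntpd  (added example; paths taken from the comment above)
#include <tunables/global>

/usr/sbin/ntpd {
  #include <abstractions/base>

  # Only the configuration directory named in the comment is readable
  /etc/ntp/* r,

  # Only the log files named in the comment are writable
  /var/log/ntp* w,

  # The daemon may read, mmap and (re-)execute only its own binary
  /usr/sbin/ntpd mrix,

  # Assumption, not from the comment: an NTP daemon has to speak UDP and
  # set the system clock, so grant exactly those and nothing broader
  network inet dgram,
  network inet6 dgram,
  capability sys_time,
  capability net_bind_service,

  # Everything not listed (a shell, /etc/passwd, /home, outbound TCP, ...)
  # is denied, which is what limits the reach of an exploit of ntpd
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd`, run it in complain mode first (`aa-complain /usr/sbin/ntpd`) and check the kernel log for `apparmor="DENIED"` entries before switching to `aa-enforce`, since any path the daemon legitimately needs but the profile omits shows up there.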

pwman | 10 years ago | on: Phishing attack against Lastpass

Interesting, I hadn't heard of Password Alert -- we should definitely share notes if you're open to it -- I'd love to be able to generalize what we're doing to other domains if we could -- it's unfortunately cpu intense how we're doing it.

pwman | 10 years ago | on: Phishing attack against Lastpass

Yes, we're pushing the notification to a new tab (which can't be blocked or interfered with) once it goes through QA -- likely early next week.

Also, even multifactor must now be new-location verified, so the ability to exploit this is now extremely low. Any attempt to utilize those credentials will be blocked and an email will be generated, just like what happened in the non-multifactor case.

Hopefully you've gained enough attention for the Chrome issue (https://code.google.com/p/chromium/issues/detail?id=453093) for it to be implemented sooner rather than later. If you could do me a favor and follow it to keep the pressure on Google to help mitigate phishing risk, we'd appreciate it.

pwman | 10 years ago | on: Phishing attack against Lastpass

LastPass has pushed Google for years to give us a way to avoid using the browser viewport: infobars were a solution to this issue -- you can see one of my pleas for it back in January 2012: https://code.google.com/p/chromium/issues/detail?id=39511

We do a lot to try to protect our usage of viewports using iframes, but it's not good enough and we'll figure out a way to do better. LastPass has generally told people to use the extension directly to log in as it's more secure; we'll need to go further here as well.

Sean was clever using http://chrome-extension.pw which looks close -- but LastPass also detects when you enter your master password on an incorrect domain and notifies you immediately of your mistake, mitigating this a great deal. This existed for a long time before Sean's report and we did not implement it as a response to Sean's bug report -- we implemented it as a general way for people to know about password reuse and to be notified of being phished.

Making this practical is a lot tougher than email phishing -- you really need an XSS on a page that people use to login, and unlike email phishing it is immediately caught.

pwman | 10 years ago | on: LastPass 4.0 with Emergency Access and a New UI

LastPass doesn't have access to your symmetric key, it doesn't have access to your private RSA key either. It's all locally encrypted and locally generated. LastPass does have access to your public key (which is safe and makes sense).

This is accomplished the same way LastPass shares sites.

pwman | 10 years ago | on: Even the LastPass Will Be Stolen

In fact LastPass didn't have it at first, but after dozens of impassioned pleas from people with disabilities we made the decision to add it with a very strong warning against using it.

LastPass Enterprise has a policy to disable it, which is recommended there.

pwman | 10 years ago | on: Even the LastPass Will Be Stolen

Full Disclosure: I work at LastPass.

> "Turning on 2FA did not worked most of the times"

If you have a security issue here, we'd appreciate a report at https://lastpass.com/security/. That said, every report of this has always been a case of someone not reading the manual or FAQs, so please check out https://lastpass.com/support.php?cmd=showfaq&id=2775 first.

> "Sorry but I will never give trust to a password manager written in PHP"

The password manager is actually written in C++, Objective-C, Java, C# and JavaScript -- depending on platform. You seem to be focused on our website however (which only handles encrypted data with a key we never get), which is actually written in Hack (http://hacklang.org/), not PHP.

Regarding the user experience being less without extensions installed -- yes, that's true, and we highly encourage installing those -- the extension-less access should really be used for emergencies only. It's safer to log in through the extensions since they're not relying on JavaScript you just downloaded; it's always preferred.

pwman | 10 years ago | on: Firefox 42 will not allow unsigned extensions

Mozilla used to be the best place in the world for extension developers -- it was natural to have your best extension on Firefox because you could release early and often. Active developers made the platform.

When Chrome came along, they decided to go in a different direction entirely, slowly making it more and more painful to accomplish what used to be easy, in the name of security. The review process went from automatic if you were trusted to weeks, then months, and then more than a quarter of a year. They started demanding source code. It became scary to release to addons.mozilla.org because you never knew how long it would be before your next release would be approved.

Mozilla needs to realize they're hastening their own demise -- Chrome now offers better features than when Mozilla was the leader, including releasing to a percentage of users and faster, nearly invisible-to-the-user updates. They should go back to their roots and embrace developers again.

pwman | 11 years ago | on: Race conditions on Facebook, DigitalOcean and others (fixed)

Correct -- it's a pet peeve of mine when login processes obscure this by saying "invalid password" when the sign-up process doesn't -- if you're going to tell people usernames aren't available, then you shouldn't be avoiding it on the login screen.