LastPass Cyberattack Response Worked as Designed


Here’s what I’d like to see in the news media: “LastPass quickly detected, contained, evaluated the scope of the incident, and secured all user accounts. LastPass cyberattack response worked as designed.”
My confidence and trust in this service has only increased after this incident:

LastPass Notice of Security Incident

As an avid fan and user of LastPass, I’ve been following this story with great interest:

We want to alert our community to a recent security incident & the actions we're taking to protect users. We are emailing all users now, but more information can also be found on our blog:

Posted by LastPass on Monday, June 15, 2015


Commenter epixoip, commenting on this Ars Technica article, assesses the incident as follows:

Not much to sweat about here. LastPass is doing things correctly, and their response is perfect.

If we could trust computers to keep secrets a secret, then we wouldn’t have to worry about protecting sensitive data at rest. But we can’t, so we do. Password databases can be compromised through a myriad of vectors — up to and including physical theft — and you have to plan for the eventuality that your database will be compromised. How you protect the data in the database is what really matters, and this is precisely why we have password hashing, and this is also why the threat model for password hashing starts with a compromised password database. Think of password hashing as an insurance policy. The stronger the password hashing is, the more time you buy for yourself and your users in the event of a breach: time to identify and contain the breach, time to notify your users, and time for your users to update their passwords.

LastPass definitely understands this, as their password hashing is top-notch — possibly the strongest we’ve ever seen, especially for a company of this size. 105,000+ rounds of PBKDF2-HMAC-SHA256 is definitely no joke.

So while it never looks good when a security company is compromised, there are a lot of positives here:

– They quickly identified, contained, and evaluated the scope of the breach
– They promptly notified users about the breach (within 72 hours)
– They are certainly doing proper password hashing (strong insurance policy)
– Vault data obviously isn’t stored on the same system as authentication data, evidence of strong segmentation

All in all, LastPass is doing things correctly, and I will definitely continue to support them.
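The comment above makes two points that are easy to state and easy to get wrong in practice: the threat model for password hashing assumes the database is already in the attacker's hands, and the work factor (here, 105,000+ rounds of PBKDF2-HMAC-SHA256) is what buys time after a breach. The block below is an added example written for this post; it is not LastPass's code and says nothing about how LastPass stores anything. It shows the defender's side of that design with Python's standard library: a per-user random salt, the iteration count stored beside the hash so it can be raised later, constant-time comparison on verify, and a transparent upgrade of old records at login time, the one moment the plaintext is available. The 105,000 default and the sample passwords are constructed for illustration.

```python
"""PBKDF2-HMAC-SHA256 password storage with salt, constant-time verification,
and transparent work-factor upgrades. Added example for this post; not LastPass code."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor chosen to match the "105,000+ rounds" figure quoted in the post.
# Constructed parameter: tune it to your own hardware and latency budget.
DEFAULT_ITERATIONS = 105_000
SALT_BYTES = 16   # per-user random salt; defeats precomputed tables
DK_LEN = 32       # derived-key length in bytes (256 bits)
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$dk_hex.

    Storing the iteration count beside the hash is what makes later
    work-factor upgrades possible without a forced password reset.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def _parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record; raises ValueError on anything malformed."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported algorithm tag")
    dk = bytes.fromhex(dk_hex)
    if not dk:
        raise ValueError("empty derived key")
    return int(iterations), bytes.fromhex(salt_hex), dk


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key and compare in constant time.

    A malformed record is treated as a failed login rather than an exception,
    so a corrupted database row cannot crash the authentication path.
    """
    try:
        iterations, salt, expected = _parse_record(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the stored record was made with fewer rounds than current policy."""
    try:
        iterations, _, _ = _parse_record(record)
    except ValueError:
        return True
    return iterations < minimum_iterations


def upgrade_on_login(password: str, record: str,
                     minimum_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Authenticate, and if the stored work factor is below policy, return a
    fresh record to write back. The plaintext is only available at login,
    so this is the one moment a hash can be strengthened in place."""
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record, minimum_iterations):
        return True, hash_password(password, minimum_iterations)
    return True, None


if __name__ == "__main__":
    # Constructed demo values; not real user data.
    legacy = hash_password("correct horse battery staple", iterations=1_000)
    print("legacy record:", legacy)
    print("needs rehash under current policy:", needs_rehash(legacy))
    ok, upgraded = upgrade_on_login("correct horse battery staple", legacy)
    print("login ok:", ok)
    print("upgraded record:", upgraded)
    print("wrong password accepted:", verify_password("hunter2", upgraded))
```

The record format is the design choice worth noting: because each row carries its own iteration count, raising the policy number is a one-line change, and old rows are rehashed one by one as users log in rather than forcing a reset. That is exactly what lets the "insurance policy" in the comment grow over time as hardware gets faster.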



Apple Music Connect

Connect is one of the most intriguing and exciting aspects of Apple Music, launching June 30th… CD Baby’s DIY Musician podcast #150 has an excellent overview:

#150: Roundtable – What artists need to know about Apple Music
Apple – Music – Connect

Apple – iTunes – Working with iTunes – Connect


Royalty Check: Streaming vs. Downloads

Some thoughts: 

In other words,

The purchase of a song or album (download, CD, vinyl) secures the licenses from the rights holders for you to listen to that song, or album, whenever you want, wherever you want, as many times as you want, for the rest of your life… and the royalties due those rights holders reflect those uses.

But a stream of a song needs only to secure licenses from the rights holders for one (1) listen by one listener… and the royalties due those rights holders for that stream reflect that use.



Apple Music News Round-Up


Guardian Interview with Jimmy Iovine and Eddy Cue after Apple Music Announcement

Stuart Dredge sits down with Jimmy Iovine and Eddy Cue for the Guardian, shortly after the Apple Music announcement during the WWDC keynote:

Apple Music interview: ‘Algorithms can’t do it alone – you need a human touch’