Ubuntu Forums - FYI
Patrick Asselman
iceblink at seti.nl
Wed Jul 24 11:21:14 UTC 2013
On 2013-07-24 12:02, Sajan Parikh wrote:
> On 07/24/2013 04:42 AM, Patrick Asselman wrote:
>> The problem remains that they are an American company, bound by American
>> law. The infamous Patriot Act can force companies to deliver data to the
>> government unencrypted (this may be accompanied with a "gag order",
>> preventing them from saying anything about this).
>>
>> This *may* mean that they have a backdoor in their software (javascript
>> or plugin) so that they can comply with this law. If that is the case,
>> the security is only as good as the security of that back door. (Even if
>> they were not American, you would have to trust that there is no
>> backdoor or flaw in their software.)
>
> Patrick, I genuinely don't mean to be rude. However, this is the
> ignorant, tinfoil hat response I was referring to.
>
> If you are theorizing that AES has any sort of 'backdoor' so that the
> secret Government bad guys with their black helicopters can knock on
> LastPass's door and gain access to your Twitter account...that's the most
> ridiculous thing I've heard and I am counting you as a troll at this
> point.
>
> AES is an encryption standard used by just about everyone. If there
> was an easy way to crack it, let me know because it would mean that
> many things are just plain broken.
>
> I will say that it'd be much easier for me to break into your house
> and find this notebook of yours than break a worldwide used encryption
> system, each user having their own key.
>
> ref: https://lastpass.com/whylastpass_technology.php?fromwebsite=1
>
> LastPass uses AES with your master password as the key. So as long as
> your master password (last pass, get it?) is secure, you're completely
> safe for the foreseeable future.
>
> I'm honestly surprised you 'trust' enough people on the planet to
> even participate in a mailing list.
>
> You scaring people away from LastPass does more harm than good.
> Using an offline password manager can be argued to be less secure as
> well depending on a few factors. Really don't want to get into it
> here though.
>
You are fixating on the security of AES. Read again, I'm not
claiming AES has a backdoor, but rather that the bit of java code or the
browser plugin that LastPass uses *may* (!) have one. You should always
remember: Security is only as good as its weakest link. Just because the
software uses AES does not mean it is safe.
It is easier to break into a house to obtain one person's password, but
it is easier to break into an online system to obtain 10000000 people's
passwords ;) If the rewards are big enough, people are going to try it.
I trust 99% of the people on this planet, but I do worry about that 1%
that steals my bicycle at the supermarket, or filters half the internet
in the name of terrorism prevention.
LastPass is probably an excellent tool for most passwords. All I'm
saying is: don't count on it being 100% safe, and don't dismiss people
using a paper notebook too easily. Some passwords may be better off
stored in the paper book than in the cloud.
Yours trolly,
Patrick Asselman