LastPass made some serious blunders: how they responded to the hack in August, code they created before August, and how they configured their backup system. All of that came to a head at the end of 2023 when the hackers from August used stolen credentials to download a backed-up copy of customer information. Most of it was encrypted, but they still gained a lot of information. Many are calling for customers to leave the product. However, even if you're not a LastPass customer, there are lessons to be learned here. Learn those lessons and don't be like LastPass.
Speaker:There are lessons we can all learn from what happened to
Speaker:LastPass and their customers.
Speaker:It's a complicated story.
Speaker:We do our best to boil it down to the essentials and to the lessons that we
Speaker:can learn from what happened to them.
Speaker:Hope you enjoy the episode.
W. Curtis Preston:Hi, and welcome to Backup Central's Restore All podcast.
W. Curtis Preston:I'm your host, W. Curtis Preston, aka Mr. Backup.
W. Curtis Preston:And I have with me, uh, a guy who I think is gonna be
W. Curtis Preston:very excited as he lives vicariously through me over the next few months.
W. Curtis Preston:my, my electronic enthusiast Prasanna Malaiyandi how's it going?
W. Curtis Preston:Prasanna,
Prasanna Malaiyandi:I'm good, I'm always willing to spend other people's money, so
Prasanna Malaiyandi:or getting people to spend
W. Curtis Preston:say that.
W. Curtis Preston:This is like your, your exciting part of watching other people
W. Curtis Preston:sort of work through their.
W. Curtis Preston:spend their money.
Prasanna Malaiyandi:And it's what makes you happy, right?
Prasanna Malaiyandi:So it's like you're starting a project.
Prasanna Malaiyandi:No.
Prasanna Malaiyandi:Well, you're starting a project for enjoyment, right?
Prasanna Malaiyandi:I think everything, sorry.
Prasanna Malaiyandi:Most things in life that you do to improve your life costs money.
Prasanna Malaiyandi:So, there are some things that don't, of course, but there are some things
Prasanna Malaiyandi:where you're like, yeah, I work.
Prasanna Malaiyandi:I earn, I spend a lot of time working and putting in the time.
Prasanna Malaiyandi:There should be certain things which I should spend money on
W. Curtis Preston:So I'm probably going to buy what is referred to as
W. Curtis Preston:an ultra short throw, um, laser TV.
W. Curtis Preston:And, um, well, they, so in the, in the biz, they're, they call this a laser TV.
W. Curtis Preston:I, I don't know why, but it is a projector, right?
W. Curtis Preston:It's a screen and a projector and they're like, it's a laser
W. Curtis Preston:TV cuz it's lasers, but whatever.
W. Curtis Preston:Um, but that's what everybody calls it, right?
W. Curtis Preston:Um, but yeah, it's not gonna be cheap.
W. Curtis Preston:Right, because I want a ginormous screen.
W. Curtis Preston:I'm looking at it 120 inch screen.
W. Curtis Preston:Um, and, uh, I am most likely going to be buying, uh, I've already looked.
W. Curtis Preston:I'm gonna be buying basically last year's model, what is now last year's
W. Curtis Preston:model, because CES was just a few weeks ago, or actually just last
W. Curtis Preston:week, I've already looked at the reviews of the stuff that people,
W. Curtis Preston:in, in CES and I'm like, yeah, I'm not paying for that.
W. Curtis Preston:Right.
W. Curtis Preston:Um, look, looking at stuff that's like double the price of what I'm looking at.
W. Curtis Preston:I will say the most frustrating part in terms of like looking at reviews
W. Curtis Preston:and stuff, um, has been the soundbar part, um, is the different levels of
W. Curtis Preston:it's, it's, like with, with, with the projector, there is hands down, a winner.
W. Curtis Preston:Everybody agrees.
W. Curtis Preston:Bang for the buck.
W. Curtis Preston:It's this Formovie Theater.
W. Curtis Preston:That's the, the name of it.
W. Curtis Preston:It's actually like a, I think it's actually WEMAX that makes it, but
W. Curtis Preston:they've branded it for the US market.
W. Curtis Preston:The brand is Formovie.
W. Curtis Preston:That's the name of the brand and the name of the thing I'm buying is Theater.
W. Curtis Preston:The Formovie Theater.
W. Curtis Preston:It's a little hokey, but everyone agrees.
W. Curtis Preston:It li like it, it, it literally universally, everyone agrees.
W. Curtis Preston:So that's the easy part.
W. Curtis Preston:They also generally agree on the screen.
W. Curtis Preston:Um, you know, a, um, a, what do they call, an ambient light rejecting screen
W. Curtis Preston:that is designed for UST projectors.
W. Curtis Preston:Um, but when we get into the soundbar part, um, first
W. Curtis Preston:off, they cost way too much.
W. Curtis Preston:Second,
Prasanna Malaiyandi:It's all relative, Curtis.
W. Curtis Preston:it's so, it is so relative, right?
W. Curtis Preston:And you watch these different reviews, you're like, okay, I think, I think
W. Curtis Preston:I've, I think I've zoomed in on it.
W. Curtis Preston:And then you read, and then you watch a couple of other reviews and
W. Curtis Preston:they're like, oh, this one's crap.
W. Curtis Preston:This one's, yeah, well, it's good, but it sounds a little tweety.
W. Curtis Preston:It sounds a little, you know, this and that.
Prasanna Malaiyandi:so
W. Curtis Preston:it's not, it's speakers, it's surround speakers
W. Curtis Preston:are not nearly as good as the Samsung nine 90 T Biggie r.
W. Curtis Preston:You're like, all right, lemme go check that one out.
W. Curtis Preston:And then you, you know, and, um,
Prasanna Malaiyandi:How far down the rabbit hole did you end up
W. Curtis Preston:I.
W. Curtis Preston:Well, I, well, I know this.
W. Curtis Preston:I don't want to buy the thing that I saw the guy review.
W. Curtis Preston:Well, actually, let me rephrase that.
W. Curtis Preston:I do want to buy the thing that I saw the guy review from
W. Curtis Preston:CES, which is the what, what's the
Prasanna Malaiyandi:the, the Nakamichi, Nakamichi Dragon.
W. Curtis Preston:Nakamichi?
W. Curtis Preston:The Nakamichi Dragon that he basically said it's the greatest
W. Curtis Preston:sound system he is ever seen.
W. Curtis Preston:Uh, but it's $3,500, which I.
W. Curtis Preston:Basically about two x of what I think I'll probably be spending.
W. Curtis Preston:Um, uh, I think I've ended up with the Samsung so far mentally where I'm at
W. Curtis Preston:as the Samsung HW-Q990B, which
Prasanna Malaiyandi:Is that the one I told you?
W. Curtis Preston:system.
W. Curtis Preston:Is it really the one you told me when I started?
Prasanna Malaiyandi:I think it was.
W. Curtis Preston:Yeah, that's interesting.
W. Curtis Preston:We've, we've talked about this enough already.
W. Curtis Preston:Uh, I want to go to something that is, that is
Prasanna Malaiyandi:this is more fun.
W. Curtis Preston:to me.
W. Curtis Preston:Yeah, it is, it is more fun.
W. Curtis Preston:It is more fun to talk about.
W. Curtis Preston:But we're here today to talk about
W. Curtis Preston:password managers.
W. Curtis Preston:You know, we, we've, we've spoken about password managers, pr, what
W. Curtis Preston:do we think of Password managers?
Prasanna Malaiyandi:They are awesome.
Prasanna Malaiyandi:Everyone should use a password manager.
W. Curtis Preston:everyone should use a password manager.
W. Curtis Preston:You should either use a commercial one, like the one I happen to have.
W. Curtis Preston:I happen to have, uh, Dashlane, not sponsored.
W. Curtis Preston:You have like an open source
Prasanna Malaiyandi:Yeah, I use KeePass.
Prasanna Malaiyandi:Yep.
Prasanna Malaiyandi:I use Key
W. Curtis Preston:Yeah.
W. Curtis Preston:KeePass.
W. Curtis Preston:Yeah.
Prasanna Malaiyandi:In fact, didn't we do an episode where we talked
W. Curtis Preston:We did, we did an episode where we
W. Curtis Preston:talked about these different
Prasanna Malaiyandi:With, yeah, with Chris Haner.
Prasanna Malaiyandi:Why you need a password manager?
Prasanna Malaiyandi:Episode 168.
W. Curtis Preston:Yeah.
W. Curtis Preston:Yeah.
W. Curtis Preston:So we're huge fans of password managers and LastPass, uh, generally
W. Curtis Preston:ha, you know, has a good design.
W. Curtis Preston:Um, having said that, I think they made some, some really big mistakes.
W. Curtis Preston:Given the number of companies that have been hacked, will be hacked,
W. Curtis Preston:especially when we, when we start looking at ransomware, I don't
W. Curtis Preston:think that a company should be dinged just because they got hacked.
Prasanna Malaiyandi:Yep.
Prasanna Malaiyandi:Yep.
W. Curtis Preston:do you, do you agree with that?
Prasanna Malaiyandi:I a hundred percent agree.
Prasanna Malaiyandi:It's there.
Prasanna Malaiyandi:It's so hard to stay on top of everything, especially given a service you operate.
Prasanna Malaiyandi:And so there will be zero day exploits and other things that you can't plan for.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And they happen and it's just how quickly can you jump on top
Prasanna Malaiyandi:when something like that happens?
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:So we shouldn't ding 'em just because they may be hacked.
Prasanna Malaiyandi:Right.
W. Curtis Preston:Having
Prasanna Malaiyandi:But but I sets a
W. Curtis Preston:can d we can ding companies for why they got hacked, right?
W. Curtis Preston:If you got hacked, right, if your identity got stolen because
W. Curtis Preston:you painted your social security number on the front of your house,
Prasanna Malaiyandi:Yeah.
W. Curtis Preston:an idiot,
Prasanna Malaiyandi:Or you create an S3 bucket that you left public.
W. Curtis Preston:if you do something like that, Then, you know, we're just,
W. Curtis Preston:we're just gonna make fun of you, right?
W. Curtis Preston:We're just gonna bring you on.
W. Curtis Preston:And this is one of those things, you know, the, the, I, I was looking
W. Curtis Preston:at the Wired article about this, and their headline was basically, I
W. Curtis Preston:mean, here's some headlines, right?
W. Curtis Preston:So, uh, from Mashable: LastPass reveals just how bad that August breach was.
W. Curtis Preston:It was bad.
W. Curtis Preston:Um, the, the Wired article basically said, it's time to dump this password manager.
W. Curtis Preston:And that's a strong statement, but I have to say, based on the things
W. Curtis Preston:that we're gonna talk about in this episode, uh, again, I, I was already a
W. Curtis Preston:customer of another, of another company, but it seriously draws into question.
W. Curtis Preston:Some of their thought processes and, and, and lack of processes.
Prasanna Malaiyandi:And just for people who aren't familiar, just think of like
Prasanna Malaiyandi:all the passwords for all your financial institutions and everything else, right?
Prasanna Malaiyandi:You're trusting the keys to the kingdom about you and everything you
Prasanna Malaiyandi:have access to, to a company, right?
Prasanna Malaiyandi:Everything's in a single, centralized place if something happens, if that data
Prasanna Malaiyandi:is, if that company is breached and the data is stolen, right, there's all your
Prasanna Malaiyandi:passwords for everything that's out there.
W. Curtis Preston:I'll just put this right.
W. Curtis Preston:I'll just put this right now.
W. Curtis Preston:If you're a LastPass customer and your, and the length of your password isn't
W. Curtis Preston:good enough, they your, your data's gone.
W. Curtis Preston:Right?
W. Curtis Preston:And you need to go and change all meaning that your data has now been, it, it,
W. Curtis Preston:it, it should, you should be assumed.
W. Curtis Preston:Cuz that's basically what they told their customers.
W. Curtis Preston:They basically said, you know, if you've got, um, you know, uh, a password that's
W. Curtis Preston:that's not of, of a certain length, then um, it's gonna be, you know, it's
W. Curtis Preston:gonna be easily g where, where are
Prasanna Malaiyandi:Or, or, or
W. Curtis Preston:Prasanna, in terms.
W. Curtis Preston:of the,
W. Curtis Preston:of the, um, yeah.
W. Curtis Preston:What's, what's the recommended minimum password length these days?
Prasanna Malaiyandi:I don't know.
Prasanna Malaiyandi:I am actually not sure.
Prasanna Malaiyandi:I always just figure out like if I'm creating a password, whatever
Prasanna Malaiyandi:the max password is on a website, and I just use that, right?
Prasanna Malaiyandi:So for me it always varies, right?
Prasanna Malaiyandi:I always just err on the side of whatever's the largest.
W. Curtis Preston:Here's the one I was looking for.
W. Curtis Preston:There's a chart.
W. Curtis Preston:Here it is.
W. Curtis Preston:Yeah, this is it.
W. Curtis Preston:Okay.
W. Curtis Preston:Number of characters, assuming that you're using upper and
W. Curtis Preston:lowercase and a number, right?
Prasanna Malaiyandi:Mm-hmm.
W. Curtis Preston:Uh, I mean, I, I can, can we agree that we should not have anything
W. Curtis Preston:measured in months or... So basically the question is, if you have numbers,
W. Curtis Preston:upper and lowercase nu letters, how long will it take modern, um, computers to
W. Curtis Preston:do a brute force guess of your password?
W. Curtis Preston:And today, if you're a 10 character password, it's seven months.
W. Curtis Preston:If you're an eight character password, it's one hour.
W. Curtis Preston:right?
W. Curtis Preston:If you have an eight character password with numbers, upper and lower case, by
W. Curtis Preston:the way, if you add symbols to that, it goes from one hour to eight hours.
W. Curtis Preston:So an eight character password with all of the stuff that you're
W. Curtis Preston:supposed to have in it is guessable in eight hours with modern technology.
W. Curtis Preston:So I, I would, I like numbers like.
W. Curtis Preston:2000 years, a hundred thousand years, right?
W. Curtis Preston:Um, and that those start appearing around 13 characters, right?
W. Curtis Preston:Um, according to this, an 18 character password, um, , I like this.
W. Curtis Preston:An 18 character password with numbers, upper and lowercase and symbols is
W. Curtis Preston:seven quadrillion years to guess.
W. Curtis Preston:So, what I've been doing is I've set my password length to 20 in
W. Curtis Preston:Dashlane and, uh, and obviously I have to rein that back occasionally
W. Curtis Preston:when I get to a stupid website.
Prasanna Malaiyandi:Yeah.
W. Curtis Preston:Um, yeah, so basically if you, if, if your password,
W. Curtis Preston:I'm gonna say if your password is under 10 characters, then you need to.
W. Curtis Preston:Changing all your passwords now, if you're a last port, if you're a
W. Curtis Preston:LastPass customer, now we should, we need to talk about why, but I
W. Curtis Preston:just wanna scare the crap out of
W. Curtis Preston:you
Prasanna Malaiyandi:I thought there was, I thought there was also another
Prasanna Malaiyandi:thing that they had mentioned of, maybe we'll talk about this later, maybe
Prasanna Malaiyandi:not, that they had used a different crypto algorithm in the beginning.
Prasanna Malaiyandi:So if you have really old passwords, it would
W. Curtis Preston:Oh, that's right.
Prasanna Malaiyandi:standard than newer passwords.
Prasanna Malaiyandi:So even if you have 24 characters or whatever else, if it's a password that
Prasanna Malaiyandi:was, I don't know what the timeframe was for that password or when they did
Prasanna Malaiyandi:that switch, but if you have an old password, you should probably change it.
W. Curtis Preston:So let's talk about what, where this started at.
W. Curtis Preston:Um, and that
Prasanna Malaiyandi:in the day,
W. Curtis Preston:hack, right?
W. Curtis Preston:Um, so there,
Prasanna Malaiyandi:But ju, do you wanna actually talk about
Prasanna Malaiyandi:it before the August hack?
W. Curtis Preston:what, what do you mean?
Prasanna Malaiyandi:Because are you gonna talk specifically about the LastPass
Prasanna Malaiyandi:breach that happened in August?
Prasanna Malaiyandi:Or do you also want to talk about, because before the LastPass breach,
Prasanna Malaiyandi:right, there was the Twilio breach
W. Curtis Preston:Twi Twilio breach right there.
W. Curtis Preston:Well, there was Twilio, but you know, as, as, as far as I can tell, what
W. Curtis Preston:it was was it was the same threat actor that did a bunch of similar
W. Curtis Preston:attacks that they attacked Twilio.
W. Curtis Preston:Which that didn't mean anything to me, cuz to me that was like
W. Curtis Preston:some, uh, project management stuff.
W. Curtis Preston:And that's when I found out that Twilio owned Authy, guess who uses Authy?
W. Curtis Preston:Hello?
W. Curtis Preston:But basically what they did, uh, as far as I can see is they,
W. Curtis Preston:they used stolen credentials.
W. Curtis Preston:They got into the network, they were able to bad bypass MFA in
W. Curtis Preston:some way, and they were able to spend some time in the network.
W. Curtis Preston:And, uh, LastPass.
W. Curtis Preston:The only credit I'm going to give to LastPass is that they were
W. Curtis Preston:upfront about what happened, right?
W. Curtis Preston:So they were, but they weren't.
W. Curtis Preston:So they said that they, they had, they had able, they'd been
W. Curtis Preston:able to steal some source code.
Prasanna Malaiyandi:Yep.
W. Curtis Preston:And at first that's very concerning because the source code
W. Curtis Preston:could include source code of, of the, the product itself and somehow figure out
Prasanna Malaiyandi:Like exploits and weakness.
W. Curtis Preston:Right?
W. Curtis Preston:But the source code that we now know what, again, this is all at everything
W. Curtis Preston:I'm saying in this podcast is it appears, what it looks like they did was they
W. Curtis Preston:stole the source code of a script.
W. Curtis Preston:that was being used for backup.
W. Curtis Preston:Which, uh, what do you think?
W. Curtis Preston:I think Prasanna about a company that's a 200 million company
W. Curtis Preston:that's doing backups with a script.
W. Curtis Preston:And what was in this script?
W. Curtis Preston:Mind you, what was in the script?
W. Curtis Preston:Credentials.
W. Curtis Preston:So hard coded credentials.
W. Curtis Preston:So what do you think?
Prasanna Malaiyandi:Yeah, so, so the, so a, they shouldn't have been doing that.
Prasanna Malaiyandi:That's ridiculous.
Prasanna Malaiyandi:But I will give them credit for one aspect.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:I know a lot of times, and maybe you should throw out
Prasanna Malaiyandi:our disclaimer here, right?
Prasanna Malaiyandi:But I know a lot of times we talk about, um, actually, why
Prasanna Malaiyandi:don't you do the disclaimer.
W. Curtis Preston:All right.
W. Curtis Preston:So, uh, Prasanna and I work for different companies.
W. Curtis Preston:This is not, uh, an official podcast of either company.
W. Curtis Preston:He works for Zoom, I work for Druva.
W. Curtis Preston:And we're just a couple of dudes, gibber-jabbering about our opinions about stuff.
W. Curtis Preston:And these do not necessarily reflect the opinions of our respective employers.
W. Curtis Preston:And, uh, if you wanna join the conversation, this one or any other
W. Curtis Preston:conversation, you feel free to reach out.
W. Curtis Preston:W Curtis Preston gmail or WC Preston on Twitter.
W. Curtis Preston:And, uh, I, I might get a, I might get a new Twitter name.
W. Curtis Preston:I hear they're, they're auctioning them off.
W. Curtis Preston:I
W. Curtis Preston:might, you know, a couple, couple million dollars and I'll,
W. Curtis Preston:I'll buy a Twitter name, but,
Prasanna Malaiyandi:Elon Musk,
W. Curtis Preston:I don't think that one's available.
W. Curtis Preston:Um, the, uh,
Prasanna Malaiyandi:So, so,
W. Curtis Preston:sure to rate us and subscribe and all that stuff.
W. Curtis Preston:Yeah.
W. Curtis Preston:So go ahead.
Prasanna Malaiyandi:So going back, so.
Prasanna Malaiyandi:I a hundred percent agree with you that they should never, like, no one should
Prasanna Malaiyandi:be hard coding credentials into a script.
Prasanna Malaiyandi:That is ridiculous.
Prasanna Malaiyandi:However,
W. Curtis Preston:one, no one should be
W. Curtis Preston:a 200 million company should not be doing shell scripts
Prasanna Malaiyandi:Yes.
Prasanna Malaiyandi:Well, let me, let me get to
W. Curtis Preston:Okay.
W. Curtis Preston:Sorry, I interrupted you.
Prasanna Malaiyandi:yeah.
Prasanna Malaiyandi:So yes, there are cases where you want to use automated tools or, uh, a
Prasanna Malaiyandi:service out there or a backup product to actually do it properly because
Prasanna Malaiyandi:no one wants to focus on backups.
Prasanna Malaiyandi:Everyone's gonna do a poor job if they build it themselves because it
Prasanna Malaiyandi:never gets a focus on the business.
Prasanna Malaiyandi:A hundred percent agree.
Prasanna Malaiyandi:However, I will say that there might be certain cases, right?
Prasanna Malaiyandi:I don't know what their infrastructure looks like, right?
Prasanna Malaiyandi:There might be cases where there is no standalone tool that can satisfy the
Prasanna Malaiyandi:needs of what they have right there.
Prasanna Malaiyandi:Maybe it's a very, very small percentage.
Prasanna Malaiyandi:Maybe they never looked, but I'm just giving them the benefit of the
Prasanna Malaiyandi:doubt and saying maybe it didn't work for their environment, and therefore
Prasanna Malaiyandi:someone went and wrote a shell script.
Prasanna Malaiyandi:That's all I have
W. Curtis Preston:not buying that.
W. Curtis Preston:I'm not buying that be because the, the problem, the, the, the,
W. Curtis Preston:the area, like I can see that of like maybe they're using Neo4j and
W. Curtis Preston:nobody has a tool to back up Neo4j.
W. Curtis Preston:And so they've got a shell script to back up Neo4j.
W. Curtis Preston:I'll give them that, but that's not where, where the, where the,
W. Curtis Preston:where the problem was apparently in actually when it copied to the cloud.
W. Curtis Preston:There's a thousand companies, uh, that if you're running, they're most likely
W. Curtis Preston:running Linux or something right.
W. Curtis Preston:Somewhere.
Prasanna Malaiyandi:uh, oury.net.
Prasanna Malaiyandi:Remember we had
W. Curtis Preston:There, there's a bunch of companies and stuff that could
W. Curtis Preston:do this without hard coding your stuff.
W. Curtis Preston:So ba So I think, I think it's bad that a 200 million company
W. Curtis Preston:was using a shell script.
W. Curtis Preston:It's super bad that they were using, um, hard coded credentials
W. Curtis Preston:in that script . And then, um, and
Prasanna Malaiyandi:You know what's funny?
Prasanna Malaiyandi:You know what's funny?
Prasanna Malaiyandi:Wait.
Prasanna Malaiyandi:But before you get to that, they're a password manager company that is
Prasanna Malaiyandi:hard coding passwords, you know?
Prasanna Malaiyandi:Isn't that a little ironic?
W. Curtis Preston:That unlike most of the things in the song, isn't
W. Curtis Preston:it ironic, uh, is actually ironic.
W. Curtis Preston:That is very ironic, right?
W. Curtis Preston:Um, a password management company that didn't.
W. Curtis Preston:Yeah.
W. Curtis Preston:That's not, that's not good.
W. Curtis Preston:Yeah.
W. Curtis Preston:And by the way, what ended up happening is why you don't hardcode passwords
W. Curtis Preston:in, uh, and, and, and they use the word token somewhere, you know, it's slightly
W. Curtis Preston:different than a password, but whatever.
W. Curtis Preston:It's a password.
W. Curtis Preston:What happened was we go back to the August breach.
W. Curtis Preston:What it, what it looks like happened is they crawled the network.
W. Curtis Preston:They were able to grab some source code.
W. Curtis Preston:Remember that source code included the script.
W. Curtis Preston:The script happened to have credentials to log into the cloud
W. Curtis Preston:service where they copy their backups.
Prasanna Malaiyandi:Oh.
W. Curtis Preston:And so guess what?
W. Curtis Preston:They, that's what happened is they lo it's the, the, the hackers logged into the
W. Curtis Preston:cloud service that they use for backups and they exfiltrated the data, right?
Prasanna Malaiyandi:what was in these backups,
W. Curtis Preston:Well, nothing important.
W. Curtis Preston:Really lucky, Prasanna.
W. Curtis Preston:Luckily, it was nothing important.
W. Curtis Preston:It was just everything it was.
W. Curtis Preston:It was the customer database, meaning like who are they?
W. Curtis Preston:Where do they live?
W. Curtis Preston:You know, how do they pay?
W. Curtis Preston:What address they live in, all that kind of stuff.
W. Curtis Preston:But it was also the actual vault, the actual, the crown jewels,
W. Curtis Preston:the usernames and passwords.
W. Curtis Preston:Now they are saying that with some caveats that we already talked about a little bit.
W. Curtis Preston:They are saying that they, um, that they're there.
W. Curtis Preston:That is, that that part is encrypted.
W. Curtis Preston:Right?
W. Curtis Preston:So the, the chance is that someone would be able to steal your password, your
W. Curtis Preston:username and password by decrypting your, because the, the, the encryption algorithm
W. Curtis Preston:is, it's a hashing mechanism that uses your password as part of the key.
W. Curtis Preston:Right?
W. Curtis Preston:Uh, it's,
Prasanna Malaiyandi:Like
W. Curtis Preston:I don't know if it's Yeah.
W. Curtis Preston:Like the master password.
W. Curtis Preston:Right.
W. Curtis Preston:Um, and, um, and so in order to decrypt it, someone would have
W. Curtis Preston:to guess your master password.
W. Curtis Preston:The, um, and that's why we're going back to the beginning.
W. Curtis Preston:The question is, how big is your master password?
W. Curtis Preston:And also, apparently in the instructions that they sent to customers.
W. Curtis Preston:Again, I'm gonna, I'm gonna give th this is the only nice thing I'm gonna say.
W. Curtis Preston:At least they were open with their customers as to.
W. Curtis Preston:Uh, how things went, right.
W. Curtis Preston:Very different, for example, than the, uh, Rackspace hack, right?
W. Curtis Preston:The Rackspace hack.
W. Curtis Preston:They, they have said very little, even though they've concluded their
W. Curtis Preston:investigation, they've said very little, uh, and they've said some things that
W. Curtis Preston:I don't think they can back up, whereas LastPass really laid it out there.
W. Curtis Preston:they're like, here's what happened.
W. Curtis Preston:Here's where they got in, they got in, here's what they have.
W. Curtis Preston:And by the way, if you, if you got a, if your, if your master password is the
W. Curtis Preston:size or if you've done stuff, you know, a certain timeframe, if you, if you are a
W. Curtis Preston:LastPass customer and you haven't taken a look at that, uh, you really should,
W. Curtis Preston:you really should look at that message.
Prasanna Malaiyandi:clarification question, Curtis, is did they say that
Prasanna Malaiyandi:both the username and the password were encrypted in the vault, or was it just.
W. Curtis Preston:So yeah, the username, the, um, uh, what there,
W. Curtis Preston:the only thing I remember that was not encrypted in the vault was the URL
W. Curtis Preston:that that particular password is for.
W. Curtis Preston:Um, so, so which, which, again, this is, this is why I was like,
W. Curtis Preston:it is just a number of things where it calls into question.
W. Curtis Preston:The, the decisions of the company.
W. Curtis Preston:Why, why
W. Curtis Preston:leave that one field?
W. Curtis Preston:Yeah.
W. Curtis Preston:Um, I think we have some theories, right?
W. Curtis Preston:We have some, because they wanted it unencrypted.
W. Curtis Preston:I think it there they had a reason, right?
W. Curtis Preston:We can theorize it doesn't really matter, but I think the reason, the only reason
W. Curtis Preston:to leave a field like that unencrypted is you had, you had use of that field,
Prasanna Malaiyandi:Yep.
Prasanna Malaiyandi:It would be interesting to look at their privacy policy.
W. Curtis Preston:It would be an interesting to look
W. Curtis Preston:at their privacy policy.
W. Curtis Preston:I bet a lot of people are looking at their privacy policy.
W. Curtis Preston:If I was a LastPass customer, I don't know what I'd be thinking right now.
Prasanna Malaiyandi:So here's, I have two questions for you actually.
Prasanna Malaiyandi:One comment.
Prasanna Malaiyandi:One question.
Prasanna Malaiyandi:So the comment is, like you mentioned earlier, I think we should at
Prasanna Malaiyandi:least not congratulate LastPass, but at least say that they've
Prasanna Malaiyandi:done a good job being transparent.
Prasanna Malaiyandi:Right?
Prasanna Malaiyandi:We've seen so many other breaches
Prasanna Malaiyandi:where no information has come out, right?
Prasanna Malaiyandi:So I know we're harping on them right now, right?
Prasanna Malaiyandi:And giving them a bad time.
Prasanna Malaiyandi:But it's not because of what they've done after the breach.
Prasanna Malaiyandi:It's what happened before the breach.
Prasanna Malaiyandi:I think that's what we're concerned about on this.
W. Curtis Preston:Yeah.
W. Curtis Preston:And, and by the way, I, I need to go back to an earlier thought that
W. Curtis Preston:I, it came to me and it, it left.
W. Curtis Preston:And, you know, you know, that happens sometimes.
W. Curtis Preston:The problem with a hard coded, uh, you know, credential like
W. Curtis Preston:that is exactly what happened.
W. Curtis Preston:That someone who wasn't supposed to see the code will see the
W. Curtis Preston:code and will then use that.
W. Curtis Preston:do something bad, right?
W. Curtis Preston:To access stuff they're not supposed to access.
W. Curtis Preston:And, um, that's exactly what happened here.
W. Curtis Preston:Which again, I'm gonna go back to another, I don't think it was a decision, but
W. Curtis Preston:when you get hacked, like they got hacked and you know that a threat actor was
W. Curtis Preston:roaming around in your, in your computing environment for a few days, undetected.
W. Curtis Preston:What should be, what should you do next?
W. Curtis Preston:What should you do?
W. Curtis Preston:Immediately
Prasanna Malaiyandi:Well, a, you should probably take
W. Curtis Preston:beside, we already talked about notification.
W. Curtis Preston:Yeah.
W. Curtis Preston:Take everything down.
W. Curtis Preston:Look around.
Prasanna Malaiyandi:yeah.
Prasanna Malaiyandi:Take everything down, look around, rotate all your passwords,
W. Curtis Preston:There you
W. Curtis Preston:go.
W. Curtis Preston:That's, that's what I was reaching
W. Curtis Preston:for.
W. Curtis Preston:But, but the problem is when you've just got a hard-coded thing sitting in a shell,
W. Curtis Preston:you're not necessarily gonna think about
Prasanna Malaiyandi:Well, and I, that's the thing is if they had known it was
Prasanna Malaiyandi:hard coded, like if they had tools to scan and look for passwords, right.
Prasanna Malaiyandi:They would never have let that happen.
Prasanna Malaiyandi:It looks like it slipped under the cracks.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And someone hard coded it just to get it out the door and
Prasanna Malaiyandi:no one went back and fixed.
Prasanna Malaiyandi:And this goes to a point you were bringing up earlier.
Prasanna Malaiyandi:At this point, right?
Prasanna Malaiyandi:If you can't focus on your backups and make it better, you're probably better
Prasanna Malaiyandi:off finding an automated tool or a product to fill that gap because they care about
Prasanna Malaiyandi:these things and they will make sure that you are doing things in the right way.
Prasanna Malaiyandi:Right?
Prasanna Malaiyandi:And so you're less likely to end up with these issues.
W. Curtis Preston:Yeah.
W. Curtis Preston:And, and, and I know that not every company.
W. Curtis Preston:I mean, let's go back.
W. Curtis Preston:Go back to, go back to 30 years ago, right?
W. Curtis Preston:Uh, we are coming up like any day now.
W. Curtis Preston:It's gonna be 30 years for me in the IT industry.
W. Curtis Preston:And I was using Shell, I was at a 35 billion company and
W. Curtis Preston:I was using shell scripts.
W. Curtis Preston:I was, I was running dump, of course, back then, the idea of commercial backup tools.
W. Curtis Preston:So much a thing.
W. Curtis Preston:Arcserve Arc Serve was about the only one.
W. Curtis Preston:. It was Arcserve and there was Bud Tool.
W. Curtis Preston:I don't know if you've been around long enough to
Prasanna Malaiyandi:I've heard about Bud Tool.
Prasanna Malaiyandi:I never used it, but yet
W. Curtis Preston:and Alexandria.
W. Curtis Preston:That was which, which, which, you know who owns, you know who owned that.
Prasanna Malaiyandi:Hm.
W. Curtis Preston:They've been on the podcast.
W. Curtis Preston:Do you know who's owned that spec?
W. Curtis Preston:Spectra Logic owned Alexandria back in the day, they decided
W. Curtis Preston:to sort of focus on hardware.
W. Curtis Preston:I'm, I'm not saying that these things don't happen, but I will say that.
W. Curtis Preston:You know, that was a different time.
W. Curtis Preston:And basically, and even then I knew not to hardcode, username and passwords,
W. Curtis Preston:but the way the way backups worked back then was everything ran as root.
W. Curtis Preston:Right?
W. Curtis Preston:You, you created a script as root you Hadron that ran things as root.
W. Curtis Preston:and then because it ran its root and because you had R s H enabled
Prasanna Malaiyandi:Yep.
W. Curtis Preston:we didn't, we didn't have
Prasanna Malaiyandi:could do anything and
W. Curtis Preston:had RSSH enabled.
W. Curtis Preston:Rssh enabled without a password.
W. Curtis Preston:So from, from a central, right.
W. Curtis Preston:As long as you were root, you're root here, you're root over there.
W. Curtis Preston:That was, you know, back in the day, um, we had a script that would go
W. Curtis Preston:around and do our dumps and things like
W. Curtis Preston:that.
W. Curtis Preston:Um, and, um, We also had an RFS mounted tape drive.
W. Curtis Preston:I think we brought, I, I
Prasanna Malaiyandi:well, you talked about us.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Yep,
W. Curtis Preston:yeah.
W. Curtis Preston:RFS was remote file service, like predecessor to nfs, and,
W. Curtis Preston:but you could mount a tape drive.
W. Curtis Preston:It was kind of cool anyway, clearly it wasn't that cool
W. Curtis Preston:because it didn't , it didn't last,
W. Curtis Preston:but,
Prasanna Malaiyandi:Yeah.
W. Curtis Preston:Yeah, so I, I understand you're a small
W. Curtis Preston:company, um, and, and you can't get any budget for backups.
W. Curtis Preston:I, I understand.
W. Curtis Preston:I, I just, I would like to think that if that's where you work, if, if
W. Curtis Preston:you can't get any money for backups, I think that you should take a
W. Curtis Preston:stance, and I think that you should say, we need a commercial backup.
W. Curtis Preston:Right.
W. Curtis Preston:Um, I, I do th I and I do strongly believe in, in a SaaS based tool.
W. Curtis Preston:Not because I work for Druva, but because I've been that way for a long time.
W. Curtis Preston:Right.
W. Curtis Preston:The idea of.
W. Curtis Preston:Having somebody who's focused on it and does nothing but that
W. Curtis Preston:and you have a complete service.
W. Curtis Preston:Um, you know, and the cloud is a beautiful thing for that.
W. Curtis Preston:We have so much bandwidth these days that, you know, deduplication has enabled this.
W. Curtis Preston:I mean, it's just been so many things that have been, that have made cloud a
W. Curtis Preston:cloud SaaS backup service like my, my employer, happens to offer, um, for me.
W. Curtis Preston:It, it, it is the best backup option for most companies.
W. Curtis Preston:There's caveats, right?
W. Curtis Preston:Uh, most of the companies like mine, there's not a lot of them,
W. Curtis Preston:but they don't tend to do like the older Unix platforms, right?
W. Curtis Preston:Um, they don't tend to do as many database products.
W. Curtis Preston:They tend to focus on virtualization and the.
W. Curtis Preston:. Right.
W. Curtis Preston:Uh, and I'll, I'll say something that I say often is, if you've got 10
W. Curtis Preston:petabytes of data and a T1 line, Hmm.
W. Curtis Preston:That ain't gonna work.
W. Curtis Preston:Right.
W. Curtis Preston:, you need some
Prasanna Malaiyandi:but I'm guessing, just given last pass, right, they probably
Prasanna Malaiyandi:like how they've scaled out, right?
Prasanna Malaiyandi:The number of users on their platform.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:They're probably familiar with a lot of these sort of challenges anyway.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:It's just they sort of stopped at, and so I'm even wondering like,
Prasanna Malaiyandi:they focused on production, right?
Prasanna Malaiyandi:Making sure everything was up and was good to go there.
Prasanna Malaiyandi:They probably have some form of high availability and
Prasanna Malaiyandi:disaster recovery, hopefully.
Prasanna Malaiyandi:Right?
Prasanna Malaiyandi:But who knows?
Prasanna Malaiyandi:And then it's just sort of, some people, like you said, forget about that arc or
Prasanna Malaiyandi:the backup side of things and recovery.
Prasanna Malaiyandi:And then I even wonder if there probably don't even consider anything
Prasanna Malaiyandi:around archive either, right?
Prasanna Malaiyandi:If I just think about the life.
W. Curtis Preston:Yeah.
W. Curtis Preston:I, I, I, um, I just think it's a matter of not prioritizing backup,
W. Curtis Preston:which I is a, is a historical problem.
Prasanna Malaiyandi:Yeah,
W. Curtis Preston:and I guess I'm just saying, I'm speaking to the, I'm
W. Curtis Preston:speaking to the person that understands the value of backup and recovery, and
W. Curtis Preston:that is our target listener, right?
W. Curtis Preston:Our target audience is somebody who understands the value
W. Curtis Preston:of, of, of backup, right?
W. Curtis Preston:So I'm saying if you're at a company that doesn't understand the value of backup,
W. Curtis Preston:I think it's time to, to make a stand.
Prasanna Malaiyandi:Yep.
W. Curtis Preston:Get it in writing that you recommend they do something else.
Prasanna Malaiyandi:and I think because typically it's an IT function, right?
Prasanna Malaiyandi:Who worries about backup, but this is where I think you go get champions
Prasanna Malaiyandi:who can help support your cause, like people in security because it's
Prasanna Malaiyandi:relevant for security folks as well.
Prasanna Malaiyandi:Or if you look at legal and compliance or other folks in the organization, right, to
Prasanna Malaiyandi:help support you and push to get things.
W. Curtis Preston:Yeah.
W. Curtis Preston:And use this story.
W. Curtis Preston:Right.
W. Curtis Preston:Use this story of what happens when you grow your own backup system and then reach
W. Curtis Preston:out to, you know, a number of companies.
W. Curtis Preston:Reach out to me.
W. Curtis Preston:I'll, I'll put you in touch with the right people.
W. Curtis Preston:Um,
Prasanna Malaiyandi:It's,
W. Curtis Preston:don't talk opinion.
W. Curtis Preston:He'll just, he'll just make a meeting.
Prasanna Malaiyandi:so it's interesting.
Prasanna Malaiyandi:I was just thinking about this a lot of times on the engineering
Prasanna Malaiyandi:side and product side, we always talk about tech debt, right?
Prasanna Malaiyandi:Things I wish I could have done, but I couldn't do because I had
Prasanna Malaiyandi:to get the product out the door.
Prasanna Malaiyandi:So I took some shortcuts and we'll fix it later and sometimes didn't ever get fixed.
Prasanna Malaiyandi:Right?
Prasanna Malaiyandi:I think we haven't really talked about like the IT side of tech.
Prasanna Malaiyandi:Right, which like this could be, right?
Prasanna Malaiyandi:It's like, Hey, I needed to get backup done for that initial release,
Prasanna Malaiyandi:for instance, just to get things out the door and it's tech debt.
Prasanna Malaiyandi:I never had the chance to go back and fix it, do it right?
Prasanna Malaiyandi:Because there's never enough time, there's never enough budget, right?
Prasanna Malaiyandi:There's all these other priorities.
Prasanna Malaiyandi:So
W. Curtis Preston:One of my favorite phrases, it's never time to do it.
W. Curtis Preston:Right.
W. Curtis Preston:Always time to do it over, right?
W. Curtis Preston:Um,
Prasanna Malaiyandi:until you get to a fire drill like this,
W. Curtis Preston:Yeah.
W. Curtis Preston:So, yeah, so, so use this story.
W. Curtis Preston:So that's what I, I, so I, I, I tell you what, I, I, I would
W. Curtis Preston:have a hard time continuing to justify being a LastPass customer.
W. Curtis Preston:You do what you want.
W. Curtis Preston:Maybe they have features that you like, and maybe you feel that they've
W. Curtis Preston:learned their lesson, whatever.
W. Curtis Preston:I don't know.
W. Curtis Preston:Last pass, it made me, it made me think about the length and the
W. Curtis Preston:complexity of my dash lane password.
W. Curtis Preston:Um, so I got, I got, I changed it I was like, I, uh, and my wife and I
W. Curtis Preston:share the password manager, right?
W. Curtis Preston:So I had to, I had to explain my new super long password.
W. Curtis Preston:It's relatively simple to remember, right?
W. Curtis Preston:I went with the sort of the battery horse stable method rather than the XYZ nine,
W. Curtis Preston:Q five,
Prasanna Malaiyandi:was it basically u U s t p a l r one 20 d r a g o n.
W. Curtis Preston:Yeah, that's exactly what it was.
W. Curtis Preston:Um, yes.
W. Curtis Preston:Um, that's what be my, my password should be four movie theater, Samsung nine 90 B.
W. Curtis Preston:Actually, you know, the, the, the Vizio model numbers.
W. Curtis Preston:So, so that was one of the things I was looking at.
W. Curtis Preston:The Soundbars, the VIO model numbers are all like UX 95 3 70.
W. Curtis Preston:Right.
W. Curtis Preston:And the, the people that review 'em, they're just like, what is
W. Curtis Preston:What is this?
W. Curtis Preston:You know?
W. Curtis Preston:Um, that could be, that could be a good password, I'm just saying.
W. Curtis Preston:Um, but it's not long enough.
W. Curtis Preston:So, yeah, so I, I so, so, so, so that's the other thing.
W. Curtis Preston:So I think you should.
W. Curtis Preston:I think you should seriously reconsider your last best situation.
W. Curtis Preston:I think you should also look at, take this, take this opportunity
W. Curtis Preston:to upgrade your backup scripts, your up your backup system.
W. Curtis Preston:Look at a commercial backup system uses as a justification so you
W. Curtis Preston:to do what you probably want been wanting to do all along.
W. Curtis Preston:And then finally, uh, I guess I think it'll be finally, is take
W. Curtis Preston:a look at your master password.
W. Curtis Preston:Uh, you know, look at that table, um, that says, you know, uh, cuz basically
W. Curtis Preston:if your password, if your password manager is, um, you know, is guessable
W. Curtis Preston:in something measured in weeks or months or less than that, that's not good man.
Prasanna Malaiyandi:Yeah.
W. Curtis Preston:You know?
Prasanna Malaiyandi:And I think the other thing to mention is two things, right?
Prasanna Malaiyandi:We always talk about this enable two factor authentication or
Prasanna Malaiyandi:mfa where you can in addition,
W. Curtis Preston:you.
Prasanna Malaiyandi:right?
Prasanna Malaiyandi:Um, and then the other thing is even if you are using a password manager, if your
Prasanna Malaiyandi:password is like 10 years old, right?
Prasanna Malaiyandi:You probably do want to change it at some point, even though you're using a
Prasanna Malaiyandi:password manager, it's totally random.
Prasanna Malaiyandi:right.
Prasanna Malaiyandi:You do probably want to change it every once in a while.
Prasanna Malaiyandi:I'm guilty of this.
Prasanna Malaiyandi:I've actually started going through and changing passwords, but I
Prasanna Malaiyandi:realize, yeah, I haven't cycled some of these in a while, even though
Prasanna Malaiyandi:they're all randomly generated, but
W. Curtis Preston:Have I have I told you how many passwords I have?
Prasanna Malaiyandi:yes, you did.
W. Curtis Preston:It's, it's several hundred
Prasanna Malaiyandi:I thought, I thought in the podcast episode we
Prasanna Malaiyandi:did with Chris I think you both had a significant number of passwords.
Prasanna Malaiyandi:, let's put it like that.
W. Curtis Preston:Yeah, I think the only way I was able to do this,
W. Curtis Preston:because it doesn't list, doesn't show me in here like a number.
W. Curtis Preston:I had to, I had to actually export it and then, and then count the number of lines
W. Curtis Preston:in the file and then delete the file.
Prasanna Malaiyandi:Oh, Curtis.
W. Curtis Preston:Um, it's a lot.
W. Curtis Preston:I guess what I'm saying is it would take me a month to
W. Curtis Preston:update all my passwords, right?
W. Curtis Preston:Oh, but you know, by the way, Dashlane used used to have this really cool change
W. Curtis Preston:your password for you feature, and it worked at a lot of the popular websites.
W. Curtis Preston:They, they've abandoned that feature.
W. Curtis Preston:They said it was too hard to, to keep it updated.
W. Curtis Preston:Um, and.
W. Curtis Preston:Yeah.
W. Curtis Preston:Can you think of anything else we should be talking about
W. Curtis Preston:regarding this last pass thing?
Prasanna Malaiyandi:No.
W. Curtis Preston:Uh, I, I, one thing came to mind is, is if your company has
W. Curtis Preston:been the subject of some kind of hack of any kind, perhaps you should roam
W. Curtis Preston:around and look for scripts with, uh, you first change all your regular passwords.
W. Curtis Preston:And then roll around to see if you've got scripts with authentication crap in 'em.
Prasanna Malaiyandi:Or the other thing is change your passwords and then like
Prasanna Malaiyandi:if you're using aws, look at CloudWatch.
Prasanna Malaiyandi:It'll log when authentication failures happen.
Prasanna Malaiyandi:And now you can at least point yourself in the right direction of
Prasanna Malaiyandi:being like, Hey, I didn't know that.
W. Curtis Preston:And I'm assuming that the other providers have something
W. Curtis Preston:similar.
W. Curtis Preston:Right.
W. Curtis Preston:Um, it's
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:And hopefully you do have some form, form of auditing enabled in your
Prasanna Malaiyandi:systems to at least log failures
W. Curtis Preston:and
W. Curtis Preston:and by the way, that that's how uh, LastPass discovered was going on is they
W. Curtis Preston:had some stuff that was watching, right?
W. Curtis Preston:And they're like, we noticed some unusual activity in our account.
W. Curtis Preston:And, um, turns out somebody downloaded the backups of our stuff.
W. Curtis Preston:Ugh.
W. Curtis Preston:It's killing me, man.
W. Curtis Preston:Just killing me.
W. Curtis Preston:This is just a, just a really, uh, anyway, all right, well, um, on that
W. Curtis Preston:note, I hope that you're watching this on 120 inch screen If you,
W. Curtis Preston:if you're one of those who, if you only listen, you should check out
W. Curtis Preston:the, the, the, the video version we have over@backupcentral.com.
W. Curtis Preston:You get to see our, our beautiful faces and, and this and this.
W. Curtis Preston:The camera is in the wide shot.
W. Curtis Preston:Is my book in the wide shot?
W. Curtis Preston:Yeah Yeah it is.
W. Curtis Preston:Okay.
W. Curtis Preston:My book's in the wide shot.
W. Curtis Preston:So you can see a, the, the book is whoop.
W. Curtis Preston:There, there there is.
W. Curtis Preston:It's closer than it or than it normally is because I'm sitting in
W. Curtis Preston:the middle of the room because I'm, I, I thought I was gonna get baseboards
W. Curtis Preston:today and turns out I, I didn't.
W. Curtis Preston:Um, so all, everything, everything is in the middle of my.
W. Curtis Preston:It's, and I, and I've got like, literally, I have nowhere to move.
W. Curtis Preston:Like, regardless of which way I move, there's, there's something around me.
Prasanna Malaiyandi:Well, hopefully you'll value back to normal soon, Curtis.
W. Curtis Preston:Hopefully.
W. Curtis Preston:Hopefully.
W. Curtis Preston:All right, well thanks for, uh, listening folks.
W. Curtis Preston:And remember, remember to subscribe so that you can restore it all.