Slashdot Mirror


User: Seumas

Seumas's activity in the archive.

Stories: 0
Comments: 7,256

Comments · 7,256

  1. Re:They didn't pull a sony on LastPass Password Service Hacked · Score: 1

    The other slight concern would be that if you're using their printed personal grid as a second factor of authentication, any data breach might have included a copy of your personal grid, which they could then use. Of course, that would only be useful if they also brute-forced your password, since they have to be used in combination. The solution is simple enough - go into your account settings and generate/print a new personal authentication grid. Or . . . at least . . . do that when they aren't overloaded from all the traffic and you can access your settings.

  2. Re:If minding your own passwords is too hard... on LastPass Password Service Hacked · Score: 1

    By "minding your own passwords", do you mean "mentally keep a checklist of every password you use at every website and for every service you access in your head"? Or do you mean "use your own shit and hope it's secure on your machine and in whatever way you use to sync it to other machines that you access rather than a cloud service"?

  3. Bullshit article and submission. on LastPass Password Service Hacked · Score: 1

    LastPass released this information yesterday, and they did not state that they were hacked, as the submitter does, nor do they state that they were probably hacked, as the article does. They stated that there was a mismatch in the amount of traffic between some of the servers and that whenever this occurs, they do an investigation, which usually turns out to be nothing. They felt it was probably nothing, but since they were unable to (so far) determine exactly what accounted for the difference in data transfers, they wanted to take the safe road and enforce a password change on all accounts.

    ORIGINAL LASTPASS STATEMENT FROM MAY 4TH
    (source: http://blog.lastpass.com/2011/05/lastpass-security-notification.html)


    We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

    We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

    In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

    If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

    To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

    We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

    We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.

    For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our Asterisk phone server more open to UDP than it needed to be, which was an issue our auditing found, but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.

    We don't have a lot that indicates an i
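
    The quoted statement names the upgrade (PBKDF2 with HMAC-SHA256, a 256-bit salt, 100,000 rounds) and the threat it is meant to blunt (an attacker holding the salt and salted hash, guessing dictionary words offline, then logging in with the hit). The block below is an added example written for this mirror, not LastPass's code: it builds such a verifier with Python's standard library, runs the same constructed six-word dictionary against a one-pass salted SHA-256 record (an assumed stand-in for the pre-upgrade "salted password hashes", since the post does not give that scheme) and against the PBKDF2 record, and reports how many derivations each guess costs. The passphrase, wordlist and salts are constructed for the demo.

```python
"""Added example (not LastPass code): PBKDF2-HMAC-SHA256 verifier vs. offline dictionary guessing."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ROUNDS = 100_000   # iteration count named in the quoted statement
SALT_BYTES = 32    # 256-bit per-user salt, as announced


def new_record(password: str, rounds: int = ROUNDS, salt: Optional[bytes] = None) -> dict:
    """Server-side verifier: store the salt, the round count and the PBKDF2 output, never the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"kdf": "pbkdf2", "salt": salt, "rounds": rounds, "hash": digest}


def legacy_record(password: str, salt: bytes) -> dict:
    """Assumed pre-upgrade shape, used only for contrast: one salted SHA-256 pass.
    The post says just 'salted password hashes'; this is an illustrative stand-in."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return {"kdf": "sha256", "salt": salt, "rounds": 1, "hash": digest}


def derive(password: str, record: dict) -> bytes:
    """Recompute the stored hash for a candidate password using the record's own parameters."""
    pw = password.encode("utf-8")
    if record["kdf"] == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, record["salt"], record["rounds"])
    return hashlib.sha256(record["salt"] + pw).digest()


def verify(password: str, record: dict) -> bool:
    """Login check; constant-time comparison so timing does not leak matching prefixes."""
    return hmac.compare_digest(derive(password, record), record["hash"])


def dictionary_attack(record: dict, wordlist: List[str]) -> Tuple[Optional[str], int, int]:
    """What the quoted post worries about: the attacker holds salt + hash and guesses offline.
    Returns (recovered password or None, guesses tried, hash rounds spent).
    The salt stops precomputed tables; the round count multiplies the cost of every guess."""
    for tried, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(derive(guess, record), record["hash"]):
            return guess, tried, tried * record["rounds"]
    return None, len(wordlist), len(wordlist) * record["rounds"]


# Constructed wordlist for the demo; a real cracking list has millions of entries.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "monkey", "qwerty123"]


def demo() -> dict:
    """Weak word vs. a non-dictionary passphrase, under both record shapes (same salt for comparability)."""
    weak, strong = "monkey", "correct-horse-battery-staple-7x"   # constructed
    salt = os.urandom(SALT_BYTES)
    return {
        "legacy_weak": dictionary_attack(legacy_record(weak, salt), WORDLIST),
        "pbkdf2_weak": dictionary_attack(new_record(weak, salt=salt), WORDLIST),
        "pbkdf2_strong": dictionary_attack(new_record(strong, salt=salt), WORDLIST),
    }


if __name__ == "__main__":
    for label, (found, guesses, rounds_spent) in demo().items():
        print(f"{label}: found={found!r} after {guesses} guesses, {rounds_spent} hash rounds")
```

    The point the numbers make: the weak word falls under both schemes, but each guess against the PBKDF2 record costs 100,000 hash rounds instead of one, so a list that was cheap to exhaust becomes 100,000 times more expensive per user, and the per-user salt means that work cannot be shared across accounts. A passphrase that is not in the list survives either way, which is exactly the "strong, non-dictionary" advice in the statement; the email/IP verification the post describes is a separate online control that applies after a guess succeeds.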

  4. Re:Anticipated Hardware Specs on What Developers Want From the Wii's Successor · Score: 1

    The problem I found is that the only games that didn't completely suck were ones that required multiple people to enjoy. Even if the networking/chat stuff wasn't fucking embarrassingly lacking on the device, it wouldn't be the same as playing those games with people next to you. So the enjoyment factor and amount of use almost certainly relies completely on how many people you have around you who want to play videogames - and will. If you have few or none, it's a doorstop. And what it really comes down to is that it's a platform filled with mediocre or bad games only saved by the experience with half-drunk goofballs in your living room.

  5. Re:Anticipated Hardware Specs on What Developers Want From the Wii's Successor · Score: 1

    I don't expect the next Wii to be anything more than Nintendo catching up to 2005. Not that I particularly care, anymore. I was pretty excited when I bought mine, but thanks to all the grandmaware, momware, littlesisterware, and other general shovelware, I haven't touched mine since the week Boom Blox came out (three years ago). I couldn't even tell you where my Wii is, right now. I think it has been out in the garage in a box after moving a year ago. If I stumble across it, I might set it up just in case anyone ever wants to use it when they visit -- but if I don't . . . *shrug*.

  6. Re:Um, how on Google Wants Your Voice Data · Score: 1

    Your voicemails/transcriptions have a button you can check to mark whether or not it was accurate. Presumably, that is what they mean. Nobody besides *you* listens to them. On the other hand, if that is somehow not the case . . . . then . . . fuck no.

  7. Re:Mission Accomplished on Osama Bin Laden Reported Dead, Body In US Hands · Score: 1

    It's going to last forever, anyway. We've always been at war with Eastasia.

  8. Re:Mission Accomplished on Osama Bin Laden Reported Dead, Body In US Hands · Score: 1

    No, it will magically never ever *ever* go away, no matter what is ever done, because the government has a reasonable threat to wield over society and leveraged against their freedom from now until eternity.

    Also, really? People firing into the air and honking horns and crap because we killed one terrorist a decade later? I guess the local (insert commercial sports team whose accomplishments make us feel better about our own drab lives here) hasn't done much this week, so they have to get drunk and retarded over *something*.

  9. Re:so.. on Sony: 10 Million Credit Cards May Have Been Exposed · Score: 1

    You'll get an as yet unspecified piece of content for free, 30 days of PSN Plus (which gets you auto-downloaded patches and some DLC discounts, I guess - big deal), and 30 days of Qriocity.

    None of which I'm interested in. I'd rather they just assure me it won't happen again and clean up their shit, instead.

  10. Re:PCI Compliance required on Sony: 10 Million Credit Cards May Have Been Exposed · Score: 1

    You have to figure out what value there is in the computational power required to decrypt ten million records just to get access to the records which contain credit cards that haven't expired or been canceled already and aren't over their limit or otherwise hamstrung. I suspect it easily becomes more expensive than the payoff is worth. Especially since you still can't do anything with the information (without the security number on the back, you can't buy something online and without the physical card, you can't buy something in person). Maybe credit card thieves are more complicated than I understand, but it really doesn't sound like this is a high risk situation.

    If it was, I think the credit card companies themselves would be screaming from the top of the hills to get people to cancel their cards since they want credit card fraud even less than Sony (I presume).

  11. Re:Not news on Sony: 10 Million Credit Cards May Have Been Exposed · Score: 1

    Yeah, the Slashdot summary is (surprise) misleading. We already knew they probably got hold of credit card information and that while the user information was stupidly NOT encrypted, the credit card information *was*. So I'm not really sure what the concern is, even if they got ten million encrypted credit card records.

  12. Re:Ok on Sony: 10 Million Credit Cards May Have Been Exposed · Score: 1

    Microsoft is even worse about it than Sony. I used my credit card to buy some points on XBLA and add them to my account and then wanted to remove my credit card (because my XBLA subscription is paid ahead through 2013, so it's not like I'll need the card tethered to keep my subscription from lapsing).

    Unfortunately, Microsoft won't let you remove your credit card, unless you add another valid credit card, first.

  13. Re:Fundementally broken system on Sony: 10 Million Credit Cards May Have Been Exposed · Score: 2

    The big deal is that it will impact your credit score, which is as vital as the home you live in, the car you drive, the clothes you wear, and the size of your dick in modern society. If you have to file a fraud alert on your credit report to keep any trouble from arising, it'll likely ding your score. Also, when you call your credit card company, they probably won't just say "we'll wipe those out and send you a new card". My understanding (and the way it was when it happened to me a few years ago) was that even the act of simply *losing* a card -- that is, not knowing that it was stolen or used nefariously, but simply misplaced -- was enough to warrant them to close the account and open a new account for me. Closing or canceling accounts negatively impacts your credit score as does your current open accounts having a short life (since they'd be opened right after the other was closed).

  14. Re:Fundementally broken system on Sony: 10 Million Credit Cards May Have Been Exposed · Score: 1

    They do offer them for recurring transactions. It's just kind of a hassle, because you have to log in to the banking site, go to your credit card, go to the section that launches the generator app, generate some cards, write down the info, then go enter it in wherever you're making a purchase. Too many steps, but better than nothing.

    In fact, I just did this last night. I created a credit card that is tied to my real credit card that can only be used at CCP to pay for my EVE-Online accounts. It expires in 12 months and the exact amount that each account subscription costs per month can be deducted from the card every month and no more than that. Then, I have one for PSN and another for XBLA that have no monthly limits, but have a simple "life time" limit (but with a 12 month expiration).

    Again, a real hassle, but at least I know that if someone gets my information as part of a database theft, I am only exposed in as much as the total amount I have put on that card -- and even then, *only* payable to the company the data was stolen from. I hope for a simpler solution some day, but I can deal with it for now, versus the alternative of being totally screwed. :)

  15. Re:Fundementally broken system on Sony: 10 Million Credit Cards May Have Been Exposed · Score: 1

    That sounds like it's just a debit card, right? The same thing is done, here. You can get a debit card (although they still might not issue one to you if you don't have a decent credit score) and use it just like a credit card, but it takes the money out of your bank account directly instead of adding to a tab that you pay at the end of the month.

    But what do you do about safeguarding actual *credit card* transactions? Especially online ones? All you need to make a credit card based purchase is the card (in person) or the digits on the card (online). Most purchases online these days require the CV2 code from the back, but since that's on the physical card itself along with everything else, everyone you have ever handed your card to can know it and any place you've ever made a purchase from online can know it.

  16. Re:beating wrong horse on Sony: 10 Million Credit Cards May Have Been Exposed · Score: 1

    I use Bank of America. I know people talk a lot of trash about them, but I have had a good experience with them for about seven years, now. In fact, I moved 1500 miles away from home six years ago and Bank of America doesn't even have a branch in this state, but they are still my bank simply because it's too much bother to get another bank when I don't have any real gripes about my current one.

    Anyway, they offer ShopSafe, which is similar to what you describe. I never used it before, because it seemed like such a hassle. After this PSN breach (which contained my account info, too, but fortunately a credit card that expired as of yesterday, anyway, so no huge concern), I began to use the feature.

    The problem is that it only addresses online purchases that will be mailed. When I order groceries from Safeway and they take a copy of my physical real credit card, that exposes all of my information (enough that the person could then go online and make purchases). Same with ordering a pizza or any other countless services. But at least online, it's reduced a bit.

    I just hate that it involves logging into the BofA site, navigating to the credit card section, going to ShopSafe which is a tiny little applet that you have to scroll around just to view the contents of everything (I'm on a 2560x1600 monitor and the applet takes up maybe 200x300 pixels -- argh). Then I have to enter my security code from the back of my real card. Then I have to tell it what kind of card to generate (regular or subscription). Then I have to tell it how long it's good for and how much it's good for (per month or total). Then I have to write that information down. Then I have to go to the site I want to use it at and enter it. Then I have to go back to the applet through all those steps again if I want to modify it. I just did enough to pay my bills and the few services I pay for (github, rackspace, steam, etc) this weekend and even with just the regular payments I need to make, I wound up having to generate 17 "sub"-credit-cards. Ridiculous.

  17. Re: Enforce them for you on US Offered To Draft NZ 3-Strikes Law, Fund Copyright Initiative · Score: 4, Insightful

    You spelled 'liberation' wrong. :P

  18. Re:I'm outraged! on US Offered To Draft NZ 3-Strikes Law, Fund Copyright Initiative · Score: 2

    Corporations ARE people. They are deemed artificial persons with all the Constitutional protections and rights of 'real' people (and the added benefits of a corporation, to boot). The SCOTUS has upheld this in their previous decisions. Therefore, if a corporation is a person and you are a person, and this is a country of "we the people", then representing the interests of a Fortune 100 that happens to line the coffers of political campaigns and legislative actions becomes just as viable and just as much a duty of office as the interest of you and me. Well, more so, I suppose -- since I'm certainly not donating any finances to their campaigns.

    You and I may not agree with the concept of Corporate Personhood, but that doesn't change the reality of it.

  19. Re:I'm outraged! on US Offered To Draft NZ 3-Strikes Law, Fund Copyright Initiative · Score: 2

    Yes, but corporations are people, too. And, therefore, are also the people.

  20. Re:Jesus on US Offered To Draft NZ 3-Strikes Law, Fund Copyright Initiative · Score: 1, Redundant

    And enforce them for you.

  21. Come on. on US Offered To Draft NZ 3-Strikes Law, Fund Copyright Initiative · Score: 1

    If we're going to be imperialists, let's go all the way and at least get some land out of it so we can all benefit; not just the corporations!

  22. Re:Lisp? on Google Adds Speech To Newly Stable Chrome 11, Pays Big Bounty · Score: 1

    Seems like the Leave it to Beaver version should be written in Haskell.

    (Hey, what do you want, all the funny shit was taken.)

  23. Re:goatse's asshole charged with leaking on 3 Foxconn Employees Charged For Leaking iPad 2 Design · Score: -1, Offtopic

    You must be new here.

  24. Re:Miles O'Brien on Endeavour Crew To Be Interviewed Via YouTube · Score: 1

    How much O'Brien?

  25. Re:iPad has nothing to do with handwriting on The iPad's Progenitor — 123 Years Ago · Score: 1

    SLUTS! :P