Archive

The Dulin Report

Browsable archive from the WordPress export.

Results (45)

The future is bright Mar 30, 2025 On Amazon Prime Video’s move to a monolith May 14, 2023 One size does not fit all: neither cloud nor on-prem Apr 10, 2023 Some thoughts on the latest LastPass fiasco Mar 5, 2023 Comparing AWS SQS, SNS, and Kinesis: A Technical Breakdown for Enterprise Developers Feb 11, 2023 There is no such thing as one grand unified full-stack programming language May 27, 2022 Which AWS messaging and queuing service to use? Jan 25, 2019 Using Markov Chain Generator to create Donald Trump's state of union speech Jan 20, 2019 Adobe Creative Cloud is an example of iPad replacing a laptop Jan 3, 2019 Facebook is the new Microsoft Apr 14, 2018 Leaving Facebook and Twitter: here are the alternatives Mar 25, 2018 Rather than innovating Walmart bullies their tech vendors to leave AWS Jun 27, 2017 Architecting API ecosystems: my interview with Anthony Brovchenko of R. Culturi Jun 5, 2017 TDWI 2017, Chicago, IL: Architecting Modern Big Data API Ecosystems May 30, 2017 Online grocers have an additional burden to be reliable Jan 5, 2017 Windows 10: a confession from an iOS traitor Jan 4, 2017 What I learned from using Amazon Alexa for a month Sep 7, 2016 Why I switched to Android and Google Project Fi and why should you Aug 28, 2016 Amazon Alexa is eating the retailers alive Jun 22, 2016 In search for the mythical neutrality among top-tier public cloud providers Jun 18, 2016 What can we learn from the last week's salesforce.com outage ? May 15, 2016 Why it makes perfect sense for Dropbox to leave AWS May 7, 2016 Our civilization has a single point of failure Dec 16, 2015 IT departments must transform in the face of the cloud revolution Nov 9, 2015 Setting Up Cross-Region Replication of AWS RDS for PostgreSQL Sep 12, 2015 Top Ten Differences Between ActiveMQ and Amazon SQS Sep 5, 2015 What Every College Computer Science Freshman Should Know Aug 14, 2015 Ten Questions to Consider Before Choosing Cassandra Aug 8, 2015 Big Data Should Be Used To Make Ads More Relevant Jul 29, 2015 Book Review: "Shop Class As Soulcraft" By Matthew B. Crawford Jul 5, 2015 Attracting STEM Graduates to Traditional Enterprise IT Jul 4, 2015 Smart IT Departments Own Their Business API and Take Ownership of Data Governance May 13, 2015 Guaranteeing Delivery of Messages with AWS SQS May 9, 2015 We Need a Cloud Version of Cassandra May 7, 2015 The Clarkson School Class of 2015 Commencement speech May 5, 2015 Building a Supercomputer in AWS: Is it even worth it ? Apr 13, 2015 Ordered Sets and Logs in Cassandra vs SQL Apr 8, 2015 Microsoft and Apple Have Everything to Lose if Chromebooks Succeed Mar 31, 2015 Where AWS Elastic BeanStalk Could be Better Mar 3, 2015 Trying to Replace Cassandra with DynamoDB ? Not so fast Feb 2, 2015 Why I am Tempted to Replace Cassandra With DynamoDB Nov 13, 2014 Infrastructure in the cloud vs on-premise Aug 25, 2014 Cassandra: a key puzzle piece in a design for failure Aug 18, 2014 Cassandra: Lessons Learned Jun 6, 2014 Things I wish Apache Cassandra was better at Feb 12, 2014

Some thoughts on the latest LastPass fiasco

March 5, 2023

There are a few engaging lessons we can learn from the latest LastPass fiasco:




Apparently, the bad actors involved in those incidents also infiltrated a company DevOps engineer's home computer by exploiting a third-party media software package. They implanted a keylogger into the software, which they then used to capture the engineer's master password for an account with access to the LastPass corporate vault. After they got in, they exported the vault's entries and shared folders that contained decryption keys needed to unlock cloud-based Amazon S3 buckets with customer vault backups.




First, let's dispense with the notion that password vaults like 1Password or LastPass are problematic. For as long as some applications and services rely on passwords, there is no better alternative for securing your online accounts.



Let's also dispense with the notion that using a personal computer for work is inherently problematic. BYOD policies are pretty standard and effective. The fact that the attackers infiltrated an engineer's home computer is irrelevant, and there is little evidence that employer-issued computers are any more secure.



An employer-issued computer cannot be trusted to be more secure than a personal one. Employers install software meant to monitor employees in the name of security. That software may include key loggers. 



Your work computer may be configured to route all network traffic via a corporate proxy or a SaaS security service. Your SSL traffic may be intercepted and, at the very least, logged. Like LastPass exposed vulnerabilities, who is to say that a SaaS security service is immune?



One may inevitably use their work computer for personal tasks. At the very least, you'll have to use your work computer to set up your benefits and 401k and upload copies of your government IDs. You may need to log on to check your pay stubs or download your tax documents. All of these personal activities are reasonable on a work computer. It may be far more likely that your personal passwords will leak out via your work computer than your employer's corporate secrets via your home computer!



It would be best if you were very paranoid. There are bad actors and incompetent people who will one day leak your private data, and it will happen. There are things you can do, though.





  1. Configure MFA on your password vault. Do not use a software-based token generator or SMS for this. Use a phishing-proof security key. I setup a YubiKey for my family 1Password account.




  2. When using your 1Password vault on a work computer, be aware that the second factor is only verified on a new device once. It is not used to decrypt your vault. Only install your vault on truly trusted devices. (Hint: your work computer isn't one of those devices, see my notes above).




  3. Use MFA with all of your accounts. A YubiKey can be used as an OTP generator, but it can only manage ~32 secrets on one key. You also need to keep a backup. I configured YubiKey as a second factor for my most sensitive accounts, including those used as SSO: Apple and Google — the rest I allow to be managed by 1Password.




  4. Always check the lock icon in the browser. This article from Opera explains how to use it better than I can.




It's good to be paranoid about your online security. 



Employers are rightfully paranoid about corporate secrets being compromised by bad actors. Some of the worst data breaches were caused by employees. 



Employees, however, should be equally paranoid about their personal secrets being compromised for the same reasons. If corporate secrets can be leaked due to a colleague's mistake or malfeasance, so can your personal data entrusted to your employer.



Act accordingly and trust no one.

Last updated January 20, 2026. Return to home.