The Dulin Report

Browsable archive from the WordPress export.

Results (69)

On the role of Distinguished Engineer and CTO Mindset Apr 27, 2025 The future is bright Mar 30, 2025 My giant follows me wherever I go Sep 20, 2024 On Amazon Prime Video’s move to a monolith May 14, 2023 One size does not fit all: neither cloud nor on-prem Apr 10, 2023 Some thoughts on the latest LastPass fiasco Mar 5, 2023 Comparing AWS SQS, SNS, and Kinesis: A Technical Breakdown for Enterprise Developers Feb 11, 2023 Why you should question the “database per service” pattern Oct 5, 2022 Stop Shakespearizing Sep 16, 2022 Monolithic repository vs a monolith Aug 23, 2022 All developers should know UNIX Jun 30, 2022 Scripting languages are tools for tying APIs together, not building complex systems Jun 8, 2022 Java is no longer relevant May 29, 2022 There is no such thing as one grand unified full-stack programming language May 27, 2022 Best practices for building a microservice architecture Apr 25, 2022 In most cases, there is no need for NoSQL Apr 18, 2022 What programming language to use for a brand new project? Feb 18, 2020 TDWI 2019: Architecting Modern Big Data API Ecosystems May 30, 2019 Returning security back to the user Feb 2, 2019 Microsoft acquires Citus Data Jan 26, 2019 Adobe Creative Cloud is an example of iPad replacing a laptop Jan 3, 2019 The religion of JavaScript Nov 26, 2018 Let’s talk cloud neutrality Sep 17, 2018 A conservative version of Facebook? Aug 30, 2018 On Facebook and Twitter censorship Aug 20, 2018 What does a Chief Software Architect do? Jun 23, 2018 Facebook is the new Microsoft Apr 14, 2018 Quick guide to Internet privacy for families Apr 7, 2018 Node.js is a perfect enterprise application platform Jul 30, 2017 Design patterns in TypeScript: Chain of Responsibility Jul 22, 2017 I built an ultimate development environment for iPad Pro. Here is how. Jul 21, 2017 Singletons in TypeScript Jul 16, 2017 The technology publishing industry needs to transform in order to survive Jun 30, 2017 Rather than innovating Walmart bullies their tech vendors to leave AWS Jun 27, 2017 Copyright in the 21st century or how "IT Gurus of Atlanta" plagiarized my and other's articles Mar 21, 2017 Emails, politics, and common sense Jan 14, 2017 Windows 10: a confession from an iOS traitor Jan 4, 2017 Collaborative work in the cloud: what I learned teaching my daughter how to code Dec 10, 2016 Don't trust your cloud service until you've read the terms Sep 27, 2016 I am addicted to Medium, and I am tempted to move my entire blog to it Sep 9, 2016 What I learned from using Amazon Alexa for a month Sep 7, 2016 Why I switched to Android and Google Project Fi and why should you Aug 28, 2016 In search for the mythical neutrality among top-tier public cloud providers Jun 18, 2016 Files and folders: apps vs documents May 26, 2016 What can we learn from the last week's salesforce.com outage ? May 15, 2016 Why it makes perfect sense for Dropbox to leave AWS May 7, 2016 JEE in the cloud era: building application servers Apr 22, 2016 Managed IT is not the future of the cloud Apr 9, 2016 JavaScript as the language of the cloud Feb 20, 2016 OAuth 2.0: the protocol at the center of the universe Jan 1, 2016 Operations costs are the Achille's heel of NoSQL Nov 23, 2015 IT departments must transform in the face of the cloud revolution Nov 9, 2015 Top Ten Differences Between ActiveMQ and Amazon SQS Sep 5, 2015 What Every College Computer Science Freshman Should Know Aug 14, 2015 Ten Questions to Consider Before Choosing Cassandra Aug 8, 2015 Your IT Department's Kodak Moment Jun 17, 2015 Smart IT Departments Own Their Business API and Take Ownership of Data Governance May 13, 2015 We Need a Cloud Version of Cassandra May 7, 2015 Building a Supercomputer in AWS: Is it even worth it ? Apr 13, 2015 Ordered Sets and Logs in Cassandra vs SQL Apr 8, 2015 Exploration of the Software Engineering as a Profession Apr 8, 2015 What can Evernote Teach Us About Enterprise App Architecture Apr 2, 2015 Microsoft and Apple Have Everything to Lose if Chromebooks Succeed Mar 31, 2015 Where AWS Elastic BeanStalk Could be Better Mar 3, 2015 Docker can fundamentally change how you think of server deployments Aug 26, 2014 Infrastructure in the cloud vs on-premise Aug 25, 2014 Cassandra: a key puzzle piece in a design for failure Aug 18, 2014 Cassandra: Lessons Learned Jun 6, 2014 Things I wish Apache Cassandra was better at Feb 12, 2014

Some thoughts on the latest LastPass fiasco

March 5, 2023

There are a few engaging lessons we can learn from the latest LastPass fiasco:

Apparently, the bad actors involved in those incidents also infiltrated a company DevOps engineer's home computer by exploiting a third-party media software package. They implanted a keylogger into the software, which they then used to capture the engineer's master password for an account with access to the LastPass corporate vault. After they got in, they exported the vault's entries and shared folders that contained decryption keys needed to unlock cloud-based Amazon S3 buckets with customer vault backups.

First, let's dispense with the notion that password vaults like 1Password or LastPass are problematic. For as long as some applications and services rely on passwords, there is no better alternative for securing your online accounts.

Let's also dispense with the notion that using a personal computer for work is inherently problematic. BYOD policies are pretty standard and effective. The fact that the attackers infiltrated an engineer's home computer is irrelevant, and there is little evidence that employer-issued computers are any more secure.

An employer-issued computer cannot be trusted to be more secure than a personal one. Employers install software meant to monitor employees in the name of security. That software may include key loggers.

Your work computer may be configured to route all network traffic via a corporate proxy or a SaaS security service. Your SSL traffic may be intercepted and, at the very least, logged. Like LastPass exposed vulnerabilities, who is to say that a SaaS security service is immune?

One may inevitably use their work computer for personal tasks. At the very least, you'll have to use your work computer to set up your benefits and 401k and upload copies of your government IDs. You may need to log on to check your pay stubs or download your tax documents. All of these personal activities are reasonable on a work computer. It may be far more likely that your personal passwords will leak out via your work computer than your employer's corporate secrets via your home computer!

It would be best if you were very paranoid. There are bad actors and incompetent people who will one day leak your private data, and it will happen. There are things you can do, though.

Configure MFA on your password vault. Do not use a software-based token generator or SMS for this. Use a phishing-proof security key. I setup a YubiKey for my family 1Password account.

When using your 1Password vault on a work computer, be aware that the second factor is only verified on a new device once. It is not used to decrypt your vault. Only install your vault on truly trusted devices. (Hint: your work computer isn't one of those devices, see my notes above).

Use MFA with all of your accounts. A YubiKey can be used as an OTP generator, but it can only manage ~32 secrets on one key. You also need to keep a backup. I configured YubiKey as a second factor for my most sensitive accounts, including those used as SSO: Apple and Google — the rest I allow to be managed by 1Password.

Always check the lock icon in the browser. This article from Opera explains how to use it better than I can.

It's good to be paranoid about your online security.

Employers are rightfully paranoid about corporate secrets being compromised by bad actors. Some of the worst data breaches were caused by employees.

Employees, however, should be equally paranoid about their personal secrets being compromised for the same reasons. If corporate secrets can be leaked due to a colleague's mistake or malfeasance, so can your personal data entrusted to your employer.

Act accordingly and trust no one.