The Dulin Report

Some thoughts on the latest LastPass fiasco

March 5, 2023

There are a few important lessons we can learn from the latest LastPass fiasco:

Apparently, the bad actors involved in those incidents also infiltrated a company DevOps engineer's home computer by exploiting a third-party media software package. They implanted a keylogger into the software, which they then used to capture the engineer's master password for an account with access to the LastPass corporate vault. After they got in, they exported the vault's entries and shared folders that contained the decryption keys needed to unlock the cloud-based Amazon S3 buckets holding customer vault backups.




First, let's dispense with the notion that password vaults like 1Password or LastPass are problematic. For as long as some applications and services rely on passwords, there is no better alternative for securing your online accounts.



Let's also dispense with the notion that using a personal computer for work is inherently problematic. BYOD policies are pretty standard and effective. The fact that the attackers infiltrated an engineer's home computer is irrelevant, and there is little evidence that employer-issued computers are any more secure.



An employer-issued computer cannot be trusted to be more secure than a personal one. Employers install software meant to monitor employees in the name of security. That software may include keyloggers.

Your work computer may be configured to route all network traffic via a corporate proxy or a SaaS security service. Your SSL traffic may be intercepted and, at the very least, logged. LastPass turned out to have vulnerabilities; who is to say that a SaaS security service is immune?



You will inevitably use your work computer for personal tasks. At the very least, you'll have to use it to set up your benefits and 401k and to upload copies of your government IDs. You may need to log on to check your pay stubs or download your tax documents. All of these personal activities are reasonable on a work computer. It may be far more likely that your personal passwords will leak out via your work computer than your employer's corporate secrets via your home computer!



It would be best if you were very paranoid. Bad actors and incompetent people will one day leak your private data; it is a matter of when, not if. There are things you can do, though.





  1. Configure MFA on your password vault. Do not use a software-based token generator or SMS for this. Use a phishing-resistant security key. I set up a YubiKey for my family 1Password account.

  2. When using your 1Password vault on a work computer, be aware that the second factor is only verified once, when a new device signs in. It is not used to decrypt your vault. Only install your vault on truly trusted devices. (Hint: your work computer isn't one of those devices; see my notes above.)

  3. Use MFA with all of your accounts. A YubiKey can be used as an OTP generator, but it can only manage ~32 secrets on one key. You also need to keep a backup. I configured a YubiKey as a second factor for my most sensitive accounts, including those used as SSO: Apple and Google — the rest I allow to be managed by 1Password.

  4. Always check the lock icon in the browser. This article from Opera explains how to use it better than I can.
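To make item 2 concrete, here is an added example (constructed for this post; it is not 1Password's or LastPass's code, and the HMAC-based stream cipher, function names and iteration count are assumptions of the example, not either product's real scheme). It models a vault where the TOTP check sits only on new-device sign-in, while the vault blob decrypts from a key derived solely from the master password, so whoever holds a vault backup plus the master password decrypts it with no second factor involved.

```python
import hashlib, hmac, secrets, struct

# Constructed model of a vault-style password manager (not 1Password's or LastPass's
# real scheme): TOTP is checked at sign-in, but the vault blob is decrypted locally
# with a key derived from the master password alone.
ITERATIONS = 100_000  # kept low so the demo runs quickly; real vaults use far more

def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Vault encryption key: a function of the master password and salt only."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream standing in for a real AEAD cipher.
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_vault(key: bytes, blob: bytes) -> bytes:
    """Decrypt a vault blob; raises if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def login_verifier(master_password: str, salt: bytes) -> bytes:
    """Server-stored sign-in verifier, domain-separated from the vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), b"login:" + salt, ITERATIONS, dklen=32)

def server_sign_in(verifier: bytes, master_password: str, salt: bytes, totp_ok: bool) -> bool:
    """The only gate that checks the second factor: signing in on a new device."""
    return hmac.compare_digest(login_verifier(master_password, salt), verifier) and totp_ok

def offline_decrypt(blob: bytes, salt: bytes, master_password: str) -> bytes:
    """What a holder of an exfiltrated vault backup can do: no TOTP is ever consulted."""
    return open_vault(derive_vault_key(master_password, salt), blob)

if __name__ == "__main__":
    salt, pw = secrets.token_bytes(16), "correct horse battery staple"
    blob = seal_vault(derive_vault_key(pw, salt), b"bank.example: hunter2")
    print(offline_decrypt(blob, salt, pw))  # decrypts with the master password alone
```

The takeaway for a device you do not fully trust: a keylogger that captures the master password has everything needed to read a copy of the vault, and the security key never gets a say.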




It's good to be paranoid about your online security. 



Employers are rightfully paranoid about corporate secrets being compromised by bad actors. Some of the worst data breaches were caused by employees. 



Employees, however, should be equally paranoid about their personal secrets being compromised for the same reasons. If corporate secrets can be leaked due to a colleague's mistake or malfeasance, so can your personal data entrusted to your employer.



Act accordingly and trust no one.