The Dulin Report

Some thoughts on the latest LastPass fiasco

March 5, 2023

There are a few lessons worth taking from the latest LastPass fiasco:

Apparently, the bad actors involved in those incidents also infiltrated a company DevOps engineer's home computer by exploiting a third-party media software package. They implanted a keylogger into the software, which they then used to capture the engineer's master password for an account with access to the LastPass corporate vault. After they got in, they exported the vault's entries and shared folders that contained decryption keys needed to unlock cloud-based Amazon S3 buckets with customer vault backups.

First, let's dispense with the notion that password vaults like 1Password or LastPass are problematic. For as long as some applications and services rely on passwords, there is no better alternative for securing your online accounts.

Let's also dispense with the notion that using a personal computer for work is inherently problematic. BYOD policies are pretty standard and effective. The fact that the attackers infiltrated an engineer's home computer is irrelevant, and there is little evidence that employer-issued computers are any more secure.

An employer-issued computer cannot be trusted to be more secure than a personal one. Employers install software meant to monitor employees in the name of security. That software may include keyloggers.

Your work computer may be configured to route all network traffic via a corporate proxy or a SaaS security service. Your SSL traffic may be intercepted and, at the very least, logged. Just as LastPass turned out to have vulnerabilities, who is to say that a SaaS security service is immune?

One may inevitably use their work computer for personal tasks. At the very least, you'll have to use your work computer to set up your benefits and 401k and upload copies of your government IDs. You may need to log on to check your pay stubs or download your tax documents. All of these personal activities are reasonable on a work computer. It may be far more likely that your personal passwords will leak out via your work computer than your employer's corporate secrets via your home computer!

It would be best if you were very paranoid. There are bad actors and incompetent people who will one day leak your private data; it is a matter of when, not if. There are things you can do, though.

  1. Configure MFA on your password vault. Do not use a software-based token generator or SMS for this. Use a phishing-proof security key. I set up a YubiKey for my family 1Password account.

  2. When using your 1Password vault on a work computer, be aware that the second factor is verified only once, when a new device is added. It is not used to decrypt your vault. Only install your vault on truly trusted devices. (Hint: your work computer isn't one of those devices; see my notes above.)

  3. Use MFA with all of your accounts. A YubiKey can be used as an OTP generator, but it can only manage ~32 secrets on one key. You also need to keep a backup. I configured YubiKey as a second factor for my most sensitive accounts, including those used as SSO: Apple and Google — the rest I allow to be managed by 1Password.

  4. Always check the lock icon in the browser. This article from Opera explains how to use it better than I can.
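The property behind item 2, that the second factor is checked once when a device is added and never enters vault decryption, modelled as an added example (constructed here; not 1Password's or LastPass's actual code, key derivation or storage format). The KDF iteration count and the HMAC-counter stand-in cipher are assumptions of this toy model.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed value for this toy model

def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Only the master password and a public salt enter key derivation."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               KDF_ITERATIONS, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real AEAD cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC the vault under the password-derived key."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_vault_key(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(master_password: str, blob: dict):
    """Returns the plaintext, or None; needs the master password and nothing else."""
    key = derive_vault_key(master_password, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong master password or tampered blob
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

class VaultService:
    """Server side: the second factor is checked once, when a device is added."""
    def __init__(self, blob: dict) -> None:
        self.blob, self.trusted_devices = blob, set()
    def enrol_device(self, device_id: str, second_factor_ok: bool) -> bool:
        if second_factor_ok:
            self.trusted_devices.add(device_id)
        return second_factor_ok
    def download_blob(self, device_id: str):
        # Once enrolled, a device syncs the blob with no further MFA prompt.
        return self.blob if device_id in self.trusted_devices else None
```

Because nothing but the master password enters derive_vault_key, the security key protects enrolment of a new device, not the vault contents once they have been synced to a device where the master password can be captured, which is why keeping the vault off untrusted devices matters.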

It's good to be paranoid about your online security.

Employers are rightfully paranoid about corporate secrets being compromised by bad actors. Some of the worst data breaches were caused by employees.

Employees, however, should be equally paranoid about their personal secrets being compromised for the same reasons. If corporate secrets can be leaked due to a colleague's mistake or malfeasance, so can your personal data entrusted to your employer.

Act accordingly and trust no one.