[langsec-discuss] lastpass hax - I think this is langsec

David Fetter david at fetter.org
Wed Jul 27 19:41:36 UTC 2016


On Wed, Jul 27, 2016 at 09:57:14AM -0700, travis+ml-langsec at subspacefield.org wrote:
> https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
> 
> Something about FSRs and parsing.

This brings up something that isn't actually in the realm of langsec,
but since it came up here, I'll set out a few thoughts here.

Even given supremely competent coding, which is not in evidence in
LastPass, does the act of creating a target with that high a value
/ipso facto/ make it more likely to be attacked successfully?  There's
some game theory and non-equilibrium economics here that I'm really
not competent to address.

Are there any formal ways to address such questions?  Obviously,
they're not strictly langsec, but since I'm such a n00b at matters
security, I just don't know even what keywords to start my search
with.

Help!

Best,
David.
-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david(dot)fetter(at)gmail(dot)com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

