This comes immediately after 1P's forced transition away from local app with local storage to Web app with cloud storage, and assurances that their security stance and practices would make a breach unlikely. If they had stuck with the old model, a breach would have no chance of impacting users, but now, we're left scratching our heads and speculating about the true extent of the damage.
Well, since 1P clients are not open source, you always have to trust that they implement their white paper correctly; this is true regardless of whether it's before or after the transition.
Now, if you do trust them, then you should believe them when they say that "IdP is only used for authenticating downloads of _encrypted_ secrets and the decryption only happens on device with a local credential", in which case a breach of IdP still would have no chance of impacting users.
I have a lot of rants about this transition, but the storage location of encrypted data is never something I worry about. In the past it was my personal iCloud/Dropbox accounts, now it's my 1Password.com account. Am I missing something?
Getting access to this data is the holy grail for attackers - it is preposterous not to have a local-only or "saved on iCloud only" model. Clearly the only reason they removed this ability was the juicy, juicy subscription revenue, which requires them to hold the data.
They may have avoided a breach this time but have they previously been breached? Will they be breached in future? The possibility of each is non-zero.
Needless to say, I'm still using the older version and am planning how to transition once it stops working after an OS update.
People have long lost the difference in meaning between "security" and "convenience". They now believe the two are interchangeable.
Not sure they're wrong. There are so many IT departments and websites that force dumb practices which are detrimental to both: frequent password changes, required low-entropy recovery question options, etc. And then on the other side, some really convenient flows with reasonable security, e.g. streaming apps that show you a short temporary credential you can copy from your Roku's screen to your signed-in computer/phone rather than requiring you downgrade your permanent password to something easier to enter on the Roku keyboard. So while fundamentally you're right that "security" and "convenience" are in tension, in practice I think the bigger factor is competence and care of the dev and admin teams.
Securing a large organization populated by regular human beings is extremely difficult, and is an exercise in balancing theoretical security with convenience.
Okta and 1Pass are incredibly well designed and the companies do all of the right things when it comes to security and audit processes.
I know that troubleshooting for pwms is hard, but leaving unencrypted files to access accounts on a server that’s not governed by the same threat-model seems very negligent to me.
I then have a BTC node that will send me an SMS if those coins ever move.
That's one expensive alert.
then just alert yourself when the native asset is moved to that address, because then someone is trying to sweep. your node can also send some of the same asset faster at a higher transaction fee and move all of your tokens somewhere safe
people already do this
mostly as a scam to take the tiny amount of funds that thieves send to try to move the more lucrative bounty
you can take this one step further and have many assets worth sweeping, including assets that merely look like lucrative tokens. one of those is backdoored so that the transfer() function is nonstandard and transfers all the assets out of the attacker's address when they try to move yours. or you can at least get just your own assets back if you want to be morally superior, moved to a safe address. this won't work if they don't take your backdoored token though. but all other parts about intercepting your assets before accepted into a block still would.
Why not fill the vault with canary accounts and tokens instead? There’s services that do it for you.
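The canary idea in the comment above, as an added example that is not code from the thread or from any of the products it mentions: a few vault entries point at accounts that exist only on a host you control and are never used legitimately, so any sign-in attempt with one of them is a signal that the vault contents were read. The usernames, the JSON log format and the sample lines below are constructed for this example.

```python
import json
from collections import defaultdict

# Usernames seeded into the vault as canaries. They belong to accounts on a host
# you control that exist for no other purpose, so every sign-in attempt with one
# of them means someone read the vault. Names are constructed for this example.
CANARY_USERS = {"svc-backup-audit", "j.doe.finance", "legacy-vpn-admin"}


def parse_event(line):
    """Parse one JSON auth log line; return None for lines the monitor cannot read."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    # Skip records missing the fields we alert on rather than crashing the monitor.
    if not {"ts", "user", "src_ip", "result"}.issubset(ev):
        return None
    return ev


def scan_login_events(log_lines, canary_users=CANARY_USERS):
    """Return one alert per attempt that used a canary username, whatever the outcome.

    A failed attempt is as interesting as a successful one: the canary password
    in the vault may have been rotated, but the username alone proves the read.
    """
    alerts = []
    for line in log_lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["user"] in canary_users:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "src_ip": ev["src_ip"], "result": ev["result"]})
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source address so one leak shows up as one incident, not N pages."""
    by_ip = defaultdict(list)
    for a in alerts:
        by_ip[a["src_ip"]].append(a["user"])
    return {ip: sorted(set(users)) for ip, users in by_ip.items()}


# Constructed sample of the auth log on the canary host (documentation addresses only).
SAMPLE_LOG = [
    '{"ts": "2023-10-20T01:02:03Z", "user": "alice", "src_ip": "10.0.0.5", "result": "success"}',
    '{"ts": "2023-10-20T01:05:41Z", "user": "svc-backup-audit", "src_ip": "203.0.113.7", "result": "failure"}',
    '{"ts": "2023-10-20T01:05:58Z", "user": "j.doe.finance", "src_ip": "203.0.113.7", "result": "success"}',
    'not json at all',
    '{"ts": "2023-10-20T02:11:09Z", "user": "legacy-vpn-admin", "src_ip": "198.51.100.9", "result": "failure"}',
    '{"ts": "2023-10-20T02:30:00Z", "user": "bob", "src_ip": "10.0.0.6", "result": "success"}',
]

if __name__ == "__main__":
    found = scan_login_events(SAMPLE_LOG)
    for ip, users in summarize_by_source(found).items():
        print(f"ALERT: canary accounts {users} used from {ip}")
```

The host that owns the canary accounts does the logging; the vault itself sees nothing, which is the point: the alert fires even if the vault provider never notices or never tells you.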
Sorry man, I dunno if this is a weird flex or what, but it's kind of ridiculous to leave $15K of bitcoin as a canary for your password manager. Gotta call a spade a spade.
I don't think that is a bad idea. It can be a cheaper one or a replica. The idea is it's a small price to pay when being deceived costs far more.
I'm curious whether companies have faced this hard reality and decided that buying liability insurance + doing things inhouse is more economical & better for business.
Now, sure, technically there may be circumstances when you can technically/legally shift liability. But your customers don't care - they have the relationship with you. So the third party's problems are your problems.
IF that were true. No way would it be cost effective at my company to try to internally reimplement 1Password's functionality though. I also would not trust it to be more reliable or more secure than 1Password.
For large companies, however, it seems like a liability, but I would hope an IdP would still be more competent, on average, than internal IT staff (obviously there are tech companies that have needed to deal with this for a long time with success). If a large business’s competency is not tech, there is some likelihood they can’t evaluate the robustness of their IT infrastructure.
That’s not a reason. Haven’t you read any terms of service and user agreements? The vendor never accepts responsibility.
So the culprit seems to have been the session information in the har. It made me wonder a few questions. What were they troubleshooting with Okta that required sending a har over, of their own interaction with Okta. And why are the session lengths so long, wouldn't Okta dogfood and use their own JWTs with limited lifetime?
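Since the comment above points at session data inside a HAR file, here is an added example (not code from the thread, from Okta or from 1Password) of what a support workflow should do before a HAR leaves the machine: redact cookies, authorization headers and session-bearing query or form parameters in every entry, including the copy of the query string embedded in the request URL. The header and parameter name lists are assumptions chosen for this example, and the sample HAR is constructed with documentation-only hostnames and fake token values.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names and cookie/query keys whose values should never leave the machine.
# These lists are assumptions for this example; extend them for your own apps.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key"}
SENSITIVE_PARAMS = {"token", "session", "sessiontoken", "sid",
                    "access_token", "id_token", "code"}
REDACTED = "[REDACTED]"


def _redact_pairs(pairs, sensitive_names):
    """Overwrite the value of every HAR name/value pair whose name is sensitive."""
    count = 0
    for pair in pairs:
        if pair.get("name", "").lower() in sensitive_names:
            pair["value"] = REDACTED
            count += 1
    return count


def _redact_url(url):
    """Rewrite sensitive query parameters in the URL itself; HAR stores them twice."""
    parts = urlsplit(url)
    cleaned, changed = [], False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            cleaned.append((name, REDACTED))
            changed = True
        else:
            cleaned.append((name, value))
    if not changed:
        return url, 0
    return urlunsplit(parts._replace(query=urlencode(cleaned))), 1


def sanitize_har(har):
    """Return (deep copy of the HAR with secrets redacted, number of fields redacted)."""
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        for msg in (req, resp):
            count += _redact_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            # HAR carries parsed cookies separately from the Cookie/Set-Cookie headers.
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
                count += 1
        count += _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        count += _redact_pairs(req.get("postData", {}).get("params", []), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            count += n
    return clean, count


# Constructed sample HAR: one request with a session cookie, an API token and a
# session id in the query string; all values are fake.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://example.okta-tenant.invalid/api/v1/users/me?sid=abc123",
                "headers": [
                    {"name": "Host", "value": "example.okta-tenant.invalid"},
                    {"name": "Cookie", "value": "sid=abc123; DT=xyz"},
                    {"name": "Authorization", "value": "SSWS 00fakeapitoken"},
                ],
                "cookies": [{"name": "sid", "value": "abc123"}],
                "queryString": [{"name": "sid", "value": "abc123"}],
            },
            "response": {
                "status": 200,
                "headers": [
                    {"name": "Content-Type", "value": "application/json"},
                    {"name": "Set-Cookie", "value": "sid=def456; Secure; HttpOnly"},
                ],
                "cookies": [{"name": "sid", "value": "def456"}],
            },
        }],
    }
}

if __name__ == "__main__":
    sanitized, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} fields")
    print(json.dumps(sanitized, indent=2))
```

Redaction only limits what a leaked file can do; the session it captured is still live on the server, so the other half of the control is the one the comment asks about: short session lifetimes, and revoking the session once the file has been shared.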
Someday it will be much, much worse. Someday someone will manage to breach and take control of a bigger one in a bigger way, and will instantly gain root on a large subset of the entire computing ecosystem. There's a trend of even delegating things like ssh to systems under OIDC control, so I'm not using root metaphorically.
But hey, OIDC is convenient and that's all that matters in computing.
It’d be based on keys you control so there’s no way someone could hack some master database or key authority and own the entire universe. That’s a distinct possibility today.
Plausible scenario: highly sophisticated nation-state-sponsored break at Google with cooperation from inside, used to launch a sudden mass malware infection attack against hundreds of millions of systems.
It's odd that they wrote that right out there on an incident report publicly shared and related to such a high profile potential breach though; for something like this it really has to be more of a 1st step triage than a definitive nope, nothing weird here...
Or is something like 1Password truly secure at its core, even if an attacker penetrates some layers of access?
With that said, there are a lot of rebuttals to this that begin with "but, that assumes..." that I'm sure some of our fellow HN peeps will point out here :)
Any other takes?
1. because people want to know if their for-money proprietary password storage company got hacked
2. because if in the future they actually get owned, "oh yeah, it sorta happened another time also but we didn't say anything" is a terrible look
Does not mean it didn’t happen
Also, don't use 1Password or LastPass. KeePassXC, PasswordSafe, Dashlane, or properly-configured Bitwarden.
Doesn’t seem like a particularly strong counter-argument, unless the point is that sometimes we humans like to err on the side of recklessness in the name of progress.
or the harmful effects were missed, and the drug is dangerous
It just simply isn't worth the investment for CIO/CTO/CISO types because it isn't sexy. To say it's impossible is just factually inaccurate.
I know more than a few places doing 40 Gbps and 100 Gbps full packet capture for 30+ days. And relatively speaking, the investment isn't that large (for tens of petabytes it isn't as expensive as you might think).
Complacency will result in more leaks and less knowledge of them maybe?
I reckon “passwords on a notepad in pen and ink” is safer plus passkeys like yubi.
If someone breaks into your home you've got other concerns..
simultaneously, Okta seems rather bad at their job of not getting hacked and having proper fucking audit logs
Anyone else?
Wow.
In general I would regard anyone using a password manager that uses a cloud service and/or phones home to be unreasonable. But even if you believe that this is a good idea, at this point everyone should drop 1Password as they clearly do not have the competence to run such a service.