Merry Christmas, everybody! I’ve been meaning to get back to this newsletter earlier, but to be honest, it was just not possible. I was very busy in the last few days finishing up work that had to get done before the holiday break. This included two episodes of my podcast The Private Citizen, one on the Twitter Files and the suppression of the Hunter Biden laptop story and another one where I respond to listener feedback. I’ve also recorded a third episode, my customary end-of-year review, but that one is only coming out in a few days. And I’ve published that blog post I had written about in the previous issue.
All this work together with an attempt at getting back into exercise after my severe cold (see the photo above for some impressions of my first run afterwards, in the snow) left me little time for anything else, including this newsletter. Accordingly, I’ve probably missed a few stories, but here’s a recap of some of the stuff that I’ve read, and found the most interesting.
The Lastpass Breach
Lastpass, one of the most popular password managers, got hacked again. And around Christmas time too, what a happy surprise for everyone involved! This latest hack seems to have been somewhat of a continuation of the security breach at the company that was disclosed earlier this year in August.
On August 25, 2022, LastPass published a blog post notifying customers that a third party gained unauthorised access to portions of their development environment, source code, and technical information through a single compromised developer account. To address the situation, LastPass deployed containment and mitigation measures and implemented additional enhanced security measures. No personal information or user passwords were compromised. LastPass disclosed updates to the security breach in November 2022 and cited that some customer data were accessed by a third party. LastPass assured that passwords stored with the service were still secure, as encryption and decryption of passwords takes place on the user’s device.
On December 22, LastPass revealed that a threat actor obtained both a backup of customer data and a vault with the main password database, by using some of the information obtained in previous attacks. The customer data included customers' names, billing addresses and phone numbers, email addresses, IP addresses and partial credit card numbers. The main password vault contained, for each breached user, the user's unencrypted website URLs and site names, and the encrypted usernames, passwords and form data for those sites. The LastPass blog suggested that it would take millions of years to decrypt the passwords, providing a strong master password was used, and the default number of rounds of encryption were applied.
A few notes here:
We do not know which, and how many, customers were affected.
Lastpass did not encrypt the website URLs that passwords are associated with. This is either a major, very embarrassing oversight, or something that was possibly done at the behest of US intelligence agencies to be able to monitor what websites people use and possibly make it easier to attack specific encrypted passwords for high-value sites.
The “millions of years to decrypt the passwords” the company mentions have an important caveat: “providing a strong master password was used”. Experience tells us that, against all advice, a significant number of users will not have complied with that. Also: Some IT security experts are of the opinion that it might be possible to crack even moderately secure master passwords with the help of rented cloud computing infrastructure.
Since the hackers have the account email addresses of Lastpass users and the plaintext domains associated with their passwords, Lastpass users now need to be extremely wary of phishing emails. These will look like they come from Lastpass or the website in question and prompt users to change compromised passwords for domain logins managed with Lastpass. DO NOT CLICK ON LINKS IN EMAIL. And if you must, always carefully check the URL of the site you’re being directed to.
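To put the two caveats (master password strength and the number of key derivation rounds) into numbers, here is a small cost model I have added for this issue; it is not code from LastPass or from anyone quoted here. It assumes the vault key is derived from the master password with PBKDF2-SHA256, and the GPU throughput, GPU count, password shapes and iteration counts (100,100 for a current default account, 5,000 for an older account whose setting was never raised) are my own rough assumptions for illustration.

```python
import math

# Rough assumptions for the illustration (not figures from LastPass or from
# the articles quoted in this issue): HMAC-SHA256 throughput of one rented
# GPU, and how many GPUs an attacker rents. Adjust to your own threat model.
HMAC_SHA256_PER_SEC_PER_GPU = 4e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random from the given alphabet."""
    return length * math.log2(alphabet_size)


def guesses_per_second(iterations: int, gpus: int = 1) -> float:
    """Under PBKDF2 every master-password guess costs `iterations` HMAC-SHA256
    calls, so raising the iteration count slows an attacker down linearly."""
    return gpus * HMAC_SHA256_PER_SEC_PER_GPU / iterations


def expected_crack_seconds(bits: float, iterations: int, gpus: int = 1) -> float:
    """Expected time to find the master password: on average half the keyspace
    has to be tried before the right guess decrypts the vault."""
    return 2 ** (bits - 1) / guesses_per_second(iterations, gpus)


def expected_crack_years(bits: float, iterations: int, gpus: int = 1) -> float:
    return expected_crack_seconds(bits, iterations, gpus) / SECONDS_PER_YEAR


def scenarios(gpus: int = 1000) -> dict:
    """Compare a weak and a strong master password under an old and a current
    PBKDF2 iteration count (assumed values: 5,000 and 100,100)."""
    # 8 random lowercase letters (~37.6 bits). A human-chosen password that
    # appears in a wordlist is far weaker than even this.
    weak = entropy_bits(8, 26)
    # 16 random characters from letters, digits and symbols (~98.7 bits).
    strong = entropy_bits(16, 72)
    return {
        "weak_pw_5000_iters_years": expected_crack_years(weak, 5_000, gpus),
        "weak_pw_100100_iters_years": expected_crack_years(weak, 100_100, gpus),
        "strong_pw_5000_iters_years": expected_crack_years(strong, 5_000, gpus),
        "strong_pw_100100_iters_years": expected_crack_years(strong, 100_100, gpus),
    }


if __name__ == "__main__":
    for name, years in scenarios().items():
        print(f"{name:30s} {years:12.3g} years")
```

With these assumptions the weak password falls in minutes regardless of the iteration count, while the strong one stays out of reach for far longer than "millions of years": the iteration count only buys a constant factor, the master password buys exponents.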
Here’s an analysis of the whole thing from someone who, despite the name, knows what they are talking about:
LastPass attackers know your name and billing address and all websites you have saved passwords for, and if your master password isn't sufficiently strong it may be possible to brute-force open everything on the attacker's machines. The fact LastPass doesn't encrypt website URLs is a known flaw it appears they never fixed on purpose, going back almost 6 years. This eventual possible security breach was planned-for as part of LastPass' design for username and password protection. This doesn't break the core offering. But it has stripped away multiple layers of protection and will hasten my looking at Bitwarden.
It's impossible to be completely secure in a massive offering. However I have always disagreed with their decision to not 100% encrypt all metadata, and this event shows that was a foolish choice when seen against the inevitability of the entropy of our complex electronic systems. In the end, a password manager is still the right choice in comparison to the alternative. And a cloud-native offering like LastPass strongly hedges against data loss by normal users trying to manage their own vault. That is an undersold primary risk, not hackers. Still, very disappointed.
What to do now:
If you use Lastpass and your master password isn’t up to snuff, to be safe, you will have to change the passwords of all sites managed with the service. And the master password, of course.
If you think your master password was secure enough, be on the lookout for phishing mails (as mentioned above).
Since Lastpass is getting hacked an awful lot (being so popular, they are simply a juicy target everyone knows about) and did not exactly inspire confidence by not encrypting all metadata, you might want to switch providers. I used to use Lastpass years ago and I value the convenience of a cloud service with integrations into browsers and mobile apps greatly. I switched to 1Password and can recommend it.1
Turn on two-factor authentication for everything you can. It’s the easiest and most convenient thing you can do that provides by far the most protection.
None of this is an argument to stop (or never start) using password managers. USE A PASSWORD MANAGER!
Ukraine Developments
While Ukrainian president Zelensky is in Washington, projecting resolve by being dressed in combat gear and drumming up war support by giving propaganda speeches, Russia is shelling the areas recently lost to the Ukrainian advance and, apparently, might be preparing for a renewed offensive.
Moscow has been setting conditions for a new course of action — a renewed invasion of northern Ukraine possibly aimed at Kyiv — since at least October 2022. This course could be a Russian information operation or could reflect Russian President Vladimir Putin’s actual intentions. Currently available indicators are ambivalent — some verified evidence of a Russian buildup in Belarus makes more sense as part of preparations for a renewed offensive than as part of ongoing exercises and training practices, but there remains no evidence that Moscow is actively preparing a strike force in Belarus. Concern about the possibility that Putin might pursue this course is certainly not merely a Ukrainian information operation intended to pressure the West into supplying Kyiv with more weapons, as some Western analysts have suggested. ISW continues to assess that a renewed large-scale Russian invasion from Belarus is unlikely this winter, but it is a possibility that must be taken seriously.
Some milbloggers have been speculating about the likelihood of a renewed Russian attack on northern Ukraine since at least October 2022. Prominent Russian Telegram channel Rybar, whose author is currently part of Putin’s mobilization working group, stated on October 20 that there were rumors of an “imminent” Russian offensive operation on Lviv, Volyn, Kyiv, Chernihiv, or Kharkiv. Another milblogger claimed on October 20 that joint forces in Belarus are too small to attack Kyiv but stated that he would not object if Russian forces attacked Chernihiv City.
Meanwhile, German public broadcaster Tagesschau published an interview with an “expert on security policy” in regard to Germany’s reluctance to supply war materiel to Ukraine. The story is titled “the Americans are doing things, while Germany talks”. I found this extremely telling, because in the German original, the title can be expanded to “the Americans are waging war, while Germany talks about it”2. As if waging war (killing people) actually was better than talking about it — or at least talking it through beforehand.
It is amazing to me how warmongering these headlines have become. Especially in a country with Germany’s history. As if Germany hasn’t waged enough war in its time already.
FTX Founder in FBI Custody, Inner Circle Admits Fraud
I’ve reported on the FTX disaster before. From the very beginning of that story, I suspected that fraud was involved with the catastrophic collapse of what was formerly the world's third-largest crypto currency exchange. This now seems to have been confirmed.
Two members of Samuel Bankman-Fried's inner circle have pleaded guilty to defrauding equity investors in the moribund FTX cryptocurrency trading platform. Yesterday the US Securities and Exchange Commission announced that it was charging Gary Wang, former CTO and co-founder of FTX, and Caroline Ellison, former CEO of sister company Alameda Research, with fraud. This was followed by a statement from US Attorney for the Southern District of New York Damian Williams that said Ellison and Wang had admitted to their roles in the frauds that contributed to the collapse of FTX. He added that they are "both cooperating" with the investigation.
Williams also said: "Samuel Bankman-Fried is now in FBI custody and is on his way back to the United States. He will be transported directly to the Southern District of New York and he will appear in court before a judge in this district as soon as possible." The co-founder and CEO of FTX had gone to ground at his luxury private apartment complex in the exclusive Albany community in the Bahamas as his world came crashing down around him. He was arrested by Bahamian police on Monday last week and an extradition request by Uncle Sam followed swiftly. "Many individuals in the Bahamas and in the United States contributed to the swiftness of the defendant's return and I want to thank the Bahamas for its outstanding assistance and excellent coordination with us," Williams added.
It sounds like the team at FTX was running a now very common kind of crypto currency scam: They issued their own crypto currency, inflated its price artificially, which in turn inflated the valuation of their company. Then, when people invested in this fantasy, they diverted a lot of the money to another company to get rich off it. A classic Ponzi scheme, adapted for the 21st century.
As for Wang and Ellison, the SEC contends that between 2019 and 2022, "Ellison, at the direction of Bankman-Fried, furthered the scheme by manipulating the price of FTT, an FTX-issued exchange crypto security token, by purchasing large quantities on the open market to prop up its price. FTT served as collateral for undisclosed loans by FTX of its customers' assets to Alameda, a crypto hedge fund owned by Wang and Bankman-Fried and run by Ellison. The complaint alleges that, by manipulating the price of FTT, Bankman-Fried and Ellison caused the valuation of Alameda's FTT holdings to be inflated, which in turn caused the value of collateral on Alameda's balance sheet to be overstated, and misled investors about FTX's risk exposure."
The complaint also alleges that "from at least May 2019 until November 2022, Bankman-Fried raised billions of dollars from investors by falsely touting FTX as a safe crypto asset trading platform with sophisticated risk mitigation measures to protect customer assets and by telling investors that Alameda was just another customer with no special privileges; meanwhile, Bankman-Fried and Wang improperly diverted FTX customer assets to Alameda. The complaint alleges that Ellison and Wang knew or should have known that such statements were false and misleading." The complaint alleges that Wang created FTX's software code that allowed Alameda to divert FTX customer funds, and Ellison used misappropriated FTX customer funds for Alameda's trading activity. The complaint further alleges that, even as it became clear that Alameda and FTX could not make customers whole, Bankman-Fried, with the knowledge of Ellison and Wang, directed hundreds of millions of dollars more in FTX customer funds to Alameda.
Sanjay Wadhwa, deputy director of the SEC's Division of Enforcement, added: "As alleged, Mr Bankman-Fried, Ms Ellison, and Mr Wang were active participants in a scheme to conceal material information from FTX investors, including through the efforts of Mr Bankman-Fried and Ms Ellison to artificially prop up the value of FTT, which served as collateral for undisclosed loans that Alameda took out from FTX pursuant to its undisclosed, and virtually unlimited, line of credit. By surreptitiously siphoning FTX's customer funds onto the books of Alameda, defendants hid the very real risks that FTX's investors and customers faced."
And like archetypal old-school Wall Street type bad guys, these people of course weren’t subtle about the whole thing.
The fluffy-haired 30-year-old former billionaire had a peculiar way of addressing the collapse of crypto's once most trusted exchange, participating in various Q&A sessions on Twitter. Just in April, the FTX-Alameda crew had hosted dignitaries such as Tony Blair and Bill Clinton at the Crypto Bahamas invitation-only conference. The execs' lifestyle was reportedly decadent.
In Other News
Microsoft says that gobbling up Activision is actually good for gamers. LOL. 🤣
Microsoft has put forward its argument against the US trade regulator's attempt to block its massive purchase of games dev Activision Blizzard from going through, claiming the deal would be good for consumers. "The acquisition of a single game (Call of Duty) by the third-place console manufacturer cannot upend a highly competitive industry," Microsoft claimed in its response to the antitrust lawsuit filed by the US Federal Trade Commission (FTC) a fortnight ago.
Sony earlier complained that Microsoft was essentially building itself a backdoor to making Call of Duty exclusive to Xbox and PC gamers. It also claimed Microsoft could use the game to unfairly promote its Xbox Game Pass streaming service. Microsoft worked hard to dispel this idea, and just weeks ago was battling to fend off FTC scrutiny, with President Brad Smith writing an op-ed in the Wall Street Journal saying gamers would get more options post-close. Days after, Smith reportedly traveled to the capital city to meet with FTC members to persuade them not to sue Microsoft over the deal.
Even though black track suits with three white stripes seem to have replaced normal street wear for large parts of the population in Europe, Adidas reportedly isn’t doing so well. And it seems to be mostly the fault of Yeezus.
When Adidas ended its lucrative partnership with Kanye West in October after a global outcry over his anti-Semitic remarks, former managers felt they had finally been vindicated. Top staff had warned internally for years that the German sportswear group was over-reliant on the Yeezy trainers franchise it ran with the US rapper and fashion designer also known as Ye. “Behind the scenes, things with Ye were bad already for a long time,” one former manager told the Financial Times. “He was constantly misbehaving — changing his mind, postponing projects, not respecting Adidas timelines.”
Founded in 1949 by Adolf “Adi” Dassler, whose brother Rudolf launched Puma the same year, Adidas has risen to become the world’s second-biggest sportswear company, behind Nike. But when longstanding Puma boss Björn Gulden steps up to the top job at Adidas next month, he will inherit from Kasper Rørsted a company in crisis whose shares have plunged 54 per cent in a year. Ye’s departure, a move set to erase half the group’s 2022 earnings that was announced alongside a third profit warning in four months, came on the back of two other shocks — a sales plunge in China and its withdrawal from Russia, another important Adidas market. “We have lost three profit pools in one year,” said one senior manager. Some Adidas alumni, meanwhile, claim the company’s problems have been exacerbated by poor decision-making and a toxic leadership culture. In interviews with 17 current and former executives, many of those who have left the company said Rørsted and his board had positioned Adidas poorly to weather the storm, firing key personnel and becoming over-reliant on the Yeezy cash cow. They also claimed the outgoing chief’s “management by fear” had traumatised staff and led to an exodus of talent.
Feedback on Reduced Productivity in the Current Workforce
In my previous newsletter, I reported on Salesforce CEO Marc Benioff suspecting that new employees were less productive due to being used to working from home. Several readers of The Sleepy Fox have responded to this with their own theories.
At least within companies that produce physical products, unlike Salesforce, supply line issues might be a factor.
To see this story, we can look at an ad hoc measure of productivity growth in the construction industry. This would imply roughly a 7.8 percent decline in productivity over this ten-quarter period. It doesn’t seem plausible that either construction technology or the quality of labor in the industry could have deteriorated so much in such a short period of time. The more obvious explanation for a decline in productivity in construction is that many workers were effectively wasting their time waiting for parts or materials that were needed for them to do their jobs.
Another reader shared some personal experiences in response:
I think this is multifaceted. There is for sure the aspect you mention of waiting on supplies, but we also have an employee issue where I am. Many of the older workers where I am, the ones that haven’t missed a day of work in 40 years, took early retirement when COVID hit, and effectively removed themselves, their dedication, and their skills from the workforce. Many of the young workers seem plagued with issues that limit them to shorter days, and in many cases, fewer days. And then there are the ones that have COVID every second month now, and this isn’t necessarily on them, because many people can’t go to work if they have cold- or flu-like symptoms anymore. So when you add all these things together, a 7.8% decline seems quite feasible.
If you have anything to add, feel free to respond to this newsletter with a comment or by email. I am quite interested in this topic and how it affects people working in different industries and countries around the world.
On My Desk Today
As you might have guessed, I will be busy with family matters in the coming days. There’s still an important story on the docket that I need to get to for this newsletter, however: The latest revelations in The Twitter Files about how the FBI influenced Twitter both in censorship of its users’ opinions and of the press. That is by far the most important thing that has come out of the Twitter Files reporting so far and, in my opinion, it’s probably the most important tech story of 2022. I am planning to publish another dedicated issue of The Sleepy Fox on this topic, but with Christmas at hand, I don’t know when exactly I will get around to it. Rest assured that I will, however. Until then, I hope you have some relaxing days “between the years”, as we say here in Germany. Hopefully, you don’t have to work (too much).
Disclaimer: I get a free version of their paid family offering as part of their 1Password for Journalism initiative.
The German verb “machen” (to make) in this context can be used both to say “the Americans are doing things” (die Amerikaner machen) and “the Americans are making war” (die Amerikaner machen Krieg).