LastPass has ties to China?!?


pete.warner

New member
Dec 2, 2020
Sorry for the length, this is going to require some explanation but the end result is the question -- is Lastpass tied to China? Coming here due to Steve's love of LastPass.

I searched but did not see any discussion on Section 889 Rule B. For those that don't know, the US Government has implemented this Rule, commonly known as "Rule B", that forbids the federal government from spending money on goods or services from "covered telecommunications products or services" - meaning Dahua Technology Company, Hangzhou Hikvision Digital Technology Company, Huawei Technologies Company, Hytera Communications Corporation, and ZTE Corporation. How this Rule has been implemented is to have those selling goods or providing services to the government attest that they do not use these goods or services in what they provide to the federal government.

So jumping ahead ... in looking into LastPass, I am told that the response from LogMeIn indicates that they DO use goods / services from covered telecommunications products or services ... and thus you can't use LastPass as a government contractor.

Does anyone else know anything about this? Has anyone received a better response from LogMeIn attesting that they are not impacted by this Rule?
 
LP has traveled a long road since Joe Siegrist (with a company of 30 people) responded directly to Steve about the development and security of LP. Since then LP was bought out for big bucks by LogMeIn in 2015, and then for much bigger bucks ($4.3b) by Elliott Management private equity.

Perhaps Steve could provide security update here in the forum - Discussion of LP on Security Now may be a bit dicey since they are a show and network sponsor, but Steve is typically candid in his analyses regardless (like with Fauci, stating the facts transparently as best you know them 100% of the time by a subject matter expert yields incredible respect and trust).

I do know the product has proven effective in protecting passwords when DOJ got access to people's computers, even with the full cooperation of LP under warrant (i.e. the master password is needed to decrypt the passwords stored on LP servers, and the local PC could not be forced to reveal that password either). I still trust LP and have recommended it to thousands of users, and even sat in the front row right in front of Leo and Steve at the Boston LP event last year, where I was able to get a photo with Steve!
 
Whether LP can be trusted or not I leave to those who know more than me, but when I saw how it became a commodity at companies that care about a product as much as a mother cares about her baby (irony), I dropped LP immediately.

I'm now a very happy BitWarden user, for a year or so. Never thought I could live without LP, but life is good. Life is even better! ;-)

// Rolf
 
I used LP because Steve had done a deep dive and trusted it, and I trust him. BitWarden and others were not thoroughly vetted by Steve. Although I may take a look at it myself, I prefer to use something that is well understood, so that any vulnerabilities can be seen.
 
This all sounds worthy of discussion on Security Now. I value content that impacts what I do on a daily basis.
Again, this is not going to happen until LastPass, TWIT's premier sponsor, drops sponsorship. I doubt @Steve will weigh in on this at all, at least for some time.

I'm more troubled by LogMeIn's bad reputation and the negatives that come with a giant company's priorities. I've had generally poor support from LastPass with problems I've encountered, but have no reason to believe their tech has been fundamentally degraded. Still I've played with Bitwarden and keep looking at 1Password.
 
¿Por qué no los dos? (Why not both?)

Why not both? We could use LastPass for some things, and BitWarden for others? Split the eggs into two baskets?

Do we have a third option? 1Password? Maybe three baskets!

I do trust Last Pass because I trust Steve. I do hope the trust is not misplaced.
 
I too trust Steve. But he has not dug into LP in many years. And, as we know, it has changed hands since. There is nothing to have prevented the new owners from adding another allowed credential to unlock our master. I have enabled the emergency access for my wife after 3 days JIC I die suddenly. For all we know, there is another key to our vaults out there somewhere. I don't keep State secrets but I would sleep better knowing only me or [my wife when I die] can get to my stuff.
 
I will say, the extensions for the browser are open source because they are JavaScript, HTML, and CSS. This article says basically the only way they could attack is a local file system or RAM attack: https://delaat.net/rp/2018-2019/p59/report.pdf

While the backend company may be... less than trustworthy, the frontend technology is still the same, thankfully. Now when you open your vault on the LP site, I don't know if they insert a backdoor there, or if the encryption and viewing is still done locally. I'm sure someone could easily find that out, but I'm guessing no. I can't think of a way LP would insert some backdoor here.

The only problem I have is more a UI problem: Android autofill isn't consistent. I will be switching to Bitwarden to try that.
 
deleting their LastPass account
Since you said a reset worked, why not simply change your email on the account to a throwaway one (try Dispostable, say), then change the password to something completely random a few dozen times and then "forget" those passwords. That should presumably stop anyone from recovering anything meaningful from what remains.
 
Does anyone else know anything about this? Has anyone received a better response from LogMeIn attesting that they are not impacted by this Rule?

I tried asking your question on the LastPass Community forum and the question and the link to this forum was deleted. I'll take that as a "yes, have ties with China but we aren't allowed to say that".
 
WRT the sponsorship, at least as far as SN goes, I don't recall hearing a sponsor spot from LastPass since they rejigged their free and paid versions. It's all been BitWarden, which was nice to see since they are who I migrated to after the changes LastPass made.

WRT sponsorship of twit itself, I don't use the site or listen to any other shows, so I couldn't comment on what the relationship is there.