Archive for December 23, 2022

Friday, December 23, 2022

Belkin iPhone Mount With MagSafe for Mac Desktops and Displays

Jason Snell:

Now there’s the Belkin iPhone Mount with MagSafe for Mac Desktops and Displays, a $40 adapter for other displays.


I have very few reservations of this new adapter. It works well on my Apple Studio Display but would work just as well on an iMac, a third-party display, or even a television.


Update (2023-02-14): Felix Schwarz:

Just received the “Belkin iPhone Mount for Mac Desktops” and have mixed first impressions:

🔴 it doesn’t hold my iPhone 12 mini reliably while it is in a relatively thin case

🟢 without case, it adds a stable iPhone mount to my 27" monitor

I was really looking forward to it, but now am not sure whether I’ll keep or return it… will see…

LastPass Breach

Dan Goodin:

LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.

The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager’s development environment and “took portions of source code and some proprietary LastPass technical information.” The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren’t affected.


The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.

Update (2022-12-26): evan j:

I worked at LastPass as an engineer a long time ago. 7+ years ago. My 2 cents on the situation.

This is the worst breach LastPass has had. By a lot.

The key difference is that customer vaults were accessed this time, which are kept in a completely separate database.


URLs aren’t encrypted. This has been a well reported criticism of the product.

But it allows an attacker to see what vault entries are associated with which sites.

Overall, I think OG users of LP are at greater risk for targeted attacks than newer. I don’t think we’ll see widespread vaults being cracked, but targeted attacks are very possible with a user’s entire vault.

Cryptopathic (via Hacker News):

I think the situation at @LastPass may be worse than they are letting on.

On Sunday the 18th, four of my wallets were compromised. The losses are not significant.

Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.

Naz Markuta (via Hacker News):

The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault with a weak password.

Tavis Ormandy (via Dare Obasanjo):

Things start to go wrong when you want integration with other applications, or when you want data synchronized by an untrusted intermediary. There are safe ways to achieve this, but the allure of recurring subscription fees has attracted businesses to this space with varying degrees of competence. I’m generally skeptical of these online subscription password managers, and that’s going to be the focus of the rest of this article.


I often say that “use a password manager” is bad advice. That’s because it’s difficult to tell the difference between a competent implementation and a naive one. The tech press can review usability and onboarding experience, but can’t realistically evaluate any security claims, so how do you propose users tell the difference? For that reason, I think “use a password manager” is so vague that it’s dangerous.


My primary area of interest is how remote attackers can interact with your password manager.


An attacker (or malicious insider) in control of the vendor’s network can change the code that is served to your browser, and that code can obviously access your passwords. This isn’t farfetched, altering the content of websites (i.e. defacement) is so common that it’s practically a sport.

Bruce Schneier:

But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.

Update (2022-12-29): Jeremi M Gosney:

But things change, and in recent years I found myself unable to defend LastPass. I can’t recall if there was a particular straw that broke the camel’s back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass[…]


So, why do I recommend Bitwarden and 1Password? It’s quite simple[…]?

Jeffrey Goldberg:

LastPass, a competitor, recently announced that password hashes were included in an August 2022 breach of their cloud storage. Their notice claimed that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology.” That claim is highly misleading. In this article, I’ll explore the LastPass claim and unique 1Password features that protect you — now and in the event of a similar breach.


One of the things that sets 1Password apart is the Secret Key. A year ago I explained how your Secret Key protects you in the event the data we hold is captured by an attacker.

I like the idea of the Secret Key; however, it only protects against a breach where the stored encrypted data is stolen. If the server is compromised, all bets are off because the Web client could be secretly modified to steal the Secret Key stored in your browser:

One thing I find annoying is that you can’t manage your account purely in the application, but have to touch the web interface with its “code directly downloaded from 1Password’s server” model.
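The two points above, that the “millions of years” figure depends entirely on the master password’s strength and the key-derivation cost, and that a device-held Secret Key changes the offline-guessing picture for a stolen vault but not for a compromised client, can be put into numbers. The following is an added example and not code from LastPass, 1Password or any of the posts quoted here; the iteration count, the guess rate and the password shapes are constructed assumptions, and the Secret Key combination is a simplified illustration of the idea rather than 1Password’s actual two-secret key derivation.

```python
import hashlib
import hmac
import math
from typing import Optional

# Constructed parameters for the illustration; not any vendor's real setting.
PBKDF2_ITERATIONS = 100_100
KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, account_salt: bytes,
                     secret_key: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a vault encryption key from the master password.

    Without a secret key this is plain PBKDF2-HMAC-SHA256, so whoever holds
    the encrypted vault can test master-password guesses offline, paying one
    PBKDF2 run per guess.

    With a secret key (a high-entropy value kept only on the user's devices and
    never stored server-side), the PBKDF2 output is XORed with
    HMAC-SHA256(secret_key, account_salt).  Someone holding only the
    server-side copy of the vault must now also guess that secret key.
    This is a simplified illustration, not 1Password's exact construction.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 account_salt, iterations, dklen=KEY_LEN)
    if secret_key is None:
        return pw_key
    sk_key = hmac.new(secret_key, account_salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet.

    This is an upper bound: human-chosen passwords of the same shape are
    usually far weaker, which is why the vault-cracking demonstrations cited
    above work against weak passwords regardless of the iteration count.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Years needed to search the whole key space at a given guess rate.

    Used on the defending side to sanity-check claims like "millions of
    years": the answer depends on the password's real entropy and on the
    PBKDF2 cost that sets the guess rate, not on the product alone.
    """
    seconds = 2 ** entropy_bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare_scenarios(guesses_per_second: float = 1e6) -> dict:
    """Offline-guessing budget for three constructed scenarios.

    The guess rate is a constructed assumption for one PBKDF2 configuration;
    raising the iteration count lowers it, but only linearly.  Adding a
    128-bit secret key adds 128 bits to the search space, which dwarfs any
    achievable iteration-count increase.
    """
    weak = password_entropy_bits(8, 26)        # 8 lowercase letters
    strong = password_entropy_bits(16, 94)     # 16 chars, all printable ASCII classes
    weak_plus_sk = weak + 128                  # same weak password plus a secret key
    return {
        "weak_8_lowercase": years_to_exhaust(weak, guesses_per_second),
        "strong_16_all_classes": years_to_exhaust(strong, guesses_per_second),
        "weak_8_lowercase_plus_secret_key": years_to_exhaust(weak_plus_sk, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed demo inputs.
    salt = b"user@example.com"
    k_plain = derive_vault_key("correct horse", salt)
    k_sk = derive_vault_key("correct horse", salt, secret_key=bytes(16))
    print("plain key     :", k_plain.hex())
    print("with secretkey:", k_sk.hex())
    for name, years in compare_scenarios().items():
        print(f"{name:35s} {years:.3e} years")
```

The arithmetic only covers the stolen-vault case. As the commentary above points out, if the client code served by the vendor is modified, both the master password and the Secret Key are handed over by the user's own browser, and no amount of key-derivation cost helps.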

Update (2023-01-25): Anyjohndoe1 (via Hacker News):

For those that may not have seen it, since instead of a new post they “updated” the one from November…Looks like it’s even worse than they first let on—now not just LastPass, but a bunch of their other products. Oh, and encrypted backups from some of those services—and an encryption key for some of said backups.

Update (2023-03-01): Filipe Espósito (Hacker News):

Now LastPass has revealed that the incident was caused by credentials stolen from a DevOps engineer.

As shared in a blog post (via ArsTechnica), there was a coordinated attack in August 2022 in which hackers were able to access and steal data from Amazon AWS cloud servers. More specifically, the credentials for the servers were stolen from a DevOps engineer who had access to cloud storage at the company. This made it more difficult for LastPass to detect the suspicious activity.

Interestingly, ArsTechnica heard from sources that the engineer’s computer was hacked through a vulnerability found in the Plex media platform. Twelve days after the LastPass attack, Plex confirmed that it had also suffered an attack that resulted in 15 million users’ passwords being stolen.

Activating Automatic Backtrack in watchOS 9

David Smith:

The trick was knowing that you have to press that bottom right button in order to discover if an automatic route is being tracked.

I imagine this ambiguity is coming from Apple being very circumspect about protecting user privacy. I wouldn’t be surprised if the system for automatically and surreptitiously recording the user’s locations is entirely walled off from the rest of the Compass app to make sure this very sensitive data can’t inadvertently be leaked without the user’s explicit approval. Hence the need to specifically request and approve it every time you want to see it. That’s just a guess but it seems a reasonable one.

We could quibble about the discoverability of this interface design, but I suspect it is motivated by user privacy.


30 Years of PCalc

James Thomson (Mastodon):

At around the same time, we’d started coding using THINK Pascal, and I had begun to explore the Macintosh programming APIs in my own time.


The Pascal core mathematics code was hand-translated into C, and a new user interface was written around it in C++.


In 2005, I rewrote PCalc once again. This time, it was to learn the new Carbon HIToolbox APIs - this was a different way of writing an application, somewhat similar to PowerPlant, but provided by Apple.


I took the code I’d written for the Dashboard Widget version of PCalc, and got that running within a day or two on the iPhone. From there, I wrote a completely new interface around it, this time in Cocoa.


Well before the days of Mac Catalyst, this new version was actually based on the iOS source code[…]