[HN Gopher] Backdoored password manager stole data from as many ...
       ___________________________________________________________________
        
       Backdoored password manager stole data from as many as 29K
       enterprises
        
       Author : vanburen
       Score  : 35 points
       Date   : 2021-04-24 20:33 UTC (2 hours ago)
        
 (HTM) web link (arstechnica.com)
 (TXT) w3m dump (arstechnica.com)
        
       | schlotzisk wrote:
       | The post is linking to the comment section of the article. Can
       | you strip the URL of the query string?
        
         | 1cvmask wrote:
         | I think Dang is the only one who can do that once a story is
         | published. You can edit the title but not the url after
         | publishing it.
        
       | 627467 wrote:
        | Why would any "enterprise" customers trust a closed-source AND
        | small-time password manager?
        
       | shravan20 wrote:
       | a trend, ain't it?
        
       | 1cvmask wrote:
       | Just to clarify the title. It was not a deliberate backdoor on
       | the part of Passwordstate. It was a supply chain attack. There is
       | some history to their security holes (most of the known ones
       | being patched).
       | 
       | https://twitter.com/juanandres_gs/status/1385689464329187329
       | 
       | https://github.com/NorthwaveSecurity/passwordstate-decryptor...
       | 
       | A potential issue in the password management space is that
       | Francisco Partners (owner of NSO Group) owns Lastpass (and
       | LogMeIn).
       | 
       | https://en.wikipedia.org/wiki/NSO_Group
       | 
       | https://www.globenewswire.com/news-release/2020/08/31/208621...
       | 
       | Note: I work in the IAM and PAM space and designed dashboards for
       | saas pass.
        
         | miohtama wrote:
         | Password managers seem to be the most critical software where
         | open source and reproducible builds are needed. Are there any
         | good FOSS password managers that can do remote sync and team
         | permissions?
        
           | lisper wrote:
           | FOSS won't help you very much unless you're willing to build
           | your entire tool chain from vetted source.
           | 
            | http://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thom...
        
             | vkou wrote:
             | That's like saying that seatbelts don't help very much,
             | unless you're willing to wear a motorcycling helmet, and
             | install a roll cage in your car.
             | 
             | In the worst-case scenario, no, your seatbelt won't help.
             | I'm still going to wear one.
        
           | g_p wrote:
            | Bitwarden seems to tick the boxes you need - FOSS license,
            | syncs via an (open source) server which you can host
            | yourself, or use their hosted version, and there are team
            | versions available.
           | 
           | It's pretty good. There's also bitwarden_rs (a rust-based
           | server component) if you fancy a simpler self-hosting stack
           | that doesn't require SQL server.
           | 
           | The solution has been audited, I believe, but audits are only
           | valid at individual points in time. The only downside for me
           | is the use of electron and web technologies in many of the
           | clients - that for me is a huge attack surface of complexity
           | that few people can fully understand and manage.
        
       ___________________________________________________________________
       (page generated 2021-04-24 23:01 UTC)