LastPass now mostly free for personal use

In case you didn't notice, as of last week LastPass is essentially free for personal use. A password manager is great way to improve your online security, because it allows you to use a unique, long, random password for every account.

LastPass announced a change to their pricing plan last week that make the vast majority of their non-enterprise features available to the Free tier. If you're not currently using a password manager, or if you're mixing your personal account into your enterprise account (if you have one through your company), this should interest you.  More info on their tiers at the bottom of: https://www.lastpass.com/

Some cool features of LastPass:

• You can link your personal account to your enterprise account.  You can then access all your personal account logins/notes from your enterprise account, but your personal information stays inaccessible to enterprise admins.  More info: https://enterprise.lastpass.com/getting-started/link-personal-account/
• If your partner/spouse/best friend/etc. gets a free account, you can set up selective sharing of logins/notes, and folders of logins/notes, between you and your partner.
• You can set up Emergency Access between your account and your partner's account.  If something happens to you, your partner can request access to your account, and after a configurable delay of X days, they will get that access.  At any time during those X days you can reject the request.  More info: https://helpdesk.lastpass.com/emergency-access/

If you're wary of trusting your account credentials and other personal information to the cloud, know the LastPass is a "zero knowledge" service, meaning that all your secrets are encrypted on your computers/devices before they get sent to the LastPass servers, and the encryption keys used are never sent to the servers.  This applies to their sharing and Emergency Access features too.  More info: https://lastpass.com/enterprise/security/

A baseline set of software and services for a home or professional Windows computer

This is a first installment on a post I've been writing (on and off, with lots of distractions) for the last month or two.  I started walking a friend through a list of security concerns and recommendations for their Windows computer, but soon found the subject complex enough that I needed to write it all down.  Later, as I started to document it all, I realized that others would benefit from it too.  Then it ballooned into a much larger task than I could have imagined, so it's still not ready.

So here is the Coles Notes version.  I'll finish the full write-up as soon as I find the time.

Area	Setting, Software, or Service
Router	WPA2 Personal/PSK, AES
Computer	TPM, ideally
Windows OS	Windows 10 Pro or Windows 10 Home Regular updates
Full disk encryption	BitLocker -- ideally using TPM-and-PIN mode or Device Encryption
Firewall	Windows Defender
Antivirus	AVG Free or Avast Free
Antimalware	VoodooShield Free
Browser privacy - Chrome	HTTPS Everywhere uBlock Origin
Internet usage monitoring	GlassWire
VPN	TunnelBear
Password manager	LastPass Premium
Authenticator for 2FA	Authy
Container encryption	VeraCrypt -- needed if your computer drive isn't encrypted
Drive free space wiping	CCleaner -- needed if your computer drive isn't encrypted
Cloud sync/storage - zero knowledge	Sync.com or Boxcryptor 2.0
Cloud sync/storage - regular	Dropbox, OneDrive, Google Drive, Apple iCloud, etc.,
Cloud backup	CrashPlan BackBlaze (Added 2020-11-15) Sync.com (Added 2020-11-15)
Local backup	CrashPlan SyncBackSE --  to a drive encrypted with FDE (e.g., BitLocker To Go) N.B. SyncBackFree won't give you the critical Versioning feature; for that you need SyncBackSE (Added 2020-11-15) Apple Time Machine (Added 2020-11-15)
Image backup	Windows system image backup
Drive cleanup	CCleaner
Update monitoring	Secunia PSI
Credentials monitoring	haveibeenpwned.com
Mobile security	Device encryption Regular updates
Mobile local storage	Documents by Readdle

. o O o .

Automated Code Inspection Tools for C Code

I recently had to draw up a list of C code automated inspection tools for a client.  It took me several hours to find and distill good reviews on the web so I thought I'd share it here for what's worth.  If I wind up using (or trying to use) any of the tools on the client's code base, I'll report my experience here.

This is a list of tools that, based on seven reviews I found, look like good candidates to run.  Since C has been around forever, some of the reviews are from as far back as 2009 and 2010.

Tool	# Recom­mendations	Type	Web page / Notes
OPEN SOURCE
Flawfinder	5	Open source	http://www.dwheeler.com/flawfinder/ https://sourceforge.net/projects/flawfinder/ Last update: 2014
Cppcheck	4	Open source	http://cppcheck.sourceforge.net/ https://sourceforge.net/projects/cppcheck/ Last update: 2016
RATS	3	Open source	https://code.google.com/archive/p/rough-auditing-tool-for-security/downloads Last update: 2013
YASCA	3	Open source & Commercial	http://www.scovetta.com/yasca.html https://sourceforge.net/projects/yasca/ Last update: 2014
COMMERCIAL
Coverity (Synopsys)	3	Commercial	http://www.synopsys.com/software/coverity/
Klocwork	2	Commercial	http://www.klocwork.com/
Fortify Static Code Analyzer (SCA) (HP)	1	Commercial	http://www8.hp.com/ca/en/software-solutions/static-code-analysis-sast/

. o O o . 

The chicken and egg of password security

From Naked Security by Sophos:  And the worst passwords from the Last.fm hack are…

It's easy to argue that, because Last.fm isn't a sensitive service, it's OK for users to pick insecure passwords.  But I suspect that this is a slippery slope: as a user uses more and more insecure passwords without anything bad happening, they become desensitized to security concerns (if they were ever sensitized in the first place) and move on to using such passwords on more and more sensitive services.  Eventually reality will bite them. (N.1)

How can you blame uses for doing this?  They just want to use the services they like.  They aren't security experts and they don't understand the threat model or how dangerous the connected world is.

You can blame service providers that allow stupidly insecure passwords like "123456", "password", the name of the service, etc.  Microsoft disallows such passwords but the vast majority of service providers don't.

Now, a tougher question: can you blame service providers that allow passwords that are shorter than, say, 12 characters and not complex and random?  Anything less than that, as a bare minimum, is probably not secure enough against offline attacks.

But here's the chicken and egg:

1. Since the vast majority of users don't use password managers, a service provider that required secure-enough passwords would likely be out of business in short order.
2. If service providers don't require secure-enough passwords, why would users use them?  You can easily imagine the usability (and security issues) that such passwords would create for users that don't use a password manager.
3. If users aren't forced to use secure-enough passwords, and given that they don't understand the need for unique passwords across all their services, why would they go to the trouble (they imagine) of using a password manager?  (That "trouble", by the way, is well worth it.)

As someone fascinated by security architecture -- and especially by how much better it could be -- this is the kind of problem I love to ponder.  My post Open Kimono Security presented one way to address this chicken-and-egg situation, but we might need something a bit more mainstream.

---

If you want to get a feel for password cracking time as a function of password length and complexity, try this:

Kaspersky Lab Secure Password Check

Don't use a real password; instead compose a fake password that is similar to the password you want to test.  So if your password is "ChriSlove45" (don't laugh), use something like "CaseYbest92".  But then you probably already know that you shouldn't be using such passwords anyway: your passwords should all be long random (and unique) strings.

BTW, I suspect that the "MacBook Pro" times shown for that kind of password ("ChriSlove45", etc.) are wrong and should really be much shorter.

---

N.1: Update 2021-02-14: Given that most people reuse passwords like there's no tomorrow, their last.fm password was probably one that they had already used on a number of important services. Credential stuffing follows.

. o O o .

A good telescope for starting out in astronomy

Astronomy is an amazing hobby that can take you as far as you want to go, in all sorts of observing and scientific directions.  For people looking to get into astronomy, here is some great advice for buying a beginner telescope.  This is from Douglas George, Ottawa-based expert amateur astronomer and comet hunter, who was responding to a question from another friend of mine:

In the "few hundred dollar" range, telescopes vary from utter crap to quite decent.  Don't buy a telescope from anything but a specialty shop.  Don't buy anything that lists some huge magnification (800X !!!).  High magnification in a small aperture instrument is an attempt to violate the laws of physics.  Tip: physics win.  You'll only see a blur.

If you want a good telescope in that price range, it's going to be no-frills. That doesn't mean it won't be a very capable telescope; you just need to put your money into decent optics and a good solid mounting.  This means a "Dobsonian" style instrument.

Here is an example of a good beginner telescope:

Orion SkyQuest XT6 Classic Dobsonian Telescope | Orion Telescopes

This has a 6" diameter mirror, which means the telescope is actually quite capable.  At the same time, it is not too bulky.  The mount is a very stable design, being a simple up/down, left/right affair.  If you can't point the telescope at an object, you can't see it.  This is a far better design than a spindly tripod.

Another important factor is you need a good aiming device.  Telescopes have tunnel vision, so you need some help.  Many beginner telescopes are sold with really poor quality finder scopes, which are beyond difficult to use.  The telescope linked above has an "EZ Finder".  Another similar device is a "Telrad".  These devices don't magnify, they simply point - and are not just very easy to use, they are quite accurate.

If you can't afford a 6" telescope, go for a slightly smaller unit - say 4.5" diameter.  Don't go smaller than that.

. o O o .