Taking a great photo requires a lot of variables to fall into place. It’s amazing when this happens by happenstance, but what if you could stack the odds in your favor? That’s the question Photo Scout by Cascable answers.

Photo Scout, available for the iPhone and iPad, combines location data with weather conditions, date and time information, sunlight, and night sky variables to recommend when you should grab your camera or drone and head out for a photo shoot. The app can account for many variables, but what’s best about Photo Scout is that it makes managing them simple.

Something tells me Photo Scout won’t be able to help find Crisp Winter Days in North Carolina.

To help get you started, Photo Scout offers templates for common scenes like:

• Dramatic Sunsets
• Crisp Winter Days
• Calm, Clear Skies
• Rainy Streets at Night
• and more

In all, there are seven preset scenes, which are accessible from the ‘+’ button in the app’s top right corner. When you pick one, you’ll be prompted to use your current location or search for another, which is perfect for planning a trip in advance. That’s all there is to setting up a template-based scene unless you want to edit it further. When you return to the app’s main view, you’ll see that your scene has been added as a card that includes its name, when it will occur next, and location.

Setting up a scene from scratch.

Scenes can be built from scratch by choosing ‘New Empty Scene,’ too. Like using a template, you’ll be prompted to pick a location. However, you’ll also be able to set each of the app’s tracking variables individually. There are multiple options for day, date, and time options, plus weather, sunlight, and night sky conditions.

Using AR to plan shots based on the position of the sun or moon.

Photo Scout also includes augmented reality modes for the sun and moon positions that use the iPhone’s camera viewfinder to let you point at a spot in the sky, tap it, and see when the sun or moon will be in that position next. That position becomes the basis for its own scene so you know when to return to that spot to get the shot you want.

Photo Scout running on the iPad mini and synced via iCloud.

After your scenes have been created, Photo Scout will send you notifications in advance of whatever event you’re tracking, so you know when to head out with your camera. You can also track events from the app’s small and medium-sized widgets, of which there are three types. ‘Up Next for Scene’ will show you when one of your scenes will happen next, ‘Up Next Near Me’ will display your next scene opportunity based on where you are, and ‘Upcoming Near Me’ does the same but as a list of multiple upcoming scenes.

Instant Inspiration offers ideas for the next few days.

Photo Scout also includes a feature called Instant Inspiration that I love. It’s entirely automatic, offering suggestions based on the conditions over the next few days for a location you pick. Looking ahead to the weekend, it looks like Saturday will be a good day for drone photography with clear skies and low wind, and there will be a full moon that night. What’s great about Instant Inspiration is that it’s entirely frictionless.

Photo Scout’s alternative icons and notification sounds.

It’s worth noting that Photo Scout also features eight alternative icons and a long list of customizable notification sounds.

I’m slowly getting back into taking more pictures now that my life has settled down, and I’ve really enjoyed using Photo Scout as part of that. There’s still plenty of room to stumble upon an interesting shot as you move through your day, but with Photo Scout, you can increase the odds of capturing a great sunset and much more, which is fantastic.

Photo Scout is available on the App Store as a free download with a one-week free trial. After that, you must subscribe to either its Hobbyist subscription for $3.99/month or $24.99/year or its Professional subscription for $4.99/month or $39.99/year, which includes more features than the Hobbyist plan.

Support MacStories and Unlock Extras

Founded in 2015, Club MacStories has delivered exclusive content every week for over six years.

In that time, members have enjoyed nearly 400 weekly and monthly newsletters packed with more of your favorite MacStories writing as well as Club-only podcasts, eBooks, discounts on apps, icons, and services. Join today, and you’ll get everything new that we publish every week, plus access to our entire archive of back issues and downloadable perks.

The Club expanded in 2021 with Club MacStories+ and Club Premier. Club MacStories+ members enjoy even more exclusive stories, a vibrant Discord community, a rotating roster of app discounts, and more. And, with Club Premier, you get everything we offer at every Club level plus an extended, ad-free version of our podcast AppStories that is delivered early each week in high-bitrate audio.

UX designers who eliminated the filesystem from user consciousness in name of simplicity ruined the world and are morally culpable for shriveling minds of children who are unable to tackle the challenges of today thanks to a choice sold as advocacy for the user but was ultimately motivated by control of a disempowered customer.

Callsheet’s release has been a whirlwind. I’m completely overjoyed by the response. I am incredibly thankful to anyone who has tried Callsheet, purchased it, or told their friends about it. Y’all are the best. 💙

Yesterday I pushed a new version to the App Store, and it is rolling out slowly over the next week or so. I wanted to highlight some of the changes I think are pretty fun.

Short-short Version

• TV spoiler settings are now honored when viewing a person’s filmography
• When viewing a person, their age is shown on their filmography
• Mid- and post-credit scenes are now shown for movies
• Now shows what you’re actively playing in Channels and, experimentally, Plex

Honoring TV Spoiler Settings in Filmographies

Probably the most often requested feature right now is something that I’ve been planning to do for a while. However, it was — at least at first glance — far more complicated than you’d expect.

From the start, Callsheet would let you optionally hide spoilers for individual TV shows — things like character names, the number of episodes they’re in, episode titles, episode thumbnails, etc. In Callsheet 2023.3, I added the ability to set a global default for these same settings.

In Callsheet 2023.4, those settings are now honored when viewing a person’s filmography. There is also a button to toggle between hiding and showing the spoilers. Naturally, it defaults to hiding.

People’s Ages

When looking at an actor or crew’s filmography, I often want to know how old they were when they worked on a film or TV show. Before, this was some reasonably easy mental arithmetic: the person’s birth year is prominently displayed at the top of their screen on the app:

However, our devices are, at their core, arithmetic machines. Why not make them do this math, so I don’t have to? So, for people, you can see their ages in the year header:

I’m noodling on the best way to represent this information on cast/crew lists for movies and TV shows. 🤔

Mid- and Post-Credits Scenes

Something else I’ve been asked for a lot is the ability to know if a movie — particularly one currently in theatres — has a bonus scene during or after the credits. I didn’t think The Movie Database had this information, but I was wrong. As it turns out, there is a de facto standard for this!

Next, I turned to my friend Ben McCarthy, the author of the excellent Obscura — and the creative force behind a lot of the Callsheet UI. Ben and I went back-and-forth on some SF Symbols-style icons to represent mid-credits and post-credits scenes. You can see them both here. I’m quite pleased with what they came up with. 😎

Integrations

One of my tenets when designing Callsheet was to meet users where they are. This is not a particular revelation, but it is a nice “north star” to guide my decisions and priorities. This is evidenced in simple ways, like tapping on the runtime for a movie to see when it would end, if you start it right now:

The most obvious way to meet a user where they are is to offer to show them information about the thing they’re currently watching. Unfortunately, Apple doesn’t offer any sort of API for this on the Apple TV. There are allegedly ways to get that information anyway, but it’s extremely convoluted, and prone to break at any time.

Naturally, Callsheet is an app written by me… for me. And for me, the two primary ways I consume content are Plex and Channels. Callsheet 2023.4 includes Channels integration, as well as an experimental Plex integration.

Both of these integrations are opt-in. In order to enable them, you must go into the in-app settings, and turn on integrations. Both the Channels and Plex integrations work by polling, which means your device will ping away at the network asking “Is anyone here? Are you playing anything?” over and over again. That’s not a bad thing, but it’s not the sort of thing I want your average user to be opted into without their knowledge.

Channels

When everything is turned on, you should see something like this when Channels is playing on a local Apple TV:

Channels uses Bonjour under the hood, which is — naturally — extremely well-supported in the Apple ecosystem. In my experience, the integration with Channels is pretty robust and reliable.

However, Channels doesn’t always provide The Movie Database ID to me — in fact, generally speaking, it doesn’t. This means tapping on an item will usually perform a search, rather than jumping you directly to the show in question. When Channels does provide Callsheet the TMDB ID, you’ll jump directly to the media in question.

Plex

⚠️ The Plex integration should be considered experimental at this time. ⚠️

If you squint, Plex uses a similar scheme to Bonjour in order to discover players on the same network. However, Plex is old enough that it actually predates Bonjour. As such, the implementation is… rickety. Plex’s implementation works for Plex, but it was never really designed for use by other software. Like Callsheet.

That said, it… kinda works? When it does, like the Channels integration, it’s pretty damned magical:

Many thanks to my pals Alex and Hugo; without their combined efforts, there is literally zero chance this would have shipped.

Unfortunately, there’s not really any levers that I’m aware of that I can pull in order to improve Plex integration. It seems to depend on the “weather” in your local network. So, uh, no promises. 🫣

The waiting is over! Starter Villain, my latest novel, is out today in North America (Sept. 21 in the UK), and is available in print, ebook and audio. However you want it, you can get it! It’s available at your local bookstore, and I encourage you to get it there, but here are some additional sales links, just in case:

Amazon|Barnes & Noble|Bookshop|Powells|Apple Books|Google Play|Kobo

And for the audiobook, follow this link to Audible.

I’m happy to say Starter Villain is starting out with some great reviews, including two starred reviews from Booklist (“Scalzi’s latest will appeal to his legion of fans and draw in new ones”) and Library Journal (“Readers of humorous fantasy are sure to love Scalzi’s latest”), with raves from Entertainment Weekly (“Scalzi’s unique, hilarious, and oddly relatable story is the perfect fall read”), Publishers Weekly (“subverts classic supervillain tropes with equal measures of tongue-in-cheek humor and common sense”) and Polygon (“Following in the footsteps of sci-fi greats like Terry Pratchett and Douglas Adams… John Scalzi is truly a must-read”), among others. I hope you will dig it as well. I had a ball writing it.

Remember that I am on tour for Starter Villain, which actually began last night in Scottsdale, and now has stops in San Diego, San Francisco, Wichita, Dallas, Pittsburgh, Chapel Hill, Cincinnati and Nashville. Please come see me! I’ll also be at New York City Comic Con, the Wisconsin Book Festival and the Texas Book Festival and on October 6th I have an event with VE Schwab in Bexley, Ohio. Oh, and I’m the Guest of Honor at the Budapest International Book Festival, if you happen to be in Hungary the last week of September. Come see me at those as well!

And now, for something really cool. As many of you know, I occasionally commission theme songs for my books from musicians I like. Previous songs have come from Jonathan Coulton (Redshirts), Ted Leo (The Dispatcher series), William Beckett (the Lock In series) and Paul and Storm (Fuzzy Nation). For Starter Villain, I asked the fabulous Dessa to do a song for the book, and, oh boy, did she deliver:

If you like the song — and you should, because it’s amazing — you can get it from Dessa through her Bandcamp page. Dessa also has her own new album coming out on September 29, Bury the Lede, which you can also get at her Bandcamp page, or, you can get one of several deluxe LP/CD packages from her site. Support her, she’s awesome and she made an incredible song for my book.

There’s more to come with Starter Villain and other news to share when I can — but for now, it’s out, it’s in the world, and you can get it. The run-up to the release has been amazing, but honestly the best thing is to see it in the hands of readers, and to have them enjoy it. I hope you have as much fun reading Starter Villain as I had writing it. If you do, you’re going to love it.

— JS

defilerwyrm:

bijoumikhawal:

buttons-beads-lace:

headspace-hotel:

kaile-hultner:

kaile-hultner:

Just thinking about how republicans are going after normie sex shit like “internet porn” and “dildos” now

we fucking told y'all

to be clear: the right views any sex that isn’t purely procreative as deviant. it’s not just kink, or queer sex they find abhorrent. And they genuinely believe that the better educated you are about sex in general, including about gender shit, the more deviant you are. they’re legitimately trying to claw everyone down to hell with them.

Now? Before 2003 it was legit technically illegal in some states for even straight couples to have oral or anal sex, and there are still laws in some states restricting how many dildos you can own etc.

I don’t really know what the goal is with putting a numerical limit on dildos, but with republicans the answer is usually “There isn’t one. Die.”

This is your periodic reminder that it is currently right now illegal in the united states to own porn that the average person in your community would be offended by. That’s the legal definition of obscenity (a piece of media that 1. Exists to turn people on 2. has no other “redeeming” purpose and 3. would be offensive to most people in your jurisdiction) and you can theoretically be arrested and go to jail for owning “obscene” media or giving it to other people.

“But that’s ridiculous,” you say, “porn that the average taxpayer would think was ~offensive~ is absolutely fuckin’ everywhere, on the internet and in real life, and nobody gets in trouble for it.” And you’d be right about that. Realistically, this is a law that cannot be enforced: it is way too easy to break, way too hard to track, and way too many people are interested in breaking it.

Same with the pre-Lawrence v. Texas laws against “sodomy” that headspace-hotel is talking about. Yeah, it was illegal to give a blowjob in the privacy of your own home. But of course most people who like blowjobs never even thought twice about those laws, because it’s usually pretty easy to Not tell a cop what you do in the privacy of your bedroom with your spouse.

“So if laws like this don’t actually stop people from doing whatever sexual things they want to do, why are you concerned about it? You just said these laws don’t hurt anybody, right?” Here’s the thing. The purpose of laws like this is to create an atmosphere where you can get away with doing “"deviant”“ things… if you hide it from polite society, if you keep it secret, if you know your place.

What you can’t do is go out in public and say that actually gay people can have happy relationships, or that masturbating sometimes doesn’t make you a depraved sex addict, or that it’s okay to want to enjoy having sex and not just do it as your Duty To Your Husband.

You can get away with doing what you want in private if you never challenge the dominant cultural message that what you’re doing is gross and immoral and people who do it are disgusting freaks. If you dare to speak up and point out that your ”“shameful secret”“ is actually normal, off you go to jail.

That’s the purpose of laws like this. To make it impossible to challenge the rhetorical stranglehold of conservative christianity on society. To shift the Overton window once and for all to the right. And that’s why we need to fight laws like this with all our strength, every time the right tries to push them forward, even when the specifics are stuff like "you can’t own more than five dildoes” that might seem like a silly thing to go to war over. It’s not about the specifics. It’s about limiting everyone’s speech to things a conservative preacher would say from the pulpit.

The other thing laws like this are good for is giving the police excuses

Younger Americans NEED to understand why Lawrence vs Texas went to the Supreme Court.

In 2003, police raided the private home of two gay men and charged them with sodomy. I cannot emphasize enough that THEY WERE NOT CURRENTLY HAVING SEX AT ALL when the police raided them. But the cops had “probable cause” to believe that they had, at some point, had non-procreative sex, which was illegal under Texas’s sodomy law, so they were charged with a crime.

Ultimately, the SCOTUS ruled that sodomy laws are unconstitutional because US citizens have a right to privacy: what consenting adults do in their own homes is their own business.

What you need to know is that in four states, including Texas and. Missouri, sodomy laws are still on the books. That means that if SCOTUS strikes down Lawrence vs Texas, these laws immediately go back into effect, and more states can add their own.

What would that look like?

If you’re on Tinder and your profile says you’re gay or bi, the police can subpoena your profile and use it to arrest you.

If you’re on Scruff or Grindr, the police can subpoena your location data and messages and use them to track down and arrest you and all your hookups.

If you’re in a same-sex marriage, the police can subpoena a list of same-sex marriage certificates and arrest every single couple—even if they’re widowed or divorced.

If your school has an LGBTQ club, the police can subpoena a list of members and arrest kids & college students.

They could subpoena data from FetLife and Facebook and Twitter and, yes, if they thought to do so, Tumblr. Rainbow flag in your profile? They’re drawing up charges.

And all of these people getting arrested and charged with sodomy, when convicted, will not only have their lives ruined by jail time, but will also likely be labeled sex offenders for the rest of their lives.

This is not ancient history. This was not “back in the day.” I WAS IN COLLEGE WHEN THIS HAPPENED.

And the Republicans are frothing at the fucking mouth to bring these horrors back.

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

Taylor Monahan is lead product manager of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people, Collectively, these individuals have been robbed of more than $35 million worth of crypto.

Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals. Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts.

“The victim profile remains the most striking thing,” Monahan wrote. “They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”

Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.

MetaMask owner Taylor Monahan on Twitter. Image: twitter.com/tayvano_

Armed with your secret seed phrase, anyone can instantly access all of the cryptocurrency holdings tied to that cryptographic key, and move the funds to anywhere they like.

Which is why the best practice for many cybersecurity enthusiasts has long been to store their seed phrases either in some type of encrypted container — such as a password manager — or else inside an offline, special-purpose hardware encryption device, such as a Trezor or Ledger wallet.

“The seed phrase is literally the money,” said Nick Bax, director of analytics at Unciphered, a cryptocurrency wallet recovery company. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. And you can transfer my funds.”

Bax said he closely reviewed the massive trove of cryptocurrency theft data that Taylor Monahan and others have collected and linked together.

“It’s one of the broadest and most complex cryptocurrency investigations I’ve ever seen,” Bax said. “I ran my own analysis on top of their data and reached the same conclusion that Taylor reported. The threat actor moved stolen funds from multiple victims to the same blockchain addresses, making it possible to strongly link those victims.”

Bax, Monahan and others interviewed for this story say they’ve identified a unique signature that links the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022.

KrebsOnSecurity has reviewed this signature but is not publishing it at the request of Monahan and other researchers, who say doing so could cause the attackers to alter their operations in ways that make their criminal activity more difficult to track.

But the researchers have published findings about the dramatic similarities in the ways that victim funds were stolen and laundered through specific cryptocurrency exchanges. They also learned the attackers frequently grouped together victims by sending their cryptocurrencies to the same destination crypto wallet.

A graphic published by @tayvano on Twitter depicting the movement of stolen cryptocurrencies from victims who used LastPass to store their crypto seed phrases.

By identifying points of overlap in these destination addresses, the researchers were then able to track down and interview new victims. For example, the researchers said their methodology identified a recent multi-million dollar crypto heist victim as an employee at Chainalysis, a blockchain analysis firm that works closely with law enforcement agencies to help track down cybercriminals and money launderers.

Chainalysis confirmed that the employee had suffered a high-dollar cryptocurrency heist late last month, but otherwise declined to comment for this story.

Bax said the only obvious commonality between the victims who agreed to be interviewed was that they had stored the seed phrases for their cryptocurrency wallets in LastPass.

“On top of the overlapping indicators of compromise, there are more circumstantial behavioral patterns and tradecraft which are also consistent between different thefts and support the conclusion,” Bax told KrebsOnSecuirty. “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach.

“Last year’s incident remains the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation,” LastPass said in a written statement provided to KrebsOnSecurity. “Since last year’s attack on LastPass, we have remained in contact with law enforcement and continue to do so.”

Their statement continues:

“We have shared various technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with our law enforcement contacts as well as our internal and external threat intelligence and forensic partners in an effort to try and help identify the parties responsible. In the meantime, we encourage any security researchers to share any useful information they believe they may have with our Threat Intelligence team by contacting securitydisclosure@lastpass.com.”

THE LASTPASS BREACH(ES)

On August 25, 2022, LastPass CEO Karim Toubba wrote to users that the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against a DevOps engineer who was one of only four LastPass employees with access to the corporate vault.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

Dan Goodin at Ars Technica reported and then confirmed that the attackers exploited a known vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

As it happens, Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.

OFFLINE ATTACKS

A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.

LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it.

But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.

“It does leave things vulnerable to brute force when the vaults are stolen en masse, especially if info about the vault HOLDER is available,” said Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis. “So you just crunch and crunch and crunch with GPUs, with a priority list of vaults you target.”

How hard would it be for well-resourced criminals to crack the master passwords securing LastPass user vaults? Perhaps the best answer to this question comes from Wladimir Palant, a security researcher and the original developer behind the Adblock Plus browser plugin.

In a December 2022 blog post, Palant explained that the crackability of a LastPass master password depends largely on two things: The complexity of the master password, and the default settings for LastPass users, which appear to have varied quite a bit based on when those users began patronizing the service.

LastPass says that since 2018 it has required a twelve-character minimum for master passwords, which the company said “greatly minimizes the ability for successful brute force password guessing.”

But Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials that would satisfy the 12-character minimum.

“If you are a LastPass customer, chances are that you are completely unaware of this requirement,” Palant wrote. “That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it.”

Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years. One important setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.

Palant noted last year that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000.

Palant said the 2018 change was in response to a security bug report he filed about some users having dangerously low iterations in their LastPass settings.

“Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration,” Palant wrote. “My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that. In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.”

A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single GPU about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.

Image: palant.info

However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.

Weaver said a password or passphrase with average complexity — such as “Correct Horse Battery Staple” is only secure against online attacks, and that its roughly 40 bits of randomness or “entropy” means a graphics card can blow through it in no time.

“An Nvidia 3090 can do roughly 4 million [password guesses] per second with 1000 iterations, but that would go down to 8 thousand per second with 500,000 iterations, which is why iteration count matters so much,” Weaver said. “So a combination of ‘not THAT strong of a password’ and ‘old vault’ and ‘low iteration count’ would make it theoretically crackable but real work, but the work is worth it given the targets.”

Reached by KrebsOnSecurity, Palant said he never received a response from LastPass about why the company apparently failed to migrate some number of customers to more secure account settings.

“I know exactly as much as everyone else,” Palant wrote in reply. “LastPass published some additional information in March. This finally answered the questions about the timeline of their breach – meaning which users are affected. It also made obvious that business customers are very much at risk here, Federated Login Services being highly compromised in this breach (LastPass downplaying as usual of course).”

Palant said upon logging into his LastPass account a few days ago, he found his master password was still set at 5,000 iterations.

INTERVIEW WITH A VICTIM

KrebsOnSecurity interviewed one of the victims tracked down by Monahan, a software engineer and startup founder who recently was robbed of approximately $3.4 million worth of different cryptocurrencies. The victim agreed to tell his story in exchange for anonymity because he is still trying to claw back his losses. We’ll refer to him here as “Connor” (not his real name).

Connor said he began using LastPass roughly a decade ago, and that he also stored the seed phrase for his primary cryptocurrency wallet inside of LastPass. Connor chose to protect his LastPass password vault with an eight character master password that included numbers and symbols (~50 bits of entropy).

“I thought at the time that the bigger risk was losing a piece of paper with my seed phrase on it,” Connor said. “I had it in a bank security deposit box before that, but then I started thinking, ‘Hey, the bank might close or burn down and I could lose my seed phrase.'”

Those seed phrases sat in his LastPass vault for years. Then, early on the morning of Sunday, Aug. 27, 2023, Connor was awoken by a service he’d set up to monitor his cryptocurrency addresses for any unusual activity: Someone was draining funds from his accounts, and fast.

Like other victims interviewed for this story, Connor didn’t suffer the usual indignities that typically presage a cryptocurrency robbery, such as account takeovers of his email inbox or mobile phone number.

Connor said he doesn’t know the number of iterations his master password was given originally, or what it was set at when the LastPass user vault data was stolen last year. But he said he recently logged into his LastPass account and the system forced him to upgrade to the new 600,000 iterations setting.

“Because I set up my LastPass account so early, I’m pretty sure I had whatever weak settings or iterations it originally had,” he said.

Connor said he’s kicking himself because he recently started the process of migrating his cryptocurrency to a new wallet protected by a new seed phrase. But he never finished that migration process. And then he got hacked.

“I’d set up a brand new wallet with new keys,” he said. “I had that ready to go two months ago, but have been procrastinating moving things to the new wallet.”

Connor has been exceedingly lucky in regaining access to some of his stolen millions in cryptocurrency. The Internet is swimming with con artists masquerading as legitimate cryptocurrency recovery experts. To make matters worse, because time is so critical in these crypto heists, many victims turn to the first quasi-believable expert who offers help.

Instead, several friends steered Connor to Flashbots.net, a cryptocurrency recovery firm that employs several custom techniques to help clients claw back stolen funds — particularly those on the Ethereum blockchain.

According to Connor, Flashbots helped rescue approximately $1.5 million worth of the $3.4 million in cryptocurrency value that was suddenly swept out of his account roughly a week ago. Lucky for him, Connor had some of his assets tied up in a type of digital loan that allowed him to borrow against his various cryptocurrency assets.

Without giving away too many details about how they clawed back the funds, here’s a high level summary: When the crooks who stole Connor’s seed phrase sought to extract value from these loans, they were borrowing the maximum amount of credit that he hadn’t already used. But Connor said that left open an avenue for some of that value to be recaptured, basically by repaying the loan in many small, rapid chunks.

WHAT SHOULD LASTPASS USERS DO?

According to MetaMask’s Monahan, users who stored any important passwords with LastPass — particularly those related to cryptocurrency accounts — should change those credentials immediately, and migrate any crypto holdings to new offline hardware wallets.

“Really the ONLY thing you need to read is this,” Monahan pleaded to her 70,000 followers on Twitter/X: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a hw [hardware] wallet. Migrate. Now.”

If you also had passwords tied to banking or retirement accounts, or even just important email accounts — now would be a good time to change those credentials as well.

I’ve never been comfortable recommending password managers, because I’ve never seriously used them myself. Something about putting all your eggs in one basket. Heck, I’m so old-fashioned that most of my important passwords are written down and tucked away in safe places.

But I recognize this antiquated approach to password management is not for everyone. Connor says he now uses 1Password, a competing password manager that recently earned the best overall marks from Wired and The New York Times.

1Password says that three things are needed to decrypt your information: The encrypted data itself, your account password, and your Secret Key. Only you know your account password, and your Secret Key is generated locally during setup.

“The two are combined on-device to encrypt your vault data and are never sent to 1Password,” explains a 1Password blog post ‘What If 1Password Gets Hacked?‘ “Only the encrypted vault data lives on our servers, so neither 1Password nor an attacker who somehow manages to guess or steal your account password would be able to access your vaults – or what’s inside them.

Weaver said that Secret Key adds an extra level of randomness to all user master passwords that LastPass didn’t have.

“With LastPass, the idea is the user’s password vault is encrypted with a cryptographic hash (H) of the user’s passphrase,” Weaver said. “The problem is a hash of the user’s passphrase is remarkably weak on older LastPass vaults with master passwords that do not have many iterations. 1Password uses H(random-key||password) to generate the password, and it is why you have the QR code business when adding a new device.”

Weaver said LastPass deserves blame for not having upgraded iteration counts for all users a long time ago, and called the latest forced upgrades “a stunning indictment of the negligence on the part of LastPass.”

“That they never even notified all those with iteration counts of less than 100,000 — who are really vulnerable to brute force even with 8-character random passwords or ‘correct horse battery staple’ type passphrases — is outright negligence,” Weaver said. “I would personally advocate that nobody ever uses LastPass again: Not because they were hacked. Not because they had an architecture (unlike 1Password) that makes such hacking a problem. But because of their consistent refusal to address how they screwed up and take proactive efforts to protect their customers.”

Bax and Monahan both acknowledged that their research alone can probably never conclusively tie dozens of high-dollar crypto heists over the past year to the LastPass breach. But Bax says at this point he doesn’t see any other possible explanation.

“Some might say it’s dangerous to assert a strong connection here, but I’d say it’s dangerous to assert there isn’t one,” he said. “I was arguing with my fiance about this last night. She’s waiting for LastPass to tell her to change everything. Meanwhile, I’m telling her to do it now.”