That still doesn't explain how the attacker knew that specific password should be tried at all.
We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?
-MarkM-
We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?
-MarkM-
What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?
Doesn't explain why the passwords were the same though. I guess laziness and hubris.
How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?
-MarkM-
That's right, you can't sync LastPass without the master password.
I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?
http://pastebin.com/htzdAJGF
Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123
How does one decrypt that file?
Some research is due.