Hacker News new | ask | show | jobs
by tuwtuwtuwtuw 1637 days ago
Several people have reported that if you tried to log on from a new IP with incorrect master password, then you got an email saying that someone tried to log on using your master password even though that was not the case.
1 comments
ohyeshedid 1637 days ago
I was referring to the IP's being shown to users.[1]

So then; Is the bug also responsible for pushing bad data to the users dashboards? If this is really a bug, it's a complicated one. I'd be curious if those IP's are still being shown on the users end.

[1]: https://news.ycombinator.com/item?id=29705957

link
tuwtuwtuwtuw 1637 days ago
What "dashboards" are you referring to? I have not seen any dashboards in LastPass.

Why would it need to be a complicated bug? It could be as simple as:

If UnkownIP OR InvalidMasterPassword Then LogAndSendNotication

Instead of:

If UnkownIP AND InvalidMasterPassword Then LogAndSendNotication

Please tell me why it needs to be a complicated bug.

link
ohyeshedid 1637 days ago
I don't have a link handy, nor currently familiar with LP's site or extensions:

The part of the site that shows the recent connections to your account, with IP's. People were sharing those IP's and thoughts in the linked thread.

That data came from somewhere; if it's related to this bug then this bug is also pushing incorrect data into other parts of the service. It's also entirely possible that it wasn't a bug, and instead a security issue, and that data is correct, and they're bending words to play it off as just a bug.

I can understand a bug triggering a warning system, but when it's also presenting related data in the account security logs; it's either a complicated bug or there's more to the story.

link
tuwtuwtuwtuw 1637 days ago
> it's either a complicated bug or there's more to the story.

I showed you pseudo-code which could trigger this issue. It was trivial code which could cause it in practice. Yet you claim it must be complicated or more to the story. I have no idea why you feel that classifying a request in a certain way must be caused by a complicated bug - very strange.

I think you're into FUD-mode now because even after being shown wrong, you continue to spread misinformation.

Also, you are referring to LP functionality which to my knowledge doesn't even exist, and when asked you say you don't know the software being discussed.

Very strange behavior by you.

link
ohyeshedid 1637 days ago
Your example would've caused a much larger response, no? By most accounts, it didn't trigger for most users, so a simple flub like that should've triggered on more accounts.

I'm viewing this through the lens of multiple days of differing social groups poking at this, and the crowdsourced information that's yielded.

> ...shown wrong, you continue to spread misinformation.

You haven't shown anything wrong: neither of us know what actually happened. nor am I spreading misinformation, nor making statements as to what happened; I'm questioning it. Is there some reason you're so accusatory?

> Also, you are referring to LP functionality which to my knowledge doesn't even exist, and when asked you say you don't know the software being discussed.

[1]. I haven't touched LP in, ehhh, 10ish years, and it was a feature even back then.

[1]: https://support.logmeininc.com/lastpass/help/lastpass-accoun...

link
tuwtuwtuwtuw 1635 days ago
> Is there some reason you're so accusatory?

I thought that was obvious given the context. You are spreading BS that this must be caused by some complex bug yet having nothing to back it up except for anecdotes. You have already said you don't know the feature set and you haven't used it in 10 years, yet you are making such a claim.

Why wouldn't I accuse you of spreading misinformation if you make claims without knowing what you're talking about?

link