Video

Bs. My name, address, email address password, phone number, and ss number were exposed. And i didn't receive any letter from AT&T. I found out when Chase sent me a message stating that my information was found on the dark web.

Software Engineer here. The system was poorly engineered. In fact the statement "The system was poorly engineered" is an excellent summary of many disasters and mishaps, including Titanic, Chernobyl and 737Max. Cutting corners are an excellent way of saving money up until the point that they cost money. Skimping on maintenance saves money in a similar fashion. Making foundations with less material ditto. I blame lazy negligent voters who elect greedy negligent rulers who employ their greedy lazy negligent mates in positions of regulator. But there is surely more to it. When things were built better in the "olden days" it cannot be down purely to smarter voters. Voters were pretty stupid back then too. You hear stories of a tough man forcing his apprentice to tear out all his shoddy work and re-do it. What drove that tough man back then? Lawyers get a bad rap for ruining our country, but there is a use for them in holding bad actors accountable. Why have lawyers been unable to rein-in the bad engineering and enshitification that is going on everywhere? I'm still a student of the whole process and welcome the thoughts of others.

Thanks Matt for this insight

tl;dr new "templates" NOT included in QA testing.

You can only fail if you tried. There was no QA, so nothing failed. Also Goerge Kurtz just can out to lie. He just came out to say "We fixed it already " which was a half truth and irrelevant lie. It's like saying "we fixed our blueprints" after buildings had collapsed. He pretended the cleanup and rescue operations were a non issue. Also their so called "Report" was meaningless and pointless. The question wasn't about some logic flaw. The question was always "How the hell did this get deployed everywhere with being caught in testing and QA ".

The more I hear opinions about what happened, more I am tempted to think that instead of incompetents they are heroes instead, and that the culprit is the success once more time.

Great event to raise awareness about the importance of secure and scalable solutions for a solid and secure future in the coming years. Thanks Matthew to raise this matter!

Shame on their security team

Matt, your “thoughts on the matter” would make a excellent subject. (Hopefully a video here) Also well done on the explanation! 🎉

i get we will sometimes have some weird but sneak through but this flaw really should have been caught with some basic testing. Did Crowdstrike even test the update first? was this structural or was it a stupid employee ignoring the rules?

I really don't understand why they don't have a staging setup. Had they, they would have caught this and be spared the embarrasment on what might be a firm-ending event.

why the fuck are they logging our texts on a cloud server

The idea that Saudi Arabia who tried to blackmail Jeff Bezos and released information that destroyed his marriage when he didn't yield is not among countries who is an aggressive nation state seems strange.

Do you detect how effective the disinformation on Putin's Russia is accepted as fact without substance ? The persistent attempts to invalidate Vladimir Putin who has out maneuvered and out smarted every shallow minded State Dept. Official who has slapped sanctions on the cousins and nephews of the future relatives of the babies not yet born---that should work . " What is taking so long to break Russia down ? "We blew up the goddamned pipeline with those Norwegian Divers that Jens Stoltenberg loaned to us . " Our depravity is reduced to stealing their money just sitting there in a bank . Here's a better idea . Our people have failed us , the taxpayers, with no one getting rich except George Soros . Dump Austin, Sullivan , Blinken & Biden and replace them all by hliring JUST one Putin , an experienced , skilled consultant who gets the job done at one twentieth the cost. The bigger threat is our own CIA who can now murder for the president as long as the paperwork is stamped "official business' of the president's office. We are so screwed .

It’s so awesome Naomi got absolutely thrashed by a ‘famous CZcamsr’. All that education only to get dismantled by someone with a fraction of her education. 😆😭

It's already scary.. the groups are many and the more sophisticated is that they disappear and appear new and new groups after.. But I have one interesting observation. Such threat groups are announcing usually that many sites are hacked, many airports are down for example, Dutch, German and else disabled or crippled and so on but many of these lists are bragging because when you go some of the sites are working. Yes, they may temporary disrupt but this is not hacked overall and hacked forever or for a long time. I seen this several times. But it's important also not to underestimate them because these attacks with access and persistent, espionage - yes. they are dangerous. One group terrified me more btw - it's called Жокер ДНР .. and the reason is that they are able to track real physical persons and militants. This is serious and really terrifying because is a level above from cyber security. There we are already talking for people's lives. If depended on me I prefer at least this not to exist in 21 century.

So we in america should over look the trillions america spent by the 17 america security services 😂😂😂😂

awesome podcast. Thank you. I truly enjoyed on 11:45 minute :D - "the other one, just throw some gas in the fire" :D

Nice video 📹

Why don’t you include the cyber attacks the US does?

Matthew is cute! Just sayin'...

Thank you for sharing 🙏

Excellent insight. Thank you. I wish more so called IT Sec Pro's would first consider the basics to be understood.

Well done! I am leaning towards Ed's points

I hope you are well. Visiting your channel I have seen your all videos and content are very good but your video SEO optimization is not professional. Perhaps you are busy for managing the channel.

The videos on your CZcams channel are very nice. I am already subscribed to your channel. Your channel's content is good. I watch your videos regularly. I like your videos very much. I want to tell you something friend

Very well articulated, pointing out the "truthful narrative" about what this case is all about. Very well done. I agree with your analysis, conclusions and recommendations to others - read the case (I learned that scienter is a real term). I learned, you don't ever want to be accused of scienter - that's a bad day. Great job, Matthew.

Great talking with you today. Looking forward to our Podcast episode.

Great interview. Laid out what the problem is, how to solve it and who needs to be involved

💯 'promosm'

The CISO should start to apply Eistein's motto: If you can't explain somethin clearly to a 8 years boy, you spray nonsense.

Thank you for the insightful conversation. In most organizations, the main sources of vulnerabilities are: Commercial software (e.g., Windows, Linux, etc.) Outdated open source components Software misconfigurations In my experience, measuring the mean time to remediate (MTTR) or survivability rate of vulnerabilities at each risk level (critical, high, medium, low) can help organizations have conversations about which software consumption model is best for them. For example, I have seen teams move from on-premises servers to platform or software as a service (SaaS) because they were unable to meet both their cybersecurity remediation service-level agreements (SLAs) and business requirements. Additionally, I have seen teams re-architect their products and improve their software testing and deployment practices to meet cyber hygiene requirements. Working with the business to identify the risk appetite the organization will have for each risk severity level is paramount to managing cybersecurity risk.

Is it a bad idea? Yes. Should customers be worried? Not really. Don't update your firmware, don't pay them any money.

Any recommendations for a trusted cold wallet?

First.

Awesome video i watched it a second time.

Get you LLC ready!

I think that is accurate to say...private military's already have been in play for a long time, and these groups dealing with cyber will definitely be taking off. It is also important to remember in all of this that we are losing military staff at an alarming rate, and we are having a huge issue recruiting. It is not going well for us...this opens private companies up to fill the need even more. We should probably brace ourselves...

You make a great point about the optimal level of security changing relatively quickly. I can put good locks on my doors and windows and be reasonably sure I'm safe from break-ins for the foreseeable future. It doesn't work that way in information security--what's a good lock today could easily be worthless next week. It seems that surprisingly few people seem to understand that difference and still have a set-it-and-forget-it mindset in protecting their data (see: LastPass, GoDaddy, et al).

💯

I don't think your video is 100% accurate. My understanding of the technology is that you would still need the master password to perform the decryption which could take hundreds of years to brute force. Open to be corrected here but you need to explain more about why you think the lstest attack would allow this?

Very glad I left them a couple of years ago for the superb (and open source) Bitwarden 👍

When LastPass changed their policy for free users so that you could no longer use the same vault on different devices without a paid plan I downloaded my whole vault, purged it from LastPass and went with another provider. I'm sure my current vault provider will do the same eventually so you know what? I wrote my own. My encrypted vault now only exists on my devices, I can be sure it has no backdoors and is bespoke enough that no one else is going to know how to use it, where it is or even what it is. Good luck finding my passwords CIA.

Last pass gas

by the way, Matthew, if you examine the page source html markup of those disclosure webpages put up by LastPass, they are all set to <meta name="robots" content="noindex">

Anyone question why bitcoin has done what it has done in the last few days?

Amazing work! Get the best social marketing with 'promosm'.

I would really like to know what other data, other than the URLs, was not encrypted. LastPass seems to be very short on specifics in this regard.

4. Stop using LastPass. Personally, I was shocked that LastPass never bothered to encrypt my URLs and other metadata, which is now in the hands of hackers. Enough. I switched to 1password which seems a lot more secure.