I’ve written a couple of posts about LastPass recently, both with praise for the way they are handling a potential security event. One might think that I’m a satisfied customer or even an investor but, in fact, I’d never heard of them before I wrote the Doing It Right post. I just think that a company that has a clue and does its best to serve and protect its customers deserves some praise.
That’s why it’s so outrageous that a lazy and ignorant press lumped a potential security event and LastPass’s appropriate response to it with the obviously egregious actions of Sony. It’s not like the facts are hard to understand:
- Sony
  Stored passwords, personal information, and some credit card information in plain text, used an outdated, unpatched version of Apache, and didn’t bother to install a firewall. When the inevitable attack came and was successful, they delayed notifying their customers and were less than transparent when they did.
- LastPass
  Performed regular, scrupulous reviews of their logs, accounting for every anomaly. When a change in the traffic pattern occurred that they couldn’t account for, they proactively warned their customers even though there was no direct evidence of a compromise. They immediately put precautionary procedures in place to ameliorate the damage in case a break-in did occur. They kept their customers informed throughout the event with regular updates on their site and an interview with PC World.
How are these two companies’ actions even remotely similar? Yet much of the press treated them as if they were similar. Some even reported as a fact that LastPass had been “hacked.”
Patrick Mylund Nielsen has a nice post over at Throwing Fire that explores this issue a little more deeply, but if you really want some red meat about the Tech Press, Michael Arrington over at TechCrunch has got it for you.