All of those have been non-issues, and I have been daily driving Linux for several years now.
The only things I do from the terminal are updates, because I do not want to load application icons from the update manager. My bandwidth is metered most of the time due to travel. Doing it from the terminal is text based.
I cannot remember the last time I had to compile anything that wasn't related to something I was tinkering with out of curiosity. I wanted to compile those things.
Packages and dependencies are issues on Windows as well. The built-in application manager takes care of those? So I am not understanding that complaint.
Aside from a handful of multiplayer games that do run, but you just can't play due to anticheat software not working, every game in my Steam library and GOG has worked without issue through Wine/Proton. Native games also work great.
The problems I have with Windows 10/11, even after running those, are all the data it is constantly sending. Again, I am on a metered network, so MBs count. You cannot disable telemetry, you can only reduce how much is sent.
Pretty much, limiting MFA options to OTP only. Then the attacker getting access to customer shared secrets means they basically just have to guess the master password.
>Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
Unless I am misunderstanding this, they mention to business users the need to reset shared secrets from OTP providers.
>For users of Duo Security, Symantec VIP, RSA SecurID, or SecureAuth, regenerate the shared secret for each respective MFA solution and paste the new shared secret into the respective MFA app configuration in the Admin Console.
It did, AWS alerted them on the traffic. It reads like they ignored it and when investigators later started going over that data it jumped up and slapped them.
Seems like a lot of their talk of zero knowledge was bs.
>In December, we notified a subset of customers whose SCIM, Enterprise API, and SAML keys were stored in unencrypted form. This only affected customers who joined LastPass and used these services in 2019 or before.
This part just blew my mind.
>Important: Since resetting MFA shared secrets destroys all LastPass sessions and trusted devices for these users, these users will need to log back in, go through location verification, and re-enable their respective MFA apps to continue using the service.
I feel sorry for everyone's internal helpdesk. This is going to be brutal.
From what I can tell, all of LastPass's MFA options are based around some form of OTP, not WebAuthn.
We tested the above in our own environment; since we had control of the devices, we did not need URLs to do it. We just grabbed the data locally to confirm if it was true. At the time LastPass told us WebAuthn was in the pipeline, so we stayed.
I am confused as to why there is a hard requirement tied to Apple, Google, or MS accounts. I get that it's so they can sync to other devices, but what if I do not want them syncing?
At some point, the platforms may open their APIs and allow third-party providers to hook in and do the syncing. It can be expected that most current password managers will do that ASAP.