Monthly Archives: June 2015

LastPass Security Notice


It looks like LastPass has detected some suspicious activity on their system.  At this time they are not calling it a breach:

From the looks of things, attackers were able to get some non-password-related data, such as account email addresses, password reminders and salt values.  They are saying that the encrypted vault data (where actual encrypted passwords are kept) was not taken.  While this is certainly not “nothing”, it doesn’t seem to be terribly bad either.

They have a list of suggestions in the notice that are really just a good idea to do from time to time in any case:

  • Change your master password.  They will be asking everyone to do it (unless you have 2-factor authentication enabled)
  • Enable two-factor authentication.  I’ve had this turned on now for a few months using the free Google Authenticator app.  It’s a little bit of a pain when you’re in a hurry, but really it’s a very easy solution and it significantly increases the security on your data.  If you’re really security conscious try using the Yubikey hardware token!
  • Change the password on any site where you might have re-used your master password.  This is a bad idea anyway, so go do it now (and don’t reuse your new master password).

I’ve seen a lot of posts about how stupid it is to store all your password data in a centralized location.  But really, I couldn’t disagree more.  LastPass (and several other password management sites) have been audited, investigated, and even had portions of their code released as open-source for review and no one has found any problems with them, including some very big names in security and encryption: (I know lifehacker is hardly a security authority, but they have a nice article covering this exact scenario)

In addition, storing passwords is what these guys do.  It makes more sense to rely on experts to do this for you than for you to roll your own solution.  They have the expertise to do it right (even when there is a breach, their layered defenses make it virtually a non-issue), they have the tools to detect breaches quickly and hence rapidly mitigate the damage, and they have the reputation and professionalism to let their customers know that something happened and what they are doing to fix it.  Trying to roll your own solution is like trying to write your own database engine because you can do it so much better than all those “other guys” out there.  You are deluding yourself.

Along these lines, Bruce Schneier has some good suggestions on choosing your next secure [Master] password:

Don’t Hide the GitExtension VS Toolbar

Monday mornings are rough.  It’s always hard to drag yourself into work after a few days away.  But at least the sun was shining and the birds were singing.

Unfortunately my idealistic Monday morning was rudely interrupted by Visual Studio giving me this lovely dialog:


“Ok, no problem”, I thought to myself.  “I’ll just restart Visual Studio”.  A few hiccups once in a while is not unusual.  However after my 4th restart attempt including a reboot in the middle and still getting the error I was getting worried.  Was I looking at a long day of repairing/reinstalling Visual Studio?

I figured I’d do a quick search online, though I couldn’t imagine I would find anything useful under “Visual Studio Crash Startup”.  I was wrong.

The offending little scamp

I came across several mentions of GitExtensions causing problems.  Specifically the GitExtensions Toolbar within Visual Studio.  Apparently it REALLY doesn’t like being hidden.  Fortunately I had already had my coffee this Monday morning and the gears were turning in my head (had this happened just one hour earlier we may have had a very different outcome).  I remembered that on Friday I had done exactly this: I had hidden the GitExtensions Toolbar in Visual Studio.  I love Git and use it extensively for my personal and professional side projects.  But this VM I am running on is used only for my day job and we don’t use Git.  So I had figured I would clean up my environment a bit.  Little did I know the tripwire I had just hit.

Apparently this is a known issue in GitExtensions (has been fixed as of 2.48.04):

There are a couple of ways to fix this issue:

1. Start Visual Studio in safe mode and unhide the toolbar.  You can do this by starting Visual Studio from the command line with the appropriate command line arguments:

DevEnv.exe /safemode

2. Use Control Panel – Programs and Features to change your Git Extensions installation and remove the Visual Studio plugin (this is what I did).


3. Update to the latest version of Git Extensions.  This issue has been resolved.

Selecting the Constructor in StructureMap

I recently updated the StructureMap NuGet package in one of my projects to the latest version.  When I did this I was surprised when my code stopped compiling.  The code in question was code that specified which constructor to call on one of my dependencies.  Here is the old code that used to work just fine:

x.SelectConstructor<SessionGeneratorDefault>(() => new SessionGeneratorDefault((SecurityValues)null, false));

After I updated the NuGet package I started getting a compile error:

'StructureMap.ConfigurationExpression' does not contain a definition for 'SelectConstructor' and no extension method 'SelectConstructor' accepting a first argument of type 'StructureMap.ConfigurationExpression' could be found (are you missing a using directive or an assembly reference?)

If you go and look at the StructureMap GitHub page for constructor selection it shows that the format has changed:

Which led me to the following code:

x.ForConcreteType<SessionGeneratorDefault>().Configure.SelectConstructor(() => new SessionGeneratorDefault((SecurityValues)null, false));

Imagine my surprise when the code doesn’t work!  Oh, it compiled just fine, but at runtime it uses the incorrect constructor.

After a bit of trial and error I stumbled upon the fact that the “SelectConstructor” method is still available, it has just been moved in the object model.  So now the final code I came up with that works just fine is as follows (notice that it is all in one statement now as well instead of two):

             .SelectConstructor(() => new SessionGeneratorDefault((SecurityValues)null, false))

*NOTE I removed the parameter names from the .Ctor methods (“secValues” and “forceLocalMode”) as they were not needed as the constructor did not have multiple parameters with the same Type.  But they could be added for clarity if desired.
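
A complete registration in the shape the post arrives at, as an added example rather than the author's code: the interface ISessionGenerator, the class bodies, the extra three-argument constructor and the values passed to .Ctor are all assumptions, and it targets StructureMap 3.x or later.  Resolving the instance and checking which constructor actually ran catches the "compiles fine but uses the wrong constructor" failure described above.

```csharp
using System;
using StructureMap;

// Hypothetical stand-ins for the types named in the post.
public class SecurityValues { }

public interface ISessionGenerator
{
    string ConstructorUsed { get; }
}

public class SessionGeneratorDefault : ISessionGenerator
{
    public string ConstructorUsed { get; private set; }

    // Greediest constructor: StructureMap selects this one unless told otherwise.
    public SessionGeneratorDefault(SecurityValues secValues, bool forceLocalMode, string extra)
    {
        ConstructorUsed = "three-argument";
    }

    // The constructor the registration below selects explicitly.
    public SessionGeneratorDefault(SecurityValues secValues, bool forceLocalMode)
    {
        ConstructorUsed = "two-argument";
    }
}

public static class Program
{
    public static void Main()
    {
        var container = new Container(x =>
        {
            // One statement: plugin type, concrete type, constructor, then its arguments.
            x.For<ISessionGenerator>().Use<SessionGeneratorDefault>()
                .SelectConstructor(() => new SessionGeneratorDefault((SecurityValues)null, false))
                .Ctor<SecurityValues>().Is(new SecurityValues())
                .Ctor<bool>().Is(false);
        });

        // Verify at runtime, since a wrong selection still compiles.
        var generator = container.GetInstance<ISessionGenerator>();
        Console.WriteLine(generator.ConstructorUsed);
        if (generator.ConstructorUsed != "two-argument")
            throw new InvalidOperationException("StructureMap used the wrong constructor");
    }
}
```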