Slashdot Mirror


Companies Advise Tighter Security After Honan Hack

In the wake of the hacking of Mat Honan's accounts, Google, Facebook, Amazon, and Apple are just a few of the companies making their security policies tougher, and they are advising people to do the same. From the article: "Even as those companies’ teams moved to patch the holes, others moved to offer security tips. Matt Cutts, head of Google’s Webspam team, used his personal Website to urge Gmail users to embrace two-factor authentication. 'Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked,' he wrote in the August 6 posting."


  1. Feels like post-911 by A beautiful mind · · Score: 5, Insightful

    In the name of security, Google has been pestering me for my phone number for years, while their motives are much less about my security and more about their business reasons.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:Feels like post-911 by Anonymous Coward · · Score: 3, Funny

      God, this thing annoys the hell out of me.
      I need to write a userscript to auto-skip the page.

      I AM NEVER GIVING YOU MY CELLPHONE NUMBER, I DON'T AND NEVER WILL HAVE ONE, I DESPISE THEM.
      TAKE THE HINT GOOGLE.

      I swear if this leads to more messages about this, I am just switching e-mail services.
      My password is longer than the brain cells of most people who use Gmail, it ain't getting brute-forced any time soon.
      And I'm not someone stupid who runs fart.exe for funny fart noises.
      They should just have an option in the settings where you can straight-up state "I am not a stupid person" so they won't treat you like a god damn 5 year old.
      Every year that passes websites seem to get more insultingly simple. When is it going to be over? When will the web die? Will it be soon? Please tell me it will be soon!

    2. Re:Feels like post-911 by patchmaster · · Score: 5, Insightful

      Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

    3. Re:Feels like post-911 by vlm · · Score: 1

      I know for a fact you can use a GOOG voice number for two-factor. That's what I used. They technically advise against it, but allow it.
      It's just a backup for my authenticator app anyway. If I lose my phone, my paper password printout, access to my regular email, and everything else, then finally also lose or screw up my goog voice, then yes I'll be screwed.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:Feels like post-911 by Daas · · Score: 4, Informative

      You're OK with them storing every single one of your emails but not your phone number? I hope tinfoil hats are on sale these days.

      If you're too scared of using the phone number auth, just use the Android or iPhone authenticator app. Setup is quick, it's not too invasive and it just works.

    5. Re:Feels like post-911 by ThunderBird89 · · Score: 4, Insightful

      Yet it seems you're very happy to use the internet, whose death you so crave, to voice your opinion and grief about the internet you use to give voice to your opinion.
      Seeing the contradiction?

      [First sentence is deliberately self-referential and obfuscated]

      --
      Hyperbole: I use it liberally!
    6. Re:Feels like post-911 by citizenr · · Score: 1

      Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

      haha phone call from Google. You won't get one. You will receive one from a 3 letter agency reminding you about that anonymous post you made 15 years ago on some obscure board.

      --
      Who logs in to gdm? Not I, said the duck.
    7. Re:Feels like post-911 by Hatta · · Score: 1

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

      The fact that a single "no" is not enough to get them to stop asking is evidence enough.

      --
      Give me Classic Slashdot or give me death!
    8. Re:Feels like post-911 by rtfa-troll · · Score: 2

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

      The key thing to know is that phone based password recovery on Gmail has been used to hack accounts and that that has been widely publicised. In other words, giving your phone number over is less secure than not giving it over. In this case, Google is either stupid for continuing something they should know doesn't work or is evil for lying about why they want your phone number.

      P.S. They have no intention of using the phone number to call you; phone calls are much more expensive than the various other ways that Google has to contact you. What your phone number could potentially do is link together different accounts with different names and link you to friends who have that phone number in their uploaded phone directories.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    9. Re:Feels like post-911 by tlhIngan · · Score: 4, Insightful

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

      The fact that a single "no" is not enough to get them to stop asking is evidence enough.

      Not to mention Google really tries to hide the "No" button. It just pops up as a box that says you need to enter your phone number. If you look down, the link to skip it is very tiny, enough to miss it. I'm willing to bet most people don't even know there's an option to skip it.

      It also pops up randomly on you, and each time it seems the "No" link gets tinier and moved somewhere else.

      For Do No Evil, they certainly are applying all the usual marketing tricks to hide stuff like free downloads and such. If they really cared, it would be in normal font with text saying it's completely optional and you can bypass it by clicking the nice big link.

    10. Re:Feels like post-911 by 6ULDV8 · · Score: 1

      If I'm spammed, opening another Gmail account is free. Changing my phone number costs $36.

      --
      Pull my finger for my public key.
    11. Re:Feels like post-911 by Anonymous Coward · · Score: 2, Insightful

      Mat, the guy who was "hacked", also had a great password and didn't run attachments. The hackers didn't even need to know his password to gain access to his accounts. He was more a victim of using guessable e-mail addresses to log into Apple, Amazon, Gmail, and Twitter. He also bought stuff on Apple and Amazon. If you've done those things, then you too can be a victim. It was more a hack of the "forgot password" pages, some social engineering of the support staff, and intimate knowledge of the identification procedures of said companies.

    12. Re:Feels like post-911 by metrometro · · Score: 2

      +1 to evidence based paranoia. Google IS my phone number, and whatever their faults, they don't call me and don't appear to share that number.

    13. Re:Feels like post-911 by codegen · · Score: 1

      If you're too scared of using the phone number auth, just use the Android or iPhone authenticator app. Setup is quick, it's not too invasive and it just works.

      Myth #7 - The google authenticator app does not require your phone number and SMS messages.

      Fact - You cannot set up the authenticator app unless you have given your phone number to Google and first authenticated using SMS

      My cell phone number is known only to 10 of my friends and 2 companies (one of which is the provider). I have no intention of giving it to Google. Also, I only use gmail for personal non-financial/business mail. I have an email account that is protected by stronger privacy laws than exist in the US for my regular business.

      I have a close friend who is a retired reporter and does not own a cell phone. But she does own a 4th Gen iPod Touch. Surely she should be able to use google authenticator? The short answer is no she can't.

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
    14. Re:Feels like post-911 by jhoegl · · Score: 1

      Ironically people also use public forums to dispute their government, the very same government that gives them the freedom to do so.
      So... this isn't a new thing.

    15. Re:Feels like post-911 by filthpickle · · Score: 1

      forget it, he's rolling.

    16. Re:Feels like post-911 by c++0xFF · · Score: 1

      What part of ...

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

      didn't you understand?

    17. Re:Feels like post-911 by c++0xFF · · Score: 4, Insightful

      It's in Google's and your own best interest to make your accounts as secure as possible. They get a black eye in the media every time there's a high-profile hacking of a Google account ... which in turn hits at their reputation for providing solid, secure services.

      Given that most users don't know what's best for them, I think it's completely reasonable for them to pester a little bit about a way to improve security.

      Now, that said ... there should be a way to turn the reminder off completely. Some people (me) simply can't use it.

    18. Re:Feels like post-911 by Anonymous Coward · · Score: 1

      And how have you prevented your 10 friends from syncing their address books through any 3rd party software?

      On a more personal note, why do you have a cell phone to call only 10 people?

    19. Re:Feels like post-911 by kqs · · Score: 1

      I AM NEVER GIVING YOU MY CELLPHONE NUMBER, I DON'T AND NEVER WILL HAVE ONE, I DESPISE THEM.
      TAKE THE HINT GOOGLE.

      I swear if this leads to more messages about this, I am just switching e-mail services.
      My password is longer than the brain cells of most people who use Gmail, it ain't getting brute forced any time soon.

      You despise Google but use their email? You seem to be a very confused person...

      Why do you think the length of your password matters? Do you seriously think people are brute-forcing gmail passwords?

      Google wants phone numbers for exactly one reason: so that when, against all odds, the gmail account of a self-proclaimed genius is hacked, google can restore the account to their control. Otherwise, after posting screeds about the Evil Google trying to steal their phone number, this theoretical mental midget posts rants about how Google let their account be hacked but somehow cannot determine who is the owner and who is the hacker when a password reset is requested. Google is screwed in the media whatever happens, but you should be glad they err on the side of giving people a reasonably secure channel to recover their account even if they determinedly avoid such sanity.

    20. Re:Feels like post-911 by GumphMaster · · Score: 1

      No, the poster despises cellphones and will never have one. Google's insistence on repeatedly asking for a cellphone number when none is forthcoming is the source of the rant. It annoyed me too but I haven't been prompted for a while now.

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
    21. Re:Feels like post-911 by Plumpaquatsch · · Score: 1

      Yet it seems you're very happy to use the internet, whose death you so crave, to voice your opinion and grief about the internet you use to give voice to your opinion. Seeing the contradiction?

      Should I be worried that you take a rant against Google as a rant against the Internet?

      --
      Of course news about a fake are Fake News.
    22. Re:Feels like post-911 by ThunderBird89 · · Score: 1

      When will the web die? Will it be soon? Please tell me it will be soon!

      QED.

      --
      Hyperbole: I use it liberally!
    23. Re:Feels like post-911 by Xest · · Score: 1

      This is the fundamental problem with anti-Google FUD, despite all the claims of "Google collects this", and "Google collects that", the claims that it's a privacy nightmare have yet to materialise. Google has a lot of information on me and has for over 10 years, but I've never ever seen it end up in the hands of other companies I'm not happy with or used in ways I was not expecting.

      Compare this to Facebook, Microsoft, Monster.com, who have all also had data on me and have managed to pass it to companies I did not give them permission to leak it to, which is a breach of the Data Protection Act in the UK. I know for a fact it was these companies as only these companies held such data. For example, I had a friend with whom my only connection was via MS Messenger and whom none of my other friends knew. This friend was later recommended to me as a contact on both LinkedIn and Facebook, so it's pretty clear Microsoft sold/leaked my contact information to these companies. Similarly I've had spam to e-mail addresses uniquely used for each of these companies. Google? Never had any such thing.

      But it's all part of this sort of thing:

      http://falkvinge.net/2012/03/02/how-microsoft-pays-big-money-to-smear-google-audaciously/

      This is why Google is constantly being probed over privacy, which is no bad thing - companies should be held accountable to privacy laws - but there is a gross disparity between what Google gets investigated for and what Microsoft, Facebook et. al. do not. It doesn't take much to put two and two together and see why when Microsoft is pouring so much into trolling Google with lobbyists in various governments and parliaments across the globe.

      Personally I prefer to stick to the facts, maybe one day the fanboys will be proven right and Google will spread every single bit of data they hold on me far and wide across the internet and use my information to steal all my money and fit me up for a murder I did not commit or whatever the fanboys and trolls predict will happen to anyone that uses Google's services, but right now there's no sign of any such thing with Google and again, in contrast, there is with companies like Microsoft and Facebook. Hell, even Amazon managed to fuck up one of my orders once and ended up sending my book, the packing receipt with my name, address, e-mail and so forth on to some random person, whilst sending me someone else's details and their order in a box with my address on, which is still worse than anything Google has done.

      I give my consent for some companies to hold some of my data, and whilst Slashdot has more than its fair share of "off-the-grid" fantasists I'd wager none of them actually genuinely practice that ideology and that pretty much everyone here hands some private data over to private companies - possibly even against their will as government mandated data collection is passed to 3rd parties to store/process. The companies I respect are the ones who keep that data safe and do not abuse that data. Google is one of those who for over a decade now has not let me down in this respect, which is more than can be said for 90% of other tech companies I've dealt with. There's a massive divide between what it's claimed Google could do with your data, and what it has ever actually done with it in practice. I'm under no illusion that it uses it to improve its ad service and so forth, but that's the price I pay for using their services; what it doesn't do is sell or pass my data on to others, at which point it is much more out of my control as to what it's used for, and that's what matters to me.

    24. Re:Feels like post-911 by Plumpaquatsch · · Score: 1

      Guessable emails? They're supposed to be public you know. It's not like you make your clients guess your email to contact you, do you?

      "guess my phone number if you want to go on a date!"

      Let me explain: the hacker wanted his (three letter) Twitter account; to get it he had to get into his Google account. He went to the Google account password recovery page, which obfuscates the alternative address he gave to send the recovery email to. And that happened to be the (despite obfuscation) easily guessable same.name@me.com. Mostly because a) he used the same name part for all email accounts and b) Google does a bad job at obfuscating the @me.com part - the first three letters each of the name and domain part seems to be their standard, so for same.name@me.com they show sam******@me.***.

      --
      Of course news about a fake are Fake News.
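The masking scheme the comment above describes, written out as an added example (not Google's code; the rule "first three characters of each part, the rest starred" is taken from the comment, and the target address and guess list are constructed for the illustration). It shows how little a prefix mask hides from someone who already knows the victim's handle, and, as an assumed alternative that is not any vendor's design, a fixed-width mask that does not leak length or top-level domain:

```python
"""Recovery-address masking as the comment describes it, and why a reused
handle defeats it.  Added example; the masking rule is an assumption taken
from the comment, the addresses below are constructed."""

from typing import Callable, List, Tuple

STAR = "*"


def mask_prefix(address: str, keep: int = 3) -> str:
    """Keep the first `keep` characters of the local part and of the domain,
    replace the rest with stars one for one.  The mask therefore leaks the
    prefix *and* the exact length of each part."""
    local, domain = address.rsplit("@", 1)
    return (local[:keep] + STAR * max(len(local) - keep, 0)
            + "@" + domain[:keep] + STAR * max(len(domain) - keep, 0))


def mask_fixed(address: str) -> str:
    """Assumed alternative: one character of each part and a fixed number of
    stars, so neither the length nor the top-level domain is revealed."""
    local, domain = address.rsplit("@", 1)
    return local[:1] + STAR * 4 + "@" + domain[:1] + STAR * 4


def leaked_structure(masked: str) -> Tuple[str, int, str, int]:
    """What an attacker reads off a prefix mask: both shown prefixes and the
    total length of each part."""
    local, domain = masked.rsplit("@", 1)
    return (local.rstrip(STAR), len(local), domain.rstrip(STAR), len(domain))


def build_candidates(handle: str, domains: List[str]) -> List[str]:
    """Guesses for someone who reuses one handle everywhere: the handle as is,
    without the dot, and its first word, on each common domain."""
    variants = {handle, handle.replace(".", ""), handle.split(".")[0]}
    return sorted(f"{v}@{d}" for v in variants for d in domains)


def matching_candidates(masked: str, candidates: List[str],
                        masker: Callable[[str], str]) -> List[str]:
    """Keep only the guesses whose mask is identical to the one displayed."""
    return [c for c in candidates if masker(c) == masked]


if __name__ == "__main__":
    target = "same.name@me.com"                       # constructed target
    shown = mask_prefix(target)                       # what the page displays
    print(shown, leaked_structure(shown))
    guesses = build_candidates("same.name", ["me.com", "gmail.com", "icloud.com"])
    print(matching_candidates(shown, guesses, mask_prefix))               # one hit
    print(matching_candidates(mask_fixed(target), guesses, mask_fixed))   # several
```

With the prefix mask the nine guesses collapse to a single address; with the fixed-width mask three of them remain indistinguishable. Neither mask is a substitute for not tying the recovery channel to an address the attacker can reach through another provider's reset flow, which is the chain the comment describes.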
    25. Re:Feels like post-911 by Plumpaquatsch · · Score: 1

      And how have you prevented your 10 friends from syncing their address books through any 3rd party software?

      He can't - that's why he doesn't want to give Google his phone number, so Google can't link his identifying phone number with the same phone number in his friends' synced phone directories.

      --
      Of course news about a fake are Fake News.
    26. Re:Feels like post-911 by Plumpaquatsch · · Score: 1

      When will the web die? Will it be soon? Please tell me it will be soon!

      QED.

      So you take the last couple of words from a long rant against Google, and claim the whole thing to be against the internet, for which you have to equate "the web" with "the internet"? QED indeed.

      --
      Of course news about a fake are Fake News.
    27. Re:Feels like post-911 by ThunderBird89 · · Score: 1

      As he goes on, he goes from anti-Google to griping against "insultingly simple websites", which make up an increasing percentage of the internet in his opinion (reading between the lines). At least that's the impression I get from the rant, hence taking it to be against the internet in general.

      --
      Hyperbole: I use it liberally!
    28. Re:Feels like post-911 by ThunderBird89 · · Score: 1

      Yes, but not disputing the forum itself. In your analogy, I'd equate the internet with the forum, not with the government (after all, the internet is the means for dispute, not the subject), with internet fora being subsets.

      --
      Hyperbole: I use it liberally!
    29. Re:Feels like post-911 by HybridST · · Score: 1

      It annoys me every time i need to login, especially on my iDevice where i have to click no, reload, hit back and refuse again before it loads properly.

      I should set up a voip number similar to a certain luggage combo and enter that to click yes but i bet it would violate the TOS...

      --
      Ever notice that Cobra Commander sounds an awful lot like Star scream?
    30. Re:Feels like post-911 by Nyder · · Score: 1

      Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

      What I find funny is I have a Google Voice account, and I have a gmail account and oddly enough, they are both the same account, yet I still get Google asking for my phone number. Seriously google, you have all my phone numbers already. Not sure why you are so stupid about it though...

      --
      Be seeing you...
    31. Re:Feels like post-911 by Teun · · Score: 1
      Duh, the government is me.

      Or at least a small part of it is till the next vote.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    32. Re:Feels like post-911 by Teun · · Score: 1

      Those that don't have a cell phone will find the button, those that prefer privacy don't use a google account.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    33. Re:Feels like post-911 by pnutjam · · Score: 1

      I think facebook and linkedin somehow scrape information if you have your email authenticated in a different browser tab. I don't know how to test this, but I am suspicious.

  2. two-factor security by jellybear · · Score: 1

    One major problem with Google's two-factor authentication is that it requires mobile phone reception. There are many settings where mobile reception is not available. It would make more sense to SMS or print a one-time pad with enough numbers to last until the user decides to generate a new pad.

    1. Re:two-factor security by zrbyte · · Score: 1

      No it doesn't. You can use the Google authenticator app.

    2. Re:two-factor security by ThunderBird89 · · Score: 1

      It has an OTP you're required to save before completing the process (ten keys), and the mobile app doesn't require a data connection to my knowledge, after the initial pairing.

      --
      Hyperbole: I use it liberally!
    3. Re:two-factor security by cvtan · · Score: 1

      You need a smart phone for that. You can print out a bunch of verification codes and stick them in your wallet. Cell reception is not reliable.

      --
      Sorry, but gray text on gray background is making my eyes bleed.
    4. Re:two-factor security by kaiser423 · · Score: 5, Informative

      Uh, they do have a one-time pad of pre-authenticated numbers, and an app that doesn't require an internet connection. I've authenticated from a 9200bps modem from the middle of the Pacific using my list of one-time security access codes.

      In other words, it's glorious. Google does security right, and everyone else needs to take notice. Including corporate IT departments. I've used it for years, and every now and then when I need a new account, I go and get an outlook.com account or similar, because all the regular names are taken in gmail, but I always feel so naked using them. No security at all.
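The printed one-time codes the comment above relies on, as an added example of how a server can issue and honour them (not Google's implementation: the 8-digit format, the salted PBKDF2 storage and the delete-on-first-use rule are this example's own choices). The point the paragraph does not show is what makes a code "one-time": the server keeps only a hash and removes it the moment it is redeemed.

```python
"""Single-use backup codes for a second factor that works without reception.
Added example; format and storage are assumptions, not any vendor's design."""

import hashlib
import hmac
import secrets
from typing import Callable, List, Tuple

CODE_DIGITS = 8          # assumption: 8 digits is easy to copy from paper
PBKDF2_ROUNDS = 100_000  # slow hash: only 1e8 codes exist, so a fast hash would be brute-forced offline


def generate_backup_codes(count: int = 10,
                          randbelow: Callable[[int], int] = secrets.randbelow) -> List[str]:
    """Codes the user prints and keeps offline.  `randbelow` is injectable so a
    test can be deterministic; real callers keep the `secrets` default."""
    return [f"{randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(count)]


def _digest(code: str, salt: bytes) -> bytes:
    # Tolerate the spacing people add when copying from a printout.
    normalised = code.replace(" ", "").replace("-", "")
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side record: one salted slow hash per code, deleted on first use.
    The plaintext codes exist only on the user's printout."""

    def __init__(self, codes: List[str],
                 token_bytes: Callable[[int], bytes] = secrets.token_bytes):
        self._entries: List[Tuple[bytes, bytes]] = []
        for code in codes:
            salt = token_bytes(16)
            self._entries.append((salt, _digest(code, salt)))

    def remaining(self) -> int:
        return len(self._entries)

    def redeem(self, presented: str) -> bool:
        """Accept a code at most once.  Every stored entry is checked, since the
        server cannot know which one was typed; the matching entry is removed
        before returning, which is what makes the code one-time."""
        for index, (salt, stored) in enumerate(self._entries):
            if hmac.compare_digest(_digest(presented, salt), stored):
                del self._entries[index]
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes(5)
    print("print these and keep them offline:", codes)
    store = BackupCodeStore(codes)
    print(store.redeem(codes[0]))   # first use: accepted
    print(store.redeem(codes[0]))   # second use: rejected
    print(store.remaining())        # one fewer code left
```

Redeeming should also be rate-limited per account in a real deployment; the slow hash protects a leaked database, not an online guessing attacker.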

    5. Re:two-factor security by kaiser423 · · Score: 2

      But the app doesn't require cell phone service to be usable. You just need the smartphone or tablet. (in reference to your last sentence).

      I do have a printout of one-time codes, but I find that I never use them anymore because I always just use the phone app, because it works as long as the phone has juice. Which you should have some available if you're using a computer to check your gmail...

    6. Re:two-factor security by robmv · · Score: 3, Informative

      Adding more info about the application: the client is OSS, so anyone can port it to Windows/Linux/Mac/browser extension/you name it. There is nothing in Google's solution that requires a smartphone or a data connection.

    7. Re:two-factor security by jellybear · · Score: 1

      Oh, hey, you're right. Nice.

    8. Re:two-factor security by robmv · · Score: 2

      As others have said, there is no need for a data connection. The common problem users experience with Google's application (which implements the OATH standard) is that it requires a little time synchronization: if your phone's date and time are too far from the real one, the generated code will not work. Google's application requests the Internet connection permission in order to query the time from Google's servers and store the offset from your phone's time, in case your phone's time is wrong. It connects sometimes to update that offset when connectivity is available. If you have the correct date and time (and timezone), data connectivity is never needed.

  3. Big brother by Anonymous Coward · · Score: 1

    Strong long password is all I need for a free email service.

    Why would I want to give my mobile number to google with their track record on privacy etc...

    This smells the same as the 'iPhone is uncrackable' story.

  4. Thank you Mat by wiedzmin · · Score: 1

    You took one for the team.

    --
    Bow before me, for I am root.
  5. And 2 factor will do what? by the_B0fh · · Score: 2

    Assuming no one can hack SSL, and I do not login from unknown computers, what will 2 factor do for me? Any computer I use to check gmail is fully under my control.

    1) no man-in-the-middle sniffing
    2) no key logger sniffing
    3) assuming no one steals the password file from Google
    4) my gmail password is not used elsewhere.

    1. Re:And 2 factor will do what? by kaiser423 · · Score: 3, Insightful

      Any computer I use to check gmail is fully under my control.

      Lucky you. That's not the case for most of us.

    2. Re:And 2 factor will do what? by the_B0fh · · Score: 1

      I do realize that :) Not too many people can have a computer or phone that is fully under their control, especially if it's work provided. But all mine are installed from media (openbsd, debian, osx, and even windows).

      I would be screwed if something like On Trusting Trust happens, but then they could just man-in-the-middle the transactions anyway.

    3. Re:And 2 factor will do what? by KhabaLox · · Score: 2

      Assuming no one can hack SSL, and I do not login from unknown computers, what will 2 factor do for me?

      You are perhaps not the best target for 2-factor as your secondary (or tertiary) security measures given the fact that you already use 3 different security practices when accessing email: SSL, own computer, un-shared password. You probably also have a robust password. A lot of, if not most, people use only one, weak level: a six to eight character password shared across multiple sites. Two-factor will help them. (Of course, they should also use a unique, harder to crack password, but turning on 2-factor auth is probably easier).

      Also, if you only access from trusted computers, 2-factor auth only needs to be set up once. Unless you are really paranoid about giving out a phone number, what's the bother?

      --
      Ceci n'est pas un sig.
    4. Re:And 2 factor will do what? by Straker Skunk · · Score: 1

      Assuming no one can hack SSL

      The bad guys don't have to hack SSL. They only have to hack a certificate authority.

      (IIRC, this is how the Chinese government broke into the Gmail accounts of various dissidents/activists.)

      --
      iSKUNK!
    5. Re:And 2 factor will do what? by metrometro · · Score: 1

      "Any computer I use to check gmail is fully under my control."

      That's not really webmail then, is it? Most products are more secure when you don't use them.

    6. Re:And 2 factor will do what? by the_B0fh · · Score: 1

      And I only use Chrome, which pins the certs, for gmail :)

      Well, I do use mail.app on the iphone... hmm... must go find out more about that.

    7. Re:And 2 factor will do what? by the_B0fh · · Score: 1

      And how does 2 factor protect you from any of the scenarios you mentioned?

      You do realize anyone with the power to reset your password/unlock your account, has that power whether you have 2 factor or not?

    8. Re:And 2 factor will do what? by the_B0fh · · Score: 1

      #1 - not willing to give out my phone number to google.
      #2 - if you only set it up once, that may not be the 2 factor you think you have...

    9. Re:And 2 factor will do what? by the_B0fh · · Score: 1

      What in the world are you talking about? I understand the individual words, but there appears not to be any sense to the way you're putting them together.

    10. Re:And 2 factor will do what? by KhabaLox · · Score: 1

      #2 true, but then that goes for your "trusted computer" scenario. If you assume your computer is under your full control (the assumption I make for my desktop and laptop) then you don't "need" 2-factor. What the 2-factor prevents is someone stealing your password and logging in from their computer. If they steal your laptop or desktop (i.e. you lose the physical security layer), then you're in trouble anyway.

      --
      Ceci n'est pas un sig.
    11. Re:And 2 factor will do what? by metrometro · · Score: 1

      My point is that the obvious advantages of "web-based" email aren't really being delivered if you have to limit it to specific hardware in order to securely use it. Two factor lets you use webmail to its potential (ie hardware agnostic) with some of the security assurances that hardware-specific solutions (like yours) can achieve.

      In general, I think security systems that require users to act against the implied promises of the UI are crappy systems, so I'm glad to see two factor auth - a partial solution to keyloggers and whatnot - being promoted.

    12. Re:And 2 factor will do what? by the_B0fh · · Score: 1

      I'm referring to your previous comment that 2 factor authentication only needs to be set up once. If that's the case, it is *NOT* 2 factor authentication.

      Someone stealing my laptop won't get my info because I have full disk encryption, so unless they can break my password...

    13. Re:And 2 factor will do what? by the_B0fh · · Score: 1

      I do not authenticate to any services on anything I don't control.

      If you do, more power to you, but the same malware that can keylog your session can also insert itself into your data stream, whether there's SSL or not. So I don't understand what are the advantages of logging in on any computer you do not control.

    14. Re:And 2 factor will do what? by KhabaLox · · Score: 1

      I'm referring to your previous comment that 2 factor authentication only needs to be set up once. If that's the case, it is *NOT* 2 factor authentication.

      Well, you are semantically correct. When Google's 2-factor is turned on, anytime you log on to the account from an untrusted* computer, you must enter the 2nd factor authentication code. To be 100% 2 factor authentication you would want to force the entry of the second factor for *every* single login, but you also want to balance security and convenience based on your personal risk management algorithm. Just as it makes sense for you to not use 2-factor authentication because you always log in from a computer you control, it makes sense for a Google user to use 2-factor only when they log in from a computer that they don't control.

      Someone stealing my laptop won't get my info because I have full disk encryption, so unless they can break my password...

      Question on that: I'm guessing you run Linux, and thus your login password is probably harder to crack, but if you were running Windows, and thus had a relatively easy way to crack the login password, would full disk encryption still protect you?

      *I'm not sure, but it may ask for the 2nd factor every X logins from a trusted computer.

      --
      Ceci n'est pas un sig.
    15. Re:And 2 factor will do what? by dkf · · Score: 1

      "Any computer I use to check gmail is fully under my control."

      That's not really webmail then, is it? Most products are more secure when you don't use them.

      You're claiming it's only webmail if you access it from a dodgy webcafe in Vietnam? That's... a strange position to take.

      OK, I've done a slight exaggeration of your position there, but really there's nothing about webmail that says you have to authenticate to it with a non-crypto identity (though particular services might not be so cautious) and from a device that you don't control utterly. Client devices are pretty cheap now, and common too, so you won't look strange for carrying yours around with you. You can even throw those who question it off by claiming that you're doing it because you only feel comfortable using a device with the right background wallpaper; they'll think you're a strange OCD type, but won't probe more deeply. Meanwhile, you get the benefit of knowing that you've not got physical keyloggers installed (and you know you've not installed malware on it, yes?)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  6. Lost Mobile Phone by RajivSLK · · Score: 1

    The only problem I have with two factor authentication for Gmail is if I lose my phone how do I access my email? I don't want to be locked out of my email, ever.

    1. Re:Lost Mobile Phone by lpq · · Score: 1

      The only problem I have with this is -- what if you don't have a mobile phone?

  7. No 2 factor please by Chemisor · · Score: 2

    2 factor authentication is unacceptable for anything that's frequently used. If you log in to your online banking account once a month, it's ok to jump through a few extra hoops for security. But for something you do every day, or several times a day like email, any extra barriers are unacceptable. I don't even want to enter my password more than once a day, why would I go through the incredible hassle of 2 factor authentication?

    1. Re:No 2 factor please by Ant2 · · Score: 1

      I am guessing you have not tried Google's 2-factor authentication?
      I enabled it last week. I had to create a few application-specific pass codes and add a couple of machines as trusted. Done. Not bothered since.

    2. Re:No 2 factor please by dgatwood · · Score: 1

      What you're really pointing out here is the need for different tiers of authorization. Without any unlock, I would like to be able to:

      • Call numbers from my preferred phone number list (including hands-free use)
      • Run the music player app
      • Use the maps application
      • Use the web browser.

      I would like to be prompted for my unlock password when:

      • I try to access notes, my calendar, or my mail.
      • I try to change any settings.
      • I try to do anything that could potentially cost me money.
      • I navigate to a web page for which a password or other autofill information exists.

      Similarly, for online banking, I would like an easy-to-remember password for:

      • Checking account balances
      • Viewing my transaction history

      I would like to be prompted for additional authentication when I:

      • Send a message to the bank.
      • Attempt to pay a bill to a new recipient or to a different account at an existing recipient.
      • Transfer money into or out of my account.

      Amazon is a good example of this sort of distinction in action. With a single password, I can place orders and have them sent to me. However, if I add a new destination address, they make me type in the CVV code from my credit card.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:No 2 factor please by dgatwood · · Score: 1

      I am guessing you have not tried Google's 2-factor authentication? I enabled it last week. I had to create a few application-specific pass codes and add a couple of machines as trusted. Done. Not bothered since.

      That's because most of the time, Google's two-factor authentication isn't real two-factor authentication. It requires something you know, plus something you know. A stored cookie in a browser is just a shared secret (something you know), as is a password. Therefore, it is not true two-factor authentication any more than asking for two passwords is two-factor authentication. True two-factor authentication requires two different factors, not two instances of the same factor.

      And even to the extent that it tries to require a second factor (requiring you to confirm using your cell phone when you add a new machine), it isn't a very good second factor. If your password got cracked, odds are pretty good that they stole your password by cracking into your mobile phone, at which point your second factor is no better than the first.

      When you experience real two-factor authentication, you'll know it. It is cumbersome. It has to be. Any factor that isn't cumbersome (read "not networked") is likely to be a terrible second factor, if it qualifies as a second factor at all.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:No 2 factor please by alcourt · · Score: 1

      I've used real multi-factor auth in the form of SecurID. It isn't cumbersome. Doing it right doesn't have to be a PITA. If Google wanted to make it easy, they'd distribute a SecurID like local app to disgorge one time passwords when poked with your local passphrase.

      Currently, I use the mobile SecurID app because I can treat my work phone like my physical factor. The fact that I can't copy that to another phone and have it "just work" suggests that it was done right here. (I'm not on the SecurID support team).

      We aren't trying to protect national secrets here. Always keep in mind your threat model when designing your security. The real failure of Google's design is it presumes everyone has a mobile phone supporting SMS that they are willing to use regularly.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
    5. Re:No 2 factor please by dgatwood · · Score: 1

      Cumbersome is relative. Hardware tokens cumbersome so long as you only have one of them on your keychain. If every site used it, you'd need a chiropractor pretty quickly, not to mention stronger pants pockets. And if you switch to a model of central authentication, now you have one site that can be compromised and trivially turn hundreds or thousands of sites' security into a four-digit PIN, while simultaneously rendering hundreds of millions of dollars worth of hardware tokens useless until the users mailed in the tokens to get them rekeyed (or for devices that cannot be rekeyed, permanently useless).

      In other words, if it isn't cumbersome for the user, it probably isn't particularly secure. In theory, there are ways of doing something that isn't too cumbersome and is still secure, but they would require smarter CryptoCard-like devices that let you generate new site-specific keys on the fly that you can type in (over a secure channel) as part of setting up an account with a website.

      The fact that I can't copy that to another phone and have it "just work" suggests that it was done right here. (I'm not on the SecurID support team).

      AFAIK, you can prevent migration just by storing the data in the keychain and setting a couple of flags so that it won't get backed up or migrated. However, I'm pretty sure none of those protections will help you in the slightest if the device actually gets compromised. It's a bit like trying to hide your files from root.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    6. Re:No 2 factor please by dgatwood · · Score: 1

      Ouch. Somehow, I lost a word from that second sentence. I meant to say "Hardware tokens aren't cumbersome...".

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    7. Re:No 2 factor please by kqs · · Score: 1

      If Google wanted to make it easy, they'd distribute a SecurID like local app to disgorge one time passwords when poked with your local passphrase.

      Yeah, they could call it something like Google Authenticator. Like any local app or hardware token it's really something you know (the seed in the app), but it is hard enough to get the seed that it is effectively something you have.

    8. Re:No 2 factor please by alcourt · · Score: 1

      Every factor could theoretically be reduced to something you "know", except it isn't something you know, because you can't key it in manually. Even a hardware token is really "something you know" in the strictest sense, the seed. But that's not what is generally meant by security folks when they speak of multi-factor.

      The Google Authenticator app last I saw only worked on Android devices. Not everyone has a fancy cell phone. Some of us make do with a regular computer or laptop.

      I think Google is trying to do mostly the right thing, but is falling down in implementation. Personally, I'm a fan of public key authentication of the client rather than just the server. Sometimes, older ideas really are good. We don't need brand new ones, just realizing how to reapply the old ones.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
    9. Re:No 2 factor please by alcourt · · Score: 1

      The point of such software is the software alone is worthless. You still need that second factor of the "something you know" to make any use of it. For example, you must compromise both the device and the PIN in the SecurID case. As I understand, the software somehow binds itself to some kind of machine identifier on installation, and that is used in device setup, making migration difficult if not impossible. Maybe it is using a hostID to modify the generated number. Not necessarily impossible to fake, but raising the difficulty level.

      We as security geeks are a bit two-faced about authentication. We want good authentication services, we don't want a central authentication repository that can invade our privacy by knowing everywhere we authenticate. We want google to authenticate us with more than a simple password, we don't want to give google too much data about ourselves. We don't want to give a dedicated authentication service information about who we are authenticating to.

      The solution that most comes to mind is a kerberos style approach where you create a ticket that anyone can validate readily, but they don't need to talk to the central repository to do so. You do need to talk to the central repository to create said ticket though, which would make availability crucial. Of course there are problems with this approach, but one has to start somewhere with tossing ideas out.

      The old "security must be cumbersome" theory is one I'm constantly fighting in my job. My standard counterexamples are centralized security logs vs managing per system local logs, SSH keys vs local passwords. Even how we do SecurID is a lot simpler than local passwords for me.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
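
Added example, not code from any poster and not Kerberos itself: a simplified, MAC-based analogue of the ticket idea in the comment above. The central service holds one long-term key per relying service and mints tickets bound to a service name and an expiry; the service validates a ticket offline with its own key and never contacts the central service during validation. Real Kerberos encrypts the ticket under the service key and adds a session key and authenticator; this demo keeps only the "anyone holding the service key can validate locally" property. Service names, keys and lifetimes are constructed for the demo. The privacy cost the poster mentions is visible in `issue()`: the issuer necessarily learns which service each ticket is for.

```python
# Added example (not from the thread): offline-verifiable, Kerberos-flavoured
# tickets using only the standard library. Keys and names are demo values.
import hashlib
import hmac
import json
import secrets


class TicketIssuer:
    """Central authentication service. Authenticating the user (password,
    OTP, whatever) is out of scope; this class only mints tickets. It holds
    a long-term key per relying service and therefore sees which service
    every ticket is for."""

    def __init__(self, service_keys: dict):
        self._service_keys = service_keys  # service name -> 32-byte key

    def issue(self, user: str, service: str, now: int, lifetime: int = 600) -> str:
        key = self._service_keys[service]
        claims = {"user": user, "svc": service, "iat": now,
                  "exp": now + lifetime, "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag          # tag is hex, so it contains no '.'


class Service:
    """Relying party. Validation needs only the service's own long-term key:
    no round trip to the issuer, which is the availability point the poster
    raises (the issuer must be up to mint, not to validate)."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key
        self._seen_nonces = set()        # replay cache, bounded by lifetime in practice

    def validate(self, ticket: str, now: int):
        """Return the user name the ticket vouches for, or None."""
        body, _, tag = ticket.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                  # wrong key, or tampered
        claims = json.loads(body)
        if claims["svc"] != self.name:
            return None                  # ticket minted for another service
        if not claims["iat"] <= now < claims["exp"]:
            return None                  # not yet valid or expired
        if claims["nonce"] in self._seen_nonces:
            return None                  # replayed within its lifetime
        self._seen_nonces.add(claims["nonce"])
        return claims["user"]


if __name__ == "__main__":
    keys = {"mail": b"m" * 32, "calendar": b"c" * 32}   # demo keys
    issuer = TicketIssuer(keys)
    mail = Service("mail", keys["mail"])
    t = issuer.issue("alice", "mail", now=1000)
    print(mail.validate(t, now=1100))    # alice
    print(mail.validate(t, now=1100))    # None (replay)
```

Note that the replay cache must be kept at least as long as the ticket lifetime, and that a ticket for "calendar" fails at "mail" for two independent reasons: the MAC was made with the wrong key, and the `svc` claim does not match.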
    10. Re:No 2 factor please by dgatwood · · Score: 1

      The point of such software is the software alone is worthless. You still need that second factor of the "something you know" to make any use of it. For example, you must compromise both the device and the PIN in the SecurID case.

      Not really. Typically, systems based on those sorts of devices use a four-digit PIN. Wanna guess how many seconds it takes to crack a four-digit PIN? Besides, chances are, the user will end up logging in to some of those systems from the phone, at which point you have the PIN, too. :-)

      As I understand, the software somehow binds itself to some kind of machine identifier on installation, and that is used in device setup, making migration difficult if not impossible.

      I'm guessing that's referring to using data protection APIs. That protects against someone physically messing with the device who doesn't know the passcode. As far as I know, it isn't useful against a remote attack (wherein the attacker is able to continue running code on the device over a period of time) because eventually the user is going to unlock the device, at which point those files become readable.

      The old "security must be cumbersome" theory is one I'm constantly fighting in my job. My standard counterexamples are centralized security logs vs managing per system local logs, SSH keys vs local passwords. Even how we do SecurID is a lot simpler than local passwords for me.

      Don't misunderstand me. I'm not saying that security has to be cumbersome, so much as that good security usually is, and that if it looks too easy to be robust, it usually is. More often than not, when someone makes security easier, they do it by adding shortcuts that weaken security. Being able to permanently authorize a particular computer so that it requires fewer (or no) credentials is a great example of such a shortcut. Being able to reset passwords by answering security questions is a shortcut. And so on. These make security less cumbersome at a significant cost to actual security.

      When security seems convenient, I immediately start looking for the flaws. Usually it doesn't take very long to find at least one.

      We want good authentication services, we don't want a central authentication repository that can invade our privacy by knowing everywhere we authenticate.

      Eh. That's a pretty low concern for me. I mean ostensibly yes, but in practice, I'm more concerned about it from the opposite perspective—that compromising a single site would give someone near unlimited ability to screw with my digital life. :-) There are no companies out there that I would trust with that kind of power—not even my employer or any of my former employers.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    11. Re:No 2 factor please by alcourt · · Score: 1

      Even RSA admits no one should use a 4 digit PIN. The reason the PIN is acceptable in length is the only way to test a PIN is valid or not is to use it with the code to enter a passcode on an authentication site. If you are allowing over a thousand bad guesses, you're doing something else wrong. The PIN is used to modify the 8 digit token displayed on the screen and then that result is what is entered. Hardware tokens still have you enter PIN and token manually in some cases (not all hardware tokens work this way), but the packet is in theory encrypted. You do make them authenticate over an encrypted channel, right?

      Yes, someone might compromise the device with the software token, but that in theory should be hard. That's why people tell you to keep that bit better protected than most. Is it perfect? Of course not. We're breaking all six (5+1) rules of computer security (first being, don't have a computer). The point of this stronger authentication is never perfect security. Of course, no matter what authentication you use, if you actively compromise their source device completely, you'll get through it. It is to complicate the attack significantly.

      In my job, whenever people say security must be cumbersome, I'm asked to go in and teach them that for the level of security appropriate to where I work, we can almost always find a clean solution. Good security, properly done, is done by professionals in a manner to hide most of it from the user so the user thinks it invisible.

      Always keep your threat model in mind. Are you trying to protect against selected 3-6 letter government agencies with datacenters full of true supercomputers? Or are you trying to protect against a lesser threat?

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
    12. Re:No 2 factor please by dgatwood · · Score: 1

      Always keep your threat model in mind. Are you trying to protect against selected 3-6 letter government agencies with datacenters full of true supercomputers? Or are you trying to protect against a lesser threat?

      These days, the non-government attacker isn't a lesser threat. They have armies of captured Winzombies in a botnet at their disposal.

      You do make them authenticate over an encrypted channel, right? Yes, someone might compromise the device with the software token, but that in theory should be hard.

      You know the difference between theory and practice, right? Sites like JailbreakMe and all the Windows drive-by download attacks demonstrate with incredible clarity why putting complete trust in any internet-connected device is a dubious proposition. Sure, right now, attackers aren't attacking sites that generate one-time passwords, but that's because they aren't used for much other than corporate VPNs. Get even one major bank using them, and you'll have people exploiting them within a week.

      If you are allowing over a thousand bad guesses, you're doing something else wrong.

      Not really. The only alternative is to lock people out of their accounts if they happen to be unlucky enough to have a common account name that people regularly mistake for their own, and that is seriously cumbersome. You can limit it to a few requests per IP, but again, the attacker has armies of....

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
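
Added example, not code from any poster, from Google or from RSA: it covers two things discussed above. First, kqs's point that a local app like Google Authenticator turns a stored seed into one-time codes (RFC 6238 TOTP, which is what that app implements). Second, alcourt's point that a short PIN combined with the token is acceptable only if the verifier refuses more than a handful of bad guesses, and dgatwood's counter that lockouts are their own problem. Standard library only; the seed is the RFC 6238 reference test secret, and the PIN, the one-step skew window and the five-failure lockout are demo choices.

```python
# Added example (not from the thread): RFC 6238 TOTP generation as a software
# token does it, plus a server-side PIN+code check with replay protection
# and a small lockout. Seed is the RFC test vector; policy values are demo.
import hashlib
import hmac
import struct
import time

DEMO_SEED = b"12345678901234567890"  # RFC 4226/6238 test vector secret
STEP = 30                            # seconds per TOTP step
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, int(at) // step, digits)


class OtpVerifier:
    """Server side. Accepts PIN + code, tolerates one step of clock skew,
    never accepts a step that has already been consumed (replay), and locks
    the account after MAX_FAILURES bad attempts so that a short PIN cannot
    be guessed online. Lockout policy is a demo choice; a real deployment
    would rate-limit per account and source rather than hard-lock."""
    MAX_FAILURES = 5

    def __init__(self, seed: bytes, pin: str, clock=time.time):
        self._seed = seed
        self._pin = pin.encode()
        self._clock = clock
        self.failures = 0
        self.locked = False
        self._last_step = -1

    def verify(self, submitted: str, now=None) -> bool:
        if self.locked:
            return False
        now = int(self._clock() if now is None else now)
        data = submitted.encode()
        # Compare PIN and code in constant time; '&' avoids short-circuiting.
        pin_ok = hmac.compare_digest(data[:len(self._pin)], self._pin)
        code = data[len(self._pin):]
        step_now = now // STEP
        for step in (step_now - 1, step_now, step_now + 1):
            if step <= self._last_step:
                continue  # this step was already used: refuse replay
            code_ok = hmac.compare_digest(hotp(self._seed, step).encode(), code)
            if pin_ok & code_ok:
                self._last_step = step
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


if __name__ == "__main__":
    print("current code for the demo seed:", totp(DEMO_SEED, int(time.time())))
```

The seed never leaves the device or the server, which is why kqs calls it "effectively something you have": the attacker who only watches the network sees six digits that are dead thirty seconds later, and the verifier above accepts each step once. Whether five failures and a hard lock is the right policy is exactly the argument in the last two comments; the code just makes the trade-off explicit.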

  8. Strange how this is just now being sensationalized by ravenswood1000 · · Score: 1

    Many more people have gone through what Mat Honan has or even worse, yet nothing was done before. I find that strange.

  9. Finding accounts linked to recovery email by w00tz · · Score: 1

    It seems that one can find out all google accounts associated to a recovery address by simply selecting "I don't know my username" in the google recovery menu. If the hacker would have known/used this, he could have had access to even more of Mr. Honan's stuff, provided he had more than one gmail account which used the same recovery address (and by the looks of it, I'm sure he would have daisy-chained that too). Google is happy to deliver the associated accounts to the recovery address, with no obfuscation. There's not much hassle to reset those accounts and compromise them as well afterwards. Although I understand its usefulness, using it for the wrong purpose can turn it against you. I'm beginning to think recovery emails are bad too...

    1. Re:Finding accounts linked to recovery email by lpq · · Score: 1

      How would you suggest recovering an email registered account without sending an email with a new tmp password?

      You can't presume the user has anything other than the computer (or a computer) and email that they originally registered with...

      Isn't google's idea of two factor authentication sending SMS messages to a phone?

      AFAIK, landline phones don't have SMS and I certainly wouldn't want to pay extra for it -- HOWEVER, I know that gvoice will call your number and ask you to key in a number when you sign up, so offering that as an alternative 2nd factor for pw recovery (only -- not login) would seem acceptable to me -- but there are others that may possess no phone and only a computer...

      You can't design 2-factor authentication unless you are certain it's something that every user has, and that says nothing of the convenience issue.

      I almost always access my accounts from a few home computers -- (usually just 1), yet the bastards still forced me to change my password because that same computer tried to login several times to my gmail account due to thunderbird's settings being reset to defaults (normally it doesn't poll my gmail account nor access it unless I manually pull it)....but after a bad attempt at a Tbird upgrade, I reverted -- but google still forced a password change on me -- and now won't EVER let me use the old password again.

      Apparently every password you ever use with google becomes part of its statistical profile of you. This is especially useful if they force you to change it once in a while and are able to detect a pattern in your password usage. They could likely use it to predict passwords to other sites some percentage of the time.

      So much for "do no evil"...storing people's old passwords and forcing them to change periodically... AND being a data mining company that could use such info ... definitely falls into the evil category!