Dropbox Adds Two-Factor Authentication
angry tapir writes "File-sharing service Dropbox is now offering two-factor authentication, a system that makes it much harder for hackers to capture valid credentials for a person's account. Dropbox, one of the most widely used web-based storage services, said last month it planned on introducing two-factor authentication after user names and passwords were stolen from another website and used to access accounts."
Precisely five minutes ago, while reading a few Slashdot comments, I expelled flatulence out of my very own anus. I didn't expel flatulence out of someone else's anus; I expelled it out of my own. That's what makes it truly astonishing!
A snappy kinda man.
It's cloud storage. Calling it file-sharing will get it confiscated by the Feds.
Now I can has more security!
Chief Thinker www.devotedskeptic.com
I put my Dropbox Emergency key in Google Drive, and my Google Emergency Key in Dropbox. This should work out perfectly.
Dropbox ...said last month
What, a month long NDA, because release date is today, or what is the story on the delay?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Someone will hack them and will export the shared secret used for RFC 6238 TOTP: Time-Based One-Time Password Algorithm. Two-factor authentication's job is to protect the user. It doesn't make Dropbox's security practices better, and they have already demonstrated those are bad.
$ apt-cache search google authenticator
libpam-google-authenticator - Two-step verification
It's in Debian repositories (And probably Ubuntu.) You can download it yourself and integrate it into anything that supports PAM.
I have my code on both my phone and iPod touch so I always have something on me that can generate the code. The 'backup codes' are in a safety deposit box with other documents. Not sure if it actually is secure but it feels a bit more secure knowing that to get into my home server you have to have both my password and one of my devices. (And if I lose one I can easily generate a new key).
It makes a QR-code in the bash terminal that you can take a picture of with your devices.
I know the capability is there, but it's still mainly just online storage.
Great, but is it still the case you can just copy %APPDATA%\Dropbox\config.db to any computer and have instant access with no visibility that the credential is being double-used and no way to revoke or invalidate it?
http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
Why would someone implement a keystroke logger if they can just steal this file and have unlimited future access with complete stealth? Sounds like this just makes it harder to remotely brute force against DB servers to login.
Back when OpenID was popular the argument was that you can outsource your authentication to a service that actually has a clue about security. Back then, though, none of the popular identity providers actually did anything better than username/password. (With the exception of MyOpenID, but they were always kinda niche.)
Now that I've embraced Google's two-factor auth -- accepting a little inconvenience for a little more security -- I find it useful that when I log into Google properties I only need to do the two-factor stuff once in a while, rather than for every single service. Two-factor auth *is* less convenient, but if you have single sign-on then you can make it less so.
If the latest trend is for every service to implement its *own* two-factor auth then this is going to get much less convenient. I'd sooner see services like DropBox just integrate with Google's auth (and with anyone else who has a decent auth system) and let users benefit.
I'm the only one that loses his phone?
Dropbox adds a much better user identification method, for the sake of privacy.
The second factor is an SMS, and in all countries the law requires the mobile operator to be able to identify at any time who is the person using a certain SIM.
Identification of a user based on her/his email address is trivially ineffective.
Better security is a tiny side effect. Any techie of the VAS team at the mobile operator would be able to circumvent that method. As well as law enforcement men in black.
Really better security would be a cryptographic certificate locally protected by a password, a-la SSH.
Ah!
P.S.
Google has already been wanting to know your mobile phone number for a long time now.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
http://privatesky.me/
These guys have already figured this out: a two-factor authentication Outlook add-in and an email account with secure PIN pad access.
It's cool, use it!
Great. Now how about some encryption? I notice that the one useful feature most of these services (purposely?) omit is client side [de|en]cryption with the client holding the keys. Why is that?
/tinfoil
Do these online storage services actually data mine their customers' files?
I'm a little wary of using Google for authenticating myself for other services. They know too much about you, they want to tie that to your real identity, giving them full control over your internet life sounds like a bad idea without some serious privacy protection and separation in place. I was championing Google ten years ago, but now I try to keep away from everything I do online as much as possible.
Memorable quotes for
Looker (1981)
http://www.imdb.com/title/tt0082677/quotes
"John Reston: Television can control public opinion more effectively than armies of secret police, because television is entirely voluntary. The American government forces our children to attend school, but nobody forces them to watch T.V. Americans of all ages *submit* to television. Television is the American ideal. Persuasion without coercion. Nobody makes us watch. Who could have predicted that a *free* people would voluntarily spend one fifth of their lives sitting in front of a *box* with pictures? Fifteen years sitting in prison is punishment. But 15 years sitting in front of a television set is entertainment. And the average American now spends more than one and a half years of his life just watching television commercials. Fifty minutes, every day of his life, watching commercials. Now, that's power."
##
"The United States has its own propaganda, but it's very effective because people don't realize that it's propaganda. And it's subtle, but it's actually a much stronger propaganda machine than the Nazis had but it's funded in a different way. With the Nazis it was funded by the government, but in the United States, it's funded by corporations and corporations they only want things to happen that will make people want to buy stuff. So whatever that is, then that is considered okay and good, but that doesn't necessarily mean it really serves people's thinking - it can stupefy and make not very good things happen."
- Crispin Glover: http://www.imdb.com/name/nm0000417/bio
##
"It's only logical to assume that conspiracies are everywhere, because that's what people do. They conspire. If you can't get the message, get the man." - Mel Gibson (from an interview)
##
"We'll know our disinformation program is complete when everything the American public believes is false." - William Casey, CIA Director
##
George Carlin:
"The real owners are the big wealthy business interests that control things and make all the important decisions. Forget the politicians, they're an irrelevancy. The politicians are put there to give you the idea that you have freedom of choice. You don't. You have no choice. You have owners. They own you. They own everything. They own all the important land. They own and control the corporations. They've long since bought and paid for the Senate, the Congress, the statehouses, the city halls. They've got the judges in their back pockets. And they own all the big media companies, so that they control just about all of the news and information you hear. They've got you by the balls. They spend billions of dollars every year lobbying, lobbying to get what they want. Well, we know what they want; they want more for themselves and less for everybody else.
But I'll tell you what they don't want. They don't want a population of citizens capable of critical thinking. They don't want well-informed, well-educated people capable of critical thinking. They're not interested in that. That doesn't help them. That's against their interests. They don't want people who are smart enough to sit around the kitchen table and figure out how badly they're getting fucked by a system that threw them overboard 30 fucking years ago.
You know what they want? Obedient workers, people who are just smart enough to run the machines and do the paperwork but just dumb enough to passively accept all these increasingly shittier jobs with the lower pay, the longer hours, reduced benefits, the end of overtime and the vanishing pension that disappears the minute you go to collect it. And, now, they're coming for your Social Security. They want your fucking retirement money. They want it back, so they can give it to their criminal friends on Wall Street. And you know something? They'll get it. They'll get it all, sooner or later, because they own this fucking place. It's a big clu
Um, in almost no countries is it law that the mobile operator has to know who the customer is. Here, we can just buy a prepay SIM for $10 at the supermarket, put it in the phone, and start calling. No ID needed. Your post is a huge crock of shit.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".