Date: Fri, 18 May 2012 13:03:24 -0700
From: Dan Kaminsky <dan@...para.com>
To: Michael Gray <mgray@...tcode.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google Accounts Security Vulnerability

Surely you can create a sock puppet for debugging purposes.

On Thu, May 17, 2012 at 11:43 AM, Michael Gray <mgray@...tcode.com> wrote:

> I'm not interested in providing that information. You can reproduce it
> without knowing my user name.
> On May 17, 2012 8:45 AM, "Mike Hearn" <hearn@...gle.com> wrote:
>
>> If you provide the name of the account you're logging in to, we can go
>> take a look what's happening.
>>
>> On Thu, May 17, 2012 at 5:29 PM, Michael Gray <mgray@...tcode.com> wrote:
>> > Regardless of how you say it works, I can bypass it every time it would
>> > seem. Again, by using the method in my original post. It's likely you
>> > have a bug if this isn't the functionality you're after.
>> >
>> > I appreciate the statistics but they mean little to me.
>> >
>> > Thank you for taking the time to respond. I hope my suggestions and
>> > findings will assist you in correcting these issues
>> >
>> > On May 17, 2012 5:51 AM, "Mike Hearn" <hearn@...gle.com> wrote:
>> >>
>> >> I understand your concerns, however they are not valid. You can be
>> >> assured of the following:
>> >>
>> >> 1) We do not see this system as a replacement for passwords. If we
>> >> block a login the user is notified and asked if it was them, if it
>> >> wasn't we ask them to pick a new password. In very high confidence
>> >> cases we will immediately force the user to choose a new password,
>> >> because passwords are still the first line of defense.
>> >>
>> >> 2) We do not see this system as a replacement for 2-factor
>> >> authentication. However the reality is that the vast majority of our
>> >> users do not use 2-factor authentication and this is unlikely to
>> >> change any time soon. 2SV imposes a significant extra burden on the
>> >> user such that despite heavy promotion many users refuse to sign up,
>> >> and of those that do, many choose to unenroll shortly afterwards.
>> >> Therefore we also provide this always-on best effort system as well.
>> >>
>> >> 3) In fact it is very effective at stopping the large, botnet driven
>> >> types of attacks we see on a daily basis and so saying it doesn't add
>> >> any security is wrong. Since going live the system has successfully
>> >> defended tens of millions of users who have a compromised password. A
>> >> single unrepresentative data point based on one account isn't enough
>> >> for you to judge the utility of the system, whereas we can clearly see
>> >> the stopped campaigns (and drop in number of attempts).
>> >>
>> >> That said, if you have friends and relatives who use Google and you'd
>> >> like to make them more secure, by all means encourage them to set
>> >> up two-factor authentication.
>>
>>
>>
>> --
>>
>> Mike Hearn | Senior Software Engineer | hearn@...gle.com | Account
>> security team
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
