lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 17 May 2012 11:43:49 -0700
From: Michael Gray <mgray@...tcode.com>
To: Mike Hearn <hearn@...gle.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google Accounts Security Vulnerability

I'm not interested in providing that information. You can reproduce it
without knowing my user name.
On May 17, 2012 8:45 AM, "Mike Hearn" <hearn@...gle.com> wrote:

> If you provide the name of the account you're logging in to, we can go
> take a look what's happening.
>
> On Thu, May 17, 2012 at 5:29 PM, Michael Gray <mgray@...tcode.com> wrote:
> > Regardless of how you say it works, I can bypass it every time it would
> > seem. Again, by using the method in my original post. It's likely you
> have a
> > bug if this isn't the functionality you're after.
> >
> > I appreciate the statistics but they mean little to me.
> >
> > Thank you for taking the time to respond. I hope my suggestions and
> findings
> > will assist you in correcting these issues
> >
> > On May 17, 2012 5:51 AM, "Mike Hearn" <hearn@...gle.com> wrote:
> >>
> >> I understand your concerns, however they are not valid. You can be
> >> assured of the following:
> >>
> >> 1) We do not see this system as a replacement for passwords. If we
> >> block a login the user is notified and asked if it was them, if it
> >> wasn't we ask them to pick a new password. In very high confidence
> >> cases we will immediately force the user to choose a new password,
> >> because passwords are still the first line of defense.
> >>
> >> 2) We do not see this system as a replacement for 2-factor
> >> authentication. However the reality is that the vast majority of our
> >> users do not use 2-factor authentication and this is unlikely to
> >> change any time soon. 2SV imposes a significant extra burden on the
> >> user such that despite heavy promotion many users refuse to sign up,
> >> and of those that do, many choose to unenroll shortly afterwards.
> >> Therefore we also provide this always-on best effort system as well.
> >>
> >> 3) In fact it is very effective at stopping the large, botnet driven
> >> types of attacks we see on a daily basis and so saying it doesn't add
> >> any security is wrong. Since going live the system has successfully
> >> defended tens of millions of users who have a compromised password. A
> >> single unrepresentative data point based on one account isn't enough
> >> for you to judge the utility of the system, whereas we can clearly see
> >> the stopped campaigns (and drop in number of attempts).
> >>
> >> That said, if you have friends and relatives who use Google and you'd
> >> like to to make them more secure, by all means encourage them to set
> >> up two-factor authentication.
>
>
>
> --
>
> Mike Hearn | Senior Software Engineer | hearn@...gle.com | Account
> security team
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ