lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <58DB1B68E62B9F448DF1A276B0886DF194DDCA5B@EX2010.hammerofgod.com>
Date: Sun, 20 May 2012 23:23:05 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Ferenc Kovacs <tyra3l@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	Michael Gray <mgray@...tcode.com>
Subject: Re: Google Accounts Security Vulnerability

It’s you.

[Description: Description: Description: Description: Description: Description: Description: Description: Description: TimSig]

Timothy “Thor”  Mullen
www.hammerofgod.com
Thor’s Microsoft Security Bible<http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>


From: Ferenc Kovacs [mailto:tyra3l@...il.com]
Sent: Sunday, May 20, 2012 2:23 AM
To: Thor (Hammer of God)
Cc: Dan Kaminsky; Michael Gray; full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

is it me, or you aren't reading the mails that you are replying to?
On Sat, May 19, 2012 at 7:28 PM, Thor (Hammer of God) <thor@...merofgod.com<mailto:thor@...merofgod.com>> wrote:
I tried, and it didn’t work (couldn’t repro).

None of this matters – if you have username and password, you can check mail via POP3 or IMAP.   Last time I checked, that was “by design.”   If anyone is saying this is some sort of vulnerability because someone “happens across your username and password” then they are in the wrong business.

Michael – for you to make these claims, get Google involved, and post their replies here but refuse to give them your username (which will be on every email you send out) so they can troubleshoot is really a waste of time.

Your initial point of “even the big companies with teams of security experts have security vulnerabilities” seems to shrink a bit when they illustrate concern with the issue yet you refuse to provide the simplest of information.   I not sure what other expectations one would have of an organization.

[Description: Description: Description: Description: Description: Description: Description: Description: Description: TimSig]

Timothy “Thor”  Mullen
www.hammerofgod.com<http://www.hammerofgod.com>
Thor’s Microsoft Security Bible<http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>


From: full-disclosure-bounces@...ts.grok.org.uk<mailto:full-disclosure-bounces@...ts.grok.org.uk> [mailto:full-disclosure-bounces@...ts.grok.org.uk<mailto:full-disclosure-bounces@...ts.grok.org.uk>] On Behalf Of Dan Kaminsky
Sent: Friday, May 18, 2012 1:03 PM
To: Michael Gray
Cc: full-disclosure@...ts.grok.org.uk<mailto:full-disclosure@...ts.grok.org.uk>

Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

Surely you can create a sock puppet for debugging purposes.
On Thu, May 17, 2012 at 11:43 AM, Michael Gray <mgray@...tcode.com<mailto:mgray@...tcode.com>> wrote:

I'm not interested in providing that information. You can reproduce it without knowing my user name.
On May 17, 2012 8:45 AM, "Mike Hearn" <hearn@...gle.com<mailto:hearn@...gle.com>> wrote:
If you provide the name of the account you're logging in to, we can go
take a look what's happening.

On Thu, May 17, 2012 at 5:29 PM, Michael Gray <mgray@...tcode.com<mailto:mgray@...tcode.com>> wrote:
> Regardless of how you say it works, I can bypass it every time it would
> seem. Again, by using the method in my original post. It's likely you have a
> bug if this isn't the functionality you're after.
>
> I appreciate the statistics but they mean little to me.
>
> Thank you for taking the time to respond. I hope my suggestions and findings
> will assist you in correcting these issues
>
> On May 17, 2012 5:51 AM, "Mike Hearn" <hearn@...gle.com<mailto:hearn@...gle.com>> wrote:
>>
>> I understand your concerns, however they are not valid. You can be
>> assured of the following:
>>
>> 1) We do not see this system as a replacement for passwords. If we
>> block a login the user is notified and asked if it was them, if it
>> wasn't we ask them to pick a new password. In very high confidence
>> cases we will immediately force the user to choose a new password,
>> because passwords are still the first line of defense.
>>
>> 2) We do not see this system as a replacement for 2-factor
>> authentication. However the reality is that the vast majority of our
>> users do not use 2-factor authentication and this is unlikely to
>> change any time soon. 2SV imposes a significant extra burden on the
>> user such that despite heavy promotion many users refuse to sign up,
>> and of those that do, many choose to unenroll shortly afterwards.
>> Therefore we also provide this always-on best effort system as well.
>>
>> 3) In fact it is very effective at stopping the large, botnet driven
>> types of attacks we see on a daily basis and so saying it doesn't add
>> any security is wrong. Since going live the system has successfully
>> defended tens of millions of users who have a compromised password. A
>> single unrepresentative data point based on one account isn't enough
>> for you to judge the utility of the system, whereas we can clearly see
>> the stopped campaigns (and drop in number of attempts).
>>
>> That said, if you have friends and relatives who use Google and you'd
>> like to to make them more secure, by all means encourage them to set
>> up two-factor authentication.



--

Mike Hearn | Senior Software Engineer | hearn@...gle.com<mailto:hearn@...gle.com> | Account security team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Content of type "text/html" skipped

Download attachment "image001.png" of type "image/png" (1049 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ