Open Source and information security mailing list archives
Message-ID: <CAH-PCH7q=d5ya=9s+HH9AOeTOoYX8AsviyFV-fELCd2+2SxVfA@mail.gmail.com>
Date: Sun, 20 May 2012 11:23:25 +0200
From: Ferenc Kovacs <tyra3l@...il.com>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	Michael Gray <mgray@...tcode.com>
Subject: Re: Google Accounts Security Vulnerability

Is it me, or are you not reading the mails that you are replying to?

On Sat, May 19, 2012 at 7:28 PM, Thor (Hammer of God) <thor@...merofgod.com> wrote:

> I tried, and it didn’t work (couldn’t repro).
>
> None of this matters – if you have username and password, you can check
> mail via POP3 or IMAP.   Last time I checked, that was “by design.”   If
> anyone is saying this is some sort of vulnerability because someone
> “happens across your username and password” then they are in the wrong
> business.
>
> Michael – for you to make these claims, get Google involved, and post
> their replies here but refuse to give them your username (which will be on
> every email you send out) so they can troubleshoot is really a waste of
> time.
>
> Your initial point of “even the big companies with teams of security
> experts have security vulnerabilities” seems to shrink a bit when they
> illustrate concern with the issue yet you refuse to provide the simplest of
> information.   I’m not sure what other expectations one would have of an
> organization.
>
> [image: TimSig]
>
> Timothy “Thor” Mullen
> www.hammerofgod.com
> Thor’s Microsoft Security Bible <http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>
>
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Dan Kaminsky
> Sent: Friday, May 18, 2012 1:03 PM
> To: Michael Gray
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
>
> Surely you can create a sock puppet for debugging purposes.
>
> On Thu, May 17, 2012 at 11:43 AM, Michael Gray <mgray@...tcode.com> wrote:
>
> I'm not interested in providing that information. You can reproduce it
> without knowing my user name.
>
> On May 17, 2012 8:45 AM, "Mike Hearn" <hearn@...gle.com> wrote:
>
> If you provide the name of the account you're logging in to, we can go
> take a look what's happening.
>
> On Thu, May 17, 2012 at 5:29 PM, Michael Gray <mgray@...tcode.com> wrote:
> > Regardless of how you say it works, I can bypass it every time it would
> > seem. Again, by using the method in my original post. It's likely you
> > have a bug if this isn't the functionality you're after.
> >
> > I appreciate the statistics but they mean little to me.
> >
> > Thank you for taking the time to respond. I hope my suggestions and
> > findings will assist you in correcting these issues.
> >
> > On May 17, 2012 5:51 AM, "Mike Hearn" <hearn@...gle.com> wrote:
> >>
> >> I understand your concerns, however they are not valid. You can be
> >> assured of the following:
> >>
> >> 1) We do not see this system as a replacement for passwords. If we
> >> block a login the user is notified and asked if it was them, if it
> >> wasn't we ask them to pick a new password. In very high confidence
> >> cases we will immediately force the user to choose a new password,
> >> because passwords are still the first line of defense.
> >>
> >> 2) We do not see this system as a replacement for 2-factor
> >> authentication. However the reality is that the vast majority of our
> >> users do not use 2-factor authentication and this is unlikely to
> >> change any time soon. 2SV imposes a significant extra burden on the
> >> user such that despite heavy promotion many users refuse to sign up,
> >> and of those that do, many choose to unenroll shortly afterwards.
> >> Therefore we also provide this always-on best effort system as well.
> >>
> >> 3) In fact it is very effective at stopping the large, botnet driven
> >> types of attacks we see on a daily basis and so saying it doesn't add
> >> any security is wrong. Since going live the system has successfully
> >> defended tens of millions of users who have a compromised password. A
> >> single unrepresentative data point based on one account isn't enough
> >> for you to judge the utility of the system, whereas we can clearly see
> >> the stopped campaigns (and drop in number of attempts).
> >>
> >> That said, if you have friends and relatives who use Google and you'd
> >> like to make them more secure, by all means encourage them to set
> >> up two-factor authentication.
>
>
>
> --
>
> Mike Hearn | Senior Software Engineer | hearn@...gle.com | Account
> security team
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
