Message-ID: <CAH-PCH7q=d5ya=9s+HH9AOeTOoYX8AsviyFV-fELCd2+2SxVfA@mail.gmail.com>
Date: Sun, 20 May 2012 11:23:25 +0200
From: Ferenc Kovacs <tyra3l@...il.com>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>, Michael Gray <mgray@...tcode.com>
Subject: Re: Google Accounts Security Vulnerability

is it me, or you aren't reading the mails that you are replying to?

On Sat, May 19, 2012 at 7:28 PM, Thor (Hammer of God) <thor@...merofgod.com> wrote:

> I tried, and it didn’t work (couldn’t repro).
>
> None of this matters – if you have username and password, you can check
> mail via POP3 or IMAP. Last time I checked, that was “by design.” If
> anyone is saying this is some sort of vulnerability because someone
> “happens across your username and password” then they are in the wrong
> business.
>
> Michael – for you to make these claims, get Google involved, and post
> their replies here but refuse to give them your username (which will be on
> every email you send out) so they can troubleshoot is really a waste of
> time.
>
> Your initial point of “even the big companies with teams of security
> experts have security vulnerabilities” seems to shrink a bit when they
> illustrate concern with the issue yet you refuse to provide the simplest of
> information. I’m not sure what other expectations one would have of an
> organization.
>
> Timothy “Thor” Mullen
> www.hammerofgod.com
> Thor’s Microsoft Security Bible <http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>
>
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Dan Kaminsky
> Sent: Friday, May 18, 2012 1:03 PM
> To: Michael Gray
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
>
> Surely you can create a sock puppet for debugging purposes.
>
> On Thu, May 17, 2012 at 11:43 AM, Michael Gray <mgray@...tcode.com> wrote:
>
> I'm not interested in providing that information. You can reproduce it
> without knowing my user name.
>
> On May 17, 2012 8:45 AM, "Mike Hearn" <hearn@...gle.com> wrote:
>
> If you provide the name of the account you're logging in to, we can go
> take a look at what's happening.
>
> On Thu, May 17, 2012 at 5:29 PM, Michael Gray <mgray@...tcode.com> wrote:
> > Regardless of how you say it works, I can bypass it every time it would
> > seem. Again, by using the method in my original post. It's likely you have a
> > bug if this isn't the functionality you're after.
> >
> > I appreciate the statistics but they mean little to me.
> >
> > Thank you for taking the time to respond. I hope my suggestions and findings
> > will assist you in correcting these issues.
> >
> > On May 17, 2012 5:51 AM, "Mike Hearn" <hearn@...gle.com> wrote:
> >>
> >> I understand your concerns, however they are not valid. You can be
> >> assured of the following:
> >>
> >> 1) We do not see this system as a replacement for passwords. If we
> >> block a login the user is notified and asked if it was them, if it
> >> wasn't we ask them to pick a new password. In very high confidence
> >> cases we will immediately force the user to choose a new password,
> >> because passwords are still the first line of defense.
> >>
> >> 2) We do not see this system as a replacement for 2-factor
> >> authentication. However the reality is that the vast majority of our
> >> users do not use 2-factor authentication and this is unlikely to
> >> change any time soon. 2SV imposes a significant extra burden on the
> >> user such that despite heavy promotion many users refuse to sign up,
> >> and of those that do, many choose to unenroll shortly afterwards.
> >> Therefore we also provide this always-on best effort system as well.
> >>
> >> 3) In fact it is very effective at stopping the large, botnet driven
> >> types of attacks we see on a daily basis and so saying it doesn't add
> >> any security is wrong. Since going live the system has successfully
> >> defended tens of millions of users who have a compromised password. A
> >> single unrepresentative data point based on one account isn't enough
> >> for you to judge the utility of the system, whereas we can clearly see
> >> the stopped campaigns (and drop in number of attempts).
> >>
> >> That said, if you have friends and relatives who use Google and you'd
> >> like to make them more secure, by all means encourage them to set
> >> up two-factor authentication.
> >
> > --
> > Mike Hearn | Senior Software Engineer | hearn@...gle.com | Account security team
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
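Mike Hearn's message above describes the shape of Google's best-effort login defence (block a suspicious login, notify the user and ask whether it was them, ask for a new password if it wasn't, force a reset outright in very high confidence cases), and Thor's reply notes that the same username and password also work over POP3 and IMAP. The following is an added example written for this page, not Google's code and not anything posted in the thread: a small risk-based login gate whose decision is made once from the login context and applied the same way whichever protocol the credentials arrived on. Every signal name, weight, threshold and sample attempt is an assumption chosen for illustration.

```python
"""Risk-based login gate modelled on the policy described in the thread.

Added example (not Google's code). Signal names, weights, thresholds and the
sample attempts below are all constructed for illustration.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    # Block this attempt and notify the user; if they answer "not me",
    # they are asked to choose a new password.
    BLOCK_AND_NOTIFY = "block_and_notify"
    # Very high confidence of compromise: new password before anything else.
    FORCE_PASSWORD_RESET = "force_password_reset"


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    protocol: str                   # "web", "imap" or "pop3" (assumed labels)
    source_ip: str
    country: str
    known_device: bool              # client previously seen for this user
    usual_countries: frozenset      # countries this user normally logs in from
    ip_accounts_last_hour: int      # distinct accounts this IP tried (assumed feed)
    failed_attempts_last_hour: int  # recent failures against this account


# Assumed weights and thresholds; a production system would tune or learn these.
WEIGHTS = {
    "new_country": 40,
    "unknown_device": 20,
    "spraying_ip": 50,   # one source hitting many accounts: botnet-style campaign
    "brute_force": 30,
}
NOTIFY_THRESHOLD = 50
RESET_THRESHOLD = 90
SPRAYING_ACCOUNTS = 20
BRUTE_FORCE_FAILURES = 10


def risk_score(attempt):
    """Sum the weights of the signals that fire; return (score, reasons)."""
    reasons = []
    if attempt.country not in attempt.usual_countries:
        reasons.append("new_country")
    if not attempt.known_device:
        reasons.append("unknown_device")
    if attempt.ip_accounts_last_hour >= SPRAYING_ACCOUNTS:
        reasons.append("spraying_ip")
    if attempt.failed_attempts_last_hour >= BRUTE_FORCE_FAILURES:
        reasons.append("brute_force")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt):
    """Map the score to a verdict. The protocol is deliberately not an input,
    so the same credentials get the same decision on web, IMAP and POP3."""
    score, reasons = risk_score(attempt)
    if score >= RESET_THRESHOLD:
        return Verdict.FORCE_PASSWORD_RESET, reasons
    if score >= NOTIFY_THRESHOLD:
        return Verdict.BLOCK_AND_NOTIFY, reasons
    return Verdict.ALLOW, reasons


def after_user_reply(verdict, was_me):
    """Follow-up once the user answers the 'was this you?' notification."""
    if verdict is Verdict.FORCE_PASSWORD_RESET:
        return "require_new_password"
    if verdict is Verdict.BLOCK_AND_NOTIFY:
        return "unblock" if was_me else "require_new_password"
    return "no_action"


def consistent_across_protocols(attempt, protocols=("web", "imap", "pop3")):
    """True if every channel yields the same verdict for the same context."""
    verdicts = {decide(replace(attempt, protocol=p))[0] for p in protocols}
    return len(verdicts) == 1


# Constructed sample attempts (documentation-range IPs, made-up history).
USUAL = frozenset({"HU"})
BENIGN = LoginAttempt("alice", "web", "203.0.113.10", "HU", True, USUAL, 1, 0)
TRAVEL = LoginAttempt("alice", "imap", "198.51.100.7", "US", False, USUAL, 1, 0)
CAMPAIGN = LoginAttempt("alice", "pop3", "192.0.2.99", "BR", False, USUAL, 250, 0)

if __name__ == "__main__":
    for name, attempt in (("benign", BENIGN), ("travel", TRAVEL), ("campaign", CAMPAIGN)):
        verdict, reasons = decide(attempt)
        print(f"{name:9s} {attempt.protocol:5s} -> {verdict.value} {reasons}")
```

The point of `consistent_across_protocols` is the one the thread circles around: a login gate that only fronts the web sign-in page leaves mail protocols as an unguarded path for the same credentials, so the evaluation has to sit behind every authentication entry point, and the outcome (notify, verify, reset) has to be the same regardless of which one fired it.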