And because we know the best way ...
The road to Hell is paved with good intentions and Google "engineers" who wouldn't know what Chartered means if it kicked them in the nadgers.
Fuckwits.
Google is going to automatically enroll 150 million users and two million YouTube creators into using two-factor authentication for their accounts by the end of the year, it announced on Tuesday. Passwords aren’t good enough on their own, Google’s AbdelKarim Mardini, group product manager working on Chrome, and Guemmy Kim, …
I feel like talking to myself.
When a Civil Engineer fucks up, a bridge collapses or a dam bursts ... err this is starting to look bad.
When a FAART or FFUNGI, FUUNG? whatever, employee fucks up then Facebook vanishes for six hours. Did anyone die as a result? Probably, sadly. I bet that somewhere a doctor or lots use FB to run clinics. Somewhere as a result of the lack of FB, someone may have died. On the other hand someone may have survived being knobbled by a well meaning but deranged doctor who could no longer communicate due to the outage.
So a real Engineer kills people when they screw up and generally ends up having to face up to that. FAANG/FLOOP etc programmers and other staff, when they fuck up, there are less cat memes in the world - that's how they seem to be seen at times of breakage. There are a lot of other businesses that have gone all in on FB and Co. Will they be compensated in some way?
No.
The BBC made a big "think of the children"-style deal over WhatsApp being down.
People around the world lost contact with their families on Monday, patients were cut off from doctors, and governments were unable to communicate with citizens when Facebook's social media and messaging tools went down for almost six hours.
Jesus H. Jumping Christ. What a bunch of moaners. FB being down is NOT the end of the world, people.
People need to stop basing their business and essential communication around a resource they DON'T EVEN PAY FOR! If I see a restaurant or other business on Google Maps or whatever, and their website is Facebook... I don't even bother to look further. I know they're too lazy to make decent food.
Google threw a shitfit over people using their well-known nicknames instead of their real names, and started locking people out of their accounts. That's when I bought an email address where I actually pay for the damn thing and I'm the customer, and shifted all my communications to that.
https://www.bbc.com/news/technology-58801814
" If I see a restaurant or other business on Google Maps or whatever, and their website is Facebook... I don't even bother to look further. I know they're too lazy to make decent food."
Conversely, one could argue that they are so focused on their food (or whatever the core business is) that they don't have time to faff around with creating their own website. The best discovery tool for restaurants is still personal recommendation.
If you're looking for something technical, a nice website is a good sign.
If you're looking for something non-technical, the website is largely irrelevant.
My favourite Chinese takeaway doesn't have a website (the only reference online is someone has posted photos of their menu somewhere). My mechanic doesn't have a website (or even email). The best painter & decorator in the area doesn't have a website. None of those places have any interest in computing, but they're good at what they do.
McDonald's has a comprehensive website.
"The BBC made a big "think of the children"-style deal over WhatsApp being down."
Just read that article and noticed this bit:
'A dentist in the UK, Chris Donnell, said that parts of his job often relied on communication via WhatsApp.
"Seriously feel for medical and dental friends who use WhatsApp for their hospital handovers, out-of-hours queries, chatting to senior colleagues for advice etc," he said.'
Using WhatsApp for "hospital handovers"? That's potentially a breach of GDPR. This has been brought up before in the NHS, see https://www.nhsx.nhs.uk/information-governance/guidance/use-mobile-messaging-software-health-and-care-settings/
Specifically the bit about "the transfer of special category data across unregulated servers outside the UK". Isn't WhatsApp data stored in USA?
I don't use WhatsApp but realise that it's "apparently" end-to-end encrypted, but that still doesn't mean personal data sent via it is safe; potentially WhatsApp/FB as the app developer could siphon off data before it's encrypted (and the recent row over WhatsApp T&Cs changes, certainly for non-EU & UK users, seems to imply they do/will do so).
Plus I assume these dentists are using their personal handsets for this which likely aren't appropriately secured (no MDM in place to enforce encryption, strong screenlock codes, etc)...
That's potentially a breach of GDPR
Err, what's with the "potentially". Try as I can, I cannot think of a practical way in which anyone could be using WA for that without breaching GDPR - badly. Just the fact that "Joe Bloggs" (note, made up name, any similarity to any real/living Joe Bloggs is purely coincidental) is in Anytown Infirmary would be sensitive personal information and there's no way the T&C for WA (we can hoover up whatever we want, when we want it) would make this GDPR compliant.
What's more, it's hard to see how anyone with any contacts in their address book could use WA now without breaking the law - unless they are conscientious enough to ask every single contact for their informed and freely given consent.
I know a lot of technophiles, nerds, dweebs. They are not necessarily good cooks.
I'm looking for a place to serve good food. Chances are pretty good they don't have time to screw around with constantly-changing, poorly documented tech requirements.
A good website for a restaurant is kind of like a slick marketing campaign - tells me they need to spend more money on advertising because their repeat business isn't good enough to keep them going!
<blockquote>FAANG/FLOOP etc programmers and other staff, when they fuck up, there are less cat memes in the world</blockquote>
The G and the A's in FAANG stand for Google, Amazon and Apple. Those are major cloud service providers. When all of Amazon and Google goes down, so does a large percentage of the web and web services. When Apple goes down, good luck with text messages... they'll try (and fail) to use iMessage even when it's down and SMS/MMS would work just fine. Not quite the flippant, silly insignificant concern.
File uploads? Sorry, that's using some Google javascript, please try sending that MRI to us tomorrow...
Out of money in your checking account? Afraid you can't login to your bank because their front-end servers are on S3.
Hope you don't have "smart locks" on anything important, because they won't be opening for you until those service providers come back up.
Indeed. Google have done something absolutely right - 2FA is great and everyone should use it.
And yet, because it's Google doing it, it's now really creepy. You know people won't be getting dedicated 2FA keys, they will use their phones, most likely with Google's authentication app.
So now Google has your phone linked to their applications on an ongoing basis, even if you're using an iPhone.
1. why does everyone assume I and the rest of the world have a smartphone?
There are workarounds.
So my bank sent me a letter saying that in order to improve online banking security, it was moving to 2FA. In order to continue buying stuff online, I'd need to download and install their phone banking app.
So there was me thinking "Huh, install banking thing in the gizmo most likely to get lost or stolen?". But lo, they went and did it anyway. I didn't, and discovered that the bank's contact details form doesn't insist on a mobile number. So if you have a DDI you can divert*, and a DDI provider with an SMS-speech gateway, it'll just call you and text to speech will read you the passphrase**.
Ok, so perhaps slightly more faffing around than doing a spot of copypasta, but I guess if that's your thing, perhaps try piping the call to a speech-to-text. Then cursing the 2FA provider when you discover you can't ctrl-c ctrl-v from or to their form. Not that 'smart' phones have ctrl keys anyway. But no need to install cra.. I mean an app on your phone.
*Officially or unofficially
**BT's gateway has a fun habit of reading 296563 as "Two hundred and ninety six thousand five hundred and sixty three" rather than just the digits.
<blockquote>1. why does everyone assume I and the rest of the world have a smartphone?</blockquote>
Because "80.76% of the world’s population [own] a smartphone". You are in an extremely small minority if you do not. Why would you assume companies would cater their offerings to such a tiny minority?
<blockquote>2. why does anyone assume I care at all about 2FA for a poxy email address that I use when I don't want to use my real one?</blockquote>
Why do you assume anyone cares at all about you and your specific used-cases?
...because it's Google doing it, it's now really creepy.
It's not that Google is using it that makes it creepy, it's how they will use it that does it. They already have a lot of information about their users. I am sure Google will be able to leverage this to embed themselves even more into their lives.
From the article: ...this code could be generated by an app on your phone or emailed to you...
So to get into my Google account, I could have them send the passcode to my Gmail address that I now have to use 2FA to get into? Also, how is this going to work for those of us who are not allowed to use our cell phones at work (yes, this is a thing) but are allowed some reasonable access to personal email and other web resources?
or don't have. Quite an about-face from being 'safe' to being 'f**ked' on a bad day.
I've accidentally left the house without my cellphone once in maybe 2 years, but I regretted it only because of the wonderful pictures I missed taking.
The base for my passwords is 14 characters long, in a European language I don't know, and was a friend's made up nickname for himself. And he's dead now and not talking. If that is insecure - as a practicality - then turn off passwords completely, Google and world.
I made sure my passphrase was as strong as I could make it, mostly by taking it from the Necronomicon & transcribing it into Elder God runes so that anyone reading it ends up summoning Cthulhu. I'm not worried, he just sticks his head out his bedroom door & asks me WTF I want _this_ time. I love having a flatmate! =-D
Damn you! You have just encouraged me to look for a runic keyboard, the bad thing is they exist.
That's another rabbit hole I'll get lost in. On the bright side though, my passwords will be beyond the majority of monkeys on typewriters having much chance of brute forcing.
I used to work with a woman whose password was literally her eldest son's name. When I introduced a password reset policy she added a 1 to the end. Eventually for some reason that I forget she changed it... to her other son's name. The worst part is this was less than 10 years ago.
No! The worst part is that we are forced into entering any password, let alone bloody stupid ones that must have a lower case letter, an upper case letter, a number and a special character and can only be 10 characters long WHEN NO PASSWORD IS REALLY NEEDED AT ALL!
Not sure why this is getting the down votes
I agree with strong passwords and MFA when the information is important enough to protect
Having to login to your "free" account to see sports scores is just stupid.
I have no problems with sites using ads to generate revenue to provide me with information. I do have a problem with sites that have decided to generate their income by participating in commercial surveillance.
What better tracker than an ID that has been authenticated. I bet tracking companies will pay a premium for that information.
They buy a lot of lotto tickets? Voted for Trump 2 or 3 times? Lost homes & relatives in flood plains? Lost relatives right after they shouted, "Hey, everybody, watch this!"? Sent a lot of money to African scammers? Etc. Etc. Fools & anything they have are soon parted...
"The base for my passwords is 14 characters long, in a European language I don't know, and was a friend's made up nickname for himself. And he's dead now and not talking."
If Facebook gets hacked and the bad guys find out your password is "SvenSøønstrømFacebook", it doesn't take a genius to figure out your Wells Fargo password is "SvenSøønstrømWellsFargo". (Source and victim sites could be any other site including banks, travel, porn, media, whatever)
Google has been trying really, really hard for a number of years now to get my mobile number. Always denied. Now they've come up with a novel way to force the issue: 3 options for 2SV, 2 of which involve giving them my number and the 3rd of which is unduly onerous. That'll be it for me; I can browse YouTube anonymously (until they disallow that too) and there are alternative throwaway email and other services out there.
I gave them my date of birth several years ago. So long ago that I'm not sure that I can remember what fake details I gave them.
I made sure that I was over 18 at the time, and almost certainly under 100, so that's fewer than 30000 possibilities (and I can exclude my actual DoB from that).
I have one of these. Worst user interface I've ever seen, which is saying something: a rotary dial, six hard buttons and a touch screen, and in order to cook anything you need a particular sequence of all three. Yet it still wants for an RTC to keep the time when the power cuts. The odds of me letting this horror into my network are a hard zero.
@A/C
Can't upvote you enough. Why do people buy internet connected stuff and then go all surprised when they see the downside. Always assuming there is an upside.
I don't count being able to control heating, lighting, seeing who is at my door without getting off my fat arse an upside. And if I am on holiday and someone breaks in, I sure as hell don't want to know until I get back home. At least that way my holiday isn't wrecked.
"Google has been trying really, really hard for a number of years now to get my mobile number."
Yup, they tried this the other day with me on teh tubes. Dropped in username, then password, then a prompt to enter a mobile number appeared for "security purposes".
Hit back on the browser, started the login process again, no further prompt. I suspect they would expect some pushback from this so have probably scripted this to accommodate for this behaviour, with a log recorded somewhere saying "try again in 3 months" or some such.
"3 options for 2SV, 2 of which involve giving them my number and the 3rd of which is unduly onerous"
Are you sure? The three options I see mentioned in the article are SMS, an authenticator app, or a hardware key. Only the first of those involves your phone number. OATH-based authenticator apps don't need your phone number or any other personal information, and there are a variety available from non-Google sources.
I really wouldn't consider a hardware key particularly onerous either. Sure, it's an extra thing to carry around and/or lose, but if you just stick it on a keyring or in a wallet it can actually save a fair bit of time since you don't need to faff around reading and typing in authentication codes.
Well yes. Something you know, something you have, something you are. Those are generally the three main categories that can be used for MFA. The thing about the "something you have" part is that it requires you to have something. It's truly baffling how many people here seem to think that adding additional layers of security somehow makes things less secure.
"OATH-based authenticator apps don't need your phone number or any other personal information, and there are a variety available from non-Google sources."
But the vast majority of people will assume that if Google wants you to use an authenticator app, then only the Google one will work. No doubt the Google page telling you to install an authenticator app will strongly encourage this belief too. I wonder which permissions the Google authenticator app will ask for "for your security"?
"That'll be it for me; I can browse YouTube anonymously (until they disallow that too) and there are alternative throwaway email and other services out there."
The only problem there is that Google won't let you watch YouTube videos they deem to be of "adult" nature unless you log in. By "adult", you have to think like a USAian. All the blood, gore and violence you could ever want is open to anyone who wants to watch, but if there's a hint of the "wrong" bit of skin, then you must be signed in and prove you are over 18. I could quite easily imagine that the bar for non-adult videos can and will be adjusted to make it more convenient to be signed in rather than not.
As I mentioned a while back, a video I wanted to look at was rated 18+ because it was reporting on an incident with graphic violence. They wanted my credit card details!
There is a world full of media out there, both entertaining and informative, that doesn't need a bloody signature, so Google can fuck off!
Google et al have their own best interests at heart several orders of magnitude higher than the interests of their users, unless it is going to impinge on profits, in which case refer to 'own best interests'.
“The answer is usability,” he said. “It’s about how many people would we drive out if we force them to use additional security.”
I've already started dropping sites that demand too many hoops to jump through. And I honestly suspect that is much more about theater than real security.
I'm a big boy. I can read. I can decide how much, or how little, security is needed on a given site. 99% of the time I'm comfortable with a giant kickass password that should be unguessible.
At least until the site manages to have their user database appear on HaveYouBeenPowned?
A telephone number is a mapping in a database accessible to hundreds of thousands of minimum-wage telco tech support and retail employees around the globe, many of whom will happily change that mapping for a few hundred bucks -- and have, in numerous well-publicised incidents. Control of a number provides absolutely zero proof of identity, and was never intended to do so. Hardware keys are in principle a little better but they are invariably riddled with firmware bugs and far too easily lost, and remain a niche product of interest mainly to engineers and security researchers. More fundamentally, passwords align responsibility for account security (by choosing and managing passwords wisely or foolishly) with ownership of the account's data, while typical 2FA mechanisms delegate that responsibility to unaccountable third parties with no incentive to maintain security. Worst of all, the "secondary" authn method is usually allowed to trigger a password reset, making it effectively the sole authn method.
It has become an article of faith that "passwords provide poor security". In one sense that's true: it has been amply proven that many people do not use them effectively, are highly resistant to education, and under those circumstances get very little security from them. In another sense, however, it's false: for account owners who do follow sound password management practices, guessing the password or obtaining it from the account owner -- whether directly or by use of a key logger or similar malware -- become significantly more difficult and costly than other attacks against that account. Since the purpose of any security measure is to render some classes of attacks not worthwhile to or beyond the capabilities of some threat actors, passwords are in fact an effective security measure for those account owners. They may or may not be sufficient, but account owners who know they are high-value targets will almost certainly prefer passwords to the weak "2FA" alternatives that are widely used, which create ready opportunities for cost-effective attacks via third parties unaccountable to the owner. The reason passwords are attacked so frequently is that for attackers looking merely for targets of opportunity, they are the lowest-cost attack vector. Targets of opportunity are almost always of low value, so passwords are actually a reasonably effective mechanism when considered in the context of the assets to be protected and the threat landscape. Assets too valuable to be protected by passwords are likely also too valuable to be protected by a Google account, regardless of the authn methods used to access that account.
There are more secure systems, but all require specialised hardware, software, training, and/or physical security measures to use effectively, and are less convenient. Most members of the general public -- the target market for Google's services -- are not willing to accept a system with those attributes. That's probably rational: again, if you need more security than good passwords can provide, you probably also need more security than you would trust Google to provide. Moreover, it is highly unlikely that the same people who have proven incapable of good password hygiene would prove any more adept at using a more complex security system. Depending upon the choices made by the designers of that system, they will quickly be locked out permanently, stop using the protected system altogether, or bypass the security measures. One can argue that all of these are merely engineering challenges that have yet to be solved, but whether they are unsolved or insoluble makes little difference. Passwords in fact remain the best available solution for this type of service and target market. Account owners must choose their passwords and password management practices in accordance with the value of their assets and anticipated threat model. Taking that choice out of their hands reduces security for high-value targets while focusing protective measures on the lowest-value assets.
So for most of us, is YouTube really so important and so linked into the intricacies of our lives that our accounts there need to be considered "high security"? I mean, wow, the list of Youtube videos I've watched for the past 10+ years is mostly a sad reflection on my life, not something I'd worry about in the least if world+dog were to find it out. ShopdogSam, TubalCain, AvE, Abom76. Boring machining videos. And lately some of that Davy guy who plays bass. So what? That knowledge really, REALLY needs to be kept secret? I could see this being an issue for content-creators/providers who are making $ off the videos they post and possibly have bank accounts tied to their Youtube account, but those of us on the consumer-side, who really gives a damn?
And my Google account? who gives a shit? Take it, play with it, send spam from it. I don't care, it's disposable if need be. It needs about as much security as the water hose in my front lawn.
This seems more like Google is trying to remind everyone that Google is "important" to their lives, so their grubby little accounts need to be more highly secured. That, and Google REALLY wants to harvest those last 5 million mobile numbers they don't yet have.
My Google account exists purely because I have an Android device where it is a pre-requisite but the only usage for the account is to fire up that device (and presumably track any activity etc etc..paranoid? Moi?)
Almost all of my real internet activity is done on a Linux box through either Firefox or Opera with the usual Ghostery/No-Script style blockers and if that means I cannot use YouTube then I consider that a bonus.
Sorry goog, you can't have my phone number, since I don't have one of my own (carry a work phone). You can have the Email back and youtube is as much commercials as it is anything - heck I remember watching things on YT to avoid commercials, back in the day lol.
All good things come to an end.
Thanks for the heads up Reg, I'm backing up my address book today to avoid losing contacts :)
I had an email (allegedly) from Google that stated that they wanted either my credit card details or a photo of my drivers licence/passport to establish that it was me, in order to "validate" a couple of my various gmail accounts.. I immediately assumed it was a scam, but it wouldn't surprise me if Google was actually trying to harvest that information. Anyone else had this?
Ignored it, either way.
" ... The idea being that if someone learns of or guesses your password, they also need to get something else off you, like your unlocked phone or hardware key. "
I'm not so sure it needs to be unlocked - "7 Methods to Hack/Bypass Android lock screen Pin/Pattern/Password" [ drphone dot wondershare dot com ]
If a stolen PIN-locked phone can be unlocked then having 2FA as Authenticator on the same phone is worse than useless. Also if the mail account used on that phone can be used for SMS authentication, ouch.
I do use Authenticator but on an older offline phone (no sim, bt and wifi turned off always) used for nothing else. Also, my regular Android phone has a dedicated google email account that isn't used for any other purpose.
Which all means a lot of inconvenience, e.g., no bank balance checks and transfers on the road. Possible for me because I grew up when that wasn't possible anyway.
Flood after flood, folks still build their homes on the shores & islands of flood/storm plains. Year after year, they get killed & lose all of their property. Then, survivors, on TV, boldly declare they will stupidly rebuild. Fools soon lose everything. Google has been fleecing a lot of fools for a long time now. You can't protect someone willing to live in a trailer on the beach on the southern tip of Florida below high tide. Like strong PWs, 2FA only works for those who create strong ones. And each of their accounts has a unique one. Who gives the dark net more access than anyone to security & personal data of the common folk? Corps like Google. Governments. Hacks constantly gaining millions of folks data several times a year. 2FA will not protect you once they have the data needed to become you.
I only use 2FA for sites that force me to. I have one email service I actually use & 3 others as backup when each one locks me out due to their security errors. And 2FA. I WILL NOT give any of them my phone numbers or home address. NOT my birthday. Hackers & spammers don't need it. THAT is who gain the most from players like Google & Facebook.
What is 2SV? Google trying to rewrite & own 2FA? Read the other day about rich criminals & large Tech companies buying up huge chunks of the privacy market companies. They have their own PR companies. They have their own "comment" armies. Example. They buy 4 or 5 VPN providers. They continue to promote the protections provided. Their PR firm(s) & commenters back up the claims. They use their own audit firm to confirm the lies. What does an honest person looking for a VPN do? The crooks & spammers (U know who I mean), are backdooring & harvesting all of the data before it gets encrypted & passed on. And you don't have a clue because of the hype. It has already happened. Facebook & Google & all the others only care about more money & power.
Good read: https://blog.windscribe.com/consolidation-of-the-vpn-industry-spells-trouble-for-the-consumer-57e638634cf0/
Stay safe & God bless... John_III_XVI
The major reasons for lack of uptake on 2FA systems by the mug punters are:
1. Lack of recovery when access is lost. Most people using something like Google Authenticator only have access on one phone. Lose the device, lose access. My wife and I are back-ups for each other but how many people have that luxury.
2. Synchronization when changing devices. Have you tried moving Google Authenticator to a new handset? Ouch.
3. Cost of hardware specific devices. I'm looking at YubiKey, and you still need to have a back-up device.
Until people can share keys (as in a family, as that's how most families work), and the above issues are addressed, the resistance to any 2FA system will continue.