Slog Comments

 

Comments (30)
Eli Sanders 1
Here's my question about the Google two-step: Isn't it a big bet on the idea that no one will ever be able to hack Google and then, if you're two-stepping, get your e-mail plus the bonus of the phone numbers you provided?

Though I guess at that point you're already pretty screwed...
Posted by Eli Sanders http://elisanders.net/ on August 7, 2012 at 9:33 AM
Anthony Hecht 2
@1 - Perhaps, but it's a reasonable bet that Google's services are pretty secure, but even allowing that nothing is completely secure, and they're a big target, it's just extra security for your account. If your account is compromised by some internal or system-wide hack of Google's data, it wouldn't be any worse than if you didn't have it turned on.
Posted by Anthony Hecht on August 7, 2012 at 9:38 AM
spamky 3
Windows has its own backup utility; it's in the Control Panel and it's called "Backup and Restore".
Posted by spamky on August 7, 2012 at 9:42 AM
4
The chances of someone hacking Google's 2-step are so remote that it's best not to worry about it. First they need your user name and password. So they'd somehow have to hack Google to get that. Once they hack Google they'd have to deal with the encryption Google uses and the ways in which Google anonymizes the user/data relationship. Then they'd have to find some flaw in the authenticator algorithm. If they found a flaw they could conceivably generate the 2-step password. The chances of both of those things occurring though aren't very likely.

This is the one time where having bad customer service is a plus. It was the stellar customer service that both Apple and Amazon give that made it possible to social engineer an exploit. Just try contacting Google, speaking to a person, and getting them to reset a password in this way. It's unlikely to happen. I don't even know how to get a person at Google, and I use their services for almost everything. The lesson to learn is that the person is the weak link more often than the computer.
Posted by arbeck http://www.facebook.com/arbeck on August 7, 2012 at 9:43 AM
Anthony Hecht 5
@3 - Thanks, added to the post.
Posted by Anthony Hecht on August 7, 2012 at 9:44 AM
6
1Password is the bomb diggity. I don't have to know a single one of the kajillion-hexadecimajigger passwords I've had it generate for me, just the one secret word that unlocks everything, which nobody could ever guess unless they saw that one Afterschool Special that lingers so in my mind.
Posted by gloomy gus on August 7, 2012 at 9:45 AM
7
A password manager is a must. I use KeePass because it's multiplatform and syncs up well with Dropbox.
Posted by arbeck http://www.facebook.com/arbeck on August 7, 2012 at 9:52 AM
Griffin 8
Analog decays gracefully, digital decays completely.
Posted by Griffin on August 7, 2012 at 10:05 AM
treacle 9
1. "If your data is not backed up, it is already gone." - B.

2. Xkcd on good password strength.

3. Never NEVER NEVER use the same passwords for: Email, Facebook, Banking, & Work. Also, write them down and keep that paper in a safe location at home.

I personally use Steganos 'LockNote' as my account/password keeper file.
Posted by treacle on August 7, 2012 at 10:35 AM
Posted by Matt the Engineer on August 7, 2012 at 10:36 AM
Matt the Engineer 11
@9 beat me by 1 minute.
Posted by Matt the Engineer on August 7, 2012 at 10:38 AM
Simone 12
I read the articles on Macrumors about the hacking.

I write my passwords down on paper. That's my password manager.
Posted by Simone on August 7, 2012 at 10:48 AM
13
Truth! Thanks for the reminder.

What really worries me, what really keeps me up at night, is the thought of someone breaking into my Slog account. Forget my bank account and medical records. This is what really matters!
Posted by floater on August 7, 2012 at 10:56 AM
Will in Seattle 14
Never trust the Internets. The tubes are full of spambots that hate science.
Posted by Will in Seattle http://www.facebook.com/WillSeattle on August 7, 2012 at 10:57 AM
15
@10 the sucky password in that comic isn't random. Using a random generator would be more secure, no?
Posted by Dr. Henry Chillberg on August 7, 2012 at 11:27 AM
Will in Seattle 16
@15 for the I Am Spam and SLOG has not Cancelled me Yet win. Seems like when I post that the spam goes bye bye.
Posted by Will in Seattle http://www.facebook.com/WillSeattle on August 7, 2012 at 11:29 AM
Anthony Hecht 17
@9 & 10 - XKCD is right, of course, except that it still doesn't scale when you have to remember passwords for 300 different websites and services. I wish 1Password would generate those kinds of passwords, though, instead of only the gibberish kind.

Still this whole thing shows that the strength of your password is only 1 piece of the puzzle, and only protects against guessing and brute-force. There are other ways to be compromised.
Posted by Anthony Hecht on August 7, 2012 at 11:48 AM
Kinison 18
Don't back up to Apple's cloud storage; it's apparently easy to call up Apple Tech Support and pretend to be, let's say, a Wired staff member and say you need to reset the password. Next thing you know, iPhone, iPad and everything on the cloud is wiped clean.

So it doesn't matter if you have complicated passwords, or even password managers; you just have to keep calling Apple Support and find a gullible/new rep.
Posted by Kinison http://www.holgatehawks.com on August 7, 2012 at 12:02 PM
19
@16 ...I'm confused. Thank you?
Posted by Dr. Henry Chillberg on August 7, 2012 at 12:18 PM
brandon 20
I like LastPass because it integrates with all browsers, cross platform too. And it does random password generation. It also has a smartphone app, but the iPhone one does not integrate with Safari (the rules of the App Store prevent it), but you can still access your passes and copy/paste or use the built-in browser in a pinch.

Only problem was they were compromised a year ago or so, but they have implemented 2-step authentication several different ways since then. I use the Google Authenticator app on my iPhone. You can also use a USB key or a printed-out grid of numbers (kinda old school WWII style, but it works if you don't have a smartphone).
Posted by brandon on August 7, 2012 at 12:35 PM
Anthony Hecht 21
@20 - Yeah, LastPass sounds good. 1Password has all of those features too (and works with Safari), but no 2-step auth.
Posted by Anthony Hecht on August 7, 2012 at 12:43 PM
Anthony Hecht 22
@18 - Backing up to iCloud doesn't open you up to having your devices wiped remotely, that's a separate feature (Find My iPhone/Find My Mac) that you have to specifically enable.
Posted by Anthony Hecht on August 7, 2012 at 12:44 PM
23
good discussion of Google's two-factor auth: https://news.ycombinator.com/item?id=434…
Posted by Phil M http://twitter.com/pmocek on August 7, 2012 at 1:07 PM
24
Mozy by VMware has an awesome backup and share service. Very reliable, good customer service, good prices, long term stable company. http://mozy.com. 2GB free, 50GB for $6/month. I highly recommend it.
Posted by ellencherry on August 7, 2012 at 1:12 PM
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn 25
I just realized the crappiest website that has my shit is thestranger.com. Fuck.
Posted by Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn http://youtu.be/zu-akdyxpUc on August 7, 2012 at 2:52 PM
Matt the Engineer 26
@15 Yeah, I was lazy enough not to re-read a comic strip I posted. Sorry, I was up all night trying to download ph…

You're right - random passwords would be more secure than the first technique, though near impossible to remember.
Posted by Matt the Engineer on August 7, 2012 at 3:11 PM
Anthony Hecht 27
@15 & 26 - Random is better *at the same length*, yes, but few people make 30-40 character random passwords. Using several actual words tends to result in more characters, which is more secure.
Posted by Anthony Hecht on August 7, 2012 at 10:44 PM
28
You can minimize your chances of being hacked as well by choosing to use a website or service that has the proper firewall or IPS rules. Articles like this always make people think they are solely alone in being hacked. It takes more than one to have a party.
Posted by ntobjectives http://www.ntobjectives.com on August 8, 2012 at 12:18 PM
29
Forgot to add, you can learn all about ways to prevent hacking and secure your site at http://www.ntobjectives.com.
Posted by ntobjectives http://www.ntobjectives.com on August 8, 2012 at 12:24 PM
30
Anthony, your take on this is dead-on. If Mat had bothered to back up his stuff, this whole event would have been a simple PITA, instead of a major disaster. Good passwords are good, better passwords are better, but anyone who does not have at least one backup of their data is a fool. My own personal regimen is two backups using Time Machine, one on site and a second sitting in my desk at work. These two disks trade places every six months or so, allowing for at worst a six-month-old backup if the house burns down...

Mat is not the only guy whose kids will have no baby pictures of themselves because of a catastrophic failure, coupled with a non-existent backup strategy. Most will be simple HD failures, and could have been easily recovered with a $100 USB drive and a very modest amount of effort.

Backups - Just Do It.
Posted by jimg on August 8, 2012 at 5:58 PM
