
Re: [ProgSoc] Hacked hotmail account?



On 6/3/06, jedd <jedd@xxxxxxxxxxx> wrote:
On Saturday 03 June 2006 4:13 am, Andrew Halliday wrote:
 ] Captain Obvious you are hereby promoted to Major Obvious.

 You were expecting a serious, considered, response to your
 "when I do something stupid, bad things happen" whine?

Getouttahere.

No I was expecting a serious response addressing my concern. The question was if anyone knew of a way to recover from the hypothetical situation if it arose. Stupidity is as irrelevant to my query as is your repetition.

 As Nigel pointed out, right under the box that you type your password
 into on the gmail site, is a checkbox deceptively annotated
 with "Remember me on this computer".  Ensuring that box is turned
 off ... is a good start.

Yes Jedd, I've said so at least once before in this thread, this box is not checked in any of my explorations of this 'feature'.

 Turning off password managers (I use kdewallet, and also the built-in
 forms manager of Firefox, and I gather there are similar utilities
 for Mac and Win32 platforms) is another good start, or at the least
 disabling those password managers for gmail.com.

I don't use any password managers on the browser level or the OS level. I don't even trust keychain with app passwords in Mac OSX.

<snip>

 This issue is probably further complicated by the fact that notifiers
 for gmail have been breeding like rabbits -- and these tend to include
 passwords, and neat little features like "click on this systray icon
 to launch and, 'cos we've got your password already, log in to gmail".

I'm not using any, but yes, I agree with what you're saying.

 So, yet another good start would be to disable these things, or
 consider configuring them to ask for your password when the system
 starts up, and/or find one with advanced features (drop the password
 after a screen saver kicks in, after a certain period of time, etc).

 ] >  Other than not leaving an authenticated session running
 ] >  somewhere else, you mean?
 ]
 ] Single sign-on enforcement. If you logon to MSN or AIM or ICQ and a
 ] few other webmail systems (SquirrelMail or OWA for example) and try to
 ] logon again it'll boot you off.

 You do realise that this isn't what single sign on refers to,
 don't you?  It might be handy to read up on SSO before going for
 any gigs that involve ... well, maybe not.

Semantics. I understand what SSO is. I'll rephrase to satiate the resident pedant then. They should have single login enforcement. In that you should only be able to be logged in once from a single terminal, and that if another login attempt is made it invalidates both sessions even if it's from within the same terminal.

Anyhoo, would most people want this limitation imposed on them?

Yes. Most people already _do_ have it imposed on them. We're talking about a single session based web service, unless of course you want to blur the lines and have everything logged in all the time.

 There's no good reason for a db-driven mail client to disallow
 concurrent logins (at least, none that I can think of) and the root
 of your problem(s) is not actually concurrency -- this is merely one
 inelegant and inappropriate solution to your misinterpretation of
 your actual problem.

So you'd be OK with concurrent persistent login sessions to your internet banking? Then you could leave it open on not one but all your terminals. How is single session enforcement inelegant? It's secure, it puts the user in control because the user knows they have the only active session. Which to me when I read my email or do net banking is kind of a nice thing to know that when I'm logged in, someone else can't be. Considering how common it is for web services to enforce a single login session policy, I think your spiel of inappropriateness doesn't apply.

 ] This isn't the case with GMail and due
 ] to the integration it looks like this isn't the case with google talk
 ] either which is interesting from a presence POV.

 How so?

 If I am logged in to my computer at home (say, as I am now) and then
 wander off to an office, and login there .. and happen to want to use
 gmail or gchat or gwhatever, should I care that I am still logged in
 somewhere else?  So long as the underlying db retains a clear record,
 or if you prefer, that the integrity of my data is maintained, then
 no -- I don't care.

 I'd probably be mildly irritated if, upon returning home, I had to
 re-authenticate to systems that I'd already authenticated to.  That
 is not how my computer should work.

I think I've already made my case above. It appears the difference is that I care about personal security when it comes to sensitive information site session management -and you don't.

 But back to your presence POV -- it isn't a compelling argument,
 because from the B-end of any conversation, they don't care *where*
 I am (which is what you're talking about) only *who* I am.  Anyone
 old enough to have not grown up with mobile phones will have noticed
 this trend away from a phone number referring to a place, and instead
 referring to a person (or in the business context, a role).

My argument is that single login session = less exposure, with less opportunity for people to gain unauthorised access to your personal data, whether email or my fav new example net banking. (Yes I am conveniently ignoring the fact that most net bank sites have timeouts on their sessions of around 15mins for inactivity -but I think the principle stands)

 ] If the browser is not configured to limit cookies to the current
 ] session, AND there is no auto-deletion of temp internet files (cache,
 ] history, cookies) I have found that logging out of my MacOSX 10.4 user
 ] account, resetting the machine and logging back in produces the same
 ] effect, as does doing the same on Windows Server 2003 R2.

 Aha .. some reference to specific browsers and OS's.

 So if Firefox is not configured to limit cookies (and presumably isn't
 configured to keep passwords for the gmail page?) then when you
 log out of your computer, and then log back in .. the machine attempts
 to replicate your previous desktop?  Nice.  That's what KDE does for
 me, and it's all protected by the login password.

Not quite. For my experiments Firefox is configured as described above by you -not to limit cookies and not to remember passwords. I quit Firefox, logoff, restart log back in, launch Firefox, navigate to gmail.com and then automagically it logs me in.

 Now, when you logged back in, did you use a password?

Yes I did, but this is outside the scope of my query and concern which was to find out if there was a way to invalidate other authenticated sessions in case I ever left one out in the wild.


 ] Get over yourself already. Some people need to use things like
 ] Internet Cafes occasionally which don't always let you do what you
 ] want to do to the system (clearing cache, etc)

 Which is why cafes tend to shutdown/reboot machines after someone
 has finished using them, and have all this stuff turned off.

Not always..

 If you
 are going to use a browser you aren't familiar with and/or aren't
 able to configure securely on a computer you don't own, can't
 confirm has no keyloggers (etc) installed and can't configure securely
 ... then you're misinterpreting your problem again.

No I'm not, you are. If I'm out somewhere and I *really* need to check my email for whatever reason, I'll do that, and as soon as I get to a trusted machine I'll reset my password and other auth. details for that account. Back to my concern though, is that _that_ is not enough to invalidate any sessions left out in the wild.

 ] Well GoogleTalk is integrated into GMail. I would have thought that
 ] such a presence-enabled technology could be used to effect some kind of
 ] forced logoff.

 Again, you're presupposing that most people would want it this way,
 or indeed that there's a significant minority that want the option
 to work this way.

I think most people would want it that way, or we'd see the same model adopted across all IM platforms.

 Since you've set a precedent of promulgating generalisations,
 pop in with one of my own -- most people have desktop sessions that
 are password protected.  QED, for most people, this is a non-issue,
 indeed, it'd be a step backwards to have the current functionality
 removed from the system.

People might have password protected desktop sessions, but what's the timeout when you walk away? Again, this is heading away from the scenario I outlined.

So by deduction you're saying that GMail is a step forward in the
world of webmail by allowing multiple simultaneous sessions with no
way for the end user to deactivate them except manually at each
authenticated terminal. Stop smoking crack. That's a stupid idea.

 ] If I logon to hotmail and then seperately logon to
 ] passport.net and change my password there, hotmail is forced to
 ] reauthenticate for further access the moment I click on something in
 ] the hotmail interface.

 Separately.

 I'm unconvinced, from my admittedly superficial understanding
 of how passport.net works, and hotmail integrates with same, that
 it's a laudable model for other programmers to adopt.

 Can you log into hotmail from two separate machines concurrently,
 and read & write emails from both?

It does - BUT if you close the browser or navigate away from the page and then navigate back to hotmail.com it prompts you for a password. This is the sort of functionality I want.

 I guess this means you don't have any thoughts on NULL-able
 columns as parts of PK's within MySQL?   Bugger.

No Jedd, I don't. I know why, like anyone who's done any kind of DB design, but I couldn't really care less because it's not related to this discussion. Please, by all means start a thread if you want to know why.

-Andi.
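The two mechanisms argued over in this exchange, a password change that kills any session left "out in the wild", and a single-active-session policy, implemented side by side as an added example. This is not part of the original thread and is not the code of Gmail, Hotmail or Passport; every class, function and account name here is hypothetical, and the sample accounts and passwords are constructed for the demo. The idle timeout mirrors the 15-minute banking-site behaviour mentioned above.

```python
"""Server-side session invalidation (added example, hypothetical names).

Mechanism 1: each account carries a credential "generation" counter and each
session records the generation it was issued under. Changing the password
bumps the counter, so every session minted before the change fails its next
request no matter which terminal it was left on.

Mechanism 2: an optional single-active-session policy, where issuing a new
session revokes the previous ones for that account.
"""
import hashlib
import hmac
import os
import secrets
import time


class AccountStore:
    def __init__(self):
        self._accounts = {}  # username -> {"salt", "hash", "generation"}

    @staticmethod
    def _hash(salt, password):
        # Iteration count kept modest so the demo runs quickly; raise it in production.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, username, password):
        salt = os.urandom(16)
        self._accounts[username] = {"salt": salt, "hash": self._hash(salt, password), "generation": 0}

    def verify(self, username, password):
        acct = self._accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct["hash"], self._hash(acct["salt"], password))

    def change_password(self, username, old, new):
        if not self.verify(username, old):
            return False
        acct = self._accounts[username]
        acct["salt"] = os.urandom(16)
        acct["hash"] = self._hash(acct["salt"], new)
        acct["generation"] += 1  # every outstanding session is now stale
        return True

    def generation(self, username):
        return self._accounts[username]["generation"]


class SessionStore:
    def __init__(self, accounts, single_session=False, idle_timeout=15 * 60, clock=time.time):
        self._accounts = accounts
        self._sessions = {}  # token -> {"user", "generation", "last_seen"}
        self._single_session = single_session
        self._idle_timeout = idle_timeout
        self._clock = clock

    def login(self, username, password):
        if not self._accounts.verify(username, password):
            return None
        if self._single_session:
            self.revoke_all(username)  # the new login boots any earlier one
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": username,
            "generation": self._accounts.generation(username),
            "last_seen": self._clock(),
        }
        return token

    def authenticate(self, token):
        """Username for a live session, or None if the token is unknown, idle
        past the timeout, or was issued before the account's current generation."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self._idle_timeout:
            del self._sessions[token]
            return None
        if s["generation"] != self._accounts.generation(s["user"]):
            del self._sessions[token]  # stale since the password change
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke_all(self, username):
        for tok in [t for t, s in self._sessions.items() if s["user"] == username]:
            del self._sessions[tok]

    def active_count(self, username):
        return sum(1 for s in self._sessions.values() if s["user"] == username)


def demo_password_change():
    """Concurrent logins allowed; a password change from a trusted machine
    kills the session left behind at the cafe (and the changer's own)."""
    accounts = AccountStore()
    accounts.create("andi", "correct horse")   # constructed sample account
    sessions = SessionStore(accounts)
    cafe = sessions.login("andi", "correct horse")
    home = sessions.login("andi", "correct horse")
    before = sessions.active_count("andi")                       # 2
    accounts.change_password("andi", "correct horse", "new phrase")
    cafe_alive = sessions.authenticate(cafe) is not None         # False
    home_alive = sessions.authenticate(home) is not None         # False
    fresh = sessions.login("andi", "new phrase")
    return before, cafe_alive, home_alive, sessions.authenticate(fresh)


def demo_single_session():
    """Single-login enforcement: the second login invalidates the first."""
    accounts = AccountStore()
    accounts.create("andi", "pw")
    sessions = SessionStore(accounts, single_session=True)
    first = sessions.login("andi", "pw")
    second = sessions.login("andi", "pw")
    return sessions.authenticate(first), sessions.authenticate(second)
```

The generation counter is the part that answers the question actually asked in the thread: it needs no presence channel and no client cooperation, only that the session check compare against the account's current value on each request rather than trusting the token alone.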

-
You are subscribed to the progsoc mailing list. To unsubscribe, send a
message containing "unsubscribe" to progsoc-request@xxxxxxxxxxxxxxxxxxx
If you are having trouble, ask owner-progsoc@xxxxxxxxxxxxxxxxxx for help.