
Re: [ProgSoc] Hacked hotmail account?



On Saturday 03 June 2006 4:13 am, Andrew Halliday wrote:
 ] Captain Obvious you are hereby promoted to Major Obvious.

 You were expecting a serious, considered, response to your
 "when I do something stupid, bad things happen" whine?

 Getouttahere.

 As Nigel pointed out, right under the box that you type your password
 into on the gmail site, is a checkbox deceptively annotated
 with "Remember me on this computer".  Ensuring that box is turned
 off ... is a good start.

 Turning off password managers (I use kdewallet, and also the built-in
 forms manager of Firefox, and I gather there are similar utilities
 for Mac and Win32 platforms) is another good start, or at the least
 disabling those password managers for gmail.com.

 En passant ... I noticed that you avoided mentioning what platform,
 or indeed what browser you are experiencing these problems on.  Bit
 of an oversight when asking questions that come back to the feature
 set of particular browsers and operating systems.

 This issue is probably further complicated by the fact that notifiers
 for gmail have been breeding like rabbits -- and these tend to include
 passwords, and neat little features like "click on this systray icon
 to launch and, 'cos we've got your password already, log in to gmail".

 So, yet another good start would be to disable these things, or
 consider configuring them to ask for your password when the system
 starts up, and/or find one with advanced features (drop the password
 after a screen saver kicks in, after a certain period of time, etc).

 ] >  Other than not leaving an authenticated session running
 ] >  somewhere else, you mean?
 ] 
 ] Single sign-on enforcement. If you logon to MSN or AIM or ICQ and a
 ] few other webmail systems (SquirrelMail or OWA for example) and try to
 ] logon again it'll boot you off.

 You do realise that this isn't what single sign on refers to,
 don't you?  It might be handy to read up on SSO before going for
 any gigs that involve ... well, maybe not.

 Anyhoo, would most people want this limitation imposed on them?

 There's no good reason for a db-driven mail client to disallow
 concurrent logins (at least, none that I can think of) and the root
 of your problem(s) is not actually concurrency -- this is merely one
 inelegant and inappropriate solution to your misinterpretation of
 your actual problem.

 ] This isn't the case with GMail and due
 ] to the integration it looks like this isn't the case with google talk
 ] either which is interesting from a presence POV.

 How so?

 If I am logged in to my computer at home (say, as I am now) and then
 wander off to an office, and login there .. and happen to want to use
 gmail or gchat or gwhatever, should I care that I am still logged in
 somewhere else?  So long as the underlying db retains a clear record,
 or if you prefer, that the integrity of my data is maintained, then
 no -- I don't care.

 I'd probably be mildly irritated if, upon returning home, I had to
 re-authenticate to systems that I'd already authenticated to.  That
 is not how my computer should work.

 But back to your presence POV -- it isn't a compelling argument,
 because from the B-end of any conversation, they don't care *where*
 I am (which is what you're talking about) only *who* I am.  Anyone
 old enough to have not grown up with mobile phones will have noticed
 this trend away from a phone number referring to a place, and instead
 referring to a person (or in the business context, a role).

 ] If the browser is not configured to limit cookies to the current
 ] session, AND there is no auto-deletion of temp internet files (cache,
 ] history, cookies) I have found that logging out of my MacOSX 10.4 user
 ] account, resetting the machine and logging back in produces the same
 ] effect, as does doing the same on Windows Server 2003 R2.

 Aha .. some reference to specific browsers and OS's.

 So if Firefox is not configured to limit cookies (and presumably isn't
 configured to keep passwords for the gmail page?) then when you
 log out of your computer, and then log back in .. the machine attempts
 to replicate your previous desktop?  Nice.  That's what KDE does for
 me, and it's all protected by the login password.

 Now, when you logged back in, did you use a password?

 ] Get over yourself already. Some people need to use things like
 ] Internet Cafes occasionally which don't always let you do what you
 ] want to do to the system (clearing cache, etc)

 Which is why cafes tend to shutdown/reboot machines after someone
 has finished using them, and have all this stuff turned off.  If you
 are going to use a browser you aren't familiar with and/or aren't
 able to configure securely on a computer you don't own, can't
 confirm has no keyloggers (etc) installed and can't configure securely
 ... then you're misinterpreting your problem again.

 Consequently, solutions you try to formulate will be inappropriate.

 ] Well GoogleTalk is integrated into GMail. I would have thought that
 ] such a presence enable technology could be used to effect some kind of
 ] forced logoff.

 Again, you're presupposing that most people would want it this way,
 or indeed that there's a significant minority that want the option
 to work this way.

 Since you've set a precedent of promulgating generalisations, I'll
 pop in with one of my own -- most people have desktop sessions that
 are password protected.  QED, for most people, this is a non-issue,
 indeed, it'd be a step backwards to have the current functionality
 removed from the system.

 ] If I logon to hotmail and then seperately logon to
 ] passort.net and change my password there, hotmail is forced to
 ] reauthenticate for further access the moment I click on something in
 ] the hotmail interface.

 Separately.

 I'm unconvinced, from my admittedly superficial understanding
 of how passort.net works, and hotmail integrates with same, that
 it's a laudable model for other programmers to adopt.

 Can you log into hotmail from two separate machines concurrently,
 and read & write emails from both?

 ] So in other words Jedd, you don't have any ideas. Why then did you
 ] bother opening your hole to spew forth garbage? I asked what I asked
 ] out of the interest of forming some vague level of a contingency plan
 ] for IF what I outlined ever happened to me whilst using this
 ] particular service. So far Major Obvious has just sprinkled his usual
 ] Jedd(tm) fairy shit over the topic and contributed nothing of note or
 ] value.

 Yes, quite.  q.v. first paragraph.

 I guess this means you don't have any thoughts on NULL-able
 columns as parts of PK's within MySQL?   Bugger.

 Jedd.
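Added example, not part of the thread above: a minimal session model in Python that shows the three behaviours argued over in this message. Concurrent logins from two machines are both valid; a "remember me" cookie outlives the browser session while an ordinary one does not; and, as described for Passport/Hotmail, a password change forces every outstanding session to re-authenticate. The class, the TTL values and the simulated clock are assumptions for illustration.

```python
import secrets

SESSION_TTL = 30 * 60          # assumed: 30-minute session cookie
REMEMBER_TTL = 14 * 24 * 3600  # assumed: 14-day persistent "remember me" cookie


class AuthServer:
    def __init__(self):
        self.users = {}     # username -> {"pwd": str, "pwd_version": int}
        self.sessions = {}  # token -> {"user", "pwd_version", "expires", "persistent"}

    def add_user(self, user, password):
        self.users[user] = {"pwd": password, "pwd_version": 0}

    def login(self, user, password, now, remember_me=False):
        # `now` is a simulated clock (seconds) so the example is deterministic.
        rec = self.users.get(user)
        if rec is None or rec["pwd"] != password:
            return None
        token = secrets.token_urlsafe(32)
        ttl = REMEMBER_TTL if remember_me else SESSION_TTL
        self.sessions[token] = {"user": user, "pwd_version": rec["pwd_version"],
                                "expires": now + ttl, "persistent": remember_me}
        return token

    def check(self, token, now):
        # Returns the username for a valid session, else None.
        s = self.sessions.get(token)
        if s is None or now > s["expires"]:
            return None
        # Passport-style rule: password changed since issue -> force re-auth.
        if s["pwd_version"] != self.users[s["user"]]["pwd_version"]:
            del self.sessions[token]
            return None
        return s["user"]

    def browser_closed(self, token):
        # Simulates the browser discarding a non-persistent cookie on exit
        # (done server-side here for brevity); a "remembered" cookie survives.
        s = self.sessions.get(token)
        if s and not s["persistent"]:
            del self.sessions[token]

    def change_password(self, user, old, new):
        rec = self.users[user]
        if rec["pwd"] != old:
            return False
        rec["pwd"] = new
        rec["pwd_version"] += 1  # invalidates every outstanding session
        return True
```

Note that nothing here limits the number of concurrent sessions; the password-version check is what closes the "forgot to log out somewhere" window, which is the point made above about concurrency not being the real problem.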
