Re: [ProgSoc] Hacked hotmail account?
On 6/3/06, jedd <jedd@xxxxxxxxxxx> wrote:
On Saturday 03 June 2006 4:13 am, Andrew Halliday wrote:
] Captain Obvious you are hereby promoted to Major Obvious.
You were expecting a serious, considered, response to your
"when I do something stupid, bad things happen" whine?
Getouttahere.
No I was expecting a serious response addressing my concern. The
question was if anyone knew of a way to recover from the hypothetical
situation if it arose. Stupidity is as irrelevant to my query as is
your repetition.
As Nigel pointed out, right under the box that you type your password
into on the gmail site, is a checkbox deceptively annotated
with "Remember me on this computer". Ensuring that box is turned
off ... is a good start.
Yes Jedd, I've said so at least once before in this thread: this box
is not checked in any of my explorations of this 'feature'.
Turning off password managers (I use kdewallet, and also the built-in
forms manager of Firefox, and I gather there are similar utilities
for Mac and Win32 platforms) is another good start, or at the least
disabling those password managers for gmail.com.
I don't use any password managers on the browser level or the OS
level. I don't even trust keychain with app passwords in Mac OSX.
<snip>
This issue is probably further complicated by the fact that notifiers
for gmail have been breeding like rabbits -- and these tend to include
passwords, and neat little features like "click on this systray icon
to launch and, 'cos we've got your password already, log in to gmail".
I'm not using any, but yes, I agree with what you're saying.
So, yet another good start would be to disable these things, or
consider configuring them to ask for your password when the system
starts up, and/or find one with advanced features (drop the password
after a screen saver kicks in, after a certain period of time, etc).
] > Other than not leaving an authenticated session running
] > somewhere else, you mean?
]
] Single sign-on enforcement. If you logon to MSN or AIM or ICQ and a
] few other webmail systems (SquirrelMail or OWA for example) and try to
] logon again it'll boot you off.
You do realise that this isn't what single sign on refers to,
don't you? It might be handy to read up on SSO before going for
any gigs that involve ... well, maybe not.
Semantics. I understand what SSO is. I'll rephrase to satiate the
resident pedant then. They should have single login enforcement, in
that you should only be able to be logged in once from a single
terminal, and that if another login attempt is made it invalidates
both sessions even if it's from within the same terminal.
Anyhoo, would most people want this limitation imposed on them?
Yes. Most people already _do_ have it imposed on them.
We're talking about a single session based web service, unless of
course you want to blur the lines and have everything logged in all
the time.
There's no good reason for a db-driven mail client to disallow
concurrent logins (at least, none that I can think of) and the root
of your problem(s) is not actually concurrency -- this is merely one
inelegant and inappropriate solution to your misinterpretation of
your actual problem.
So you'd be OK with concurrent persistent login sessions to your
internet banking? Then you could leave it open on not one but all your
terminals.
How is single session enforcement inelegant? It's secure, it puts the
user in control because the user knows they have the only active
session. Which to me when I read my email or do net banking is kind of
a nice thing to know that when I'm logged in, someone else can't be.
Considering how common it is for web services to enforce a single
login session policy, I think your spiel of inappropriateness doesn't
apply.
] This isn't the case with GMail and due
] to the integration it looks like this isn't the case with google talk
] either which is interesting from a presence POV.
How so?
If I am logged in to my computer at home (say, as I am now) and then
wander off to an office, and login there .. and happen to want to use
gmail or gchat or gwhatever, should I care that I am still logged in
somewhere else? So long as the underlying db retains a clear record,
or if you prefer, that the integrity of my data is maintained, then
no -- I don't care.
I'd probably be mildly irritated if, upon returning home, I had to
re-authenticate to systems that I'd already authenticated to. That
is not how my computer should work.
I think I've already made my case above. It appears the difference is
that I care about personal security when it comes to sensitive
information site session management -- and you don't.
But back to your presence POV -- it isn't a compelling argument,
because from the B-end of any conversation, they don't care *where*
I am (which is what you're talking about) only *who* I am. Anyone
old enough to have not grown up with mobile phones will have noticed
this trend away from a phone number referring to a place, and instead
referring to a person (or in the business context, a role).
My argument is that single login session = less exposure, with less
opportunity for people to gain unauthorised access to your personal
data, whether email or my fav new example net banking. (Yes I am
conveniently ignoring the fact that most net bank sites have timeouts
on their sessions of around 15mins for inactivity -- but I think the
principle stands)
] If the browser is not configured to limit cookies to the current
] session, AND there is no auto-deletion of temp internet files (cache,
] history, cookies) I have found that logging out of my MacOSX 10.4 user
] account, resetting the machine and logging back in produces the same
] effect, as does doing the same on Windows Server 2003 R2.
Aha .. some reference to specific browsers and OS's.
So if Firefox is not configured to limit cookies (and presumably isn't
configured to keep passwords for the gmail page?) then when you
log out of your computer, and then log back in .. the machine attempts
to replicate your previous desktop? Nice. That's what KDE does for
me, and it's all protected by the login password.
Not quite. For my experiments Firefox is configured as described above
by you -- not to limit cookies and not to remember passwords. I quit
Firefox, log off, restart, log back in, launch Firefox, navigate to
gmail.com and then automagically it logs me in.
Now, when you logged back in, did you use a password?
Yes I did, but this is outside the scope of my query and concern which
was to find out if there was a way to invalidate other authenticated
sessions in case I ever left one out in the wild.
] Get over yourself already. Some people need to use things like
] Internet Cafes occasionally which don't always let you do what you
] want to do to the system (clearing cache, etc)
Which is why cafes tend to shutdown/reboot machines after someone
has finished using them, and have all this stuff turned off.
Not always.
If you
are going to use a browser you aren't familiar with and/or aren't
able to configure securely on a computer you don't own, can't
confirm has no keyloggers (etc) installed and can't configure securely
... then you're misinterpreting your problem again.
No I'm not, you are. If I'm out somewhere and I *really* need to check
my email for whatever reason, I'll do that, and as soon as I get to a
trusted machine I'll reset my password and other auth. details for
that account. Back to my concern though, is that _that_ is not enough
to invalidate any sessions left out in the wild.
] Well GoogleTalk is integrated into GMail. I would have thought that
] such a presence-enabled technology could be used to effect some kind of
] forced logoff.
Again, you're presupposing that most people would want it this way,
or indeed that there's a significant minority that want the option
to work this way.
I think most people would want it that way, or we'd see the same model
adopted across all IM platforms.
Since you've set a precedent of promulgating generalisations,
pop in with one of my own -- most people have desktop sessions that
are password protected. QED, for most people, this is a non-issue,
indeed, it'd be a step backwards to have the current functionality
removed from the system.
People might have password protected desktop sessions, but what's the
timeout when you walk away? Again, this is heading away from the
scenario I outlined.
So by deduction you're saying that GMail is a step forward in the
world of webmail by allowing multiple simultaneous sessions with no
way for the end user to deactivate them except manually at each
authenticated terminal. Stop smoking crack. That's a stupid idea.
] If I logon to hotmail and then seperately logon to
] passort.net and change my password there, hotmail is forced to
] reauthenticate for further access the moment I click on something in
] the hotmail interface.
Separately.
I'm unconvinced, from my admittedly superficial understanding
of how passort.net works, and hotmail integrates with same, that
it's a laudable model for other programmers to adopt.
Can you log into hotmail from two separate machines concurrently,
and read & write emails from both?
It does - BUT if you close the browser or navigate away from the page
and then navigate back to hotmail.com it prompts you for a password.
This is the sort of functionality I want.
I guess this means you don't have any thoughts on NULL-able
columns as parts of PK's within MySQL? Bugger.
No Jedd, I don't. I know why, like anyone who's done any kind of DB
design, but I couldn't really care less because it's not related to
this discussion. Please, by all means start a thread if you want to
know why.
-Andi.
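The two behaviours argued over in this thread, a password change that kills every existing session and an optional single-session mode where the newest login revokes the earlier ones, plus a "log out everywhere else" action, as an added Python example that is not code from the thread or from any of the services named; the SessionStore class, its token handling and the password-generation counter are hypothetical.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """Server-side session registry (hypothetical; added example)."""

    def __init__(self, single_session=False):
        self.single_session = single_session
        self.users = {}     # username -> {"pw_hash": str, "pw_gen": int}
        self.sessions = {}  # token -> (username, pw_gen at issue time)

    @staticmethod
    def _hash(password):
        # Demo only: production code uses a salted, slow KDF (e.g. scrypt).
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, user, password):
        self.users[user] = {"pw_hash": self._hash(password), "pw_gen": 0}

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], self._hash(password)):
            return None
        if self.single_session:
            self.revoke_all(user)  # newest login wins; older ones are dropped
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, rec["pw_gen"])
        return token

    def is_valid(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user, gen = entry
        # A token issued under an earlier password generation is dead,
        # even though its row still exists until it is cleaned up.
        return self.users[user]["pw_gen"] == gen

    def change_password(self, user, new_password):
        rec = self.users[user]
        rec["pw_hash"] = self._hash(new_password)
        rec["pw_gen"] += 1  # every session issued before this instant stops validating

    def revoke_all(self, user, keep=None):
        """Log out everywhere (optionally except the session that asked)."""
        for tok, (u, _) in list(self.sessions.items()):
            if u == user and tok != keep:
                del self.sessions[tok]
```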