Yesterday, after a nice walk in the autumn woods, I came home and found several emails and Twitter notices from friends that my blogs were gone. I checked the addresses and this is what I received:
"This blog is no longer accessible. The name is unavailable for new accounts."WTF?!?!
After following the breadcrumb trail left for me by Blogger, I got to a page that informed me:
"There has been
suspicious activity related to this account. To confirm you are the account holder, Google must send you either a text message or a voice message with a code you must enter..."
After I entered a phone number and got the Confirm Code, my blogs were immediately accessible again.
66:75:63:6b:20:47:6f:6f:67:6c:65
Google pretends to be helpfulFor the past two weeks, every time I logged in to post on my blogs I've had an interrupt page from Google, stating that "for my convenience should I lose my passwords" it would be
handy to have a phone number to use as another confirmation. There's also been a link in that page that said
"skip this step" so of course I did; my password is very strong, nonverbal and would be pretty hard to break unless under a sustained and targeted attack. No robo-sniffer or password dictionary cracker is going to get it.
With Google
suggesting it would be a good idea and also offering me a link to skip this step, it's implied that this is not a required condition of using Google products (in this case my blogs on Blogger, unfortunately snapped up by Google recently).
The real dealThis morning's research session was dedicated to what Google calls "Two-step Verification Process" which was launched in mid-February and is just getting around to all your Google accounts.
"
Over the next few days you should see a link on your Google Account Settings page that allows you to enabled 2-step verification. This new feature adds an extra layer of security to your Google account by requiring a special passcode in addition to your normal password."
Google Adds 2-Factor Security to Gmail, Apps [Krebs]
Here's a big blah-blah page from Google about "two-step verification""2-step verification helps protect a user’s account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can’t sign in without access to the user’s verification codes, which only the user can obtain via their own mobile phone. Requirements: a mobile phone that can receive the verification code via text message or phone call, or an Android, BlackBerry, or iPhone. These devices use the Google Authenticator mobile app to generate the verification code. "
"You enable 2-step verification for your domain in your Google Apps control panel. The user
enrolls in 2-step verification...
Note: You can’t force your users to use 2-step verification, they must opt-in themselves."
66:75:63:6b:20:47:6f:6f:67:6c:65
Real securityI've talked before about secure passwords: 16-character non-word, alphanumeric+special characters passwords kept on a single password-protected file on your computer/usb key and using copy/paste for logins, or using something like
Passkey to hold your passwords.
I've also spoken about the "security measure" of "secret questions" - giving an associated (in your mind) answer to such questions as "What was your childhood pet's name?" in light of social networking and the fact that once something is posted to the net, it's out there forever (using tools like the
Wayback Machine). So I recommend choosing your question (if this alternative is offered) or using an answer that is completely unrelated to the questions but
associated in your mind with the question:
Q. What was your childhood pet's name? A. Squanomish
Q. Where were you born? A. inmymotherswomb
Q. What was your favorite sport? A. escapingbullies
Combine those with the ASCII and spelling variants: Squ@nomiish, inmeyem0therzw0mb, ezkapeingbullieyes and you have a second layer of security, not easily guessed.
And the final simple rule:
never use the same password for more than one service.
So the password:
6D9F1$%&3[invisible space/ascii character Alt + 255]15~>#b+
is going to be pretty hard to crack by an automated dictionary-cracker. Combined with the type of answer to the above typical "security questions" and the best-practice of never using the same password for more than one service, your account is going to be much more secure than someone using the password "Fluffy" for all their accounts.
The fact is that, like a house,
you can never be completely secure, but you can make it very difficult for a burglar to break in. Given that option most burglars, especially the random, doorknob-turning kind, will go elsewhere to much easier targets. Like a house, if you are the specific target of a dedicated cracker, nothing is going to stop them, but such cases are a lot rarer than you think. I mean, unless you're a multi-billion-dollar CEO, an attorney in a messy divorce case or a bank, who is going to specifically target you?
66:75:63:6b:20:47:6f:6f:67:6c:65
The Google Two-StepIt's obvious by now that all this blah-blah about "enrolling" and "allowing" and "opt-in" is
plain bullshit. So is the supposed "security" offered.
The
30-day browser cookie set by users that click the "Remember verification for this computer" checkbox means that if your computer is stolen,
the thief can still access your account without having to provide the second step of verification, and likely not even the password if your computer was just sleeping and browser already open.
You'll have to repeat this process every 30 days, meaning Google's going to require a constant correlation between your username and your phone number. Change numbers? You're going to have to go through hoops to restore access to your accounts. Change computers between laptop, desktop, netbook or tablet? Delete all cookies on browser close to get rid of trackers, spies and
supercookies? Same deal. Google wants to know where you are and what phone number you are using
every 30 days.
Go ahead; try to opt-out, suckerFrom more than a dozen posts explaining how to "turn off two-step verification" from both Google and many bloggers, you get this information:
Q.16) How can I turn off 2-step verification on my Google Account
A.16) You can turnoff 2-step verification, by going to Google Accounts –> Using 2-step verification –> click on Turn off 2-step verification…
Here's the separate section on "how to turn off two-step verification"Another article telling you how to turn off two-step verification"In order to turn off two-step verification, visit
this page or log in to your Google account and go to Settings >> Account Recovery Options >> Recovering your password.
That page will tell you you can "add more information to your account to increase your account-recovery options."
Both ways will take you to this:
click the picture for the Big Picture Notice that if you have not "opted-in" or "enrolled" or "allowed" this process previously,
you will still have to fork over a phone number, receive a verification code and enroll in the program in order to reach the settings page where you can turn off the process, which will happen every 30 days.Remind you of Facebook much? It should. There's no way to opt-out currently
without first opting-in, and all Google's fanboy press and mealy-mouthing about "opting-in" or "enrolling" or "allowing" are straight-out lies. The interrupt-page I was receiving for the previous two weeks whenever I logged in offering to be "helpful" and offering me a link to "skip this step" was a smokescreen.
66:75:63:6b:20:47:6f:6f:67:6c:65
FSCK GoogleAm I alarmed by this?
I certainly am. I am alarmed by Google pretending this is an opt-in service, repeating that idea in various words and meaning absolutely the opposite.
fsck: a Unix-based system utility for checking the consistency of a file system. Generally, fsck is run automatically at boot time when the operating system detects that a file system is in an inconsistent state. [fsck is analogous to the Windows utility
chkdsk]
I am alarmed by Google's persistent and consistent efforts to delete anonymity from the net; to consolidate its holdings and bring them into line with its stated mission of becoming an "
Identity Provider"; Google's connection to
OpenID and the
National Strategy for Trusted Identities in Cyberspace [PDF link to whitehouse paper], which Google calls the
Kantara Initiative (shades of the
D.H.A.R.M.A. Initiative!).
I'm not the only one.
Identity Crisis: The Delusion of NSTICReal Names: Google+, Government & The Identity EcosystemGoogle & NSTIC Leading the March to Digital Totalitarianism?Botgirl's curated “Nymwars News and Commentary” site66:75:63:6b:20:47:6f:6f:67:6c:65
After yesterday's little adventure and today's research, I am accelerating my efforts to completely remove myself from the Google ecosystem by using viable alternatives to every single product Google offers.
I do not like liars and Google has proven to be no better than Facebook in regarding me as a slab of meat to be bought and sold for their profit, telling press about "optional" services that are in fact compulsory now.
Google has now proven to me that they are in fact dead-set on "doing evil."Google must have forgotten everything it knew about the net;
I can think of a dozen ways to get around this type of forced identification and access off the top of my head and during the coming weeks I will be researching even more ways to keep my electronic privacy protected. What you do is up to you.
66:75:63:6b:20:47:6f:6f:67:6c:65