Tuesday, November 8, 2011

The Implacable Iron Fist of Google

Yesterday, after a nice walk in the autumn woods, I came home and found several emails and Twitter notices from friends that my blogs were gone. I checked the addresses and this is what I received:

"This blog is no longer accessible. The name is unavailable for new accounts."

After following the breadcrumb trail left for me by Blogger, I got to a page that informed me:

"There has been suspicious activity related to this account. To confirm you are the account holder, Google must send you either a text message or a voice message with a code you must enter..."

After I entered a phone number and got the Confirm Code, my blogs were immediately accessible again.

* * * * * * * * * * * * *

Google pretends to be helpful

For the past two weeks, every time I logged in to post on my blogs I've had an interrupt page from Google, stating that "for my convenience should I lose my passwords" it would be handy to have a phone number to use as another confirmation. There's also been a link in that page that said "skip this step" so of course I did; my password is very strong, nonverbal and would be pretty hard to break unless under a sustained and targeted attack. No robo-sniffer or password dictionary cracker is going to get it.

With Google suggesting it would be a good idea and also offering me a link to skip this step, it's implied that this is not a required condition of using Google products (in this case my blogs on Blogger, unfortunately snapped up by Google recently).

The real deal

This morning's research session was dedicated to what Google calls "Two-step Verification Process" which was launched in mid-February and is just getting around to all your Google accounts.

"Over the next few days you should see a link on your Google Account Settings page that allows you to enable 2-step verification. This new feature adds an extra layer of security to your Google account by requiring a special passcode in addition to your normal password."

Google Adds 2-Factor Security to Gmail, Apps [Krebs]

Here's a big blah-blah page from Google about "two-step verification"

"2-step verification helps protect a user’s account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can’t sign in without access to the user’s verification codes, which only the user can obtain via their own mobile phone. Requirements: a mobile phone that can receive the verification code via text message or phone call, or an Android, BlackBerry, or iPhone. These devices use the Google Authenticator mobile app to generate the verification code."

"You enable 2-step verification for your domain in your Google Apps control panel. The user enrolls in 2-step verification... Note: You can’t force your users to use 2-step verification, they must opt-in themselves."

* * * * * * * * * * * * *

Real security

I've talked before about secure passwords: 16-character non-word passwords of alphanumeric and special characters, kept in a single password-protected file on your computer or USB key and pasted in at login, or using something like Passkey to hold your passwords.

I've also spoken about the "security measure" of "secret questions" - giving a true answer to questions such as "What was your childhood pet's name?" In the age of social networking, and given that once something is posted to the net it's out there forever (tools like the Wayback Machine see to that), the real answer is often discoverable. So I recommend choosing your own question (if that alternative is offered) or using an answer that is completely unrelated to the question but associated with it in your mind:

Q. What was your childhood pet's name? A. Squanomish
Q. Where were you born? A. inmymotherswomb
Q. What was your favorite sport? A. escapingbullies

Combine those with the ASCII and spelling variants: Squ@nomiish, inmeyem0therzw0mb, ezkapeingbullieyes and you have a second layer of security, not easily guessed.

And the final simple rule: never use the same password for more than one service.

So the password:
6D9F1$%&3[invisible space/ascii character Alt + 255]15~>#b+

is going to be pretty hard to crack by an automated dictionary-cracker. Combined with the type of answer to the above typical "security questions" and the best-practice of never using the same password for more than one service, your account is going to be much more secure than someone using the password "Fluffy" for all their accounts.

The fact is that, like a house, you can never be completely secure, but you can make it very difficult for a burglar to break in. Given that option most burglars, especially the random, doorknob-turning kind, will go elsewhere to much easier targets. Like a house, if you are the specific target of a dedicated cracker, nothing is going to stop them, but such cases are a lot rarer than you think. I mean, unless you're a multi-billion-dollar CEO, an attorney in a messy divorce case or a bank, who is going to specifically target you?

* * * * * * * * * * * * *

The Google Two-Step

It's obvious by now that all this blah-blah about "enrolling" and "allowing" and "opt-in" is plain bullshit. So is the supposed "security" offered.

The 30-day browser cookie set when a user clicks the "Remember verification for this computer" checkbox means that if your computer is stolen, the thief can still access your account without having to provide the second step of verification, and likely not even the password if your computer was just sleeping with the browser already open.

You'll have to repeat this process every 30 days, meaning Google's going to require a constant correlation between your username and your phone number. Change numbers? You're going to have to go through hoops to restore access to your accounts. Change computers between laptop, desktop, netbook or tablet? Delete all cookies on browser close to get rid of trackers, spies and supercookies? Same deal. Google wants to know where you are and what phone number you are using every 30 days.

Go ahead; try to opt-out, sucker

From more than a dozen posts explaining how to "turn off two-step verification" from both Google and many bloggers, you get this information:

Q.16) How can I turn off 2-step verification on my Google Account
A.16) You can turn off 2-step verification by going to Google Accounts –> Using 2-step verification –> click on Turn off 2-step verification…

Here's the separate section on "how to turn off two-step verification"

Another article telling you how to turn off two-step verification

"In order to turn off two-step verification, visit this page or log in to your Google account and go to Settings >> Account Recovery Options >> Recovering your password. That page will tell you you can "add more information to your account to increase your account-recovery options.""

Both ways will take you to this:

[screenshot: the phone-number verification page]

Notice that if you have not "opted-in" or "enrolled" or "allowed" this process previously, you will still have to fork over a phone number, receive a verification code and enroll in the program in order to reach the settings page where you can turn off the process, which will happen every 30 days.

Remind you of Facebook much? It should. There's no way to opt-out currently without first opting-in, and all Google's fanboy press and mealy-mouthing about "opting-in" or "enrolling" or "allowing" are straight-out lies. The interrupt-page I was receiving for the previous two weeks whenever I logged in offering to be "helpful" and offering me a link to "skip this step" was a smokescreen.

* * * * * * * * * * * * *

FSCK Google

Am I alarmed by this? I certainly am. I am alarmed by Google pretending this is an opt-in service, repeating that idea in various words and meaning absolutely the opposite.

fsck: a Unix-based system utility for checking the consistency of a file system. Generally, fsck is run automatically at boot time when the operating system detects that a file system is in an inconsistent state. [fsck is analogous to the Windows utility chkdsk]

I am alarmed by Google's persistent and consistent efforts to delete anonymity from the net; to consolidate its holdings and bring them into line with its stated mission of becoming an "Identity Provider"; Google's connection to OpenID and the National Strategy for Trusted Identities in Cyberspace [PDF link to whitehouse paper], which Google calls the Kantara Initiative (shades of the D.H.A.R.M.A. Initiative!).

I'm not the only one.

Identity Crisis: The Delusion of NSTIC

Real Names: Google+, Government & The Identity Ecosystem

Google & NSTIC Leading the March to Digital Totalitarianism?

Botgirl's curated “Nymwars News and Commentary” site

* * * * * * * * * * * * *

After yesterday's little adventure and today's research, I am accelerating my efforts to completely remove myself from the Google ecosystem by using viable alternatives to every single product Google offers. I do not like liars and Google has proven to be no better than Facebook in regarding me as a slab of meat to be bought and sold for their profit, telling press about "optional" services that are in fact compulsory now.

Google has now proven to me that they are in fact dead-set on "doing evil."

Google must have forgotten everything it knew about the net; I can think of a dozen ways to get around this type of forced identification and access off the top of my head and during the coming weeks I will be researching even more ways to keep my electronic privacy protected.

What you do is up to you.

* * * * * * * * * * * * *

[double-posted at Netpolitik]

* * * * * * * * * * * * *

eternalmetaverse said...

I got the same message. But I had already switched to Wordpress so f@ck u GOOGLE! Later I got almost the same message regarding my Hotmail accounts, 3 accounts, and I closed them too.... Hell no, I won't go! I won't walk that path holding hands with Google.

sororNishi said...

Yep, I'm more or less out... though I do use Google search at times, it's just better.... mostly I use DuckDuckGo.
As far as passwords go I am fairly lax except with my bank account... "could do better" I guess..:))
Not sure why anyone would want to upload stuff to my Flickr account or post vids in my YouTube really.
I'm much more likely to exclude myself than anyone else.

Wizzy Gynoid said...

If I were Google right now I would be quaking in my boots. Why? Because I know I wouldn't want Miso as an enemy. :D

ramblinginavirtualworldwithshug said...

I am seeing blogs steadily moving out of blogspot since Google took command, often to Wordpress.

Scarp Godenot said...

Great Post Miso! Well Done. We need to spread the word on this utterly invasive and somewhat frightening development.

Can you imagine a future world where a politician decides to make anyone with certain opinions subject to arrest and worse? I can. It is VERY easy to picture this. The fight is NOW, not later. I will NEVER use gmail or blogspot again. Already switched to Bing, and will switch again if they show the same tendencies.

Ironically my Facebook is still in my online only name and not linked to rl at all... heh. Although I almost never go there.

I am very disappointed that Google+, which COULD have been a great social network, was strangled by the narcissistic personality of Vic Gundotra, who is apparently incapable of admitting to any errors in judgement. This despite a LONG record of internal Google employees predicting exactly this consequence and begging him to decide otherwise....

Sad state of affairs....