Yesterday, after a nice walk in the autumn woods, I came home and found several emails and Twitter notices from friends that my blogs were gone. I checked the addresses and this is what I received: "This blog is no longer accessible. The name is unavailable for new accounts."
After following the breadcrumb trail left for me by Blogger, I got to a page that informed me:
"There has been suspicious activity related to this account. To confirm you are the account holder, Google must send you either a text message or a voice message with a code you must enter..."
After I entered a phone number and got the Confirm Code, my blogs were immediately accessible again.
* * * * * * * * * * * * *
Google pretends to be helpful
For the past two weeks, every time I logged in to post on my blogs I've had an interrupt page from Google, stating that "for my convenience should I lose my passwords" it would be handy to have a phone number to use as another confirmation. There's also been a link in that page that said "skip this step" so of course I did; my password is very strong, nonverbal and would be pretty hard to break unless under a sustained and targeted attack. No robo-sniffer or password dictionary cracker is going to get it.
With Google suggesting it would be a good idea and also offering me a link to skip this step, it's implied that this is not a required condition of using Google products (in this case my blogs on Blogger, unfortunately snapped up by Google recently).
The real deal
This morning's research session was dedicated to what Google calls "Two-step Verification Process" which was launched in mid-February and is just getting around to all your Google accounts.
"Over the next few days you should see a link on your Google Account Settings page that allows you to enable 2-step verification. This new feature adds an extra layer of security to your Google account by requiring a special passcode in addition to your normal password."
Google Adds 2-Factor Security to Gmail, Apps [Krebs]
Here's a big blah-blah page from Google about "two-step verification":
"2-step verification helps protect a user’s account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can’t sign in without access to the user’s verification codes, which only the user can obtain via their own mobile phone. Requirements: a mobile phone that can receive the verification code via text message or phone call, or an Android, BlackBerry, or iPhone. These devices use the Google Authenticator mobile app to generate the verification code."
"You enable 2-step verification for your domain in your Google Apps control panel. The user enrolls in 2-step verification... Note: You can’t force your users to use 2-step verification, they must opt-in themselves."
* * * * * * * * * * * * *
Real security
I've talked before about secure passwords: 16-character non-word, alphanumeric+special characters passwords kept on a single password-protected file on your computer/usb key and using copy/paste for logins, or using something like Passkey to hold your passwords.
I've also spoken about the "security measure" of "secret questions" - giving an associated (in your mind) answer to such questions as "What was your childhood pet's name?" in light of social networking and the fact that once something is posted to the net, it's out there forever (using tools like the Wayback Machine). So I recommend choosing your question (if this alternative is offered) or using an answer that is completely unrelated to the questions but associated in your mind with the question:
Q. What was your childhood pet's name? A. Squanomish
Q. Where were you born? A. inmymotherswomb
Q. What was your favorite sport? A. escapingbullies
Combine those with the ASCII and spelling variants: Squ@nomiish, inmeyem0therzw0mb, ezkapeingbullieyes and you have a second layer of security, not easily guessed.
And the final simple rule: never use the same password for more than one service.
So the password:
6D9F1$%&3[invisible space/ascii character Alt + 255]15~>#b+
is going to be pretty hard to crack by an automated dictionary-cracker. Combined with the type of answer to the above typical "security questions" and the best-practice of never using the same password for more than one service, your account is going to be much more secure than someone using the password "Fluffy" for all their accounts.
The fact is that, like a house, you can never be completely secure, but you can make it very difficult for a burglar to break in. Given that option most burglars, especially the random, doorknob-turning kind, will go elsewhere to much easier targets. Like a house, if you are the specific target of a dedicated cracker, nothing is going to stop them, but such cases are a lot rarer than you think. I mean, unless you're a multi-billion-dollar CEO, an attorney in a messy divorce case or a bank, who is going to specifically target you?
* * * * * * * * * * * * *
The Google Two-Step
It's obvious by now that all this blah-blah about "enrolling" and "allowing" and "opt-in" is plain bullshit. So is the supposed "security" offered.
The 30-day browser cookie set by users that click the "Remember verification for this computer" checkbox means that if your computer is stolen, the thief can still access your account without having to provide the second step of verification, and likely not even the password if your computer was just sleeping and browser already open.
You'll have to repeat this process every 30 days, meaning Google's going to require a constant correlation between your username and your phone number. Change numbers? You're going to have to go through hoops to restore access to your accounts. Change computers between laptop, desktop, netbook or tablet? Delete all cookies on browser close to get rid of trackers, spies and supercookies? Same deal. Google wants to know where you are and what phone number you are using every 30 days.
Go ahead; try to opt-out, sucker
From more than a dozen posts explaining how to "turn off two-step verification" from both Google and many bloggers, you get this information:
Q.16) How can I turn off 2-step verification on my Google Account?
A.16) You can turn off 2-step verification by going to Google Accounts –> Using 2-step verification –> click on Turn off 2-step verification…
Here's the separate section on "how to turn off two-step verification"
Another article telling you how to turn off two-step verification
"In order to turn off two-step verification, visit this page or log in to your Google account and go to Settings >> Account Recovery Options >> Recovering your password. That page will tell you you can "add more information to your account to increase your account-recovery options."
Both ways will take you to this:
Notice that if you have not "opted-in" or "enrolled" or "allowed" this process previously, you will still have to fork over a phone number, receive a verification code and enroll in the program in order to reach the settings page where you can turn off the process, which will happen every 30 days.
Remind you of Facebook much? It should. There's no way to opt-out currently without first opting-in, and all Google's fanboy press and mealy-mouthing about "opting-in" or "enrolling" or "allowing" are straight-out lies. The interrupt-page I was receiving for the previous two weeks whenever I logged in offering to be "helpful" and offering me a link to "skip this step" was a smokescreen.
* * * * * * * * * * * * *
FSCK Google
Am I alarmed by this? I certainly am.
I am alarmed by Google pretending this is an opt-in service, repeating that idea in various words and meaning absolutely the opposite.
fsck: a Unix-based system utility for checking the consistency of a file system. Generally, fsck is run automatically at boot time when the operating system detects that a file system is in an inconsistent state.
[fsck is analogous to the Windows utility chkdsk]
I am alarmed by Google's persistent and consistent efforts to delete anonymity from the net; to consolidate its holdings and bring them into line with its stated mission of becoming an "Identity Provider"; Google's connection to OpenID and the National Strategy for Trusted Identities in Cyberspace [PDF link to whitehouse paper], which Google calls the Kantara Initiative (shades of the D.H.A.R.M.A. Initiative).
I'm not the only one.
Identity Crisis: The Delusion of NSTIC
Real Names: Google+, Government & The Identity Ecosystem
Google & NSTIC Leading the March to Digital Totalitarianism?
Botgirl's curated “Nymwars News and Commentary” site
* * * * * * * * * * * * *
After yesterday's little adventure and today's research, I am accelerating my efforts to completely remove myself from the Google ecosystem by using viable alternatives to every single product Google offers. I do not like liars and Google has proven to be no better than Facebook in regarding me as a slab of meat to be bought and sold for their profit, telling press about "optional" services that are in fact compulsory now.
Google has now proven to me that they are in fact dead-set on "doing evil."
Google must have forgotten everything it knew about the net; I can think of a dozen ways to get around this type of forced identification and access off the top of my head and during the coming weeks I will be researching even more ways to keep my electronic privacy protected.
What you do is up to you.
* * * * * * * * * * * * *
[double-posted at Netpolitik]
* * * * * * * * * * * * *