Gmail's new "Advanced Protection Program"
belham2

Joined: 15 Aug 2016
Posts: 1552

Posted: Sun 21 Jan 2018, 06:13    Post subject:  Gmail's new "Advanced Protection Program"

This thread is NOT about the evilness of Google and the monitoring by them (and every gov't) of what we do and don't do on the web. I don't have time for that paranoid stuff, valid or not, in my life. There are too many other problems on the web. Ones that we can address & take action about---like complete email lockdown security.

Thus, this thread is about Gmail, Yubikeys and the new "Advanced Protection Program". Google has rolled out the APP program over the past few months, finally listening to us Gmail users who've been using Yubikeys (U2F protocol) with their Gmail accts for a few years now.

For those of you that do not know, there is nothing currently on the internet (in terms of overall email security) that approaches the use of Google Chrome + Yubikeys + the normal use of https and ssl. But now that Google has added this new "APP", it has completely leap-frogged all other existing email setups & systems being offered to online consumers worldwide.

Obviously, this Gmail + U2F + APP is imperative if you're in a country that is oppressive and trying to crack into everything you do on the Internet. But there's even a bigger market, an incredibly bigger market, for all of this. To wit: if you, like many on the Internet, have your fin'l institutions, insurance, health online providers, retirement, etc contacting your email when, for example, a "successful login" or "any transaction" or any parameter you have set up to keep tabs on your stuff (like "any" change in your account), the Achilles heel of this setup has always been the email address that those notifications are sent to. How can you remain assured your email accounts are secure? In today's day & age, it is near impossible. But, what Google's doing, they've approached making it impossible & possibly achieved it.

Google responded a few years ago to this "are-my-email-accounts-really-secure?" problem by setting up U2F (i.e. Yubikeys), which has been really good for email security (using U2F for two-factor authentication). The problem has been that Google continued to require you to have an SMS option, which we all know is insecure in terms of 2FA. If you think having SMS is secure as a 2FA option, you need to educate yourself.

Anyhow, many of us lobbied the Gmail team for the past 18 months, and now they've finally listened. The SMS/email/etc options are gone if you set up APP. The APP program lets you set up two physical keys (i.e. the Yubikeys or others) and then you agree to setting them up as the "ONLY" option for use as 2FA for logging into your email/Google accounts. There's no other way, no SMS, no sending of other emails to verify, nothing. So any hacker could try to gain control of your email, but they are basically "f#cked" because even though they might have your login & passwd credentials for your Gmail, they do not have either of these 2 physical keys (and, no, they cannot be reproduced and/or hacked, unless the hackers have developed quantum computers and have run them for over 1000 years to approximate what these keys produce). Thus they can never get into your account unless they come to your home, put a gun to your head, force you to log in, and then insert the keys to finally login to your Gmail accts.

I've been testing the new "APP" with my existing Gmail + Yubikeys that I've used for 2 years with my Gmail, and it is impressive. I can't login to my Gmail/Google accts from anywhere with only my login + passwd, nor can I use SMS and/or the Google Authenticator and/or backup codes (like I previously was able to do with my Gmail accounts). Simply, I can't do crap and/or force a login to my email (and Google accounts) without one of the two physical Yubikeys that I set up for my APP-enabled Gmail accts (note that the physical U2F keys + APP setup can be used/setup across an unlimited number of your Gmail/Google accounts).

With the normal ssl & https, Chrome, login+passwd Gmail + required U2F physical keys......the sudden sense of security that comes over you as you realize just how secure your email has become, well, let me say it is very, very welcome in this day and age. Even if you're dumb enough to handle sensitive info on your phone, iPhone and/or Android, with an NFC U2F key on your keychain......your overall level of email security just jumped dramatically. Even if someone pwns & controls your overall phone, they can't get into your Gmail/Google accounts without the U2F key. Think about that.

Of course, if you lose your 2 physical U2F keys (with Google you can set up more than 2 if you want), it is going to be a big problem trying to get your email accounts back. You'll have to contact Google directly, verbally, where they'll make you wait a number of days while they investigate it, ask you a ton of questions about your account, while also seeing if there's any activity in the account, where it came from, what machines logged in, etc, etc--if there is actually any---before they'll even consider letting you back in. But it'll still take several days, that is now standard practice. But that is the whole point.

One of the great things about this Google "APP" offering is that you (and only you, with your physical keys) can toggle the APP on and off. So, for example, if you're at home and don't want to bother with plugging your USB key into a USB port & tapping on it to log in (which honestly I cannot understand why you wouldn't, as it is brain-dead easy & fast), but anyhow, if you desire, you can toggle APP "OFF" while you're home. Equally, you can toggle it back "ON" if you're going on holiday/travels and/or heading to another location/country for work, etc.


Do yourself a favor, stop relying on email setups that are insecure, sloppy, and will never really actually let you know if they've been compromised or not. How do you know if your current email accounts, their login & passwds, are not already compromised? Answer: you don't. With 2FA that is based on physical, un-crackable keys, suddenly you do know (and you can rest easy that only Google & the gov't can see, lol....actually, this is a joke, because now Google and/or any gov't can't get into your Google/Gmail accounts without having possession of one of your physical U2F keys).

And it all is too easy & too inexpensive to not set this stuff up. My Yubikeys cost $18 apiece, from Amazon, and there are other manufacturers of these Universal 2nd Factor (U2F) protocol physical hardware keys/tokens.....along with ones that are used for your phones as they're NFC compatible. And these physical U2F keys (especially Yubikeys) are indestructible. What I've put mine through in the past 2 years, and they still survived & function flawlessly? That is a "wow" in my book.

So get off the pot, people. If you're using an email setup from your ISP/cable/wireless provider, desktop and/or online, even ones that use U2F but idiotically still allow the use of SMS for the 2nd factor authentication, then don't b!tch if you get owned & your email accounts were (and/or currently are) hacked.

The means exist now to completely shut this worry down. Like I said, this (completely securing your email) is something we "should" worry about instead of worrying about who is spying on us and every little thing we do.

That is a battle for another day & time.


P.S. It is almost "criminal" that the majority of U.S./Canadian banks don't implement this type (only physical U2F keys, and no SMS, no email, no phone calls, nothing) of two-factor authentication. At least in Europe, their institutions for the most part are way ahead of the USA---which is scary because Europe still has a long way to go. The point is, SMS and phone software-authentication programs like Google Authenticator, Duo, Clef, Authy & others have to be killed off---they'll never, ever be secure.
disciple

Joined: 20 May 2006
Posts: 6849
Location: Auckland, New Zealand

Posted: Mon 22 Jan 2018, 15:07    Post subject:

Are you sure you can't give us a one paragraph summary?
_________________
Do you know a good gtkdialog program? Please post a link here

Classic Puppy quotes

ROOT FOREVER
GTK2 FOREVER
Sailor Enceladus

Joined: 22 Feb 2016
Posts: 1546

Posted: Mon 22 Jan 2018, 16:05    Post subject: Re: Gmail's new "Advanced Protection Program"

disciple wrote:
Are you sure you can't give us a one paragraph summary?

Is this short enough?

belham2 wrote:
actually, this is a joke, because now Google and/or any gov't can't get into your Google/Gmail accounts without having possession of one of your physical U2F keys).

edit: Hmm, I thought you said "can".... but you said "can't".... really... hmmmm
8Geee


Joined: 12 May 2008
Posts: 1698
Location: N.E. USA

Posted: Mon 22 Jan 2018, 17:57    Post subject:

Jeez Belham... if the banks and fiduciaries did that, it would solve the problem. There's no money in THAT. I mean, we might earn interest on the money entrusted... perish the thought!

With tongue firmly implanted in cheek
8Geee

_________________
Linux user #498913

Some people need to reimagine their thinking.