Surely you can create a sock puppet for debugging purposes. On Thu, May 17, 2012 at 11:43 AM, Michael Gray <[email protected]> wrote:
> I'm not interested in providing that information. You can reproduce it > without knowing my user name. > On May 17, 2012 8:45 AM, "Mike Hearn" <[email protected]> wrote: > >> If you provide the name of the account you're logging in to, we can go >> take a look what's happening. >> >> On Thu, May 17, 2012 at 5:29 PM, Michael Gray <[email protected]> wrote: >> > Regardless of how you say it works, I can bypass it every time it would >> > seem. Again, by using the method in my original post. It's likely you >> have a >> > bug if this isn't the functionality you're after. >> > >> > I appreciate the statistics but they mean little to me. >> > >> > Thank you for taking the time to respond. I hope my suggestions and >> findings >> > will assist you in correcting these issues >> > >> > On May 17, 2012 5:51 AM, "Mike Hearn" <[email protected]> wrote: >> >> >> >> I understand your concerns, however they are not valid. You can be >> >> assured of the following: >> >> >> >> 1) We do not see this system as a replacement for passwords. If we >> >> block a login the user is notified and asked if it was them, if it >> >> wasn't we ask them to pick a new password. In very high confidence >> >> cases we will immediately force the user to choose a new password, >> >> because passwords are still the first line of defense. >> >> >> >> 2) We do not see this system as a replacement for 2-factor >> >> authentication. However the reality is that the vast majority of our >> >> users do not use 2-factor authentication and this is unlikely to >> >> change any time soon. 2SV imposes a significant extra burden on the >> >> user such that despite heavy promotion many users refuse to sign up, >> >> and of those that do, many choose to unenroll shortly afterwards. >> >> Therefore we also provide this always-on best effort system as well. >> >> >> >> 3) In fact it is very effective at stopping the large, botnet driven >> >> types of attacks we see on a daily basis and so saying it doesn't add >> >> any security is wrong. Since going live the system has successfully >> >> defended tens of millions of users who have a compromised password. A >> >> single unrepresentative data point based on one account isn't enough >> >> for you to judge the utility of the system, whereas we can clearly see >> >> the stopped campaigns (and drop in number of attempts). >> >> >> >> That said, if you have friends and relatives who use Google and you'd >> >> like to to make them more secure, by all means encourage them to set >> >> up two-factor authentication. >> >> >> >> -- >> >> Mike Hearn | Senior Software Engineer | [email protected] | Account >> security team >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
