Re: google account say it will no longer deliver email

2022-06-09 Thread rhkramer
On Thursday, June 09, 2022 02:13:31 AM mick crane wrote:
> I finally had to set up an app password for mail to work.
> During the process of discovering what to click on there was the
> statement.
> "Google will never use the content of your emails in order to select
> what ads you are shown."
> or words to that effect.

Ahh, good, I have a bridge to sell 



Re: google account say it will no longer deliver email

2022-06-09 Thread mick crane

On 2022-06-09 03:09, DdB wrote:

> The Big Tech companies are busy to de-anonymise the internet in order to
> augment their knowledge/income even more, and in order to do that, it
> would be very convenient, if every user was forced to authenticate
> themself undoubtedly. But let's not talk about that. Let the "official
> reasoning" be based on "security". Great cover story, bcoz we like to
> trust the security mirage [Bruce Schneier]!

I finally had to set up an app password for mail to work.
During the process of discovering what to click on there was the
statement.
"Google will never use the content of your emails in order to select
what ads you are shown."
or words to that effect.

mick
--
Key ID 4BFEBB31



Re: google account say it will no longer deliver email

2022-06-08 Thread DdB
On 09.06.2022 at 01:54, rhkra...@gmail.com wrote:
>> if we leave aside for a moment incriminations of corporate power and
>> plots, is there some reason to connect the two methods?
> No -- from a purely logical point of view (afaics) there is no reason to 
> connect them -- Google apparently has some reason that I have not seen 
> disclosed (I didn't look very hard for it).
> 

pouring oil into the flame ;-)

"Don't be evil" - which used to be Google's motto, could not be farther
from the truth:

Back in the days, the google search algorithm was based on a reference
count: The more a site was referenced by other sites, the higher it
would be ranked.

More than a decade ago, that was changed (more or less silently) and
currently, the (big) companies, making the most sales, get up in the
rankings, which leads to an enormous flow of money from the less
privileged/poorer people (and small companies) to the big ones, thereby
strengthening the already ongoing tendency to make the rich people even
richer. And when that got discovered by the employees ... (imagine: they
stopped publishing their data)

The Big Tech companies are busy to de-anonymise the internet in order to
augment their knowledge/income even more, and in order to do that, it
would be very convenient, if every user was forced to authenticate
themself undoubtedly. But let's not talk about that. Let the "official
reasoning" be based on "security". Great cover story, bcoz we like to
trust the security mirage [Bruce Schneier]!

But hell! What do we even know?
At least, i for myself left Gmail and all the other Alphabet
dependencies at this point.

DdB





Re: google account say it will no longer deliver email

2022-06-08 Thread rhkramer
On Wednesday, June 08, 2022 05:58:44 PM Felmon Davis wrote:
> I don't understand the *logical* connection. logically you can have
> app-specific pw's without 2-step auth. (not sure about the other way
> around.)

Google requires 2-step authorization as a prerequisite to application specific 
passwords on their system.  It is not phrased as a recommendation, but I don't 
know if it is enforced with code or not.

Anyway, I didn't want to test it, but I may have now spent more time reading / 
writing about it that I would have testing it.  Maybe tomorrow (but maybe 
not).

> if we leave aside for a moment incriminations of corporate power and
> plots, is there some reason to connect the two methods?

No -- from a purely logical point of view (afaics) there is no reason to 
connect them -- Google apparently has some reason that I have not seen 
disclosed (I didn't look very hard for it).



Re: google account say it will no longer deliver email

2022-06-08 Thread Felmon Davis

On Wed, 8 Jun 2022, Kamil Jońca wrote:

> rhkra...@gmail.com writes:
>
>> On Wednesday, June 08, 2022 12:18:58 PM Curt wrote:
>>> On 2022-06-08, Felmon Davis  wrote:
>>>> that's the thing: I don't understand how the parts fit together; what
>>>> is the connection between:
>>>>
>>>> (1) 2-step auth
>>>> (2) app-specific pw
>>>
>>> Without (1) turned on, you cannot create (2).
>>
>> But, once you've created (2), can you turn (1) back off (and still have (2)
>> work)?
>
> I do not remember, but I think, that this makes all "app passwords"
> invalid.

I don't understand the *logical* connection. logically you can have
app-specific pw's without 2-step auth. (not sure about the other way
around.)

if we leave aside for a moment incriminations of corporate power and
plots, is there some reason to connect the two methods?

anyway, invalidating your pw's is a good reason not to fool around if
you've set up several devices already. so if your app-specific pw gets
lost, I guess that justifies the 2-step?


fjd

--
Davis

Verbum sat sapienti.

Re: google account say it will no longer deliver email

2022-06-08 Thread Kamil Jońca
rhkra...@gmail.com writes:

> On Wednesday, June 08, 2022 12:18:58 PM Curt wrote:
>> On 2022-06-08, Felmon Davis  wrote:
>> > that's the thing: I don't understand how the parts fit together; what
>> > is the connection between:
>> > 
>> > (1) 2-step auth
>> > (2) app-specific pw
>> 
>> Without (1) turned on, you cannot create (2).
>
> But, once you've created (2), can you turn (1) back off (and still have (2) 
> work)?

I do not remember, but I think, that this makes all "app passwords"
invalid.

KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/



Re: google account say it will no longer deliver email

2022-06-08 Thread Curt
On 2022-06-08, rhkra...@gmail.com  wrote:
> On Wednesday, June 08, 2022 12:18:58 PM Curt wrote:
>> On 2022-06-08, Felmon Davis  wrote:
>> > that's the thing: I don't understand how the parts fit together; what
>> > is the connection between:
>> > 
>> > (1) 2-step auth
>> > (2) app-specific pw
>> 
>> Without (1) turned on, you cannot create (2).
>
> But, once you've created (2), can you turn (1) back off (and still have (2) 
> work)?
>
>

Try it and report back. I doubt anything untoward that might happen will be
irrevocable (although you never know, do you).

- 




Re: google account say it will no longer deliver email

2022-06-08 Thread rhkramer
On Wednesday, June 08, 2022 12:18:58 PM Curt wrote:
> On 2022-06-08, Felmon Davis  wrote:
> > that's the thing: I don't understand how the parts fit together; what
> > is the connection between:
> > 
> > (1) 2-step auth
> > (2) app-specific pw
> 
> Without (1) turned on, you cannot create (2).

But, once you've created (2), can you turn (1) back off (and still have (2) 
work)?



Re: google account say it will no longer deliver email

2022-06-08 Thread Curt
On 2022-06-08, Felmon Davis  wrote:
> On Wed, 8 Jun 2022, rhkra...@gmail.com wrote:
>
>> On Tuesday, June 07, 2022 09:38:42 PM Felmon Davis wrote:
>>> be it a/b testing or b/s testing, the change seems to have gone into
>>> effect and I can only use Alpine by acquiring an "app-password".
>>>
>>> I'm wondering if I can turn off 2-step authentication now.
>>
>> I'm curious about the same thing -- I suspect not, and not sure when / if 
>> I'll
>> test it.  It would be nice if someone knew.
>
> that's the thing: I don't understand how the parts fit together; what 
> is the connection between:
>
> (1) 2-step auth
> (2) app-specific pw

Without (1) turned on, you cannot create (2).




Re: google account say it will no longer deliver email

2022-06-08 Thread Felmon Davis

On Wed, 8 Jun 2022, rhkra...@gmail.com wrote:

> On Tuesday, June 07, 2022 09:38:42 PM Felmon Davis wrote:
>> be it a/b testing or b/s testing, the change seems to have gone into
>> effect and I can only use Alpine by acquiring an "app-password".
>>
>> I'm wondering if I can turn off 2-step authentication now.
>
> I'm curious about the same thing -- I suspect not, and not sure when / if I'll
> test it.  It would be nice if someone knew.

that's the thing: I don't understand how the parts fit together; what
is the connection between:

(1) 2-step auth
(2) app-specific pw

I would have thought method (1) is good for getting back on board if
you lose your pw.

method (2) just seems like using a pw like one always does except it's
handed to you.

I may go empirical and try to cancel 2-step and see.

I'd rather learn from others.

fjd

--
Davis

Verbum sat sapienti.



Re: google account say it will no longer deliver email

2022-06-08 Thread rhkramer
On Tuesday, June 07, 2022 09:38:42 PM Felmon Davis wrote:
> be it a/b testing or b/s testing, the change seems to have gone into
> effect and I can only use Alpine by acquiring an "app-password".
> 
> I'm wondering if I can turn off 2-step authentication now.

I'm curious about the same thing -- I suspect not, and not sure when / if I'll 
test it.  It would be nice if someone knew.



Re: google account say it will no longer deliver email

2022-06-07 Thread tomas
On Wed, Jun 08, 2022 at 03:38:42AM +0200, Felmon Davis wrote:
> On Sat, 4 Jun 2022, to...@tuxteam.de wrote:
> 
> > On Sat, Jun 04, 2022 at 07:21:57PM +0200, Felmon Davis wrote:
> > > On Sat, 4 Jun 2022, to...@tuxteam.de wrote:
> > 
> > [...]
> > 
> > > I misspoke or miswrote: I have Alpine running but *without* the 
> > > app-specific
> > > setting.
> > > 
> > > > They're messing with your brain. I'd leave the sinking ship.
> > > > 
> > > 
> > > I'm glad to have my Alpine still. we'll see.
> > 
> > I wasn't thinking of Alpine when I wrote "sinking ship" ;-)
> > 
> > Alpine is free software. Free software never sinks ;-) ;-)
> > 
> > Cheers
> 
> sometimes it fails to function though.
> 
> be it a/b testing or b/s testing, the change seems to have gone into effect
> and I can only use Alpine by acquiring an "app-password".
> 
> I'm wondering if I can turn off 2-step authentication now.

I wasn't clear enough, it seems. With "sinking ship" I was rather
referring to Google "mail".

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-06-07 Thread Felmon Davis

On Sat, 4 Jun 2022, to...@tuxteam.de wrote:

> On Sat, Jun 04, 2022 at 07:21:57PM +0200, Felmon Davis wrote:
>> On Sat, 4 Jun 2022, to...@tuxteam.de wrote:
>
> [...]
>
>> I misspoke or miswrote: I have Alpine running but *without* the app-specific
>> setting.
>>
>>> They're messing with your brain. I'd leave the sinking ship.
>>
>> I'm glad to have my Alpine still. we'll see.
>
> I wasn't thinking of Alpine when I wrote "sinking ship" ;-)
>
> Alpine is free software. Free software never sinks ;-) ;-)
>
> Cheers

sometimes it fails to function though.

be it a/b testing or b/s testing, the change seems to have gone into
effect and I can only use Alpine by acquiring an "app-password".

I'm wondering if I can turn off 2-step authentication now.

fjd

--
Davis

Verbum sat sapienti.



Re: google account say it will no longer deliver email

2022-06-04 Thread sp...@caiway.net
On Sat, 04 Jun 2022 20:08:37 -0500
John Hasler  wrote:

> Please don't feed the troll.

No worry John,

I have the tools prepared.

Most secure laptop in the world. The writer of my BIOS is a coreboot forker. He
soldered the CMOS by hand.
Capitalists can't even break into my BIOS to stop me.
They can put me in jail 5 - 6 months, I still have some Japanese tai-chi to do.
When they feed me bananas I might even consider going voluntarily.

I have been fed far too long by the wrong system.

And I have friends.

Arne



Re: google account say it will no longer deliver email

2022-06-04 Thread gene heskett
On Saturday, 4 June 2022 20:40:34 EDT Larry Martell wrote:
> On Sat, Jun 4, 2022 at 4:17 PM sp...@caiway.net  
wrote:
> > Hi,
> > 
> > The reason:
> > 
> > I am promoting a free volunteer-run society.
> > 
> > This mailing list as example for how I learned. Thanks!
> > 
> > Things go faster and better.
> > 
> > 
> > All those commercial ones only have one goal: make more profit.
> > 
> > Led by stupid managers with only $ $ eyes giving orders to
> > developers.
> 
> So you are against people making profit for their labors?
> 
> .
This whole, and apparently endless thread, by folks who are in serious 
need of understanding just how unbreakable a law TANSTAAFL actually is.

So Larry, put it in language they might be able to understand.  And say 
Hi to Carol for me.

Cheers, Gene Heskett.
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis





Re: google account say it will no longer deliver email

2022-06-04 Thread sp...@caiway.net
https://www.kaiostech.com/developers/

let firefox win the browser war
help the third world before they get captured by american capitalism

we have the tools

Arne


On Sat, 4 Jun 2022 19:50:02 -0500
Larry Martell  wrote:

> On Sat, Jun 4, 2022 at 7:44 PM sp...@caiway.net  wrote:
> >
> > NO!
> >
> > Some people like to work for a boss and follow orders from imbeciles.
> 
> You sound like an imbecile to me.
> 
> 
> > On Sat, 4 Jun 2022 19:40:34 -0500
> > Larry Martell  wrote:
> >
> > > On Sat, Jun 4, 2022 at 4:17 PM sp...@caiway.net  wrote:
> > > >
> > > > Hi,
> > > >
> > > > The reason:
> > > >
> > > > I am promoting a free volunteer-run society.
> > > >
> > > > This mailing list as example for how I learned. Thanks!
> > > >
> > > > Things go faster and better.
> > > >
> > > >
> > > > All those commercial ones only have one goal: make more profit.
> > > >
> > > > Led by stupid managers with only $ $ eyes giving orders to developers.
> > >
> > > So you are against people making profit for their labors?
> >
> 



Re: google account say it will no longer deliver email

2022-06-04 Thread John Hasler
Please don't feed the troll.
-- 
John Hasler 
j...@sugarbit.com
Elmwood, WI USA



Re: google account say it will no longer deliver email

2022-06-04 Thread Larry Martell
On Sat, Jun 4, 2022 at 7:44 PM sp...@caiway.net  wrote:
>
> NO!
>
> Some people like to work for a boss and follow orders from imbeciles.

You sound like an imbecile to me.


> On Sat, 4 Jun 2022 19:40:34 -0500
> Larry Martell  wrote:
>
> > On Sat, Jun 4, 2022 at 4:17 PM sp...@caiway.net  wrote:
> > >
> > > Hi,
> > >
> > > The reason:
> > >
> > > I am promoting a free volunteer-run society.
> > >
> > > This mailing list as example for how I learned. Thanks!
> > >
> > > Things go faster and better.
> > >
> > >
> > > All those commercial ones only have one goal: make more profit.
> > >
> > > Led by stupid managers with only $ $ eyes giving orders to developers.
> >
> > So you are against people making profit for their labors?
>



Re: google account say it will no longer deliver email

2022-06-04 Thread sp...@caiway.net
NO!

Some people like to work for a boss and follow orders from imbeciles.


Arne

On Sat, 4 Jun 2022 19:40:34 -0500
Larry Martell  wrote:

> On Sat, Jun 4, 2022 at 4:17 PM sp...@caiway.net  wrote:
> >
> > Hi,
> >
> > The reason:
> >
> > I am promoting a free volunteer-run society.
> >
> > This mailing list as example for how I learned. Thanks!
> >
> > Things go faster and better.
> >
> >
> > All those commercial ones only have one goal: make more profit.
> >
> > Led by stupid managers with only $ $ eyes giving orders to developers.
> 
> So you are against people making profit for their labors?



Re: google account say it will no longer deliver email

2022-06-04 Thread Larry Martell
On Sat, Jun 4, 2022 at 4:17 PM sp...@caiway.net  wrote:
>
> Hi,
>
> The reason:
>
> I am promoting a free volunteer-run society.
>
> This mailing list as example for how I learned. Thanks!
>
> Things go faster and better.
>
>
> All those commercial ones only have one goal: make more profit.
>
> Led by stupid managers with only $ $ eyes giving orders to developers.

So you are against people making profit for their labors?



Re: google account say it will no longer deliver email

2022-06-04 Thread sp...@caiway.net
On Sat, 4 Jun 2022 17:07:32 -0400
Edwin Zimmerman  wrote:

> 
> > There will always be volunteers for learning/perfecting a mailserver.
> >
> > Donations for the best mailserver in the world for example.
> As a sysadmin of a mailserver, I can tell you this would never be able to 
> compete on uptime, security, and features of gmail.
> 

rsync to every country for example

# uprecords
     #               Uptime | System                                     Boot up
----------------------------+---------------------------------------------------
     1   131 days, 03:28:53 | Linux 4.19.152            Fri Mar 12 16:19:55 2021
     2    77 days, 18:00:15 | Linux 5.10.0-8-amd64      Tue Oct 12 02:00:22 2021
     3    71 days, 00:45:31 | Linux 5.10.0-8-amd64      Sun Jan  9 23:44:43 2022
     4    62 days, 05:55:04 | Linux 5.7.10-arne-t620q   Mon Aug  3 19:35:15 2020
     5    52 days, 07:34:58 | Linux 5.10.0-8-amd64      Fri Aug 20 18:25:01 2021
->   6    49 days, 16:57:39 | Linux 5.10.0-8-amd64      Sat Apr 16 06:23:31 2022
     7    34 days, 23:00:23 | Linux 4.19.152            Sun Dec  6 18:30:36 2020
     8    34 days, 02:00:06 | Linux 4.19.152            Mon Nov  2 16:03:18 2020
     9    29 days, 13:00:08 | Linux 4.19.0-6-amd64      Thu Nov 21 02:59:06 2019
    10    26 days, 15:55:15 | Linux 5.3.0-0.bpo.2-amd6  Fri Jun 26 00:46:57 2020
----------------------------+---------------------------------------------------
1up in     2 days, 14:37:20 | at                        Tue Jun  7 13:58:29 2022
no1 in    81 days, 10:31:15 | at                        Thu Aug 25 09:52:24 2022
    up   946 days, 19:40:23 | since                     Wed Oct 30 18:46:50 2019
  down     1 day , 07:53:57 | since                     Wed Oct 30 18:46:50 2019
   %up               99.860 | since                     Wed Oct 30 18:46:50 2019

on the downtime: powerloss, experimenting, learning

on a thin client I keep a webserver running at home:

https://linuxmuseum.arnekai.net/

538Mb now

And now I am setting up buku server, I found another job of playing with 
debian/devuan

That is an example of working with volunteers

PS.

I could use some mirrors

keeping linux history is important



Re: google account say it will no longer deliver email

2022-06-04 Thread sp...@caiway.net
Hi,

The reason:

I am promoting a free volunteer-run society.

This mailing list as example for how I learned. Thanks!

Things go faster and better.


All those commercial ones only have one goal: make more profit.

Led by stupid managers with only $ $ eyes giving orders to developers.


Thanks,

have a nice day

Arne

On Sat, 4 Jun 2022 16:29:18 -0400
wec  wrote:

> On 6/4/22 4:02 PM, sp...@caiway.net wrote:
> 
> > Hi,
> >
> > My first mail provider (in Oslo) promised free mail address for life.
> >
> > Then it was sold to a capitalist and they started to ask money.
> >
> > I do not like that.
> >
> > I know it is possible to run a free host.
> >
> > By volunteers running the server for example.
> Why not you be the first volunteer???
> >
> >
> >
> > Arne
> >
> >
> > On Sat, 04 Jun 2022 14:00:27 -0500
> > John Hasler  wrote:
> >
> >> Arne writes:
> >>> So I am also in the search for a good free provider.
> >> Why does it need to be free?
> 



Re: google account say it will no longer deliver email

2022-06-04 Thread Edwin Zimmerman


> There will always be volunteers for learning/perfecting a mailserver.
>
> Donations for the best mailserver in the world for example.
As a sysadmin of a mailserver, I can tell you this would never be able to 
compete on uptime, security, and features of gmail.



Re: google account say it will no longer deliver email

2022-06-04 Thread Alain D D Williams
On Sat, Jun 04, 2022 at 10:02:05PM +0200, sp...@caiway.net wrote:
> Hi,
> 
> My first mail provider (in Oslo) promised free mail address for life.
> 
> Then it was sold to a capitalist and they started to ask money.
> 
> I do not like that.
> 
> I know it is possible to run a free host.
> 
> By volunteers running the server for example.

Oh - great ... please do us all a favour and set up a free host and give us
free addresses for life.

Thanks!

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/Contact.html
#include 



Re: google account say it will no longer deliver email

2022-06-04 Thread wec

On 6/4/22 4:02 PM, sp...@caiway.net wrote:

> Hi,
>
> My first mail provider (in Oslo) promised free mail address for life.
>
> Then it was sold to a capitalist and they started to ask money.
>
> I do not like that.
>
> I know it is possible to run a free host.
>
> By volunteers running the server for example.

Why not you be the first volunteer???

> Arne
>
> On Sat, 04 Jun 2022 14:00:27 -0500
> John Hasler  wrote:
>
>> Arne writes:
>>> So I am also in the search for a good free provider.
>> Why does it need to be free?




Re: google account say it will no longer deliver email

2022-06-04 Thread sp...@caiway.net
On Sat, 04 Jun 2022 15:34:19 -0500
John Hasler  wrote:

> sp...@caiway.net writes:
> > I know it is possible to run a free host.
> > By volunteers running the server for example.
> 
> There are expenses.  Who pays them?


There will always be volunteers for learning/perfecting a mailserver.

Donations for the best mailserver in the world for example.

IMHO

Arne



Re: google account say it will no longer deliver email

2022-06-04 Thread John Hasler
sp...@caiway.net writes:
> I know it is possible to run a free host.
> By volunteers running the server for example.

There are expenses.  Who pays them?
-- 
John Hasler 
j...@sugarbit.com
Elmwood, WI USA



Re: google account say it will no longer deliver email

2022-06-04 Thread sp...@caiway.net
Hi,

My first mail provider (in Oslo) promised free mail address for life.

Then it was sold to a capitalist and they started to ask money.

I do not like that.

I know it is possible to run a free host.

By volunteers running the server for example.



Arne


On Sat, 04 Jun 2022 14:00:27 -0500
John Hasler  wrote:

> Arne writes:
> > So I am also in the search for a good free provider.
> 
> Why does it need to be free?



Re: google account say it will no longer deliver email

2022-06-04 Thread Richard Owlett

On 06/04/2022 01:50 PM, sp...@caiway.net wrote:
*SNIP*
> So I am also in the search for a good free provider.

FREE COSTS *TOO MUCH*

If you think Google et al are charities

I have a bridge for sale in Brooklyn.





Re: google account say it will no longer deliver email

2022-06-04 Thread John Hasler
Arne writes:
> So I am also in the search for a good free provider.

Why does it need to be free?
-- 
John Hasler 
j...@sugarbit.com
Elmwood, WI USA



Re: google account say it will no longer deliver email

2022-06-04 Thread sp...@caiway.net
Hi,


IMO I would search for another mail account.

I use google mail only for sites where I expect SPAM.

The last time I checked google mail was some 3 years ago.


So I tried my provider's mail account.

There it is not possible to send to protonmail.
It has also no working web interface.

So I am also in the search for a good free provider.

Arne



On Wed, 11 May 2022 15:25:34 +0200
Fero Dali  wrote:

> I got a warning from google that my account will be discontinued.
> 
> > On May 30, you may lose access to apps that are using less secure sign-in
> > technology
> > To help keep your account secure, Google will no longer support the use of
> > third-party apps or devices which ask you to sign in to your Google Account
> > using only your username and password. Instead, you’ll need to sign in
> > using Sign in with Google
> 
>  I have used a google account to read email from mailing lists. I am using
> fetchmail to get emails from google. Now it says it will discontinue this
> access to my mail. I do not want to use webmail (I need to receive my mail
> on my computer). Is there a way to somehow download emails from gmail
> as I used to after May 30?
> 
> Thanks
> 



Re: google account say it will no longer deliver email

2022-06-04 Thread tomas
On Sat, Jun 04, 2022 at 07:21:57PM +0200, Felmon Davis wrote:
> On Sat, 4 Jun 2022, to...@tuxteam.de wrote:

[...]

> I misspoke or miswrote: I have Alpine running but *without* the app-specific
> setting.
> 
> > They're messing with your brain. I'd leave the sinking ship.
> > 
> 
> I'm glad to have my Alpine still. we'll see.

I wasn't thinking of Alpine when I wrote "sinking ship" ;-)

Alpine is free software. Free software never sinks ;-) ;-)

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-06-04 Thread tomas
On Sat, Jun 04, 2022 at 04:39:39PM +0200, Felmon Davis wrote:

[...]

> the furniture, Gentlemen, mind the furniture!

That one's good :-)

Thanks for a hearty laugh!

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-06-04 Thread Felmon Davis

On Sat, 4 Jun 2022, to...@tuxteam.de wrote:

> On Sat, Jun 04, 2022 at 03:45:00PM +0200, Felmon Davis wrote:
>
>> I do think Google et al. sometimes make pronouncements and then don't get
>> off their ass ('arse' if you prefer) - that's how committees work with (or
>> against) other committees.
>
> I think they do constant A/B testing. Perhaps they have a built-in feedback
> loop (increase B if A loses less than a given fraction or something).
>
>> for now, I still have Alpine with the app-specific setting.

I misspoke or miswrote: I have Alpine running but *without* the
app-specific setting.

> They're messing with your brain. I'd leave the sinking ship.

I'm glad to have my Alpine still. we'll see.

fjd


--
Davis

Verbum sat sapienti.



Re: google account say it will no longer deliver email

2022-06-04 Thread Felmon Davis

On Sat, 4 Jun 2022, to...@tuxteam.de wrote:

> On Sat, Jun 04, 2022 at 02:24:16PM -, Curt wrote:
>> On 2022-06-04,   wrote:
>>
>>>> Bullshit.
>>>
>>> Famous last word.
>>
>> I've already determined that your principles go no deeper than your
>> dime-a-dozen opinions.
>
> This might be due to your short-sightedness. Or not.

the furniture, Gentlemen, mind the furniture!

we have an announcement of Google's intent. let's see if they carry it
out. and if they follow through, there is a work-around which rhkramer
and others have used.

I'm kinda thinking they are wrangling among themselves. but we don't
have to.


fjd

--
Davis

Verbum sat sapienti.



Re: google account say it will no longer deliver email

2022-06-04 Thread tomas
On Sat, Jun 04, 2022 at 02:24:16PM -, Curt wrote:
> On 2022-06-04,   wrote:
> >
> >> >
> 
> >> Bullshit.
> >
> > Famous last word.
> >
> 
> I've already determined that your principles go no deeper than your
> dime-a-dozen opinions.

This might be due to your short-sightedness. Or not.

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-06-04 Thread Curt
On 2022-06-04,   wrote:
>
>> >

>> Bullshit.
>
> Famous last word.
>

I've already determined that your principles go no deeper than your
dime-a-dozen opinions.



Re: google account say it will no longer deliver email

2022-06-04 Thread Curt
On 2022-06-04, Brad Rogers  wrote:
>
>>Bullshit.
>>
> Well!
>
> What a witty, erudite, cogent, well reasoned, rational and eloquently
> put explanation.
>
> I'm convinced.
>


That's what's missing from *your* affirmation and the very reason it is
pure bullshit.





Re: google account say it will no longer deliver email

2022-06-04 Thread tomas
On Sat, Jun 04, 2022 at 03:45:00PM +0200, Felmon Davis wrote:
> On Sat, 4 Jun 2022, Brad Rogers wrote:
> 
> > On Sat, 4 Jun 2022 11:50:55 - (UTC)
> > Curt  wrote:
> > 
> > Hello Curt,
> > 
> > > Bullshit.
> > > 
> > Well!
> > 
> > What a witty, erudite, cogent, well reasoned, rational and eloquently
> > put explanation.
> > 
> > I'm convinced.
> > 
> > 
> 
> not his usual stylistic savoir-faire but who cares? we'll soon know what's
> going on.
> 
> I do think Google et al. sometimes make pronouncements and then don't get
> off their ass ('arse' if you prefer) - that's how committees work with (or
> against) other committees.

I think they do constant A/B testing. Perhaps they have a built-in feedback
loop (increase B if A loses less than a given fraction or something).

> for now, I still have Alpine with the app-specific setting.

They're messing with your brain. I'd leave the sinking ship.

;-P

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-06-04 Thread Felmon Davis

On Sat, 4 Jun 2022, Brad Rogers wrote:

> On Sat, 4 Jun 2022 11:50:55 - (UTC)
> Curt  wrote:
>
> Hello Curt,
>
>> Bullshit.
>>
> Well!
>
> What a witty, erudite, cogent, well reasoned, rational and eloquently
> put explanation.
>
> I'm convinced.

not his usual stylistic savoir-faire but who cares? we'll soon know
what's going on.

I do think Google et al. sometimes make pronouncements and then don't
get off their ass ('arse' if you prefer) - that's how committees work
with (or against) other committees.

for now, I still have Alpine with the app-specific setting.

fjd

--
Davis

Verbum sat sapienti.



Re: google account say it will no longer deliver email

2022-06-04 Thread Brad Rogers
On Sat, 4 Jun 2022 11:50:55 - (UTC)
Curt  wrote:

Hello Curt,

>Bullshit.
>
Well!

What a witty, erudite, cogent, well reasoned, rational and eloquently
put explanation.

I'm convinced.

-- 
 Regards  _
 / )  "The blindingly obvious is never immediately apparent"
/ _)rad   "Is it only me that has a working delete key?"
You destroyed my confidence, you broke my nerve
Nervous Wreck - Radio Stars




Re: google account say it will no longer deliver email

2022-06-04 Thread tomas
On Sat, Jun 04, 2022 at 11:50:55AM -, Curt wrote:
> On 2022-06-02, Brad Rogers  wrote:
> >
> > Expect access from anything other than google's own web interface to go
> > away at some point in the future.
> >
> 
> Bullshit.

Famous last word.

-- 
t




Re: google account say it will no longer deliver email

2022-06-04 Thread Curt
On 2022-06-02, Brad Rogers  wrote:
>
> Expect access from anything other than google's own web interface to go
> away at some point in the future.
>

Bullshit.



Re: google account say it will no longer deliver email

2022-06-03 Thread rhkramer
On Thursday, June 02, 2022 01:59:45 PM rhkra...@gmail.com wrote:
> I then entered that in place of the old passwords in kmail.  (I don't think
> it stated it -- I wasn't sure whether to enter the spaces as part of the
> password or not -- I did, and that worked.)

An update -- that was on an old (the Debian Wheezy) version of kmail, on a 
newer version of kmail, I had to take the spaces out.  (Maybe on the older 
version of kmail something took the spaces out automatically?)



Re: google account say it will no longer deliver email

2022-06-03 Thread Brad Rogers
On Thu, 2 Jun 2022 20:33:54 +0200 (CEST)
Felmon Davis  wrote:

Hello Felmon,

>guess Google's still trying to figure out which 3rd-party clients they 
>dislike.

All of them.

Expect access from anything other than google's own web interface to go
away at some point in the future.

-- 
 Regards  _
 / )  "The blindingly obvious is never immediately apparent"
/ _)rad   "Is it only me that has a working delete key?"
It's not your heart, it's your bank I want to break
It's Yer Money - Wonder Stuff




Re: google account say it will no longer deliver email

2022-06-02 Thread Felmon Davis

On Thu, 2 Jun 2022, pa...@quillandmouse.com wrote:

> On Thu, 2 Jun 2022 13:59:45 -0400
> rhkra...@gmail.com wrote:
>
>> My gmail (normally delivered by pop3 to my old version of kmail (on
>> Wheezy) stopped working around 8:30 am this morning.
>>
>> I set up an application specific password this morning, and that old
>> version of kmail (version 1.13.7 for kde 4.8.4 on Debian Wheezy)
>> works again using pop3
>>
>> I had a little trouble setting it up until I got to the right place
>> in google -- I first tried to change the settings on the gmail
>> webclient page but couldn't find the correct options.  Then logged in
>> on google.com and did find the correct option (Security), and then,
>> in general terms, turned on 2 step verification and eventually found
>> the option to set up an application specific password.
>>
>> I then entered that in place of the old passwords in kmail.  (I don't
>> think it stated it -- I wasn't sure whether to enter the spaces as
>> part of the password or not -- I did, and that worked.)
>
> I had this same problem starting about the same time. I was in the
> middle of another project and didn't have time to deal with it.
> Claws Mail was issuing error alerts every 10 minutes as it would try to
> fetch gmail.
>
> However, as of about 30 minutes ago, it is now working again, and I did
> nothing to it.
>
> Paul

that's my experience too - right now email via Alpine seems to be
working again.

however I do intend to follow rhkramer's path and do the 2fa
and the "app-specific password" two-step.

guess Google's still trying to figure out which 3rd-party clients they
dislike.


fjd

--
Davis

Verbum sat sapienti.



Re: google account say it will no longer deliver email

2022-06-02 Thread paulf
On Thu, 2 Jun 2022 13:59:45 -0400
rhkra...@gmail.com wrote:

> On Thursday, June 02, 2022 11:13:14 AM nemo wrote:
> > Me too except today it doesn't seem to be working. must test but I
> > think I've been shut out, using Alpine with non-secure apps
> > switched on. fjd
> 
> My gmail (normally delivered by pop3 to my old version of kmail (on
> Wheezy) stopped working around 8:30 am this morning. 
> 
> I set up an application specific password this morning, and that old
> version of kmail (version 1.13.7 for kde 4.8.4 on Debian Wheezy)
> works again using pop3 
> 
> I had a little trouble setting it up until I got to the right place
> in google -- I first tried to change the settings on the gmail
> webclient page but couldn't find the correct options.  Then logged in
> on google.com and did find the correct option (Security), and then,
> in general terms, turned on 2 step verification and eventually found
> the option to set up an application specific password.
> 
> I then entered that in place of the old passwords in kmail.  (I don't
> think it stated it -- I wasn't sure whether to enter the spaces as
> part of the password or not -- I did, and that worked.)
> 

I had this same problem starting about the same time. I was in the
middle of another project and didn't have time to deal with it.
Claws-Mail was issuing error alerts every 10 minutes as it would try to
fetch gmail.

However, as of about 30 minutes ago, it is now working again, and I did
nothing to it.

Paul


-- 
Paul M. Foster
Personal Blog: http://noferblatz.com
Company Site: http://quillandmouse.com
Software Projects: https://gitlab.com/paulmfoster



Re: google account say it will no longer deliver email

2022-06-02 Thread rhkramer
On Thursday, June 02, 2022 11:13:14 AM nemo wrote:
> Me too except today it doesn't seem to be working. must test but I think
> I've been shut out, using Alpine with non-secure apps switched on.
> fjd

My gmail (normally delivered by pop3 to my old version of kmail (on Wheezy) 
stopped working around 8:30 am this morning. 

I set up an application specific password this morning, and that old version of 
kmail (version 1.13.7 for kde 4.8.4 on Debian Wheezy) works again using pop3 

I had a little trouble setting it up until I got to the right place in google 
-- I first tried to change the settings on the gmail webclient page but 
couldn't find the correct options.  Then logged in on google.com and did find 
the correct option (Security), and then, in general terms, turned on 2 step 
verification and eventually found the option to set up an application specific 
password.

I then entered that in place of the old passwords in kmail.  (I don't think it 
stated it -- I wasn't sure whether to enter the spaces as part of the password 
or not -- I did, and that worked.)



Re: google account say it will no longer deliver email

2022-06-02 Thread nemo
On Wed, Jun 1, 2022 at 10:24 PM mick crane  wrote:

> On 2022-06-01 18:04, Brian wrote:
> > On Thu 12 May 2022 at 10:08:01 -, Virgo Pärna wrote:
> >
> >> On Wed, 11 May 2022 20:09:14 +0200, Fero Dali 
> >> wrote:
> >> > Sorry for misunderstanding: it seems that my account will continue to
> work but
> >> > ability to download mail with POP3 without OAUTH2 will be unavailable.
> >> >
> >>
> >>  Actually, even without OAUTH2 it should be still possible. With
> >> two factor authentication enabled it is possible to generate app
> >> password for use with standard authentication.
> >
> > It's June 1st and my ability to collect mail via POP3 from gmail is
> > unimpaired. No  OAUTH2 or 2FA at this site. Whatever Google intended
> > the situation to be after May 30th, it appears the interpretation by
> > some users of their mail was off the mark.
>
> I'd just allowed non secure apps a year or so ago and seems to be still
> working.
>
> mick
>

Me too except today it doesn't seem to be working. must test but I think
I've been shut out, using Alpine with non-secure apps switched on.
fjd


Re: google account say it will no longer deliver email

2022-06-01 Thread mick crane

On 2022-06-01 18:04, Brian wrote:

> On Thu 12 May 2022 at 10:08:01 -, Virgo Pärna wrote:
> 
> > On Wed, 11 May 2022 20:09:14 +0200, Fero Dali 
> > wrote:
> > 
> > > Sorry for misunderstanding: it seems that my account will continue to work but
> > > ability to download mail with POP3 without OAUTH2 will be unavailable.
> > 
> > Actually, even without OAUTH2 it should be still possible. With
> > two factor authentication enabled it is possible to generate app
> > password for use with standard authentication.
> 
> It's June 1st and my ability to collect mail via POP3 from gmail is
> unimpaired. No OAUTH2 or 2FA at this site. Whatever Google intended
> the situation to be after May 30th, it appears the interpretation by
> some users of their mail was off the mark.


I'd just allowed non secure apps a year or so ago and seems to be still 
working.


mick

--
Key ID4BFEBB31



Re: google account say it will no longer deliver email

2022-06-01 Thread Brian
On Wed 01 Jun 2022 at 10:44:17 -0700, Patrick Bartek wrote:

> On Wed, 1 Jun 2022 18:04:02 +0100
> Brian  wrote:
> 
> > On Thu 12 May 2022 at 10:08:01 -, Virgo Pärna wrote:
> > 
> > > On Wed, 11 May 2022 20:09:14 +0200, Fero Dali 
> > > wrote:  
> > > > Sorry for misunderstanding: it seems that my account will
> > > > continue to work but ability to download mail with POP3 without
> > > > OAUTH2 will be unavailable. 
> > > 
> > >   Actually, even without OAUTH2 it should be still possible.
> > > With two factor authentication enabled it is possible to generate
> > > app password for use with standard authentication.  
> > 
> > It's June 1st and my ability to collect mail via POP3 from gmail is
> > unimpaired. No  OAUTH2 or 2FA at this site. Whatever Google intended
> > the situation to be after May 30th, it appears the interpretation by
> > some users of their mail was off the mark.
> > 
> 
> Still works here, too. Claws-mail 3.17.3 IMAP.  No OAuth2 or 2FA.
> Neither of which this version of Claws supports, IIRC. Of course,
> notification email did say "may not" not won't.

Indeed, the mail did say that. However, many vociferous users went
into Chicken Licken mode and forecast disaster.

-- 
Brian.



Re: google account say it will no longer deliver email

2022-06-01 Thread Patrick Bartek
On Wed, 1 Jun 2022 18:04:02 +0100
Brian  wrote:

> On Thu 12 May 2022 at 10:08:01 -, Virgo Pärna wrote:
> 
> > On Wed, 11 May 2022 20:09:14 +0200, Fero Dali 
> > wrote:  
> > > Sorry for misunderstanding: it seems that my account will
> > > continue to work but ability to download mail with POP3 without
> > > OAUTH2 will be unavailable. 
> > 
> > Actually, even without OAUTH2 it should be still possible.
> > With two factor authentication enabled it is possible to generate
> > app password for use with standard authentication.  
> 
> It's June 1st and my ability to collect mail via POP3 from gmail is
> unimpaired. No  OAUTH2 or 2FA at this site. Whatever Google intended
> the situation to be after May 30th, it appears the interpretation by
> some users of their mail was off the mark.
> 

Still works here, too. Claws-mail 3.17.3 IMAP.  No OAuth2 or 2FA.
Neither of which this version of Claws supports, IIRC. Of course,
notification email did say "may not" not won't.

FWIW: Yahoo mail ceased working with Claws several years ago due to
security changes.  Though still accessible via web browser with only a
password.

B



Re: google account say it will no longer deliver email

2022-06-01 Thread Brian
On Thu 12 May 2022 at 10:08:01 -, Virgo Pärna wrote:

> On Wed, 11 May 2022 20:09:14 +0200, Fero Dali  wrote:
> > Sorry for misunderstanding: it seems that my account will continue to work 
> > but
> > ability to download mail with POP3 without OAUTH2 will be unavailable.
> >
> 
>   Actually, even without OAUTH2 it should be still possible. With
> two factor authentication enabled it is possible to generate app
> password for use with standard authentication.

It's June 1st and my ability to collect mail via POP3 from gmail is
unimpaired. No  OAUTH2 or 2FA at this site. Whatever Google intended
the situation to be after May 30th, it appears the interpretation by
some users of their mail was off the mark.

-- 
Brian.



Re: google account say it will no longer deliver email

2022-05-16 Thread David Wright
On Mon 16 May 2022 at 14:31:50 (+0100), Brian wrote:
> On Sun 15 May 2022 at 22:39:14 -0500, David Wright wrote:
> > On Sat 14 May 2022 at 14:02:36 (+0100), Brian wrote:
> > > On Sat 14 May 2022 at 12:02:49 -, Curt wrote:
> > > > On 2022-05-14,  wrote:
> > > > > On Sat, May 14, 2022 at 08:58:37AM -, Curt wrote:
> > > > >
> > > > > [...]
> > > > >
> > > > >> What about data breaches, and sites keeping your password
> > > > >> in plain text (though it seems access to the cryptographically hashed
> > > > >> passcodes is already a pretty good leg up)? What good is our entropy 
> > > > >> then?
> > > > >
> > > > > As stated elsewhere: unique passwords. Don't use a password you're 
> > > > > using
> > > > > elsewhere. Much less so with a site you don't trust.
> > > > 
> > > > As always, I'm very uncertain where your goal posts are placed or what
> > > > tacit agenda you're following. No one has advocated the use of unique
> > > > passwords. 
> > > > 
> > > > In my plausible scenario, your password entropy counts for nothing.
> > > > Your password, unique or otherwise, has been compromised. 2FA would
> > > > prevent illegal entry to your account in this case. The subject we're
> > > > addressing here is your assertion that 2FA adds no extra security. I
> > > > have demonstrated that it does.
> > > 
> > > Preventing data breaches are outside the scope of the user, providing
> > > a high entropy password is not. If accessing a  site is of importance
> > > to him, then, in your plausible scenario, an eight character password
> > > effectively gives little security.
> > > 
> > > That is not an argument for 2FA but for a user having a responsible
> > > password policy to guard against such breaches.
> > 
> > Preventing data breaches might be outside my control, but mitigating
> > their effect might not be. So I like to have 2FA set up as entering
> > a code in response to a phone call. There's some peace of mind in my
> > /not/ receiving any of those calls unless /I/ try to login.
> > 
> > Were it to ring unexpectedly and I heard a woman with a crisp British
> > accent announce "Hello [pause] You have requested a code for logging
> > in to your account; the number is one three fave [sic] seven nine
> > nine; this code will expire in ten minutes", I would know something's
> > afoot, and I've got some urgent calls to make.
> 
> Something may be untoward, but it very likely won't be as a result of
> your 16/20 character, high entropy password being brute-forced after a
> data breach at your credit card provider. This mitigation technique
> should be sufficient to bring peace of mind.

Sure, there's always the argument that your password only has to be
difficult enough to crack that numerous others will already be being
exploited. There's no point in their trying to crack more and more
difficult passwords when there's already a plentiful harvest available.

> OTOH, 2FA is part of the regulatory aspect for some financial entities
> and impossible to avoid. Of what use is a strong password in that
> situation? Strong or weak, authentication now takes place with the
> second factor.

Technically, it's only the "second" factor because it's normally
solicited by success with the password. It doesn't /have to/ be
that way. For example, I could schedule a code to be sent to my
phone at noon every Tuesday and, if I chose to use it, authentication
would take place with what we're currently calling the "first" factor,
the password.

One facility I didn't mention in connection with 2FA by phone. It's
conventional when you log in to be reminded of when you logged in
previously. With 2FA, I don't have to stretch my memory cells to
recall when that was, I can just look at the list of dialled calls.

(Note: I'm only explaining why 2FA by phone suits me. I'm not making
any arguments with respect to the exchanges further up the thread.)

Cheers,
David.



Re: google account say it will no longer deliver email

2022-05-16 Thread Brian
On Sun 15 May 2022 at 22:39:14 -0500, David Wright wrote:

> On Sat 14 May 2022 at 14:02:36 (+0100), Brian wrote:
> > On Sat 14 May 2022 at 12:02:49 -, Curt wrote:
> > > On 2022-05-14,  wrote:
> > > > On Sat, May 14, 2022 at 08:58:37AM -, Curt wrote:
> > > >
> > > > [...]
> > > >
> > > >> What about data breaches, and sites keeping your password
> > > >> in plain text (though it seems access to the cryptographically hashed
> > > >> passcodes is already a pretty good leg up)? What good is our entropy 
> > > >> then?
> > > >
> > > > As stated elsewhere: unique passwords. Don't use a password you're using
> > > > elsewhere. Much less so with a site you don't trust.
> > > 
> > > As always, I'm very uncertain where your goal posts are placed or what
> > > tacit agenda you're following. No one has advocated the use of unique
> > > passwords. 
> > > 
> > > In my plausible scenario, your password entropy counts for nothing.
> > > Your password, unique or otherwise, has been compromised. 2FA would
> > > prevent illegal entry to your account in this case. The subject we're
> > > addressing here is your assertion that 2FA adds no extra security. I
> > > have demonstrated that it does.
> > 
> > Preventing data breaches are outside the scope of the user, providing
> > a high entropy password is not. If accessing a  site is of importance
> > to him, then, in your plausible scenario, an eight character password
> > effectively gives little security.
> > 
> > That is not an argument for 2FA but for a user having a responsible
> > password policy to guard against such breaches.
> 
> Preventing data breaches might be outside my control, but mitigating
> their effect might not be. So I like to have 2FA set up as entering
> a code in response to a phone call. There's some peace of mind in my
> /not/ receiving any of those calls unless /I/ try to login.
> 
> Were it to ring unexpectedly and I heard a woman with a crisp British
> accent announce "Hello [pause] You have requested a code for logging
> in to your account; the number is one three fave [sic] seven nine
> nine; this code will expire in ten minutes", I would know something's
> afoot, and I've got some urgent calls to make.

Something may be untoward, but it very likely won't be as a result of
your 16/20 character, high entropy password being brute-forced after a
data breach at your credit card provider. This mitigation technique
should be sufficient to bring peace of mind.

OTOH, 2FA is part of the regulatory aspect for some financial entities
and impossible to avoid. Of what use is a strong password in that
situation? Strong or weak, authentication now takes place with the
second factor.

-- 
Brian.



Re: google account say it will no longer deliver email

2022-05-16 Thread Celejar
On Sat, 14 May 2022 07:25:36 +0200
 wrote:

> On Sat, May 14, 2022 at 03:05:11PM +1200, Ash Joubert wrote:
> > On 14/05/2022 00:42, Michael Stone wrote:
> > > On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> > > > A loong password is not "equivalent" to 2FA, that's right. Good
> > > > password management (of which length is but a part) is as secure
> > > > as 2FA.
> > > 
> > > No, it really isn't.
> > 
> > A good password will not protect you from password reset via a weak channel
> > such as email on an insecure server.
> > 
> > 2FA will not protect you if the second factor is weak or resolves to the
> > same device. Hint: if you store your password and TOTP key in the same
> > manager then you have only one factor.
> 
> Not to speak of SIM spoofing or social engineering of your mobile phone
> provider (yes, it has been observed in the wild). There goes your SMS
> second factor.

Once again, it is well understood (although, bafflingly, often not by
those who should care, such as financial institutions) that SMS is a
terrible choice for 2FA. Hardware tokens, or at least authenticator
apps, are far better. (Although as others have pointed out in this
thread, if your auth app is stored together with your password, that
can eliminate some (but not all) of the benefits of 2FA.)

-- 
Celejar



Re: google account say it will no longer deliver email

2022-05-16 Thread Celejar
On Sat, 14 May 2022 15:05:11 +1200
Ash Joubert  wrote:

> On 14/05/2022 00:42, Michael Stone wrote:
> > On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> >> A loong password is not "equivalent" to 2FA, that's right. Good
> >> password management (of which length is but a part) is as secure
> >> as 2FA.
> > 
> > No, it really isn't.
> 
> A good password will not protect you from password reset via a weak 
> channel such as email on an insecure server.
> 
> 2FA will not protect you if the second factor is weak or resolves to the 
> same device. Hint: if you store your password and TOTP key in the same 
> manager then you have only one factor.

But as you concede below, this is an argument against poorly
implemented 2FA, not against well-implemented 2FA.

> 2FA often smells to me like security theatre, a band-aid over a sucking 
> chest wound of weak security practices, much like forced password 
> expiry. Done well, in addition to good security practices, including 
> strong unique random passwords, 2FA enhances security, but the cost is 
> high. Note however that the cost of a compromise can be devastating.

Is the cost really that high? U2F hardware keys are readily available
for as little as $15 USD (perhaps less - I just took a very quick look
on Amazon), and they can secure all your accounts (that support U2F
2FA).

> If you use 2FA, you must include it in your disaster recovery plans. 
> Imagine all your on-site devices including your phone are destroyed. Now 
> recover.

A very good point. For that, well-implemented 2FA systems typically
encourage the printing out / saving of a handful of OTP passcodes
(which you should backup / print out and save offsite). But of course,
the same is true for passwords as well (assuming you're using (as you
should) long, random ones that are difficult or impossible to remember).

But I agree that it's complicated:

https://dmitryfrank.com/articles/backup_u2f_token

-- 
Celejar



Re: google account say it will no longer deliver email

2022-05-16 Thread Curt
On 2022-05-16,   wrote:

> Just in case, let me state that I never implied that 2FA doesn't do
> any good. It /is/ a mitigation indeed. But for me, the bang it brings
> isn't worth the buck it costs. Simply that.
>

But you did imply it. To the question of data breaches and sites storing
your password in plain text, you replied, "unique passwords," as if that
non sequitur in the form of sound advice rendered 2FA superfluous and
could mitigate the scenario in which your unique password is part of a
list on the darknet following a data breach.



Re: google account say it will no longer deliver email

2022-05-16 Thread Stella Ashburne
Excuse me, Fero Dali, how is your post/question relevant to this mailing list?



Re: google account say it will no longer deliver email

2022-05-16 Thread tomas
On Mon, May 16, 2022 at 07:59:38AM -, Curt wrote:

[...]

> B. purports breaches are outside user control but then with alacrity
> asserts that the user should guard against them. 
> 
> 2FA is a mitigating factor in this real-world case (and they are
> *legion*). No rational argument has been presented so far as to why it
> wouldn't be (all brain-damaged "theories" and ill-formed "ideologies"
> and ersatz "philosophies" by the usual straw men aside).

Difficult to say to whom you are referring, due to lots of passive
voice being used in your post.

Just in case, let me state that I never implied that 2FA doesn't do
any good. It /is/ a mitigation indeed. But for me, the bang it brings
isn't worth the buck it costs. Simply that.

Cheers
-- 
t


signature.asc
Description: PGP signature


Re: google account say it will no longer deliver email

2022-05-16 Thread Curt
On 2022-05-16, David Wright  wrote:
>> 
>> Preventing data breaches are outside the scope of the user, providing
>> a high entropy password is not. If accessing a  site is of importance
>> to him, then, in your plausible scenario, an eight character password
>> effectively gives little security.
>> 
>> That is not an argument for 2FA but for a user having a responsible
>> password policy to guard against such breaches.
>
> Preventing data breaches might be outside my control, but mitigating
> their effect might not be. So I like to have 2FA set up as entering

B. purports breaches are outside user control but then with alacrity
asserts that the user should guard against them. 

2FA is a mitigating factor in this real-world case (and they are
*legion*). No rational argument has been presented so far as to why it
wouldn't be (all brain-damaged "theories" and ill-formed "ideologies"
and ersatz "philosophies" by the usual straw men aside).



Re: google account say it will no longer deliver email

2022-05-15 Thread David Wright
On Sat 14 May 2022 at 14:02:36 (+0100), Brian wrote:
> On Sat 14 May 2022 at 12:02:49 -, Curt wrote:
> > On 2022-05-14,  wrote:
> > > On Sat, May 14, 2022 at 08:58:37AM -, Curt wrote:
> > >
> > > [...]
> > >
> > >> What about data breaches, and sites keeping your password
> > >> in plain text (though it seems access to the cryptographically hashed
> > >> passcodes is already a pretty good leg up)? What good is our entropy 
> > >> then?
> > >
> > > As stated elsewhere: unique passwords. Don't use a password you're using
> > > elsewhere. Much less so with a site you don't trust.
> > 
> > As always, I'm very uncertain where your goal posts are placed or what
> > tacit agenda you're following. No one has advocated the use of unique
> > passwords. 
> > 
> > In my plausible scenario, your password entropy counts for nothing.
> > Your password, unique or otherwise, has been compromised. 2FA would
> > prevent illegal entry to your account in this case. The subject we're
> > addressing here is your assertion that 2FA adds no extra security. I
> > have demonstrated that it does.
> 
> Preventing data breaches are outside the scope of the user, providing
> a high entropy password is not. If accessing a  site is of importance
> to him, then, in your plausible scenario, an eight character password
> effectively gives little security.
> 
> That is not an argument for 2FA but for a user having a responsible
> password policy to guard against such breaches.

Preventing data breaches might be outside my control, but mitigating
their effect might not be. So I like to have 2FA set up as entering
a code in response to a phone call. There's some peace of mind in my
/not/ receiving any of those calls unless /I/ try to login.

Were it to ring unexpectedly and I heard a woman with a crisp British
accent announce "Hello [pause] You have requested a code for logging
in to your account; the number is one three fave [sic] seven nine
nine; this code will expire in ten minutes", I would know something's
afoot, and I've got some urgent calls to make.

Cheers,
David.



Re: google account say it will no longer deliver email

2022-05-15 Thread tomas
On Sun, May 15, 2022 at 07:58:25AM -0400, gene heskett wrote:

[...]

> So are we tolerating the vegetables, Tomas, but not too well.
> Politicians and diapers need frequent changing, usually for the same 
> reason.

I was rather thinking in terms "we vegetables are well tolerated" ;-)

Cheers
-- 
t


signature.asc
Description: PGP signature


Re: google account say it will no longer deliver email

2022-05-15 Thread gene heskett
On Sunday, 15 May 2022 00:36:41 EDT to...@tuxteam.de wrote:
> On Sat, May 14, 2022 at 08:27:46PM +0100, Brian wrote:
> 
> [...]
> 
> > The scene is Margaret Thatcher in a restaurant with her Cabinet.
> > 
> >   Waiter: What do you want, madam?
> >   Margaret: Lamb steaks.
> >   Waiter: What about the vegetables?
> >   Margaret: They will have the same as me.
> 
> :-)
> 
> > Satire is probably dead in today's Europe.
> 
> Satire's doing fine around here, thank you. As for the vegetables...
> we're coping too, as well as we can :)
> 
> Cheers
> --
> t

So are we tolerating the vegetables, Tomas, but not too well.
Politicians and diapers need frequent changing, usually for the same 
reason.

Cheers, Gene Heskett.
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis





Re: google account say it will no longer deliver email

2022-05-14 Thread tomas
On Sat, May 14, 2022 at 08:27:46PM +0100, Brian wrote:

[...]

> The scene is Margaret Thatcher in a restaurant with her Cabinet.
> 
>   Waiter: What do you want, madam?
>   Margaret: Lamb steaks.
>   Waiter: What about the vegetables?
>   Margaret: They will have the same as me.

:-)

> Satire is probably dead in today's Europe.

Satire's doing fine around here, thank you. As for the vegetables...
we're coping too, as well as we can :)

Cheers
-- 
t


signature.asc
Description: PGP signature


Re: google account say it will no longer deliver email

2022-05-14 Thread gene heskett
On Saturday, 14 May 2022 14:43:08 EDT Brian wrote:
> On Sat 14 May 2022 at 15:21:06 +0200, to...@tuxteam.de wrote:
> > On Sat, May 14, 2022 at 12:42:28PM +0100, Brian wrote:
> [...]
> 
> > > Let me introduce you to my bank: they reduced the maximum 20 chars
> > > to 16 and did not allow some special chars such as "!" and ".".
> > > Mind you, I feel much more secure - 3FA is used :).
> > 
> > Three? Why not go all the way to 5FA [1]?
> > 
> > Cheers
> > 
> > [1] https://boingboing.net/2005/09/14/gillettes-5blade-raz.html
> > 
> > (not linking to the original Onion because their Javascript
> > doesn't want to play with me)
> 
> I have just realised that PayPal does 5FA. It meets the Gillette
> standard. Or should that be the MAD standard? Our capacity to
> put up with sysadmin (management?) nonsense is unlimited.
> 
> --
> Brian.
> 
No, it is not unlimited, Brian.  Business sites in particular often have 
a 20+ char pw for me, and if, after I set a 20+ char pw, I have to trim 
the end of it to make it work again, they get a nastygram. My bank, about 
2 years ago, did some minor revamping and wound up at an 8 char limit. They 
not only thanked me for the nastygram but also advised me that it had been 
raised to 32.  I am a big enough depositor they don't want to upset me.

The nagging thing about using FF is that it drops to a secret question 
and a 6 digit OTP response I've 5 minutes to respond to. And I can't set 
kmail to refresh the local imap image any faster than 5 minutes...

Take care, and stay well, Brian.

Cheers, Gene Heskett.
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis





Re: google account say it will no longer deliver email

2022-05-14 Thread Brian
On Sat 14 May 2022 at 20:51:14 +0200, to...@tuxteam.de wrote:

> On Sat, May 14, 2022 at 07:43:08PM +0100, Brian wrote:
> > On Sat 14 May 2022 at 15:21:06 +0200, to...@tuxteam.de wrote:
> 
> [FIVE blades!1!!]
> 
> > I have just realised that PayPal does 5FA. It meets the Gillette
> > standard. Or should that be the MAD standard? Our capacity to
> > put up with sysadmin (management?) nonsense is unlimited.
> 
> :-o
> 
> Now I thought I had good satire. They do spoil everything, don't they?
> 
> Thanks for that data point.

The scene is Margaret Thatcher in a restaurant with her Cabinet.

  Waiter: What do you want, madam?
  Margaret: Lamb steaks.
  Waiter: What about the vegetables?
  Margaret: They will have the same as me.

Satire is probably dead in today's Europe.

-- 
Brian.



Re: google account say it will no longer deliver email

2022-05-14 Thread tomas
On Sat, May 14, 2022 at 07:43:08PM +0100, Brian wrote:
> On Sat 14 May 2022 at 15:21:06 +0200, to...@tuxteam.de wrote:

[FIVE blades!1!!]

> I have just realised that PayPal does 5FA. It meets the Gillette
> standard. Or should that be the MAD standard? Our capacity to
> put up with sysadmin (management?) nonsense is unlimited.

:-o

Now I thought I had good satire. They do spoil everything, don't they?

Thanks for that data point.

Cheers
-- 
t


signature.asc
Description: PGP signature


Re: google account say it will no longer deliver email

2022-05-14 Thread Brian
On Sat 14 May 2022 at 15:21:06 +0200, to...@tuxteam.de wrote:

> On Sat, May 14, 2022 at 12:42:28PM +0100, Brian wrote:

[...]

> > Let me introduce you to my bank: they reduced the maximum 20 chars
> > to 16 and did not allow some special chars such as "!" and ".".
> > Mind you, I feel much more secure - 3FA is used :).
> 
> Three? Why not go all the way to 5FA [1]?
> 
> Cheers
> 
> [1] https://boingboing.net/2005/09/14/gillettes-5blade-raz.html
> (not linking to the original Onion because their Javascript
> doesn't want to play with me)

I have just realised that PayPal does 5FA. It meets the Gillette
standard. Or should that be the MAD standard? Our capacity to
put up with sysadmin (management?) nonsense is unlimited.

-- 
Brian.



Re: google account say it will no longer deliver email

2022-05-14 Thread Brian
On Sat 14 May 2022 at 15:21:06 +0200, to...@tuxteam.de wrote:

> On Sat, May 14, 2022 at 12:42:28PM +0100, Brian wrote:
> > On Sat 14 May 2022 at 07:23:47 +0200, to...@tuxteam.de wrote:

[...]
 
> > > [strong, unique, random]
> > > 
> > > That's it. The unique part can't be stressed enough: if you have
> > > umpteen services out there, it's a matter of time until one of
> > > those passwords leak (incompetent service provider, phishing,
> > > etc.). It better be different from your other passwords.
> > > 
> > > To minimise stress, I let a tool generate my passwords (pwgen).
> > > Important ones are 16 char (disk & backup encryption, bank account
> > > key armor, etc.), less important ones (e.g. local login) just 8.
> > 
> > Let me introduce you to my bank: they reduced the maximum 20 chars
> > to 16 and did not allow some special chars such as "!" and ".".
> > Mind you, I feel much more secure - 3FA is used :).
> 
> Three? Why not go all the way to 5FA [1]?
> 
> Cheers
> 
> [1] https://boingboing.net/2005/09/14/gillettes-5blade-raz.html
> (not linking to the original Onion because their Javascript
> doesn't want to play with me)

With MFA in play, does it really matter whether a password is strong
and unique? The only thing in this situation it now appears to do is
authorise a phone call or email.

-- 
Brian.



Re: google account say it will no longer deliver email

2022-05-14 Thread tomas
On Sat, May 14, 2022 at 12:42:28PM +0100, Brian wrote:
> On Sat 14 May 2022 at 07:23:47 +0200, to...@tuxteam.de wrote:
> 
> > On Sat, May 14, 2022 at 02:40:53PM +1200, Ash Joubert wrote:
> > > On 13/05/2022 12:23, Nicholas Geovanis wrote:
> > > > That's the value added in exchange for Ash's "massive pain in the arse".
> > > > Just making the 1st factor be
> > > > a loong password is not equivalent to 2FA in any way. Machine reaching 
> > > > back
> > > > to you is the difference.
> > > 
> > > There are attacks that 2FA can defeat, especially things like password 
> > > reset
> > > via compromised email server, but in general, two weak factors are not a
> > > match for a strong unique random password [...]
> > 
> > [strong, unique, random]
> > 
> > That's it. The unique part can't be stressed enough: if you have
> > umpteen services out there, it's a matter of time until one of
> > those passwords leak (incompetent service provider, phishing,
> > etc.). It better be different from your other passwords.
> > 
> > To minimise stress, I let a tool generate my passwords (pwgen).
> > Important ones are 16 char (disk & backup encryption, bank account
> > key armor, etc.), less important ones (e.g. local login) just 8.
> 
> Let me introduce you to my bank: they reduced the maximum 20 chars
> to 16 and did not allow some special chars such as "!" and ".".
> Mind you, I feel much more secure - 3FA is used :).

Three? Why not go all the way to 5FA [1]?

Cheers

[1] https://boingboing.net/2005/09/14/gillettes-5blade-raz.html
(not linking to the original Onion because their Javascript
doesn't want to play with me)

-- 
tomás




Re: google account say it will no longer deliver email

2022-05-14 Thread Brian
On Sat 14 May 2022 at 12:02:49 -, Curt wrote:

> On 2022-05-14,   wrote:
> >
> > On Sat, May 14, 2022 at 08:58:37AM -, Curt wrote:
> >
> > [...]
> >
> >> What about data breaches, and sites keeping your password
> >> in plain text (though it seems access to the cryptographically hashed
> >> passcodes is already a pretty good leg up)? What good is our entropy then?
> >
> > As stated elsewhere: unique passwords. Don't use a password you're using
> > elsewhere. Much less so with a site you don't trust.
> 
> As always, I'm very uncertain where your goal posts are placed or what
> tacit agenda you're following. No one has advocated the use of unique
> passwords. 
> 
> In my plausible scenario, your password entropy counts for nothing.
> Your password, unique or otherwise, has been compromised. 2FA would
> prevent illegal entry to your account in this case. The subject we're
> addressing here is your assertion that 2FA adds no extra security. I
> have demonstrated that it does.

Preventing data breaches is outside the scope of the user; providing
a high entropy password is not. If accessing a site is of importance
to him, then, in your plausible scenario, an eight character password
effectively gives little security.

That is not an argument for 2FA but for a user having a responsible
password policy to guard against such breaches.

-- 
Brian.



Re: google account say it will no longer deliver email

2022-05-14 Thread Curt
On 2022-05-14,   wrote:
>
> On Sat, May 14, 2022 at 08:58:37AM -, Curt wrote:
>
> [...]
>
>> What about data breaches, and sites keeping your password
>> in plain text (though it seems access to the cryptographically hashed
>> passcodes is already a pretty good leg up)? What good is our entropy then?
>
> As stated elsewhere: unique passwords. Don't use a password you're using
> elsewhere. Much less so with a site you don't trust.

As always, I'm very uncertain where your goal posts are placed or what
tacit agenda you're following. No one has advocated the use of unique
passwords. 

In my plausible scenario, your password entropy counts for nothing.
Your password, unique or otherwise, has been compromised. 2FA would
prevent illegal entry to your account in this case. The subject we're
addressing here is your assertion that 2FA adds no extra security. I
have demonstrated that it does. 

> Cheers




Re: google account say it will no longer deliver email

2022-05-14 Thread Brian
On Sat 14 May 2022 at 08:58:37 -, Curt wrote:

> On 2022-05-14, Ash Joubert  wrote:
> > On 13/05/2022 12:23, Nicholas Geovanis wrote:
> >> That's the value added in exchange for Ash's "massive pain in the arse".
> >> Just making the 1st factor be
> >> a loong password is not equivalent to 2FA in any way. Machine reaching back
> >> to you is the difference.
> >
> > There are attacks that 2FA can defeat, especially things like password 
> > reset via compromised email server, but in general, two weak factors are 
> > not a match for a strong unique random password. In particular, it is 
> > not uncommon for sms/email/totp second factor to resolve to exactly the 
> > same device as the first factor, reducing 2FA to a single factor. 
> > Compromise such a user's phone and it is all over.
> 
> What about data breaches, and sites keeping your password
> in plain text (though it seems access to the cryptographically hashed
> passcodes is already a pretty good leg up)? What good is our entropy then?
> 
> https://en.wikipedia.org/wiki/List_of_data_breaches
> 
> https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The time to brute force a hash depends on password entropy. The
second link is an interesting read, but I do not think everything
in a cracker's garden is rosy. One can only hope providers use
decent hashing techniques and keep data safe.

-- 
Brian.
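Added example (Python, not from anyone in this thread) for Brian's two points above: the time to brute force a leaked hash grows with the password's entropy, and it also grows with the work factor of the provider's hashing. The record format, the 62-symbol alphabet (pwgen's default letters and digits) and the iteration count are assumptions of this example.

```python
"""Provider-side password storage and an entropy/work-factor estimate."""
import hashlib
import hmac
import math
import os

# Assumed work factor for this example; PBKDF2 rounds scale the attacker's cost.
ITERATIONS = 600_000
# pwgen's default symbol set: upper- and lower-case letters plus digits.
PWGEN_ALPHABET = 26 + 26 + 10


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a self-describing record: scheme$iterations$salt$hash (hex).
    A fresh per-user salt means one leaked table cannot be attacked with a
    single precomputed dictionary, and equal passwords get different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of 'length' symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, hashes_per_second: float,
                           iterations: int = 1) -> float:
    """Expected time to hit a uniformly random password: half the keyspace,
    with every guess costing 'iterations' hash computations. The guess rate
    is a caller-supplied assumption, not a measured figure."""
    guesses_per_second = hashes_per_second / iterations
    return (2 ** (bits - 1)) / guesses_per_second


if __name__ == "__main__":
    rec = hash_password("example-only")
    print(verify_password("example-only", rec), verify_password("wrong", rec))
    for length in (8, 16, 40):
        print(length, "chars:", round(entropy_bits(PWGEN_ALPHABET, length), 1), "bits")
```
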



Re: google account say it will no longer deliver email

2022-05-14 Thread Brian
On Sat 14 May 2022 at 07:23:47 +0200, to...@tuxteam.de wrote:

> On Sat, May 14, 2022 at 02:40:53PM +1200, Ash Joubert wrote:
> > On 13/05/2022 12:23, Nicholas Geovanis wrote:
> > > That's the value added in exchange for Ash's "massive pain in the arse".
> > > Just making the 1st factor be
> > > a loong password is not equivalent to 2FA in any way. Machine reaching 
> > > back
> > > to you is the difference.
> > 
> > There are attacks that 2FA can defeat, especially things like password reset
> > via compromised email server, but in general, two weak factors are not a
> > match for a strong unique random password [...]
> 
> [strong, unique, random]
> 
> That's it. The unique part can't be stressed enough: if you have
> umpteen services out there, it's a matter of time until one of
> those passwords leak (incompetent service provider, phishing,
> etc.). It better be different from your other passwords.
> 
> To minimise stress, I let a tool generate my passwords (pwgen).
> Important ones are 16 char (disk & backup encryption, bank account
> key armor, etc.), less important ones (e.g. local login) just 8.

Let me introduce you to my bank: they reduced the maximum 20 chars
to 16 and did not allow some special chars such as "!" and ".".
Mind you, I feel much more secure - 3FA is used :).

-- 
Brian.



Re: google account say it will no longer deliver email

2022-05-14 Thread tomas
On Sat, May 14, 2022 at 11:21:39AM +0200, to...@tuxteam.de wrote:
> On Sat, May 14, 2022 at 08:58:37AM -, Curt wrote:
> 
> [...]
> 
> > What about data breaches [...]

> As stated elsewhere: unique passwords [...]

Or, if I may put it in other terms: Recycle your trash. Never
recycle your passwords.

Cheers
-- 
t 




Re: google account say it will no longer deliver email

2022-05-14 Thread tomas
On Sat, May 14, 2022 at 08:58:37AM -, Curt wrote:

[...]

> What about data breaches, and sites keeping your password
> in plain text (though it seems access to the cryptographically hashed
> passcodes is already a pretty good leg up)? What good is our entropy then?

As stated elsewhere: unique passwords. Don't use a password you're using
elsewhere. Much less so with a site you don't trust.

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-05-14 Thread Curt
On 2022-05-14, Ash Joubert  wrote:
> On 13/05/2022 12:23, Nicholas Geovanis wrote:
>> That's the value added in exchange for Ash's "massive pain in the arse".
>> Just making the 1st factor be
>> a loong password is not equivalent to 2FA in any way. Machine reaching back
>> to you is the difference.
>
> There are attacks that 2FA can defeat, especially things like password 
> reset via compromised email server, but in general, two weak factors are 
> not a match for a strong unique random password. In particular, it is 
> not uncommon for sms/email/totp second factor to resolve to exactly the 
> same device as the first factor, reducing 2FA to a single factor. 
> Compromise such a user's phone and it is all over.

What about data breaches, and sites keeping your password
in plain text (though it seems access to the cryptographically hashed
passcodes is already a pretty good leg up)? What good is our entropy then?

https://en.wikipedia.org/wiki/List_of_data_breaches

https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/



Re: google account say it will no longer deliver email

2022-05-13 Thread tomas
On Sat, May 14, 2022 at 03:05:11PM +1200, Ash Joubert wrote:
> On 14/05/2022 00:42, Michael Stone wrote:
> > On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> > > A loong password is not "equivalent" to 2FA, that's right. Good
> > > password management (of which length is but a part) is as secure
> > > as 2FA.
> > 
> > No, it really isn't.
> 
> A good password will not protect you from password reset via a weak channel
> such as email on an insecure server.
> 
> 2FA will not protect you if the second factor is weak or resolves to the
> same device. Hint: if you store your password and TOTP key in the same
> manager then you have only one factor.

Not to speak of SIM spoofing or social engineering of your mobile phone
provider (yes, it has been observed in the wild). There goes your SMS
second factor.

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-05-13 Thread tomas
On Sat, May 14, 2022 at 02:40:53PM +1200, Ash Joubert wrote:
> On 13/05/2022 12:23, Nicholas Geovanis wrote:
> > That's the value added in exchange for Ash's "massive pain in the arse".
> > Just making the 1st factor be
> > a loong password is not equivalent to 2FA in any way. Machine reaching back
> > to you is the difference.
> 
> There are attacks that 2FA can defeat, especially things like password reset
> via compromised email server, but in general, two weak factors are not a
> match for a strong unique random password [...]

[strong, unique, random]

That's it. The unique part can't be stressed enough: if you have
umpteen services out there, it's a matter of time until one of
those passwords leak (incompetent service provider, phishing,
etc.). It better be different from your other passwords.

To minimise stress, I let a tool generate my passwords (pwgen).
Important ones are 16 char (disk & backup encryption, bank account
key armor, etc.), less important ones (e.g. local login) just 8.

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-05-13 Thread Ash Joubert

On 14/05/2022 00:42, Michael Stone wrote:
> On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> > A loong password is not "equivalent" to 2FA, that's right. Good
> > password management (of which length is but a part) is as secure
> > as 2FA.
> 
> No, it really isn't.


A good password will not protect you from password reset via a weak 
channel such as email on an insecure server.


2FA will not protect you if the second factor is weak or resolves to the 
same device. Hint: if you store your password and TOTP key in the same 
manager then you have only one factor.


2FA often smells to me like security theatre, a band-aid over a sucking 
chest wound of weak security practices, much like forced password 
expiry. Done well, in addition to good security practices, including 
strong unique random passwords, 2FA enhances security, but the cost is 
high. Note however that the cost of a compromise can be devastating.


If you use 2FA, you must include it in your disaster recovery plans. 
Imagine all your on-site devices including your phone are destroyed. Now 
recover.


Kind regards,

--
Ash Joubert 
Director
Transient Software Limited 
New Zealand



Re: google account say it will no longer deliver email

2022-05-13 Thread Ash Joubert

On 13/05/2022 12:23, Nicholas Geovanis wrote:
> That's the value added in exchange for Ash's "massive pain in the arse".
> Just making the 1st factor be
> a loong password is not equivalent to 2FA in any way. Machine reaching back
> to you is the difference.


There are attacks that 2FA can defeat, especially things like password 
reset via compromised email server, but in general, two weak factors are 
not a match for a strong unique random password. In particular, it is 
not uncommon for sms/email/totp second factor to resolve to exactly the 
same device as the first factor, reducing 2FA to a single factor. 
Compromise such a user's phone and it is all over.


If Bob, username "bob", chooses password "bob123" (real example, name 
changed to protect the guilty) for both his email and website login, 2FA 
via email is easily circumvented by intercepting the email. If both 
email and website had strong unique random passwords, many attacks are 
prevented. Password reset attacks via intercepted emails on the email 
server remain a threat.


It is not enough for a password to be looong. It must be strong AND 
unique AND random. Even a strong password is exploitable if one 
compromised site can be used to obtain it and access many other sites. 
It has to be random because someone else may have used the first 100 
decimal digits of pi or e or the first paragraph of your favourite book. 
Strong goes without saying.


Kind regards,

--
Ash Joubert 
Director
Transient Software Limited 
New Zealand



Re: google account say it will no longer deliver email

2022-05-13 Thread David
On Sat, 14 May 2022 at 04:40, Brian  wrote:
> On Fri 13 May 2022 at 20:01:20 +0200, Kamil Jońca wrote:
> > Brian  writes:
> > > On Fri 13 May 2022 at 08:42:21 -0400, Michael Stone wrote:
> > >> On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:

> > >> > A loong password is not "equivalent" to 2FA, that's right. Good
> > >> > password management (of which length is but a part) is as secure
> > >> > as 2FA.
[...]
> > Password can be stolen, while with 2fa you have to take control over two
> > factors.
[...]
> Your claim is a good example of "frighten the user into doing what we want".

[Statements above are heavily trimmed and provide context only.
They are independent and do not represent a conversation.]

Speaking of "frighten the user into doing what we want" ...

Yesterday I needed to log in to a (different) gmail account that
I had not used for some time, so gmail reasonably required
some authentication.

1) Username (email address) ... I provided it.
2) Password (random chars, medium length) ... I provided it.
3) One-time auth token (sent to an unidentified non-gmail mailbox) ...
I provided it.

You would think that would be enough to satisfy 2FA, but it wasn't.

I was then prompted to enter a phone number, and it was
impossible to proceed without doing so, to obtain a one-time
token sent by SMS.

"so that we can verify your identity" or words to that effect.

The point is, I have never in my life before given gmail any phone
number. So gmail claiming that one was required to identify me
was a lie. At that point, any phone number would satisfy the process.

And denying access until I provided one, gave me a very
unpleasant feeling of being blackmailed into coughing up a phone
number in response to a lie.

Luckily, I was able to satisfy the requirement without revealing
any information that I care about. It will be annoying for future
logins though, so I now intend to move that content to a different
hosting service.

Diversity, not having all eggs (email, phones) in one basket is
my best solution to this. Use multiple, cheap, minimal, easily
swappable solutions where possible. The gmail account I'm
using to write this is only used for mailing lists, for example.



Re: google account say it will no longer deliver email

2022-05-13 Thread Kamil Jońca
Brian  writes:

[...]

> When was the last time you experienced that or heard of a well-documented
> case of it happening?
I do not know what you mean by "well documented".
Is https://haveibeenpwned.com/ enough?

> I do not even know what my passwords are.

Does not matter. I also know very few of my passwords (or rather
'secrets'), only those to unlock the password manager(s).

> Nothing to
>  be stolen!
Erm? Could you clarify? 


I do not know what your point is.
I believe you can protect your passwords. (So do I, I hope.) But we
are a rather rare species now.
Moreover, although your provider should not keep passwords in plain
text, quite often they do.

> Your claim is a good example of "frighten the user into doing what we want".
Well, no? I think I was clear that I do not like Google/MS behaviour.
KJ


-- 
http://wolnelektury.pl/wesprzyj/teraz/



Re: google account say it will no longer deliver email

2022-05-13 Thread Brian
On Fri 13 May 2022 at 20:01:20 +0200, Kamil Jońca wrote:

> Brian  writes:
> 
> > On Fri 13 May 2022 at 08:42:21 -0400, Michael Stone wrote:
> >
> >> On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> >> > A loong password is not "equivalent" to 2FA, that's right. Good
> >> > password management (of which length is but a part) is as secure
> >> > as 2FA.
> >> 
> >> No, it really isn't.
> >
> > How does a 40 random character, high entropy sound for Google? Good
> > enough to go up against 2FA? Avoiding the tedium and inconvenience,
> > of course.
> 
> Think about leaks.
> Password can be stolen, while with 2fa you have to take control over two
> factors.

When was the last time you experienced that or heard of a well-documented
case of it happening? I do not even know what my passwords are. Nothing to
 be stolen!

Your claim is a good example of "frighten the user into doing what we want".

-- 
Brian.



Re: google account say it will no longer deliver email

2022-05-13 Thread Kamil Jońca
Brian  writes:

> On Fri 13 May 2022 at 08:42:21 -0400, Michael Stone wrote:
>
>> On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
>> > A loong password is not "equivalent" to 2FA, that's right. Good
>> > password management (of which length is but a part) is as secure
>> > as 2FA.
>> 
>> No, it really isn't.
>
> How does a 40 random character, high entropy sound for Google? Good
> enough to go up against 2FA? Avoiding the tedium and inconvenience,
> of course.

Think about leaks.
Password can be stolen, while with 2fa you have to take control over two
factors.

That said, IMO "app passwords" (maybe with time-limited validity) are a good
compromise between security and convenience.
And I do not like OAuth2 in its current incarnation.
KJ


-- 
http://wolnelektury.pl/wesprzyj/teraz/



Re: google account say it will no longer deliver email

2022-05-13 Thread Brian
On Fri 13 May 2022 at 08:42:21 -0400, Michael Stone wrote:

> On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> > A loong password is not "equivalent" to 2FA, that's right. Good
> > password management (of which length is but a part) is as secure
> > as 2FA.
> 
> No, it really isn't.

How does a 40 random character, high entropy sound for Google? Good
enough to go up against 2FA? Avoiding the tedium and inconvenience,
of course.



Re: google account say it will no longer deliver email

2022-05-13 Thread David Wright
On Fri 13 May 2022 at 14:02:40 (+0200), to...@tuxteam.de wrote:
> On Fri, May 13, 2022 at 11:44:52AM -, Curt wrote:
> > On 2022-05-13,   wrote:
> > >
> > >> > It's just the basic antipattern you can see everywhere in surveillance
> > 
> > >> You seem to be seeing these antipatterns at the drop of any hat.
> > >
> > > Uh -- whatever you mean to say with that.
> > 
> > I meant that you applied (or employed) the term quite recently in a
> > completely unrelated thread about openssh, and David Wright's
> > observation that logging in remotely as root can be problematic.
> 
> Hm. It seems I was unclear. Trying to fix it (hopefully *not* making
> it worse):
> 
>  - I do agree that logging in as root remotely can be problematic
>    (especially when root has a weak password). So I think it is
>    a good thing for the admin to be able to disable that.
>  - I think the software forcing the admin to do that would be an
>    antipattern. OpenSSH *doesn't* force the admin to do that,
>    so it *doesn't* follow that antipattern.

What I don't understand about that thread is why the shift in
focus to ssh, openssh, and logging in (or otherwise) as root.
I don't see any antipatterns there (they certainly haven't been
spelled out), but just choices made by the sysadmin, between
no root password, having a password but not usable for remote
logins, and so on. Choices helped along by our Debian developers.

Surely the serious antipatterns mentioned in that thread are:
. running setuid scripts, as the OP claimed was possible in the past,
. suggestion to run said scripts as root, without having seen them.

(One of the benefits of posting scripts here is that they get
criticised, usually constructively, and hence improved.)

Cheers,
David.



Re: google account say it will no longer deliver email

2022-05-13 Thread Michael Stone

On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> A loong password is not "equivalent" to 2FA, that's right. Good
> password management (of which length is but a part) is as secure
> as 2FA.


No, it really isn't.



Re: google account say it will no longer deliver email

2022-05-13 Thread tomas
On Fri, May 13, 2022 at 11:44:52AM -, Curt wrote:
> On 2022-05-13,   wrote:
> >
> >> > It's just the basic antipattern you can see everywhere in surveillance
> 
> >> You seem to be seeing these antipatterns at the drop of any hat.
> >
> > Uh -- whatever you mean to say with that.
> 
> I meant that you applied (or employed) the term quite recently in a
> completely unrelated thread about openssh, and David Wright's
> observation that logging in remotely as root can be problematic.

Hm. It seems I was unclear. Trying to fix it (hopefully *not* making
it worse):

 - I do agree that logging in as root remotely can be problematic
   (especially when root has a weak password). So I think it is
   a good thing for the admin to be able to disable that.
 - I think the software forcing the admin to do that would be an
   antipattern. OpenSSH *doesn't* force the admin to do that,
   so it *doesn't* follow that antipattern.

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-05-13 Thread Curt
On 2022-05-13,   wrote:
>
>> > It's just the basic antipattern you can see everywhere in surveillance

>> You seem to be seeing these antipatterns at the drop of any hat.
>
> Uh -- whatever you mean to say with that.

I meant that you applied (or employed) the term quite recently in a
completely unrelated thread about openssh, and David Wright's
observation that logging in remotely as root can be problematic.


> [...]
>
>> I guess the devil, as always, will be hiding somewhere in the details.
>
> It always does, indeed.
>
> Cheers
> -- 
> t


-- 




Re: google account say it will no longer deliver email

2022-05-13 Thread tomas
On Fri, May 13, 2022 at 09:36:13AM -, Curt wrote:
> On 2022-05-13,   wrote:
> >
> > It's just the basic antipattern you can see everywhere in surveillance
> 
> You seem to be seeing these antipatterns at the drop of any hat.

Uh -- whatever you mean to say with that.

[...]

> I guess the devil, as always, will be hiding somewhere in the details.

It always does, indeed.

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-05-13 Thread Curt
On 2022-05-13,   wrote:
>
> It's just the basic antipattern you can see everywhere in surveillance

You seem to be seeing these antipatterns at the drop of any hat.

But I read recently about a brand new password antipattern (whatever those are).
The only thing is, I don't really understand what the hell it is exactly.

  In a joint effort to make the web more secure and usable for all,
  Apple, Google and Microsoft today announced plans to expand support
  for a common passwordless sign-in standard created by the FIDO
  Alliance and the World Wide Web Consortium. The new capability will
  allow websites and apps to offer consistent, secure, and easy
  passwordless sign-ins to consumers across devices and platforms.  

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

I guess the devil, as always, will be hiding somewhere in the details.



Re: google account say it will no longer deliver email

2022-05-13 Thread Kamil Jońca
Virgo Pärna  writes:

> On Thu, 12 May 2022 20:59:16 +0200, Fero Dali  wrote:
>> On Thu, May 12, 2022 at 8:08 PM Virgo Pärna  wrote:
>>>
>>> Tried rechecking all mails, but did not find that mail. TOTP
>>> based twofactor can be used even without phone app.
>>
>> I made a mistake and replied privately to mick crane and he was very
>> kind and repost that mail to the list:
>> https://lists.debian.org/debian-user/2022/05/msg00331.html
>>
>
>   Ok. Google Authenticator based 2 factor is TOTP. That is why I
> said, that it can be used without phone. Keepass password manager
> supports it. But that does mean that you need to have access to those
> programs anywhere, where you are logging into gmail. So that can be an
> issue.
Yubikeys can be a 2FA factor, either as U2F or TOTP (at least this one
https://www.yubico.com/pl/product/yubikey-5-nfc/ or 
https://www.yubico.com/pl/product/yubikey-5-nfc/)


KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
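Virgo's point above, that Google's Authenticator-style second factor is plain TOTP and any tool holding the shared secret (phone app, Keepass entry, hardware key) can produce it, as an added Python example that is not from anyone in this thread. The secret is the RFC 6238 reference seed, base32-encoded the way an enrolment QR code carries it; the verifier's one-step skew window is an assumption of this example.

```python
"""TOTP (RFC 6238) generation and verification from a shared secret."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238 reference seed, base32-encoded the
# way an authenticator enrolment QR code or a password-manager entry stores it.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Code valid during the 'step'-second window containing Unix time 'at'.
    This is the whole client side: nothing here needs a phone."""
    secret = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server side: accept the current window plus 'window' neighbours on each
    side to tolerate clock skew, comparing in constant time. A real verifier
    must also refuse to accept the same code twice."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, at + drift * step, step, digits, algo)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SECRET_B32, now))
    print("RFC 6238 vector at T=59:", totp(EXAMPLE_SECRET_B32, 59, digits=8))
```

Note that whoever holds the base32 secret holds the factor, which is Ash's point about a password and TOTP key kept in the same manager collapsing to a single factor.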



Re: google account say it will no longer deliver email

2022-05-12 Thread DdB
I am suffering from Google's changes too.
Thunderbird, of which I am using a very old version that is still able
to run enigmail for PGP encryption, does not yet support OAuth2. And the
more recent release has nothing comparable to enigmail; its support for
encryption lacks about everything I need, and mostly I do not trust their
handling of secrets.

Since the older version ceases to work, and the newer would disclose my
keys, I am in fact FORCED to leave gmail. Not all that convenient, but
not all that bad either; I have been preparing for it for more than a year.

kind regards
DdB

Am 13.05.2022 um 01:06 schrieb Ash Joubert:
> Thunderbird supports OAuth2 and I use it for Gmail IMAP. K-9 Mail on
> Android does not support OAuth2 so I use the Gmail app on Android for
> Gmail alone.
>
> Kind regards,


-- 

Liebe ist ...
Datakanja



Re: google account say it will no longer deliver email

2022-05-12 Thread tomas
On Thu, May 12, 2022 at 07:23:31PM -0500, Nicholas Geovanis wrote:
> On Thu, May 12, 2022 at 6:06 PM Ash Joubert  wrote:
> ...trimmed...
> 
> 
> > Two-factor authentication is when you need to confirm your login with an
> > SMS message or one-time pad or other second way of authenticating that
> > you are who you claim to be. 2FA is popular because users choose weak
> > passwords and share them between services. If users generate a unique
> > strong random password for every service, little is gained with 2FA, and
> > 2FA is then just a massive pain in the arse. But user behaviour is
> > unreliable.
> >
> 
> In the last couple of years many corporate and not-for-profit organizations
> have implemented 2-factor authentication internally. Even in the physical
> office many transactions require 2FA interaction. Where I am now that is
> also the case, and 2FA is configured to prompt with a choice between
> receiving the 2nd factor by SMS text message, voice call, or email. They're
> using Pulse 2FA. So your provider can do that too if they want to. But the
> whole point of 2FA is that there shall be a second response from a
> previously known location for you: phone number, email address, etc.
> 
> That's the value added in exchange for Ash's "massive pain in the arse".
> Just making the 1st factor be a loong password is not equivalent to 2FA
> in any way. Machine reaching back to you is the difference.

The only "value added" is for those third-party providers: they know where
& when you are logging into which service and can monetize on it.

It's just the basic antipattern you can see everywhere in surveillance
capitalism: provide a service which interposes between users and the
things they do (search, communicate, marketplace, transport; in the
current case: identity management), try to make them dependent, monetize
the knowledge you gain about your users.

Not all 2FA is like that, of course. When your second factor is a
hardware dongle (best if you control it, i.e. it's open hardware and
free firmware, Nitrokey comes as near as it gets). Still, why?

A loong password is not "equivalent" to 2FA, that's right. Good
password management (of which length is but a part) is as secure
as 2FA.

Cheers
-- 
t




Re: google account say it will no longer deliver email

2022-05-12 Thread Nicholas Geovanis
On Thu, May 12, 2022 at 6:06 PM Ash Joubert  wrote:
...trimmed...


> Two-factor authentication is when you need to confirm your login with an
> SMS message or one-time pad or other second way of authenticating that
> you are who you claim to be. 2FA is popular because users choose weak
> passwords and share them between services. If users generate a unique
> strong random password for every service, little is gained with 2FA, and
> 2FA is then just a massive pain in the arse. But user behaviour is
> unreliable.
>

In the last couple of years many corporate and not-for-profit organizations
have implemented 2-factor authentication internally. Even in the physical
office many transactions require 2FA interaction. Where I am now that is
also the case, and 2FA is configured to prompt with a choice between
receiving the 2nd factor by SMS text message, voice call, or email. They're
using Pulse 2FA. So your provider can do that too if they want to. But the
whole point of 2FA is that there shall be a second response from a
previously known location for you: phone number, email address, etc.

That's the value added in exchange for Ash's "massive pain in the arse".
Just making the 1st factor be a loong password is not equivalent to 2FA
in any way. Machine reaching back to you is the difference.

...
>
> Kind regards,
>
> --
> Ash Joubert 
> Director
> Transient Software Limited 
> New Zealand
>
>


Re: google account say it will no longer deliver email

2022-05-12 Thread tv.debian

On 13/05/2022 at 01:06, Ash Joubert wrote:
> On 13/05/2022 01:23, Fero Dali wrote:
> > BTW as far as I understand OAUTH2 and two factor authentication
> > are the same thing. I might be wrong though.
> 
> They are not. OAuth2 is a delegated access framework: with OAuth2 for 
> Gmail, you use your Google password once to authorise Google to give 
> your email client a token that it can then use to access your email, 
> contacts, and calendar and *only* those, and not any other Google 
> services. This means that your main Google password is not stored in 
> your email client, reducing the risk that it might be compromised, as 
> well as limiting the access of your email client.
> 
> Two-factor authentication is when you need to confirm your login with an 
> SMS message or one-time pad or other second way of authenticating that 
> you are who you claim to be. 2FA is popular because users choose weak 
> passwords and share them between services. If users generate a unique 
> strong random password for every service, little is gained with 2FA, and 
> 2FA is then just a massive pain in the arse. But user behaviour is 
> unreliable.
> 
> Thunderbird supports OAuth2 and I use it for Gmail IMAP. K-9 Mail on 
> Android does not support OAuth2 so I use the Gmail app on Android for 
> Gmail alone.
> 
> Kind regards,

This is off-topic but on Android "FairEmail" supports OAuth2 with Google 
and others, only in it's Play store version sadly, not the F-Droid one. 
I am not affiliated with the author of "fairEmail" and used K9 previously.




Re: google account say it will no longer deliver email

2022-05-12 Thread Ash Joubert

On 13/05/2022 01:23, Fero Dali wrote:

> BTW as far as I understand OAUTH2 and two factor authentication
> are the same thing. I might be wrong though.


They are not. OAuth2 is a delegated access framework: with OAuth2 for 
Gmail, you use your Google password once to authorise Google to give 
your email client a token that it can then use to access your email, 
contacts, and calendar and *only* those, and not any other Google 
services. This means that your main Google password is not stored in 
your email client, reducing the risk that it might be compromised, as 
well as limiting the access of your email client.


Two-factor authentication is when you need to confirm your login with an 
SMS message or one-time pad or other second way of authenticating that 
you are who you claim to be. 2FA is popular because users choose weak 
passwords and share them between services. If users generate a unique 
strong random password for every service, little is gained with 2FA, and 
2FA is then just a massive pain in the arse. But user behaviour is 
unreliable.


Thunderbird supports OAuth2 and I use it for Gmail IMAP. K-9 Mail on 
Android does not support OAuth2 so I use the Gmail app on Android for 
Gmail alone.


Kind regards,

--
Ash Joubert 
Director
Transient Software Limited 
New Zealand

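Ash's point above is that with OAuth2 the mail client never holds or sends the Google password; it presents a bearer token scoped to mail only. The following Python is an added illustration, not code from the thread or from Thunderbird/K-9: it builds the SASL XOAUTH2 initial client response in the format Google documents for IMAP (`user=<addr>^Aauth=Bearer <token>^A^A`, base64-encoded on the wire) and shows a mock server side that parses it and enforces the mail scope. The token table and the user `alice@example.com` are constructed for the example; the scope string `https://mail.google.com/` is Google's documented full-access mail scope.

```python
import base64

# Google's documented scope for full IMAP/SMTP access to a mailbox.
GMAIL_SCOPE = "https://mail.google.com/"


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 initial client response, as imaplib's authobject
    would return it (imaplib base64-encodes it before sending).  Note that
    only the bearer token crosses the wire, never the account password."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_wire(user: str, access_token: str) -> str:
    """The base64 form the client actually transmits after 'AUTHENTICATE XOAUTH2'."""
    return base64.b64encode(xoauth2_initial_response(user, access_token)).decode("ascii")


def parse_xoauth2(wire: str):
    """Server side: decode and validate the response, returning (user, token).
    Raises ValueError on anything that is not a well-formed XOAUTH2 message."""
    raw = base64.b64decode(wire).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing terminating ^A^A")
    fields = dict(field.split("=", 1) for field in raw[:-2].split("\x01"))
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("unexpected fields")
    return fields["user"], fields["auth"][len("Bearer "):]


# Constructed stand-in for the authorization server's token introspection:
# these token strings and scopes are made up for the example.
TOKENS = {
    "tok-mail-only": {"sub": "alice@example.com", "scopes": {GMAIL_SCOPE}},
    "tok-calendar-only": {
        "sub": "alice@example.com",
        "scopes": {"https://www.googleapis.com/auth/calendar.readonly"},
    },
}


def imap_server_accepts(wire: str) -> bool:
    """Mock IMAP server decision: the token must exist, belong to the claimed
    user, and carry the mail scope.  A calendar-only token is refused, which
    is the 'only those services' property Ash describes."""
    try:
        user, token = parse_xoauth2(wire)
    except ValueError:
        return False
    info = TOKENS.get(token)
    return info is not None and info["sub"] == user and GMAIL_SCOPE in info["scopes"]


if __name__ == "__main__":
    wire = xoauth2_wire("alice@example.com", "tok-mail-only")
    print(wire)
    print("accepted:", imap_server_accepts(wire))
```

With a real client you would pass `xoauth2_initial_response` as the `authobject` to `imaplib.IMAP4_SSL.authenticate("XOAUTH2", ...)` after obtaining the token from Google's OAuth2 endpoint; the point the example makes is that revoking or narrowing that token never touches the account password.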


Re: google account say it will no longer deliver email

2022-05-12 Thread Fero Dali
On Thu, May 12, 2022 at 8:08 PM Virgo Pärna  wrote:
>
> Tried rechecking all mails, but did not find that mail. TOTP
> based twofactor can be used even without phone app.

I made a mistake and replied privately to mick crane and he was very
kind and reposted that mail to the list:
https://lists.debian.org/debian-user/2022/05/msg00331.html

