Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.
Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access" that was required for the iPhone security flaw?
Big difference. Here they have access to all of your passwords on your computer. The iPhone flaw was quickly fixed as well. Google doesn't seem to think this is a problem. That is a problem in and of itself.
So... let me get this straight... they compare someone... maybe a roommate... or a coworker... etc... with a couple minutes and the tech savvy of going to the control panel for a looksie to someone who is going to "dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software."
That's like not locking your door because someone could throw a brick through the window if they really wanted in.
Do you suppose folks at Google routinely keep a Post-It stuck to their monitors labeled "Secret - Please Don't peek" that has all of their passwords written on the back?
Why would you want to tempt anyone around you that may be a bit ethically challenged?
I doubt they leave their wallet on their desk either.
As I said many many times, Google has no culture, no products (except search), no respect for people's privacy and no talent.
Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!
On another note, Google hasn't started sending requests to various sites to lower down their tunes on this yet another Google security mess-up? They always do that, you know.
Quote:
Originally Posted by EricTheHalfBee
Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.
Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access" that was required for the iPhone security flaw?
Hardly the same situation as the access to the iPhone was limited, the sequence cumbersome, and passwords to other sites blocked anyway. Plus Apple fixed it.
The problem is the flood of passwords to really do anything online anymore. Using the same ones over and over is a terrible idea.
Yes, but one should use a dedicated app from a well-known company that is in the business of selling secure products, not some built-in afterthought feature intended to add convenience for people who don't know any better.
Quote:
Big difference. Here they have access to all of your passwords on your computer. The iPhone flaw was quickly fixed as well. Google doesn't seem to think this is a problem. That is a problem in and of itself.
This. I didn't really think it was that big of a deal until I read Google's response. The guy deserves to be flogged for releasing such an asinine comment as Google's official response.
Quote:
Originally Posted by EricTheHalfBee
Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.
Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access" that was required for the iPhone security flaw?
In many cases, physical access means "game over" as far as security is concerned.
Quote:
Originally Posted by Damn_Its_Hot
So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."
Do no evil. Yeah...
Did Google screw up? Sure, no question about that. But I wonder what the real answer is. Safari does present a password dialog when you ask it to show passwords, but I would wager that people's Admin passwords are no more secure than whatever they're typing into a form on some website. It's made to be easy because people have so many passwords that they forget which account is for which site. "Normal" people (e.g., my parents) don't use things like 1Password or understand why they need it.
This isn't surprising, but I'm not sure how we move towards a situation where we're all using secure passwords. The idea of a Master Password isn't too bad, but you're (obviously) screwed if it gets out.
Quote:
Originally Posted by Damn_Its_Hot
So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."
Do no evil. Yeah...
I think in their view, Safari's method of prompting for the login password isn't really more secure because if an attacker gets your account credentials, it doesn't make much difference if he has to enter them once or twice. Safari would be more secure if it instead required a separate password distinct from the user's login password. But that extra security comes with a trade-off in usability.
Quote:
Hardly the same situation as the access to the iPhone was limited, the sequence cumbersome, and passwords to other sites blocked anyway. Plus Apple fixed it.
Didn't I just say all that? Except for the part where it was fixed.
What I'm talking about is the huge problem the fandroids made it out to be. And on many tech blogs today they're now trying to play this down as a minor issue. Again the usual hypocrisy from the haters.
Comments
Quote:
Originally Posted by EricTheHalfBee
Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.
Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access" that was required for the iPhone security flaw?
Big difference. Here they have access to all of your passwords on your computer. The iPhone flaw was quickly fixed as well. Google doesn't seem to think this is a problem. That is a problem in and of itself.
I suppose no one remembers the Safari auto form fill exploit that could steal your entire address book in seconds. That was back in July 2010.
I'm sure Google will fix this flaw next update.
That is what security researchers do. They find flaws and then they get fixed.
More click bait for the frothing Google haters.
I probably speak for many when I say:
"Huh?"
Quote:
Originally Posted by mstone
I suppose no one remembers the Safari auto form fill exploit that could steal your entire address book in seconds. That was back in July 2010.
I'm sure Google will fix this flaw next update.
That is what security researchers do. They find flaws and then they get fixed.
Except they said it's not a flaw and why bother.
Quote:
Hardly the same situation as the access to the iPhone was limited, the sequence cumbersome, and passwords to other sites blocked anyway. Plus Apple fixed it.
Indeed. "If you've got something to hide, maybe you shouldn't be doing it in the first place"
Quote:
Originally Posted by SockRolid
Much of computer security is "mostly just theater" anyway. And the show must go on.
Just put up some UI for the user's system password before you display web passwords.
Too busy to do even that much? Or is there some kind of ideological roadblock?
The ideological roadblock is there because YOU are not Google's customer... You are its product. Never lose sight of this distinction.
Quote:
Originally Posted by PhilBoogie
Indeed. "If you've got something to hide, maybe you shouldn't be doing it in the first place"
What? Like accessing your banking information from your computer? Get a brain!
Um, he was quoting creepy Eric as well.
Me, or Eric?
[edit] pipped by jungmark
"I once set my password to 'penis', but it was too short."