* Re: [Lsf] [Lsf-pc] hello
From: Lukáš Czerner @ 2013-07-24  6:34 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: linux-fsdevel

On Tue, 23 Jul 2013, Theodore Ts'o wrote:

> Date: Tue, 23 Jul 2013 14:56:56 -0400
> From: Theodore Ts'o <tytso@mit.edu>
> Subject: Re: [Lsf] [Lsf-pc] hello
> 
> Here's a follow up as to what happened with the spam mail coming from
> Google accounts:
> 
> https://productforums.google.com/forum/#!msg/gmail/FhMk1Tu4CGE/xghiUoQrnOUJ
> 
> I strongly encourage people to enable two-factor authentication and to

I was trying to use it, but Google insists on giving them my phone
number and I do not want to do that. Is there a way to bypass that?

> avoid using the same passwords across multiple web sites (you can use
> password management systems such as LastPass or KeePass to help).

Or gnupg.vim plugin and pwgen :)

Thanks!
-Lukas


> 
> Cheers,
> 
> 					- Ted
> _______________________________________________
> Lsf mailing list
> Lsf@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lsf
> 


* Re: [Lsf] [Lsf-pc] hello
From: James Bottomley @ 2013-07-24 14:23 UTC (permalink / raw)
  To: Lukáš Czerner; +Cc: Theodore Ts'o, linux-fsdevel

On Wed, 2013-07-24 at 08:34 +0200, Lukáš Czerner wrote:
> On Tue, 23 Jul 2013, Theodore Ts'o wrote: 
> > Here's a follow up as to what happened with the spam mail coming from
> > Google accounts:
> > 
> > https://productforums.google.com/forum/#!msg/gmail/FhMk1Tu4CGE/xghiUoQrnOUJ
> > 
> > I strongly encourage people to enable two-factor authentication and to
> 
> I was trying to use it, but Google insists on giving them my phone
> number and I do not want to do that. Is there a way to bypass that?

Yes, just to emphasise, the phone number thing is completely unviable
for me as well.  They want to send you a code every time you log on.
It's founded on the assumption you have a single number that can reach
everywhere, which obviously doesn't work when you're travelling.

I thought they had something which used the google authenticator app?
Which can generate the codes without needing an active cell connection.

James



--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [Lsf] [Lsf-pc] hello
From: Theodore Ts'o @ 2013-07-24 14:49 UTC (permalink / raw)
  To: James Bottomley; +Cc: Lukáš Czerner, linux-fsdevel

On Wed, Jul 24, 2013 at 07:23:23AM -0700, James Bottomley wrote:
> 
> Yes, just to emphasise, the phone number thing is completely unviable
> for me as well.  They want to send you a code every time you log on.
> It's founded on the assumption you have a single number that can reach
> everywhere, which obviously doesn't work when you're travelling.
> 
> I thought they had something which used the google authenticator app?
> Which can generate the codes without needing an active cell connection.

There is a google authenticator app.  Having the codes sent via SMS is
an option, but it's certainly not the only way to use 2 factor
authentication.

It's been a while since I've done the 2FA signup flow, but I believe
they had streamlined it a bit to make it easier to use.  It may have
been that one of the ways the 2FA signup flow was streamlined was to
assume that everyone would have a cell phone which was SMS-capable,
but not everyone would have an Android phone.  But after you enable
2FA, it is definitely possible to set it up to use the android
application.

Also, you don't need to enter the code every single time you log in,
at least not for consumer accounts.  You can specify that this is a
trusted machine; if you do this, then after you enter the code, a 2FA
authentication cookie which is good for 30 days is set on your
browser, and you don't need to enter the code again subsequently.  On
the other hand, if you're one of the people who are
carefree^H^H^H^Hless to be willing to log in on kiosk machines, or in
general on any machine which you don't personally control, you can
simply leave the check box unchecked, and the 6-digit code will only
be good for that particular login session.

You may have noticed Google employees needing to enter a code much
more frequently, and it may be that if you are using an enterprise
Google account, your enterprise I/T manager can set different policies
for enterprise accounts.  But what I've described above is the case for
all consumer accounts --- you do have the option of using a Google
Authenticator application, which is available for Android and iOS
devices, which generates an RFC-6238 compliant time-based TOTP code;
and you have the option of designating the browser and the computer
which it is running on as trusted, in which case you only need to do the
2FA authentication procedure every 30 days.

Cheers,

						- Ted


* Re: [Lsf] [Lsf-pc] hello
From: Lukáš Czerner @ 2013-07-25 10:03 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: James Bottomley, linux-fsdevel


On Wed, 24 Jul 2013, Theodore Ts'o wrote:

> Date: Wed, 24 Jul 2013 10:49:20 -0400
> From: Theodore Ts'o <tytso@mit.edu>
> To: James Bottomley <James.Bottomley@hansenpartnership.com>
> Cc: Lukáš Czerner <lczerner@redhat.com>, linux-fsdevel@vger.kernel.org
> Subject: Re: [Lsf] [Lsf-pc] hello
> 
> On Wed, Jul 24, 2013 at 07:23:23AM -0700, James Bottomley wrote:
> > 
> > Yes, just to emphasise, the phone number thing is completely unviable
> > for me as well.  They want to send you a code every time you log on.
> > It's founded on the assumption you have a single number that can reach
> > everywhere, which obviously doesn't work when you're travelling.
> > 
> > I thought they had something which used the google authenticator app?
> > Which can generate the codes without needing an active cell connection.
> 
> There is a google authenticator app.  Having the codes sent via SMS is
> an option, but it's certainly not the only way to use 2 factor
> authentication.
> 
> It's been a while since I've done the 2FA signup flow, but I believe
> they had streamlined it a bit to make it easier to use.  It may have
> been that one of the ways the 2FA signup flow was streamlined was to
> assume that everyone would have a cell phone which was SMS-capable,
> but not everyone would have an Android phone.  But after you enable
> 2FA, it is definitely possible to set it up to use the android
> application.

Problem I've got is that in order to enable 2FA I need to go through
a series of steps the first one of which is to send me a Google
Authenticator application, even though I already have this installed
on my phone. And apparently they want to send a link to me via sms.
I do not see any way around that unfortunately. So to me this really
looks like a cheap way to get my phone number (which is not the
first attempt from Google I have to say).

Enabling this from the GA application does not seem to be possible
as it tells me to look at the accounts.google.com/security which
takes me back to what I've described earlier. It is quite annoying
:)

-Lukas

> 
> Also, you don't need to enter the code every single time you log in,
> at least not for consumer accounts.  You can specify that this is a
> trusted machine; if you do this, then after you enter the code, a 2FA
> authentication cookie which is good for 30 days is set on your
> browser, and you don't need to enter the code again subsequently.  On
> the other hand, if you're one of the people who are
> carefree^H^H^H^Hless to be willing to log in on kiosk machines, or in
> general on any machine which you don't personally control, you can
> simply leave the check box unchecked, and the 6-digit code will only
> be good for that particular login session.
> 
> You may have noticed Google employees needing to enter a code much
> more frequently, and it may be that if you are using an enterprise
> Google account, your enterprise I/T manager can set different policies
> for enterprise accounts.  But what I've described above is the case for
> all consumer accounts --- you do have the option of using a Google
> Authenticator application, which is available for Android and iOS
> devices, which generates an RFC-6238 compliant time-based TOTP code;
> and you have the option of designating the browser and the computer
> which it is running on as trusted, in which case you only need to do the
> 2FA authentication procedure every 30 days.
> 
> Cheers,
> 
> 						- Ted
> 


* Re: [Lsf] [Lsf-pc] hello
From: James Bottomley @ 2013-07-25 15:55 UTC (permalink / raw)
  To: Lukáš Czerner; +Cc: Theodore Ts'o, linux-fsdevel

On Thu, 2013-07-25 at 12:03 +0200, Lukáš Czerner wrote:
> On Wed, 24 Jul 2013, Theodore Ts'o wrote:
> 
> > Date: Wed, 24 Jul 2013 10:49:20 -0400
> > From: Theodore Ts'o <tytso@mit.edu>
> > To: James Bottomley <James.Bottomley@hansenpartnership.com>
> > Cc: Lukáš Czerner <lczerner@redhat.com>, linux-fsdevel@vger.kernel.org
> > Subject: Re: [Lsf] [Lsf-pc] hello
> > 
> > On Wed, Jul 24, 2013 at 07:23:23AM -0700, James Bottomley wrote:
> > > 
> > > Yes, just to emphasise, the phone number thing is completely unviable
> > > for me as well.  They want to send you a code every time you log on.
> > > It's founded on the assumption you have a single number that can reach
> > > everywhere, which obviously doesn't work when you're travelling.
> > > 
> > > I thought they had something which used the google authenticator app?
> > > Which can generate the codes without needing an active cell connection.
> > 
> > There is a google authenticator app.  Having the codes sent via SMS is
> > an option, but it's certainly not the only way to use 2 factor
> > authentication.
> > 
> > It's been a while since I've done the 2FA signup flow, but I believe
> > they had streamlined it a bit to make it easier to use.  It may have
> > been that one of the ways the 2FA signup flow was streamlined was to
> > assume that everyone would have a cell phone which was SMS-capable,
> > but not everyone would have an Android phone.  But after you enable
> > 2FA, it is definitely possible to set it up to use the android
> > application.
> 
> Problem I've got is that in order to enable 2FA I need to go through
> a series of steps the first one of which is to send me a Google
> Authenticator application, even though I already have this installed
> on my phone. And apparently they want to send a link to me via sms.

Yes, I did try this on my sip based land line using a voice call ... it
doesn't actually work; at least it never gave me the call back.

> I do not see any way around that unfortunately. So to me this really
> looks like a cheap way to get my phone number (which is not the
> first attempt from Google I have to say).
> 
> Enabling this from the GA application does not seem to be possible
> as it tells me to look at the accounts.google.com/security which
> takes me back to what I've described earlier. It is quite annoying
> :)

I think the crux of the problem is that Google believes you're using
gmail, so they don't think you have an email they could send password
recovery to.  There's probably a small minority of us who already had
functional email accounts, thank you very much, and have tried very hard
to disable the gmail account google forces down your throat with
android.

The usual rule of security is that if you want people to do it, you make
it easy.  This isn't easy (or, in some cases, possible) by any means.

It's perfectly simple: I don't mind Google collecting the phone numbers
of people who want to give them up (or have one number to give).
However, I want account recovery and setup done by email to the address
I control not by phone because I almost always have access to email when
travelling and don't usually have access to a pre defined phone number
(except the internet one which google just failed to deliver the notice
to).

James

