Two-step authentication: a necessity for secure webapps

21 June, 2011 § 2 Comments

Recently, my girlfriend's Gmail account showed that it had been accessed from Poland, France, and the United States, all within a couple hours of each other. This breach of security was horrifying, and pointed out how easy it can be for someone to access another person's account.

We’re not sure how her password leaked. Maybe it was through a phishing site or some malware/key logger on her machine. But that was neither here nor there. The plain fact is that her account was granting access to unknown parties without her permission.

Not too long ago, Google announced 2-step verification for Gmail. With 2-step verification, the user logs in with their password, and then enters in a code that was obtained using their mobile phone. A friend of mine also uses a similar procedure for his World of Warcraft account.

I’ve signed up for 2-step authentication as well, and don’t mind the subtle inconvenience. If you are a Gmail user, you should try it out today.

Features like these make account security much stronger, and it is time that more secure websites start offering it (especially online banking).

What happened to Google SMS?

5 February, 2011 § 1 Comment

I’ve been using Google SMS now for a couple years. It allows users of “feature-phones” basic access to some of the luxuries that smart-phone users get.

Google SMS Search is accessible by sending a text message to 466453. It’s free and quick.

For instance, sending a message ncaab michigan state would reply with:

Basketball: NCAA
Michigan State Spartans (13-9)
Last game: Feb 2, Iowa Hawkeyes 72 - Michigan State Spartans 52
Next game: @ Wisconsin Badgers, Feb 6 1:00pm ET

Tip: get phonebook entries: send HELP PHONEBOOK to learn more.

This works great, providing up-to-date sports scores, local listings, and more. Lately I’ve been getting odd results when doing sports searches:

Here’s what I saw today when sending the same message ncaab michigan state:

Did you mean 'NCAAF michigan state'?

Basketball: NCAA
Michigan State Spartans (13-9)
Last game: Feb 2, Iowa Hawkeyes 72 - Michigan State Spartans 52
Next game: @ Wisconsin Badgers, Feb 6 1:00pm ET

Tip: get phonebook entries: send HELP PHONEBOOK to learn more.

No, I didn’t want football scores. In fact, college football is out of season. According to the command HELP SPORTS:

For EU Football and NBA/NHL/NFL/MLB scores and schedules, 
type SCORE and team name (ex: 'SCORE Arsenal', 'SCORE red sox').

For NCAA sports, enter NCAAB (basketball) or NCAAF (football)
and team name (ex: 'NCAAB Duke', 'NCAAF USC'). No results for sports 
not in season.

So yes, I didn’t get results for a sport not in season. But the response that I got is pretty awkward. In the traditional Google search, when you get a “Did you mean…”, it will usually auto-correct your search for you and return those results. In this case, it didn’t auto-correct my search.

So what happens if I do send a message with NCAAF michigan state?

Local listings:
State of Michigan: Branch Offices
400 Albert Avenue
East Lansing
1 (888) 767-6424

Tip: check flight status; send HELP FLIGHT to learn more.

Weird huh? All of this used to work as prescribed. I wonder what has happened?

Google I/O 2011: No love for Academia?

2 February, 2011 § 3 Comments

Reading blogs on the web would make one believe that attendees of last year’s Google I/O conference are allowed to register January 31, a week before general registration opens.

Yet a couple days ago I received an email telling me to “mark my calendar for February 7th, when general registration will open.”  Last year I attended the conference using the Academia discount, and as far as I can tell, the Academia discount is the reason why there is no preference.

Why isn’t Google showing appreciation to their peers in academia?

Don’t be evil? Google Street View’s ulterior motives

26 January, 2011 § 1 Comment

You may have used Google Street View before. Street View is a service that allows you to walk around cities as if you were standing right there in the street.

Did you hear about Google “accidentally” collecting personal information from wireless networks? In May, 2010, Google made public that their street view cars had accidentally collected data from wireless networks. Spain and Canada have been threatening fines, and now Google has this to say:

Google still intends to offer location-based services, but does not intend to resume collection of WiFi data through its Street View cars. Collection is discontinued and Google has no plans to resume it.

That’s a very interesting quote considering the Reuters article had said that this was a mistake. The quote makes the WiFi data collection sound intentional; however, they will continue their “location-based services”.

These location-based services allow websites to provide special targeted advertisements or targeted content based on where you are located. A couple years ago this meant that they would use your computer's IP address to see what city you were located in.

Now with Google’s location-service, they can get within 30 feet of your actual location.

When the street view cars were driving around your neighborhood, they weren’t just taking pictures. They were also collecting wireless SSID and signal strength data. Using triangulation, they can now determine exactly where you are sitting.

If you are connected to the internet with a wired connection the accuracy will be low, but on wireless it is stunning.

Moral of the story: Things aren’t always what they seem at first. While all the world’s data may be great when you’re working on a research paper, it can also be frightening for privacy.

Protecting your open source project from poisonous people

25 January, 2011 § 1 Comment

This previous Thursday I attended a talk by Brian “Fitz” Fitzpatrick of Google on “How to Protect Your Open Source Project from Poisonous People”. Brian started Google’s Chicago Engineering office in 2005 working as an engineer on Google Code. He now leads several of Google’s Chicago engineering efforts, including Google Code, the Data Liberation Front, and the Google Affiliate Network. He also serves as internal advisor for Google’s open source efforts.

Brian started off the talk by recommending “Producing Open Source Software”, a free book written by Karl Fogel. I’ve added the book to my future reading list, and will try to take it in once the semester ends.

A lot of students within Computer Science think that the hardest part about making software is inventing algorithms or finding ways to use obscure data structures for improved performance. As someone who has worked within industry now for a few years, I immediately knew where he was going with this. I agreed with Brian when he said that the actual hardest problem is working with other people.

Poisonous people on a project can make others leave and cause fighting over little things. To reduce this problem, you’ll want to build a strong community based on politeness, respect, trust, and humility. If a person joins on to the project and is causing a disruption of some sort, it is best to identify behaviors and address them the best way you can. Notice there that addressing behaviors is the goal, not addressing people.

Addressing behaviors vs. addressing people comes up in a lot of conflict resolution scenarios, and often the importance of it is overlooked. Jay Smooth describes a very similar scenario very well.

Brian also recommended defining a mission for the project. As he said, if the mission isn’t already defined, someone else will define it for you.

Feel free to read the rest of my notes from the talk as I’ve typed them up on a Google Doc.
