Monthly Archives: June 2011

Does Google’s multi-factor authentication make your security weaker?

A few months back Google introduced “2-step verification” for all Google accounts.  This amounted to multi-factor authentication (something you know (password) and something you have (token)) for all web-based Google applications.  Cool, right?  They created an app for Android, iPhone, and BlackBerry devices that acts like a token, and if you don’t have one of these devices Google can just send you a code via a text message for you to use to log in.  Okay so far?

Up until this point I’d say that Google has done a pretty good job on this implementation.  Of course we haven’t included those users that access their Google accounts via a third-party program (Thunderbird for email, their Android device, maybe some plug-in for Blogger, etc).  These programs don’t have a mechanism for logging in with multi-factor authentication.  Google thought about this and created application passwords that you can use for a program to gain access without using a token.  The passwords appear to be sixteen randomly generated numbers and letters and cannot be viewed after they have been viewed that first time.

This is an interesting concept.  Essentially you have many keys that now fit the same lock.  Lose control of one of those keys and you can simply nullify the key remotely.  So far so good?  Well, what you have also done is increase the number of keys that can get access to your system.  If a brute force attack were done against a Google account before 2-step verification was enacted, the security was up to the user’s password strength.  Now an attacker has multiple chances to gain access to the same lock because there are many more keys available.

I would like to point out that sixteen-character passwords are a lot better than most people’s passwords, which average eight characters or less.  But is having more keys to the lock (and knowing characteristics about that key) more of a security problem than what is being used without the 2-step verification?  I guess time will tell.  I would like to point out that I don’t have a better solution to the third-party application issue.  Perhaps some sort of machine-readable token?
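The trade-off described in this post, modelled as an added example (not Google's implementation and not code from the original post): a store that issues sixteen-character application passwords, shows each one once, revokes them one at a time, and reports the guessing cost when several are active. The alphabet (lowercase letters and digits), the SHA-256 storage and every name below are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumption: lowercase letters and digits; the post only says "numbers and letters".
ALPHABET = string.ascii_lowercase + string.digits
LENGTH = 16


class AppPasswordStore:
    """Hypothetical per-account store: many keys for one lock, each revocable."""

    def __init__(self):
        self._hashes = {}  # label -> SHA-256 digest of a high-entropy random secret

    def issue(self, label):
        # The plaintext is returned once and never stored, so it cannot be viewed again.
        secret = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        self._hashes[label] = hashlib.sha256(secret.encode()).digest()
        return secret

    def revoke(self, label):
        # Nullifies one key without touching the other keys or the main password.
        return self._hashes.pop(label, None) is not None

    def verify(self, candidate):
        digest = hashlib.sha256(candidate.encode()).digest()
        # Check every stored digest, each with a constant-time comparison.
        return any([hmac.compare_digest(digest, h) for h in self._hashes.values()])

    def active(self):
        return len(self._hashes)


def effective_bits(active_keys, alphabet=len(ALPHABET), length=LENGTH):
    """Bits of work to hit ANY of `active_keys` distinct random keys by guessing."""
    if active_keys < 1:
        raise ValueError("at least one active key is required")
    return length * math.log2(alphabet) - math.log2(active_keys)


def password_bits(length, alphabet):
    """Upper bound for a user-chosen password, assuming it is uniformly random."""
    return length * math.log2(alphabet)
```

Under these assumptions, five active application passwords lower the guessing cost from about 82.7 bits to about 80.4 bits, compared with a ceiling of about 52.6 bits for a fully random eight-character password drawn from 95 printable characters.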

Creative Commons License
Sparks’ Fedora Project Journal by Eric H Christensen is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

SouthEast LinuxFest – Day 3

Southeast LinuxFest Day Three started off with a… headache.  Not a hangover but one of those random migraines that I’ve been trying to ward off with medications.  It wasn’t debilitating but it was annoying enough to keep me out of the Puppet Labs class.

I was able to hack on the Fedora Documentation Guide a bit more and visit with some other Fedorians before they left for the airport or the Failvan.  I talked with Jim and his wife (sorry, I’m horrible with names) from Sudo Make Coffee for a while (they are both entertaining people).  Joat and I decided to leave a little early so after syncing all my documentation repositories and my email (thank you offlineimap) we headed out on the open road, Virginia-bound.

On the way home I was able to tinker with the Documentation Guide more but was having problems with Publican building the chapter I was working on.  Headache and fatigue hid the problem from my view so after activating the MiFi I committed the code to git and requested help on the Docs list.

We arrived back in southeastern Virginia just in time for the storms to come in and start dumping rain.  Funny enough, it rained just long enough for me to exit Joat’s car, grab my stuff, and make it into my truck.  Then, of course, it stopped raining allowing me to make it most of the way home without seeing another drop.  Go figure.

Hope everyone made it home unscathed and perhaps everyone can catch up on their lost sleep.  I will be doing the same in about five minutes as I’m sure I have a full day planned for tomorrow.

Thanks to the SouthEast LinuxFest staff and volunteers for making yet another successful, educational, and entertaining conference (you can go to sleep, now, David).  I certainly hope to be in attendance next year.  Next up, Ohio Linux Fest!

SouthEast LinuxFest – Day 2

Day two at SouthEast LinuxFest (SELF) began way too early as I had not received enough sleep.  Of course this is a Linux conference; who really gets enough sleep during these things?

Ben had already set up the Fedora table in the conference area of the hotel so I helped with answering the questions of passers-by and handing out the F14 media that no one really wanted because “didn’t you just release F15?”.  Of course we had just released F15 a couple of weeks before but the media that had been ordered had decided to vacation in Salt Lake City at a UPS distribution center.  Ben had checked and noticed that it was on the way but he was wary as to whether it was going to arrive before we left.  Luckily the hotel called him around 10AM to say that UPS had just delivered a box for him at the front desk and F15 media was put on the table for everyone to procure.  I was able to snag a few copies of each DVD (32-bit installation, 64-bit installation, and the cool new multi-desktop 32/64-bit live DVDs) for my LUG (TWUUG).

There were several talks I wanted to attend.  One was “Intro to Puppet” as I have high hopes of installing several VMs at home that I want to not have to individually manage and with the number of servers at work continuing to increase perhaps I can learn something that I can use to make my life easier there as well.  After the introduction I have to say that I really like what Puppet does and I hope to work with it at home in hopes that I will become competent enough to roll it out at work.  Only problem is that you have to build your servers from scratch with Puppet as it won’t go out to an existing server and help bring them under control.

Another great talk was given by Thomas Cameron of Red Hat.  The topic was SELinux (one of my favorite tools in Linux) and he did an excellent job explaining how to make SELinux work for you instead of fighting you.  I’m going to have to see if my notes make any sense as he was throwing out so much information that was noteworthy and I’m sure there is no order to my writing.

I find that keynote speakers are always very interesting and entertaining to listen to so I try not to miss their talks.  Spot kept this tradition up with his talk on how we all fail a little and how we can get better when working with FOSS projects (his talk was derived from a blog post he made in May of 2009).  Tom, I only have one word to say to you about your presentation… Cloud!

The rest of the day was spent talking with users and contributors, getting ideas for my next big project, answering questions that people had about Fedora and documentation (Linux and Fedora), and just generally socializing.  Around supper time a gang (or is it a flock?) of us ventured out on the streets and descended upon “A Taste of Spartanburg”.  After realizing that none of us really had enough cash to get more than a sampling of food we turned our attention to one of the nearby restaurants.  An Irish pub was selected and after putting two long tables together we consumed food and beverages before heading back out on the streets.

After returning to the hotel Jared and I decided that hacking on some documentation was more our speed.  Deciding to resurrect the Documentation Guide we wrote up an outline, attempted to pull anything useful from the previous guide that was many years old, and started populating the chapters.  Somewhere around one o’clock in the morning we decided that we had done enough damage and headed to bed.  It was probably a good thing as reviewing what I had written showed that I was mostly asleep during the last few sections of text.

SELF Day Two was definitely productive and is why I enjoy going to these conferences.

Southeast LinuxFest – Day 1

Day 1 of SELF was quite busy.  Several Fedorians met for a FAD to discuss FUDCon finances.  Ideas were hammered out and Max or Jared or … should be posting details on that later.

After the finance talk, Jared and I got together and started hashing out a framework on the new Fedora Cloud Guide (git).  This guide will be out later this weekend with at least a framework.

I attended Paul’s talk on PyGObject.  Since Python is on my to-do list I was quite interested in the discussion.  Paul explained in great detail how to use PyGObject to create the UI (it’s XML!) for a Python program and how to hook it into your code.

Later, more discussion regarding Docs processes was had.  Working to integrate a QA process into the Docs products has always been an important task that I’ve wanted to see implemented and I’m hoping that this weekend’s discussions, and those on the Docs list, will lead to a formal QA process.

Later in the evening I met up with several friends and hung out.  The social aspect of these conferences shouldn’t be minimized as I generally get more ideas during these discussions than at any other time.  My only problem with these social contacts is that I rarely have time to take this information and put it into products within a sane amount of time.  I’ll try to do better, though.

Southeast LinuxFest – Day 0

Joat and I left Virginia around 1PM this afternoon and made the drive down to Spartanburg for Southeast LinuxFest.  Officially starting on Saturday, we came down a little early for classes that are happening on Friday and the FAD that I’ll be participating in.  I’m also hoping to get some face time with some Fedorians as well.

Not much happening tonight so I’ll write more about what’s happening tomorrow.
