maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Off Topic (https://talk.maemo.org/forumdisplay.php?f=19)
-   -   My gmail account has been hacked - I am pretty sure it's related to the N900 somehow (https://talk.maemo.org/showthread.php?t=56656)

ndi 2010-06-25 22:36

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by gerbick (Post 729473)
This thread has made me rotate my passwords on all of my online accounts.

And that's why I always have tier passwords. Depending on how sensitive accounts are, I have about 5 passwords I use downwards from oh-God-if-they-get-in-I'm-ruined to meh-so-what-you-can-have-it. Reusing balanced with security.

Which reminds me, if you see me suddenly posting odd stuff, please reset my password to "blubbers". :D

Finally, I like/hate the idea of OpenID. If anyone can get into the loop at some point I'm doomed. The only thing I've got through OpenID is very low-level stuff, tier 4 and 5. At tier 3, only one person knows my password, and it's dictionary-proof. At tier 2, I have a single password nobody knows. At tier 1, I use a long password combined with special chars when limited, and hardware-assisted login when not (I carry a card and a digital token at all times).

juise- 2010-06-25 22:50

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by ndi (Post 729624)
Finally, I like/hate the idea of OpenID. If anyone can get into the loop at some point I'm doomed.

You could still use multiple OpenIDs.

Also, you could use more advanced authentication methods with OpenID, e.g. some multi-factor authentication like those Verisign pseudo-RNG-dongles.

I've been toying with the idea of writing my own OpenID provider that would require me to approve account access from my N900.

CrashandDie 2010-06-25 23:49

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by juise- (Post 729641)
like those Verisign pseudo-RNG-dongles.

They have nothing to do with Random Numbers.

Rather, the value is specifically computed every time you actually ask it to do so (VeriSign doesn't implement Time counters, but others do, which is far more secure).

Try to imagine that you have a 3DES key, and every time you press the generation button, the Event Counter is incremented, and you generate a new 3DES key from the Event Counter and the previous 3DES key. With this key, you can generate an OTP, which is then sent to the server for authentication.

They are really, far, far more than simple RNGs; so no need to try and simplify them in that way.

Source: I work in the industry.

fw190 2010-06-26 07:53

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Recently I tried the multi calendar widget just to see what it is. Because I didn't like it after a few minutes of testing, I decided to uninstall it. The process was going OK, but suddenly I saw that it was downloading and installing something. Later I saw another widget in the app manager - eve on-line. I don't like the idea that something is being installed on my phone without my permission. I'm starting to lose faith in those community applications. How can I know that it is not recording my bank account password somewhere?

Tomaszd 2010-06-26 09:27

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by fw190 (Post 729917)
Recently I tried the multi calendar widget just to see what it is. Because I didn't like it after a few minutes of testing, I decided to uninstall it. The process was going OK, but suddenly I saw that it was downloading and installing something. Later I saw another widget in the app manager - eve on-line. I don't like the idea that something is being installed on my phone without my permission. I'm starting to lose faith in those community applications. How can I know that it is not recording my bank account password somewhere?

Thank you, it means I'm not crazy! Please comment here and paste anything you have in the Application Manager log.

juise- 2010-06-26 10:07

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 729689)
They are really, far, far more than simple RNG's; so no need to try and simplify them in that way.

Sorry, I didn't intend to offend anyone, I just couldn't remember any product names at the time of writing. Simply attempting to communicate my point.

But, let me try to justify my choice of words:
(a) To an external observer, those numbers should look random, if it's being done properly.
(b) But it's obvious that they cannot be truly random, otherwise they couldn't contain information. Thus, pseudo-random.

CrashandDie 2010-06-26 10:32

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
@Tomaszd and fw190:

Could you please clarify something for us. Which repository are these applications coming from? Can you specify versions?

Thanks.

ndi 2010-06-27 18:23

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 729689)
Rather, the value is specifically computed every time you actually ask it to do so (VeriSign doesn't implement Time counters, but others do, which is far more secure).

I have one of those, it computes a reply from the challenge request from the server and internal clock (and PIN), meaning that the password is only valid that minute (among other things). They do have the drawback of time desync. If I don't use it often enough, clocks desync and I have to call them.

Quote:

Originally Posted by juise- (Post 729641)
I've been toying with the idea of writing my own OpenID provider that would require me to approve account access from my N900.

Heh, me too, but while it does provide nice security, it has the disadvantage of having no more protection from spoofing of the OID provider; plus, if the N900 dies, no more login. More break points.

Ideally, I shouldn't keep my passwords online. But there's so many of them! Right now, I have 84 stored user/password combos, and those don't even include VPN, VNC, FTP and Tier 1 and 2.

When forums support OpenID across the board, we'll have a lot fewer of these. Most don't.

CrashandDie 2010-06-27 20:29

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by ndi (Post 731719)
I have one of those, it computes a reply from the challenge request from the server and internal clock (and PIN), meaning that the password is only valid that minute (among other things). They do have the drawback of time desync. If I don't use it often enough, clocks desync and I have to call them.

No. When you use it in async mode (challenge/response), then there is absolutely no use of the internal clock. It can be that the authentication server only allows a specific challenge for a specific length of time.

The whole point of challenge/response is that you can use any challenge. Obviously, competitors to the company I used to work for may have implemented new algorithms, but there is no security value in having time-bound Challenge/Responses.

One way of testing this is to use your token, and hence get a challenge. Then wait 10 minutes, and replay the challenge again. It should output the same[1] response.

[1]: CR also suffers from key decay. What I mean by this is that because it is impossible to know what challenges have been provided to the device, it is also impossible to compute further values of the response (hence the futility of time-based CR).

If you want, I can go into much further detail of the algorithms. Three months have passed, so I'm legally allowed to disclose stuff now.

ndi 2010-06-27 20:38

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 731873)
No. When you use it in async mode (challenge/response), then there is absolutely no use of the internal clock. It can be that the authentication server only allows a specific challenge for a specific length of time.

Could be. It has 2 modes:

* Login: I input user name (set) and a password. The password is given by a token, after entering PIN. However, if I generate a password, wait for 60 seconds, then enter the password, it will not work. If I don't use it enough, it desyncs, and I need to call them to allow me one time-ignorant login. Once that happens, it works again. I have no other explanation than the fact that the token has an internal clock it uses.

* Transaction: Site gives me a random number (challenge). I press the signature button on the device, input the number, then it gives me a similar number. I enter that into the site and the transaction goes through. If I delay, it does not go through, and it re-issues me a different challenge. It could be timed, it could be clock based, I can't tell because in order to sign you have to log in, so time is sync.


Quote:

Originally Posted by CrashandDie (Post 731873)
If you want, I can go into much further detail of the algorithms. Three months have passed, so I'm legally allowed to disclose stuff now.

I don't need the info, but as a programmer not only by job but by sheer passion, I'd love the insight.
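
The three token behaviours discussed in this thread (CrashandDie's event-counter OTP, the time-based "login" mode with clock desync that ndi describes, and the challenge/response "transaction" mode where replaying the same challenge yields the same response) can be compared side by side in code. The block below is an added example for this thread and is not code from VeriSign, from the company CrashandDie worked for, or from any product either poster owns; it stands in for the 3DES key chaining described above with the HMAC-SHA1 counter construction of RFC 4226/6238 (HOTP/TOTP), which is the same idea (seed plus counter, or seed plus time step, run through a keyed function and truncated to digits). The seed is the published RFC 4226 test seed, the server look-ahead window of 10 presses and the one-step clock skew allowance are assumptions, and the `EventServer` class and `demo()` function are hypothetical names.

```python
import hashlib
import hmac
import struct

# Constructed example seed: the RFC 4226 test vector seed "12345678901234567890".
# A real token carries a per-device seed that the issuer also stores server-side.
SEED = bytes.fromhex("3132333435363738393031323334353637383930")


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226 section 5.3: pick 4 bytes at an offset
    chosen by the low nibble of the last MAC byte, mask the sign bit, take digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: the output depends only on the seed and an event counter
    that advances each time the button is pressed. No clock is involved."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the current time step, so the token needs
    a clock and the code stops validating once the step (plus any allowed skew) passes."""
    return hotp(seed, now // step, digits)


def challenge_response(seed: bytes, challenge: str, digits: int = 8) -> str:
    """Challenge/response: neither clock nor counter. The response is a pure
    function of seed and challenge, so the same challenge always gives the same response."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha1).digest()
    return _truncate(mac, digits)


class EventServer:
    """Server-side state for an event-based token (hypothetical name).
    Tracks the next expected counter and tolerates a few unused button presses."""

    def __init__(self, seed: bytes, look_ahead: int = 10):  # window size is an assumption
        self.seed = seed
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1  # resync to the token and block replay of this code
                return True
        return False  # token has drifted past the window: needs out-of-band resync


def verify_totp(seed: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and `skew` neighbouring steps to tolerate small clock drift."""
    return any(hmac.compare_digest(totp(seed, now + d * step, step), code)
               for d in range(-skew, skew + 1))


def demo() -> dict:
    """Walk through the behaviours discussed in the thread and return the outcomes."""
    results = {}
    server = EventServer(SEED)
    token_counter = 0                      # the token's own press counter

    code = hotp(SEED, token_counter); token_counter += 1
    results["event_first_use"] = server.verify(code)        # accepted
    results["event_replay"] = server.verify(code)           # same code again: rejected

    token_counter += 5                     # five presses whose codes were never entered
    code = hotp(SEED, token_counter); token_counter += 1
    results["event_after_skipped"] = server.verify(code)    # inside look-ahead: resyncs

    token_counter += 20                    # far more unused presses than the window
    code = hotp(SEED, token_counter); token_counter += 1
    results["event_beyond_window"] = server.verify(code)    # rejected: call the helpdesk

    now = 1111111109                       # fixed instant (RFC 6238 test time), constructed
    code = totp(SEED, now)
    results["time_now"] = verify_totp(SEED, code, now)          # valid in its window
    results["time_after_60s"] = verify_totp(SEED, code, now + 60)  # expired after waiting

    chal = "483920"                        # constructed challenge from the "site"
    results["cr_same_after_delay"] = (
        challenge_response(SEED, chal) == challenge_response(SEED, chal)
    )                                      # delay is irrelevant without a clock input
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `time_after_60s` case is what ndi observes in login mode, and `event_beyond_window` is the "token desynced, call them for a one-off login" situation on an event-counter token: the server can only search a bounded window of future counters because, as CrashandDie notes for challenge/response, it cannot know how many times the device was exercised without the results reaching it. Note that `verify` also moves the server counter forward on success, which is what stops a captured code from being replayed.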

