Edit: This is still an issue, attackers still get in and we still need better security and intrusion protection.
Originally posted June 1, 2011 on AIXchange
As I wrote recently, I remotely access machines regularly, whether I’m logging in directly or using a tool like webex to observe or help others with their server configurations.
Given my reliance on remote access, I have an opinion about virtually every option out there. For instance, RSA tokens: It can be a pain if the physical token is in another location when you need to log in to a server, but it’s still a step forward. And the more recent advent of RSA software is another step forward. This way you don’t have to worry about transporting (or forgetting to pack) a physical RSA token. Either way, with RSA, no one else can gain access without knowing the password and having access to the token or the laptop running the software. (Assuming, of course, that the RSA breach earlier this year didn’t compromise the entire system – see here, here and here.)
In contrast, while I have used Gmail, and I do like it, I worry about someone gaining access to my account and deleting and copying my mail. If someone gets my Google password, it’s game over. That hacker could log in from anywhere and do anything. It does happen. I read about a Gmail user who logged into his account and discovered all of his e-mail had been deleted. Even after he verified his identity, Google could only restore a small fraction of his mail. His data was gone. I recently enabled two-factor authentication for my Google account (see here).
While I’ve not had any issues with it, this reviewer found it difficult to manage with the myriad Google apps he was using. So your experience could be different from mine. In my case it was straightforward. Once I enabled it and had the Google Authenticator application loaded on my phone, it was a simple matter of logging in to my account as usual, and then, when prompted, entering the security code. For things like mobile Gmail on my phone or instant messaging using Pidgin, I needed a new password from the Google account website, but that was all easily done.
Since I always carry my phone, I’d love to see more ways to run authentication software on it. With the continuing migration to smartphones it could become more common, but where would it all end? Once software on our smartphones becomes the norm, would we advance to swiping a fingerprint on a keyboard, looking into a webcam for an iris scan or using voice recognition? Who knows what other authentication mechanisms we will eventually conjure up as we try to keep our systems safe.