February 7, 2023

State of the Art: Remember All Those Passwords? No Need

Have these security pundits ever listened to themselves?

That advice is clearly unfollowable. I currently have account names and passwords for 87 Web sites (banks, airlines, blogs, shopping, e-mail, Facebook, Twitter). How is anyone — even a security professional — supposed to memorize 87 long, complex password strings, let alone remember which goes with which Web site?

So most people use the same password over and over again, and live with the guilt.

There are solutions. Most Mac and Windows Web browsers now offer to memorize passwords for you. But that feature doesn’t work on all Web sites, and is generally of little help when you pick up your phone or tablet. At that point, the only person you’ve locked out of all your online accounts is you.

The only decent solution is to install a dedicated password memorization program (like Roboform, KeePass, LastPass, 1Password, and so on). Last week, one of the best was just improved: Dashlane, now at 2.0. It’s attractive, effective, loaded with timesaving features and available for Mac, Windows, iPhone and Android — and it’s free.

Installation is quick. Dashlane works in Safari, Chrome, Internet Explorer and Firefox. It can import existing password “vaults” from rival programs.

Dashlane has two primary features. First, yes, it’s a password memorizer. Every time you type your account name and password into a Web page and press enter, Dashlane pops up, offering to memorize that information and fill it in the next time.

In fact, it also offers to log you in — not just to enter your password, but also to click “log in” for you. In effect, Dashlane has just removed the login blockade entirely. When you go to Facebook, Twitter or Gmail, you just click your bookmark, smile at the briefest flash of the login screen and arrive at the site.

Since Dashlane is now storing and auto-entering your passwords, you’re now free to follow the security experts’ advice. You can make up long, unguessable passwords — a different one for every Web site, since you don’t have to remember any of them. In fact, each time you sign up for a new account, Dashlane offers to make up such a password for you, and then, of course, to memorize it.
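The reason a manager-generated password is “unguessable” is that it is drawn uniformly at random from a large alphabet, so its strength is simply length times log2(alphabet size). The following is an added example, not Dashlane’s code or anything from the original column: it generates a distinct random password per site with Python’s `secrets` module (the operating system’s cryptographic random source, not `random`) and computes the entropy for comparison with a short, letters-only password of the kind people reuse. The site names and the default length of 20 are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes a password manager typically draws from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random from `alphabet`.

    secrets.choice uses the OS CSPRNG; random.choice would be predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def build_vault(sites: list[str], length: int = 20) -> dict[str, str]:
    """One independent random password per site, so a leak at one site
    cannot be replayed against the others (this is the point of never reusing)."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed site list for the demo; real vaults hold whatever you sign up for.
    vault = build_vault(["bank.example", "mail.example", "shop.example"])
    for site, pw in vault.items():
        print(f"{site:14} {pw}")
    print(f"20 chars from {len(ALPHABET)} symbols: {entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(f"8 lowercase letters:        {entropy_bits(8, 26):.1f} bits")
```

A 20-character password from the 94-symbol alphabet carries about 131 bits of entropy, while an 8-letter lowercase word carries under 38; each added bit doubles the guessing work, which is why the generated one is safe to trust to a vault and the memorable one is not.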

Dashlane’s second huge feature is even more amazing. It can also fill in other kinds of Web site forms: your name/address/phone number, and even your credit card information.

When you’re buying something online, and you click into the credit card number box, Dashlane displays pictures of your credit cards: Visa, MasterCard, American Express or whatever — even PayPal.

When you click the one you want to use, Dashlane instantly fills in the long card number, your name, the expiration date, even that accursed security code, in the right boxes. Every time you order something online, you save between 30 seconds and five minutes, depending on whether you have your card information memorized or have to go burrow through your wallet.

When you make a purchase, Dashlane even offers to store all the details in a digital receipt that you can call up later, along with a screenshot of the Web site where you shopped. This feature makes online shopping so frictionless, every dot-com retailer on earth ought to be promoting Dashlane as if its profits depended on it.

In fact, Dashlane can fill in all kinds of forms automatically: phone numbers, job titles, tax numbers and so on. If you’ve ever recorded multiple answers — you have two different Twitter accounts, say — two tidy buttons appear beneath the name box, bearing the account names. Click the one you want.

Unlike some rival programs, Dashlane doesn’t require you to associate one set of personal information with each “profile.” If you have three addresses, for example, you’re always offered those three when filling in a form. You don’t have to create three personalities’ worth of personal information.

So far, Dashlane probably seems designed for convenience, and that’s true. Behind the scenes, of course, its ultimate goal is security.

E-mail: pogue@nytimes.com

Article source: http://www.nytimes.com/2013/06/06/technology/personaltech/too-many-passwords-and-no-way-to-remember-them-until-now.html?partner=rss&emc=rss

Bits Blog: Yahoo Breach Extends Beyond Yahoo to Gmail, Hotmail, AOL Users

Yahoo confirmed Thursday that a file containing approximately 400,000 usernames and passwords to Yahoo and other companies was stolen Wednesday. A group of hackers, known as the D33D Company, posted usernames and passwords for what appeared to be 453,492 accounts belonging to Yahoo, but also Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users.

The hackers wrote a brief footnote to the data dump, which has since been pulled offline:

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

The hackers claimed to have stolen the passwords using a hacking technique called an SQL injection, which exploits a software vulnerability.
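The “software vulnerability” behind an SQL injection is a query assembled by pasting user input into the SQL text, so that the input can change the query’s structure. The following is an added example, not code from the article or from Yahoo: it builds a small in-memory SQLite table of constructed accounts and contrasts a concatenated login query with the parameterized form, which is the standard fix. A single-quote payload is enough to show the difference; the account names and passwords are invented.

```python
import sqlite3

# Constructed sample accounts (not real data) loaded into an in-memory database.
SAMPLE_ACCOUNTS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str, password: str) -> int:
    """String concatenation: the input becomes part of the SQL itself.

    Returns the number of matching rows; a correct login should yield exactly 1."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return len(conn.execute(query).fetchall())


def safe_lookup(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Parameterized query: the driver sends the values separately from the SQL,
    so a quote in the input is just a character in the compared string."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return len(conn.execute(query, (username, password)).fetchall())


def demo() -> dict[str, int]:
    """Run both forms with a valid password and with a quote-breaking input."""
    conn = make_db()
    crafted = "' OR '1'='1"  # closes the string literal and appends an always-true clause
    return {
        "vulnerable_valid": vulnerable_lookup(conn, "alice", "correct horse"),
        "vulnerable_crafted": vulnerable_lookup(conn, "alice", crafted),
        "safe_valid": safe_lookup(conn, "alice", "correct horse"),
        "safe_crafted": safe_lookup(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20} -> {rows} row(s)")
```

In the concatenated version the crafted input turns the WHERE clause into `username = 'alice' AND password = '' OR '1'='1'`, which matches every row, so the check “succeeds” for all accounts; the parameterized version returns no rows because the same text is compared literally. Input validation and least-privilege database accounts limit the damage, but placeholders are the fix.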

The breach comes just one month after LinkedIn, the online social network for professionals, had millions of user passwords exposed after hackers breached its systems. The breaches highlight the ease with which hackers are able to infiltrate systems, even at some of the most widely used and sophisticated technology companies.

Security researchers at Rapid7, a security company, analyzed the dumped account information and found that it included account information not just for Yahoo users but for Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users. Marcus Carey, a researcher at Rapid7, found that among the data were some 106,000 Gmail accounts, 55,000 Hotmail accounts and 25,000 AOL accounts.

Dana Lengkeek, a spokeswoman for Yahoo, said that the compromised accounts belonged to Yahoo’s Contributor Network, previously Associated Content, and that fewer than 5 percent of the passwords posted were still valid.

“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying companies whose user accounts may have been compromised,” Ms. Lengkeek said in the statement. “We apologize to affected users. We encourage users to change their passwords on a regular basis.”

Mr. Carey said it was unclear whether Yahoo’s breach had been contained and noted that hackers could still be inside its systems.

“Since Yahoo is still investigating this breach there’s a possibility that it hasn’t been contained yet,” Mr. Carey said in an e-mail, adding that people may need to change their passwords multiple times. “You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out attackers are still entrenched in Yahoo’s systems.”

Yahoo users should also consider changing their passwords to other sites for which they might have used the same password, as hackers tend to test those passwords across multiple sites.

Article source: http://bits.blogs.nytimes.com/2012/07/12/yahoo-breach-extends-beyond-yahoo-to-gmail-hotmail-aol-users/?partner=rss&emc=rss

Bits Blog: Consultants in the Cloud

Earlier this week we published an article about Google Apps, and Google’s struggle to displace Microsoft Office and Sharepoint inside large corporations. While Google has worked without a large consulting partner, it should be said that several smaller consultancies are working to encourage companies to adopt Google’s cloud-based office productivity software.

Among these are Dito, SADA Systems, Appirio and Cloud Sherpas. Each offers a somewhat different approach. SADA is reselling both Microsoft and Google products. Appirio offers Google along with a broad range of other cloud services for business, like Salesforce.com. Dito is making much of moving companies to Google’s Chromebooks, which are lightweight laptops built for cloud interactions. Cloud Sherpas is among the largest consultants stressing Apps, and it claims to have moved over 1 million people to Google Apps.

Overall, these resellers are pursuing a business that initially looks like traditional reselling, but in fact works along different lines. “Moving to the cloud is a whole different model,” says Michael Cohn, the founder and senior vice president of marketing at Cloud Sherpas, “Google is offering us a recurring revenue stream.”

Consultants like him used to charge hundreds of thousands of dollars for a job like installing Lotus Notes in an IBM mainframe for a company. Now he sells Google Apps for business for the standard $50 per person per year, and gives Google $40 of that. In exchange, Cloud Sherpas aids companies in things like the migration of data onto Google’s servers, training people on the systems, and offering tips on updates to Google products, of which there can be a dozen or more a week.

The company also charges for jobs like building a button on Gmail to connect directly to an internal human resources application, which might cost $10,000, or migrating hundreds of specialty applications to the cloud system, which Mr. Cohn says could run $500,000. There is a growing business in teaching companies how to work more collaboratively in real time, as the Google+ social network becomes more attuned to business, by installing applications to manage the flow of work.

Despite these specialized payments, the important effect is making consulting much more like an annuity business, which can be very profitable if customers keep signing up and do not need too much specialized care. “This used to be a one-time margin business,” says Mr. Cohn, “now it’s about ARPU,” or average revenue per user, a term most often used by cellphone companies.

Mr. Cohn estimates there are about 2,500 independent companies and individuals involved in the Google Apps ecosystem. Google may not be able to make headway with larger consultants because the company is viewed as a threat to the existing consultancy cash-flow model.

It may also be, however, that building up a business with small developers is similar to approaches Google has used before. Its maps business gained traction by enabling outsiders everywhere to use the data via the Web. Even bloggers writing on its free Blogger service are to Google a kind of outside developer, since every page they add incrementally improves the value and quality of Google’s search engine, and creates new real estate where they might put ads. Google also likes the small Web-based developer model, since it makes it harder for Microsoft to find and target what is being built on Google products.

Google is not alone in its push for Web-based developers. VMware is another notable company pushing open-source software and product development on the Web, possibly as a way to increase the demand for its core computer server software virtualization business. And, of course, Microsoft is trying to get there, too, with Windows Azure.

If the annuity-based payment model underpinning most “software as a service” products on the cloud also holds for these new consultants, and they gain ground, the big companies may soon have to take note.

Article source: http://feeds.nytimes.com/click.phdo?i=5e2b5c24b0b408290c4c8c5318f1f27f

Google Details Electricity Usage of Its Data Centers

The company said that its data centers continuously drew almost 260 million watts — about a quarter of the output of a nuclear power plant — to run Google searches, YouTube views, Gmail messaging and display ads on all those services around the world.

Though the electricity figure may seem large, the company asserts that the world is using less energy as a result of the billions of operations carried out in Google data centers. Google says people should consider things like the amount of gasoline saved when someone conducts a Google search rather than, say, driving to the library. “They look big in the small context,” Urs Hoelzle, Google’s senior vice president of technical infrastructure, said in an interview.

Google says that people conduct over a billion searches a day and numerous other downloads and queries, and it calculates that the average energy consumption for a typical user is small, about 180 watt-hours a month, or the equivalent of running a 60-watt light bulb for three hours. The overall electricity figure includes all Google operations worldwide, including the energy required to run its campuses and office parks, he added.

While comparing different types of electricity loads is difficult, utility companies estimate that 260 million watts could power all of the homes in a sizable city — say, 100,000 to 200,000 homes.

For years, Google maintained a wall of silence worthy of a government security agency on how much electricity the company used — a silence that experts speculated was used to cloak how quickly it was outstripping the competition in the scale and sophistication of its data centers.

The electricity figures are no longer seen as a key to decoding the company’s operations, said Mr. Hoelzle. Google is known to have built efficient data centers. Unlike many data-driven companies, Google designs and builds most of its data centers from scratch, including its servers that use energy-saving chips and software.

Noah Horowitz, senior scientist at the Natural Resources Defense Council in San Francisco, applauded Google for releasing the figures but cautioned that despite the advent of increasingly powerful and energy-efficient computing tools, electricity use at data centers was still rising, as every major corporation now relied on them. He said the figures did not include the electricity drawn by the personal computers, tablets and iPhones that use information from Google’s data centers.

“When we hit the Google search button,” Mr. Horowitz said, “it’s not for free.”

Google also estimated that its total carbon emissions for 2010 were just under 1.5 million metric tons, with most of that attributable to carbon fuels that provide electricity for the data centers. In part because of special arrangements the company has made to purchase electricity from wind farms, Google says that 25 percent of its energy is supplied by renewable fuels, and estimates that it will reach 30 percent in 2011.

Google also released an estimate that an average search uses 0.3 watt-hours of electricity, a figure that may be difficult for many people to understand intuitively. But when multiplied by Google’s estimate of more than a billion searches a day, the figure yields a somewhat surprising result: approximately 12.5 million watts of Google’s 260-million-watt total can be accounted for by searches, the company’s bread-and-butter service.

The rest is used by Google’s other services, including YouTube, whose power consumption the company also depicted as very small.

The announcement is likely to spur further competition in an industry where every company is already striving to appear “greener” than the next, said Dennis Symanski, a senior data center project manager at the Electric Power Research Institute, a nonprofit organization. At professional conferences on the topic, Mr. Symanski said, “They’re all clamoring to get on the podium to claim that they have the most efficient data center.”

Article source: http://www.nytimes.com/2011/09/09/technology/google-details-electricity-output-of-its-data-centers.html?partner=rss&emc=rss

Microsoft Forms Partnership With China’s Leading Search Engine

SHANGHAI — A year and a half after Google pulled its popular search engine out of mainland China, partly over concerns about censorship, its rival Microsoft has struck a deal with the biggest Chinese search engine, Baidu.com, to offer Web search services in English.

Baidu, previously primarily a Chinese-language search engine, made the announcement Monday afternoon, saying Microsoft’s search engine, Bing, was expected to appear on Baidu’s Web pages by the end of this year.

Baidu, which dominates Chinese-language search services here with about 83 percent of the market, has been trying for years to improve its English-language search services because English searches on its site are as many as 10 million a day, the company said. Now it has a powerful partner.

“More and more people here are searching for English terms,” Kaiser Kuo, the company’s spokesman, said Monday. “But Baidu hasn’t done a good job. So here’s a way for us to do it.”

Baidu and Microsoft did not disclose terms of the agreement. But the new English-language search results will undoubtedly be censored, since Beijing maintains strict controls over Internet companies and requires those operating on the mainland to censor results the government deems dangerous or troublesome, including references to human rights issues and dissidents.

Microsoft seems to be betting it can get access to what is already the world’s largest Internet population of about 470 million users.

Google continues to be available on the mainland, though its search engine, which operates in English and Chinese, was moved last year to Hong Kong, where Beijing’s censorship rules do not apply. But lately, Google’s search engine and its e-mail service, Gmail, have become more difficult to connect to on the mainland. The company, which is based in Mountain View, California, has blamed the Chinese government for interfering with its operations.

For Microsoft, it could be an opportunity. In a statement released Monday, Shen Xiangyang, Microsoft’s senior global vice president, said: “Bing’s cooperation with Baidu will allow the vast Baidu users to receive better English search experiences and results” and allow more Chinese users to experience Bing.

Article source: http://feeds.nytimes.com/click.phdo?i=bbf3a9339e2e27882c0a1cd418f268cc

China Rejects Google’s Hacking Charge

BEIJING — China’s official Communist Party newspaper issued a caustic response on Monday to Google’s charge that Chinese hackers had taken aim at influential users of its Gmail service, calling the accusations “political gaming” aimed at fomenting new discord between the Beijing and Washington governments.

The newspaper, People’s Daily, published a front-page editorial in Monday’s international editions that also suggested that Google’s actions could cost it credibility in the business world.

“Many international bystanders believe that Google’s charge is thickly tainted with political colors, and one can’t dismiss the fact that Google is taking advantage and provoking new Sino-American Internet security disputes with sinister intentions,” stated the editorial. “Today’s Google really makes one wring one’s hands. What was once a model of leading Internet innovation has now become a political tool for slandering other countries.”

“Once the international winds change,” the editorial later added, “Google might become a political sacrifice and might be discarded by the market.”

Google declined to officially comment on the editorial, but a spokesman responded to the article’s headline, “Google, What Do You Want?” The company publicly charged that Chinese hackers had broken into Gmail accounts to protect its users and help them stay safe online, the spokesman said. “We think users should be aware of this disturbing campaign,” he said.

Google officials had said last Wednesday that hackers in Jinan, a coastal city in eastern China’s Shandong province, had sought to gain access to the Gmail accounts of hundreds of American government officials, Chinese political activists, military personnel, journalists and Asian officials. The attacks used a polished version of a rudimentary technique, called spear phishing, to trick recipients into revealing their e-mail passwords. American officials said they had no evidence any confidential information was breached, or even that many people fell for the attack. In January 2010, Google tied hackers in the same city to a more sophisticated and wide-ranging assault on its computer systems. The company has not suggested that the Chinese government was behind those attacks, though speculation to that effect has been widespread, particularly since the company’s services have been plagued with unexplained disruptions.

In the days after Google’s latest accusation, Chinese users of Gmail and the popular Google Maps service have seen connections slow to a crawl, while the same services accessed over private networks have remained trouble-free.

Chinese officials have attributed Google’s service problems to technical issues that do not involve the government, and they have denied any government role in hacking Google computers or e-mail accounts. On Thursday, a Foreign Ministry spokesperson called hacking a criminal activity and said that China also suffered attacks by hackers.

Google has lost significant share of the market over the last few years, as it suffered both hacking attacks and government censorship of its Web searches. The company moved its search operations off the mainland last year to uncensored servers in Hong Kong.

After commanding more than a third of China’s market for online searches in 2009, Google saw its share decline by the first three months of 2011 to 19.2 percent, a 2 percent drop from the last quarter of 2010, according to the Chinese research firm Analysys International.

The biggest beneficiary of Google’s losses appeared to be Baidu, a Chinese Internet portal whose share of searches jumped almost as much as Google’s declined.

China’s state-owned mobile-telecommunications companies also have dropped Google’s mobile search service for competing products.

Google nevertheless has said that its revenues from mainland China operations are increasing year-over-year. Instead of search, the company considers its biggest opportunity in China to be display advertising and selling ads to Chinese companies that appear on Web sites outside China. The company has more than 500 employees in China and hundreds of business partners.

Xiyun Yang contributed research from Beijing, and Claire Cain Miller contributed reporting from San Francisco.

Article source: http://www.nytimes.com/2011/06/07/world/asia/07china.html?partner=rss&emc=rss

Google Introduces New Social Networking Tool, as It Settles Federal Privacy Charge

Google is taking another stab at social networking, even as it pays a price for social networking privacy blunders it has made in the past.

Google introduced its latest social tool Wednesday, the same day it settled with the Federal Trade Commission over charges of deceptive privacy practices in its introduction last year of Buzz, the social networking tool in Gmail.

Under the settlement, Google agreed to start a privacy program and undergo privacy audits for 20 years; it faces $16,000 fines for future privacy misrepresentations. This is the first time the F.T.C. has charged a company with such violations, and the first time it has ordered a company to introduce a privacy program, the commission said.

The new social networking tool, +1, lets people annotate Google search results and ads so they can recommend Web pages to friends and acquaintances. It is the biggest feature yet in Google’s long-awaited social networking toolkit.

Both the introduction of +1 and the F.T.C. charges highlight two of Google’s biggest challenges: heightened competition from Facebook, and near-constant criticism from privacy advocates and policy makers over its practices.

As it tries to make its services more social, the company has come under intense scrutiny from people concerned about its widespread grasp of personal information. But at the same time, it is in the unusual position of racing to catch up with a rival, as Facebook captures more of Internet users’ time, information and advertising dollars.

Of particular concern to Google is the fact that many people now turn to Facebook with search queries, like seeking the best place to go on vacation, because they trust their friends’ advice more than that of an anonymous search engine.

In an interview about the new tool, Matt Cutts, a principal search engineer at Google who worked on +1, took great pains to emphasize that the company had learned from the privacy outcry after it introduced Buzz, which lets Gmail users share status updates, photos and videos. Its introduction in February 2010 unleashed a barrage of criticism from privacy advocates and everyday users because it automatically included users’ e-mail contacts in their social network.

Mr. Cutts repeatedly stressed that anything people share with +1 is public.

“If you wouldn’t feel comfortable telling your friends and broadcasting this to the world, then of course you don’t have to click the +1 button,” he said. With +1, Google wants to personalize search results. People logged into their Google accounts will be able to click a +1 button next to search results to publicly recommend the pages. People perusing search results will see how many Google users recommended a page and see names and photos of people they know.

Google will find people that users know through Gmail and chat contacts, as well as people users follow on Google Reader or Buzz. Later it will include contacts from other social sites like Twitter and Flickr. But it will not include contacts from Facebook, because Facebook information is not publicly shared on the Web, Mr. Cutts said.

People will also be able to recommend ads. And if someone recommends a search result that links to a hotel’s Web site and the hotel later advertises on Google, that person’s recommendation will appear with the ad.

Google’s +1 is remarkably similar to Facebook’s Like button, which lets people recommend Web sites and ads to their friends. Later, Web publishers will be able to include a +1 button on their pages, just as many include a Facebook Like button today.

But Mr. Cutts said it differed from the Facebook feature because “it’s useful right there when you’re searching but doesn’t crowd or muck up your activity stream where people might not want to see it.”

In bringing the charges against Google, the F.T.C. said the company violated its own privacy policy when it used the information from users’ Gmail accounts for Buzz without obtaining their permission. The settlement prohibits Google from making any similar privacy misrepresentations, and requires Google to provide users with the ability to opt in to any changes to existing products that involve collecting user information.

“This is a legal order and goes further than voluntary commitment,” said Jessica Rich, the deputy director of the F.T.C. Bureau of Consumer Protection in a news conference with reporters Wednesday.

Google has apologized for the Buzz debacle before — and did again on Wednesday — but said the rules mandated by the F.T.C. would not change the way it operates.

“We don’t see this as being a significant change in how we run our business because this is the standard we hold ourselves to already,” said Jill Hazelbaker, a Google spokeswoman.

The F.T.C. said it expects the settlement to have broad consequences for the Web industry.

“We think that many of the provisions in this order are good practices that we would expect to see widely followed throughout the industry,” Ms. Rich said. “The difference is Google would be subject to civil penalties if they violated it.”

Article source: http://feeds.nytimes.com/click.phdo?i=ba1aa219a86f6e8575f22709594890cd