Deleting someone’s business off Heroku - petenixey
http://peternixey.com/post/42437568585/10-steps-to-deleting-someones-business-off-heroku

======
willlll
This is link-bait sensationalism. Aside from the downtime, getting your heroku
app recovered from being deleted is not a big deal, assuming you write into
support in a reasonable amount of time.

------
greenyoda
_"This isn’t something that 2-factor authentication is going to fix. 2-factor
auth is great at preventing a man-in-the-middle attack but when the attacker
has your phone, they probably also have the second auth channel."_

Two-factor authentication could be made more secure by requiring you to reply
to a text message with the answer to a security question that couldn't be
found on your phone (e.g., the name of your favorite comic book character).

------
homosaur
This seems like it's going to be a problem a lot of places if people are using
2 factor auth via their phones. You can delete someone's Github also
immediately but I'm not sure if they keep backups somewhere. It sure says that
stuff will be deleted IMMEDIATELY

------
skorecky
This is like saying if someone stole your key ring, they now have access to
your house.

~~~
ianferrel
If your key ring included a teleporter that could steal all your possessions
with a single button click, then yeah.

If someone steals your keys, they still have to find a time when no one's home,
and it's still hard to steal things from a physical location quickly. Once you
notice your keys are gone, you can call a locksmith and rekey the house.

That's why the article recommends a time delay. There should be enough time to
realize that your access has been compromised, and nothing destructive should
occur faster than that time limit. Ideally, the time limit should be
configurable, so you can go on a vacation and know that even if someone hacks
into your email the day you leave, nothing will get committed until your
return.

~~~
thirsteh
Does any company in the world do something like this? If not, why make it
sound like Heroku is doing something bad by not having it?

I don't think expecting people to protect their email and TOTP secrets is
unreasonable, but it does go to show how vulnerable you are if your unlocked
phone is stolen and you don't react quickly.

Don't give your phone to people you don't trust if it grants them this kind of
access, and if somebody gets a hold of your phone or you lose it, change your
passwords.

~~~
ianferrel
My impression was that Heroku was an example with a lot of impact, not that
this was calling Heroku out for sub-standard practices.

The problem is that standard practices are lacking.

~~~
thirsteh
Believe me, I'm no stranger to flaming service providers, but I'm inclined to
blame the user for not being sufficiently disciplined here. The service
provider shouldn't have to make all these kinds of guesses about what you can
access and within what timeframe.

------
granpappypimp
I also put in a feature request that would fix this. Allow customer to lock
addons and ENV variables and require an unlock password to change them. The
same can be applied to app as a whole and then just disallow changing that
unlock password from a phone's browser...only from a desktop.
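Two controls are proposed in this thread: ianferrel's configurable time delay, so nothing destructive completes before the owner has had a chance to notice a compromise, and granpappypimp's per-resource lock that demands a separate unlock secret before addons or config can be changed. The sketch below is an added example written for this discussion, not Heroku's code or anything from the linked article. It assumes a hypothetical `DestructiveActionGuard` service that schedules destructive requests instead of executing them, notifies the owner out of band with a cancel token, and refuses changes to locked resources unless the unlock secret (stored only as a salted PBKDF2 hash) is supplied; the clock is injected so the grace window can be exercised without waiting.

```python
"""Grace-period plus resource-lock guard for destructive account actions.

Added illustration of the two mitigations discussed in the thread; all names
and the account/resource values are constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash of the unlock password, never the password.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


@dataclass
class Account:
    name: str
    grace_seconds: int = 24 * 3600            # owner-configurable delay (hypothetical default)
    locked: set = field(default_factory=set)  # resources that need the unlock secret
    _salt: bytes = field(default_factory=lambda: os.urandom(16))
    _unlock_hash: Optional[bytes] = None

    def set_unlock_secret(self, secret: str) -> None:
        self._unlock_hash = _hash_secret(secret, self._salt)

    def check_unlock(self, secret: str) -> bool:
        if self._unlock_hash is None:
            return False
        # Constant-time comparison so the check does not leak via timing.
        return hmac.compare_digest(self._unlock_hash, _hash_secret(secret, self._salt))


@dataclass
class PendingAction:
    token: str
    account: str
    resource: str
    execute_at: float
    action: Callable[[], None]
    cancelled: bool = False
    done: bool = False


class DestructiveActionGuard:
    def __init__(self, now: Callable[[], float]):
        self._now = now                       # injected clock for deterministic behaviour
        self._pending: Dict[str, PendingAction] = {}
        self.notifications: List[str] = []    # stand-in for an out-of-band channel (e-mail, second device)

    def request(self, account: Account, resource: str,
                action: Callable[[], None], unlock_secret: Optional[str] = None) -> str:
        # A locked resource cannot even be scheduled without the separate unlock secret.
        if resource in account.locked and not account.check_unlock(unlock_secret or ""):
            raise PermissionError(f"{resource} is locked; valid unlock secret required")
        token = secrets.token_urlsafe(16)
        self._pending[token] = PendingAction(
            token, account.name, resource, self._now() + account.grace_seconds, action)
        # The cancel token is sent to a channel other than the requesting device.
        self.notifications.append(
            f"{account.name}: {resource} scheduled for destruction; cancel token {token}")
        return token

    def cancel(self, token: str) -> bool:
        p = self._pending.get(token)
        if p is None or p.done:
            return False
        p.cancelled = True
        return True

    def run_due(self) -> int:
        """Execute every pending action whose grace window has elapsed; returns the count."""
        executed = 0
        for p in self._pending.values():
            if p.done or p.cancelled or self._now() < p.execute_at:
                continue
            p.action()
            p.done = True
            executed += 1
        return executed


def demo() -> dict:
    """Walk through the scenario from the thread with a fake clock (seconds)."""
    clock = {"t": 0.0}
    guard = DestructiveActionGuard(lambda: clock["t"])
    acct = Account("example-app", grace_seconds=3600)   # one-hour window, constructed value
    acct.set_unlock_secret("desktop-only-unlock")       # constructed secret
    acct.locked.add("env:DATABASE_URL")
    deleted: List[str] = []

    # Someone holding the unlocked phone asks to delete the app: it is only scheduled.
    tok = guard.request(acct, "app", lambda: deleted.append("app"))
    clock["t"] = 600
    ran_early = guard.run_due()            # still inside the grace window
    cancelled = guard.cancel(tok)          # owner reacts to the out-of-band notice
    clock["t"] = 7200
    ran_after_cancel = guard.run_due()     # cancelled action never executes
    # A locked config change without the unlock secret is refused outright.
    try:
        guard.request(acct, "env:DATABASE_URL", lambda: deleted.append("env"))
        lock_refused = False
    except PermissionError:
        lock_refused = True
    # A request nobody cancels does execute once the window has passed.
    guard.request(acct, "addon:redis", lambda: deleted.append("addon:redis"))
    clock["t"] = 7200 + 3600
    ran_late = guard.run_due()
    return {"ran_early": ran_early, "cancelled": cancelled,
            "ran_after_cancel": ran_after_cancel, "lock_refused": lock_refused,
            "ran_late": ran_late, "deleted": deleted, "notices": len(guard.notifications)}


if __name__ == "__main__":
    print(demo())
```

The point of injecting the clock and returning a result dictionary is that the two properties the thread cares about (nothing destructive completes inside the window, and a cancellation or a missing unlock secret stops the action entirely) can be asserted rather than eyeballed; in a real service the notification list would be an e-mail or push to a device other than the one that made the request.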

------
niggler
tl;dr: don't let strangers borrow your phone

------
MalphasWats
"Hi, I'm Insert Name, pleased to meet you. Can I borrow your phone?"

"No"

...

"Erm, what do you think you're doing, get your hand out of my pocket!"

No-one touches my phone.

------
mille562
Email apps should allow pin protection (separate from the phone pin). An email
app is a door allowing access to the majority of services people want to keep
secured.

------
timgrimsditch
Sounds like the issue here is: 1. immediacy 2. too many auth options on one
(often poorly protected) device

