

Show HN: My wife's email was hacked, I created an app to protect online accounts - urb
https://getlogdog.com/

======
PeterWhittaker
Interesting. Potentially useful. Love it when people create new products. Very
scary to put yourself out there like that. Especially in the security space.

From reading the site and URB's comments on this page, LogDog appears to be a
host intrusion detection (HID) package that works first in "learning mode" to
establish a baseline set of acceptable or normal behaviours for any given user
then eventually moves into notification mode in which it signals to the user
that unusual activity has taken place.

Unusual, in this context, means anything outside the thresholds established
during learning mode. Presumably, learning mode continues over time and the
system becomes more refined.

So far, so good.

What's not so good:

1\. The basic premise is "trust us, we know what to look for, but won't tell
you because we don't want the bad guys to know". This is security through
obscurity and I'm afraid I can characterize this only as "charmingly naive".
A) The bad guys already know, guaranteed. B) Unless you are truly expert in
this area (see below), you don't and are only guessing. I don't want to harsh
anyone's mellow, but you need to be able to back up your claims - especially
when you claim your product will make someone's life more secure. We will
consider believing your claims after we have read the research papers you are
going to publish, the papers that provide enough information for thems of us
who know this area to guess at your bona fides but not so much as to reveal
all your secrets.

2\. All data sent to servers is anonymized. So you say. I will take you at
your word. But it means nothing, unless you have done the extremely hard work
necessary to show that the data you maintain cannot in any way be used to
establish identity after the fact, whether it be by patterns of behaviour or
other means. This is an area of active security research and active attacks,
and is not for the faint of heart. I invite you to research super cookies,
click profiling, etc., etc.

3\. Re #2: Your servers are now known to attackers who want that juicy high
value data that they can probably do more with than you - unless you are as
large and as well funded (they are both). Please describe, at least at a high
level, how you are protecting this high value asset you have created. If you
cannot, we cannot expect our data to be safe. Regardless of claims of
anonymization. Convince us you understand defense in depth, prevent-detect-
respond-recover, etc.

4\. No offense, but this is a security product from someone with no documented
(as far as we can tell) expertise or experience in this area. Everyone who has
ever developed a security product from scratch has gotten the first release
wrong. Every single time. This stuff is complex and complicated, it takes
tremendous experience in the field to design a tool properly, let alone
implement one, experience gained either from starting from scratch and
surviving to release 4 or 5 or from working on other products developed by
experts/survivors.

URB, you may find comments herein and on this page to be assertive, even
aggressive. None of us will apologize for this. You are making BOLD claims and
providing no reasons for anyone to believe you know what you are doing. You
need to do that work before the security community will accept this product.

Try to get hold of Bruce Schneier or another well-known, respected commenter
in the field. If you can convince a few such people by giving them a
privileged, behind the scenes view (they won't sign your NDA, there is nothing
for them in that), that will a) provide real marketing bumpf and b) go a long
way to silencing many critics.

But note that you still need to address 2 and 3, even if you convince the best
of the best of 1 and 4. Good luck, those are hard problems to solve.

~~~
swalsh
"No offense, but this is a security product from someone with no documented
(as far as we can tell) expertise or experience in this area. "

This is my theory on why Satoshi released bitcoin anonymously. Ad hominem
attacks like this are way too common in security. Often there are some
justifications, but I'd prefer if conversations were about the content alone.

~~~
PeterWhittaker
I'm not sure that this actually qualifies as an ad hominem attack. In cases
such as this, a lack of experience and expertise is a serious concern.

True, there may well be outliers who, with little to no previous experience in
a field, are able to master and advance it - but they are outliers.

As to specific comparison with Satoshi and Bitcoin, it doesn't stand, due to
the relatively poor history and documentation for LogDog and the relatively
greater history and documentation for Bitcoin: There is the 2008 research
paper that built upon well-known and well-examined previous work on electronic
cash, anonymous payments, etc., etc., and there is the subsequent open source
client. No one ever said "trust us, this is cool". Instead, they wrote
detailed papers and code and released those to the world - and we made up our
own minds.

LogDog is, by comparison, _sui generis_, a thing of itself, that has sprung
into being with neither preamble nor publicized foundations.

URB may be the outlier. Or not. Given the lack of documentation, the lack of
openness, and the apparent lack of expertise, we are but wise to raise the
questions.

So far, URB seems responsive and engaged, and not particularly evasive. Those
are good things for that particular hominid.

------
talles

      Hundreds of parameters are used to identify unauthorized access to your accounts.
    

I would love to know how.

Seriously, no sarcasm here, I'm actually curious about those _hundreds of
parameters_.

~~~
urb
Obviously I can't go into too much detail, but we cross reference data from
the different services we monitor and thus create a fairly robust usage
profile.

~~~
milesskorpen
It isn't at all obvious to me why you can't reveal more information, unless
your signals are something trivial a hacker could mimic. Please explain more.

~~~
rudolf0
Here's the unfortunate truth: a good majority of security companies out there
are banking on the hope that the signals they are looking for are not known to
hackers and so cannot be mimicked or evaded.

>unless your signals are something trivial a hacker could mimic

Name _any_ security product out there, whether they make software tools or
hardware appliances, and chances are there is a set of trivial signals a
malicious actor can mimic to appear to be trusted by that product, or a set of
trivial signals to avoid to prevent being considered malicious.

And yet those products can still provide tremendous value. There is serious
value in a large team of intelligent, experienced, resourceful people spending
8-10 hours a day tracking fraud and crime patterns so they can detect
suspicious activity and meticulously add to and update their signatures. Yes,
if their list of signatures was published on a fraud forum, the fraudsters
would see it and take advantage of it and the company would have more workload
trying to detect the new pattern changes. But it's still a useful service for
many people.

My only concern in OP's case is that neither he nor his company has any track
record in the security industry. He's perfectly reasonable to not reveal the
precise technical details of how they're detecting suspicious activity,
though.

------
rbxs
Refusing to explain how LogDog works, how should you trust them with your
precious accounts?

------
jpetersonmn
"1 in 4 online accounts gets hacked."

I've got hundreds of online accounts and so far none have been hacked. Where
are you getting this number from?

I think for you to be successful in this venture you're going to have to be
very transparent in how everything works, based on comments so far that's not
the case.

------
72deluxe
Looks interesting. Does anyone else use Two-Factor authentication for their
emails? I do.

I also use that SMS service for PayPal.

Does nobody else?

~~~
organsnyder
I use two-factor auth whenever it is available. I've also mandated it for all
user accounts (on Google Apps) at my organization.

For a while, I was trying to encourage adoption by expounding on its benefits,
but then one of our users (without two-factor auth) had her account hacked,
and I was able to employ the panic around the office to justify making it
mandatory for everyone. This caused some pain for a little while (when two-
factor auth enforcement is enabled for a Google Apps domain, users without
two-factor auth enabled must use a temporary code, which can only be retrieved
by a domain admin), and I wouldn't recommend this approach for more than a
dozen users or so.

~~~
72deluxe
Great idea. I am surprised so few use two-factor authentication. My bank
requires it for logging in, sending money, even for going into the branch
(thanks Barclays); RSA fobs or Quest Defender fobs were also used in a company
I used to work for, for their VPN.

With Google, the list of massive passwords they provide for logging in via
POP3 is a useful thing to print off and have secreted at your house somewhere
in case your phone gets pinched.

And periodically/regularly tidying up old emails from your inbox (archiving
them offline somewhere) is a way to keep the email account a bit safer, as
there isn't any info in the mailbox.

------
Mauricio_
Do I have to believe the reddit-like story in the title? Looking at the
website it looks way too professional to be something suddenly made out of the
blue one day after your wife got hacked.

~~~
RockyMcNuts
Yes. Also, you are required to believe eBay was founded to help Pierre
Omidyar's fiancée collect Pez dispensers. And Sara Blakely got Spanx off the
ground by dragging Bergdorf buyers into dressing rooms and demonstrating
control-top girdle underwear. If you can't invent a believable meet-cute
creation myth, how can you create a good company?

According to Wikipedia "The frequently repeated story that eBay was founded to
help Omidyar's fiancée trade Pez candy dispensers was fabricated by a public
relations manager in 1997 to interest the media. This was revealed in Adam
Cohen's 2002 book,[14] and confirmed by eBay."
[http://en.wikipedia.org/wiki/Pierre_Omidyar](http://en.wikipedia.org/wiki/Pierre_Omidyar)

------
AdmiralAsshat
Could you elaborate a bit on some of the things you're checking for as signs
of "suspicious activity"?

I ask because I receive warning emails on occasion from Gmail ever since I
started routing all of my data through a rotating-server VPN. I imagine LogDog
might send similar emails, which is not necessarily a bad thing--I'm just
curious exactly what else you're monitoring other than suspicious
IP/geolocation.

~~~
urb
LogDog monitors multiple parameters and will not send you alerts just because
your VPN changes IPs. We establish a usage profile and only alert on
significant anomalies.

~~~
AdmiralAsshat
And, again, what would be an example of an "anomaly", other than an IP address
from India suddenly signing in?

~~~
mobiplayer
A strange IP, signing in at early morning hours when you usually don't, using
a different browser, different OS, different language config, different
browser plugins, running through all your email folders... THAT would be
suspicious all together, most of them are not by themselves.

I understand that URB doesn't want to reveal all they do. It's the same way AV
companies do not reveal how they develop all their signatures.

Everyone crying "you should reveal all your secrets, otherwise you're doing
security through obscurity" do not get it. It's not secret because of security
concerns, but for competitive advantage against other companies in the field.
Why aren't we asking FireEye, Mandiant, CloudFlare, Incapsula or any of the
other supercool security companies what are their parameters for behavioural
detection? Do we feel we have a superior moral stance against LogDog because
we don't know them?
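The "suspicious all together" idea from the comment above, as an added example that is not from the thread and is not LogDog's code: a baseline is learned from past sessions, and an alert fires only when several signals deviate at once. The signal names, the threshold of 3, the 2-hour window and all sample sessions are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed login history for one user, standing in for "learning mode".
HISTORY = [
    {"country": "CA", "hour": 8,  "browser": "Firefox", "os": "Linux",   "lang": "en-CA"},
    {"country": "CA", "hour": 9,  "browser": "Firefox", "os": "Linux",   "lang": "en-CA"},
    {"country": "CA", "hour": 13, "browser": "Firefox", "os": "Android", "lang": "en-CA"},
    {"country": "CA", "hour": 22, "browser": "Firefox", "os": "Linux",   "lang": "en-CA"},
    {"country": "US", "hour": 23, "browser": "Firefox", "os": "Android", "lang": "en-CA"},
]
CATEGORICAL = ("country", "browser", "os", "lang")

def build_baseline(history):
    """Record which values of each signal were seen during learning."""
    baseline = {s: Counter(e[s] for e in history) for s in CATEGORICAL}
    baseline["hour"] = Counter(e["hour"] for e in history)
    return baseline

def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def deviations(baseline, event, hour_window=2):
    """Return the signals in `event` that fall outside the learned baseline."""
    odd = [s for s in CATEGORICAL if event[s] not in baseline[s]]
    if all(hour_gap(event["hour"], h) > hour_window for h in baseline["hour"]):
        odd.append("hour")
    return odd

def verdict(baseline, event, threshold=3):
    """Alert only when several signals deviate together, not on any single one."""
    odd = deviations(baseline, event)
    return ("alert" if len(odd) >= threshold else "ok", odd)

BASELINE = build_baseline(HISTORY)

# Constructed sessions: a VPN exit in another country versus a session
# where most signals change at once.
VPN_SESSION = {"country": "NL", "hour": 9, "browser": "Firefox", "os": "Linux", "lang": "en-CA"}
ODD_SESSION = {"country": "ZZ", "hour": 3, "browser": "Chrome", "os": "Windows", "lang": "fr-FR"}

if __name__ == "__main__":
    for name, ev in (("vpn", VPN_SESSION), ("odd", ODD_SESSION)):
        print(name, verdict(BASELINE, ev))
```

A changed country alone stays below the threshold, which is the rotating-VPN case raised earlier in this sub-thread; the returned list of deviating signals is what an alert would show the user.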

------
pzxc
I don't understand how it works or could possibly work. How is your app going
to detect that someone is accessing one of my accounts from Israel, as
indicated in your screenshot?

Do you have software running on google's servers so that it knows what IP
addresses are accessing gmail/evernote/one of the other services and can
geolocate? (Obviously not). So how is this supposed to work?

~~~
pandog
If you scroll to the bottom in Gmail you can see a "Last account activity: 1
hour ago: Details" link. If you click that you can see everyone who logged on.

~~~
minimaxir
As far as I know, there's no official API to access this data. And that data
definitely isn't available for all the services regardless.

~~~
kefs
This shows sessions across all Google products:

[https://security.google.com/settings/security/activity?pli=1](https://security.google.com/settings/security/activity?pli=1)

~~~
monkey_slap
Thanks for this. I actually found 2 devices that I didn't recognize.

------
nerdy
"Don't get hacked, get a LogDog"

From what I can tell this service does absolutely nothing to protect you from
being hacked.

It's more like a "you might've been hacked" notification.

~~~
urb
If you know something suspicious is happening you can change your password
(from the app) and throw the hacker out. You can also avoid rolling-hacks (ex:
when your email is used to reset passwords on other services)

~~~
nerdy
I'm not saying the service has no potential value, rather that it doesn't
fulfill the "don't get hacked" reprise by notifying you after the fact.

The notification could allow you to fix the problem once it has happened but
any hacker with reasonable sophistication can download data and change
passwords in an automated fashion long before you can finish reading the
notification.

------
Khao
So to protect myself I have to give out ALL my credentials to this new app? No
thanks.

~~~
urb
Your credentials stay on your phone (where you already have most of your
passwords). They are never sent to LogDog servers.

~~~
Khao
Well that's reassuring. It's not obvious from scanning the first page that
this is how it works and will potentially scare away users. So I guess then it
only works if I have a reliable internet connection and my battery doesn't run
out.

Do you know how battery/network heavy logdog is?

~~~
urb
We keep battery consumption <1% and compress all data traffic.

~~~
0xffff2
>We keep battery consumption <1%

What does that even mean? 1% per hour? per day? 1% of your phone's battery? of
my phone's battery?

Meaningless statements like the one quoted do not inspire confidence in you or
your product.

~~~
urb
Android settings -> General -> Battery. Power consumption divided by Android
into percent per app

------
talles
Sorry if I'm going to sound a little _childish_ but...

What if my LogDog is hacked? What kind of _thing_ will the attacker be able to
do with whatever LogDog has about my accounts everywhere?

~~~
urb
LogDog does not save account credentials. They are kept only on the device and
are never sent to our servers. The servers only keep anonymous data. There is
nothing to hack.

~~~
mtbcoder
In another comment, you mentioned your system works by polling for user
activity, creating "baseline" profiles and monitoring usage activity. That
certainly does not appear to be anonymous data to me.

------
dewey
Wouldn't a third party service repeatedly logging into my services from a
LogDog IP raise some flag on its own at the service's own intrusion
detection?

~~~
urb
Very good point. It took us a while to get around that :-)

~~~
organsnyder
Perhaps it's simply a poor choice of words on your part, but "get around that"
raises red flags for me. It makes it sound like you've found a loophole in
their intrusion detection systems, that will (hopefully) be closed when it is
detected—which will become ever more likely if your system becomes more
popular.

------
jbob2000
I don't know the situation with your wife's email... but if she had a poor
enough password that it was easy enough to hack OR if she didn't update her
password after heartbleed etc., then why do you think she will be proactive
enough to use LogDog?

(Obviously she will, because she's your wife, but the question is if people
aren't proactive to keep their accounts safe, will they be proactive enough to
use your service?)

~~~
jeremysmyth
It's far, far more likely that she was phished or that she used the same
password on a site that was compromised than that her email password was
guessed or sniffed. (edit: of course, this is a general comment rather than
any comment specific to OP's wife!)

------
Derbasti
So I prevent getting hacked by giving some random app the login details to all
the services that could be used to fake my identity. Makes sense.

------
mralvar
First Show HN where I've seen someone have a phone number listed. Not sure if
smart, or brave.

------
tmikaeld
Is it open source? How does it work?

This info is kind of important if you are posting on HN!

~~~
urb
LogDog is not open source. It works by polling services periodically for
information about user activity, establishing a baseline profile and then
looking for usage anomalies.

------
MrQuincle
From what I can see he crawls the website as a user would do. He logs in to
Google just via
[https://accounts.google.com/ServiceLogin?service=mail&contin...](https://accounts.google.com/ServiceLogin?service=mail&continue=https://mail.google.com/mail/),
two-factor authentication might involve user interaction.

Session information (about other sessions) from for example Facebook can be
obtained through
[https://www.facebook.com/ajax/settings/security/sessions.php](https://www.facebook.com/ajax/settings/security/sessions.php)

------
ganga98
Two comments:

1\. Since your app is free, what's in it for you? You mentioned in other
comments that passwords are never shared with your app; however, you do
continuous polling and create a profile. Are you going to sell this data to
advertisers for behavior targeting and advertising? The amount of information
you know about what a particular user is using and how they are using it (due
to continuous monitoring) is way too intrusive in my opinion.

2\. What if my account gets hacked due to LogDog? Your approach is not too
convincing since you did not even answer other users' questions on what
parameters you are monitoring. Sophisticated hackers might take advantage of
your service and hack into my account. Do you assume liability and loss that
would occur because of your service? I don't want to sound rude, but putting a
cheesy story in the headline might get you temporary attention, but this
service is no better than saying "we will watch out who will rob your bank and
then directly or indirectly responsible for lost money"

------
ada1981
Your press kit was not accessible as of the time of this post via the link you
provide:

[https://getlogdog.com/wp-content/uploads/2014/08/Logdog.zip](https://getlogdog.com/wp-content/uploads/2014/08/Logdog.zip)

------
tomtoise
Hate to be that guy, but in About Us you have a minor typo; "Having one of
your online accounts hacked and loosing all your.." should read; "Having one
of your online accounts hacked and losing all your.."

~~~
mod
It could have been intentional, I think, in this context.

Very unlikely, of course, but I think it reads properly with "loosing."

------
discardorama
Does it run client-side (device), or server-side? I ask, because if you're
without a net connection, will LogDog still monitor your accounts (if it's
server-side, it will, I guess)?

------
64mb
How does this protect me any more than 2FA does?

~~~
mobiplayer
Seems that in the same way a house alarm protects you, loosely compared to
your house keys.

------
darkarmani
Typo:

> "loosing all your data"

------
jdalgetty
I love the skepticism!

