
How to kill your Google account: Access it via Tor - dredmorbius
https://www.reddit.com/r/dredmorbius/comments/2w618r/how_to_kill_your_google_account_access_it_via_tor/
======
dredmorbius
A few quick observations:

⚫ Having all your eggs in one basket is a poor option. And by "your" I mean
"my".

⚫ IP-based reputation tracking's been useful. It's dead. Get over it. Thank
the NSA. And Google. And Verizon. And advertisers. Not necessarily in that
order.

⚫ If you're not offering me GPG/PGP based multi-factor authentication, fuck
you. Seriously. Just fuck you.

⚫ Have your CEO go through your account recovery process. Try not to piss them
off _or_ hand the keys to their castle to the wrong party. Like I'm supposed
to remember the month and year I signed up for your service? Not. Bloody.
Likely.

⚫ That and about a half-dozen other questions would have been impossible to
answer if I didn't have local archives of much of my data (thank you
OfflineIMAP). The cloud really sucks at times. Especially when your feet are
glued to the ground.

⚫ CAPTCHA's just about reached EOL as well. I might be able to solve about 1
in 5 these days. If that. Your goal isn't to absolutely prevent someone from
getting onto your system. It's to slow 'em down and raise attack costs.

⚫ If you're offering Internet-based services, start sorting out how you're
going to manage reputation with your Tor clients. Because you'll be having Tor
clients. FAUST and Fair Anonymity are two projects I'd uncovered in the not-
too-distant past, though both appear to be little more than research projects
at this point. I'm not aware of implementations of any Tor-related reputation
management.
[http://arxiv.org/pdf/1412.4707v1.pdf](http://arxiv.org/pdf/1412.4707v1.pdf)
[https://gnunet.org/node/1704](https://gnunet.org/node/1704)

⚫ You don't trust your users. With good reason. Your users don't trust you.
With good reason. And yet you live together on the Internet. Figure something
out.

⚫ No, Yahoo, I'm not giving _you_ my mobile number either.

⚫ There's a lot of money not to be made in offering free email service. But
I'd be happier if a few more folks were doing that. Or if we could figure out
a p2p direct messaging system that wouldn't instantly die under a blizzard of
spam. I think something involving clay tablets might work.

------
james-skemp
I'm sorry, but the top poster on Reddit is correct; you were asked three
things and couldn't answer any of them.

Wasn't there a snafu a while back where a security issue with how one company
accepted password resets led in turn to a user losing access to another
account? (Someone's Twitter or hosting account?)

They have a way of getting into your account. If you prefer to not use/keep
active 2 of the 3 methods, then ...

And based on your fears of giving Google your phone number, I'm surprised you
even use Gmail.

Sorry, and best of luck. At least you have a backup! But still sucks :(

~~~
dredmorbius
_you were asked three things and couldn't answer any of them._

Except that that is incorrect information.

I can answer a number of points directly: I have my account password. I can
(and have) accessed it from a non-Tor IP, the same that I've been using
recently, and from within the same IP range that I've been using for quite
some time (though how long I don't know -- the space is dynamic and subject to
change).

I can and did answer last login dates, questions about email contacts, and
general questions about email filters (none of which would be likely if I
didn't have local copies of email -- in other words, they're tough questions
to answer if you don't have access to at least _some_ of your account).

And there are numerous other questions that I _wasn't_ asked that I could
answer. Including, as I've noted, my PGP key with which I can sign or respond to
challenges. Multiple other accounts that I've referred to frequently in my G+
postings (including this one, also reddit, Ello, and Diaspora, among others).
Which, though Google isn't (or shouldn't be) in a position to check, all use
different (and difficult) passwords.

So: no, I can't answer _all_ the security questions. Then again, I'd challenge
you to go through account recovery procedures for your own online account(s),
and to see how far or successful you are with these.

Some time ago close friends lost access to their email account they'd had for
years with a very large Internet services provider. It turns out that the
password they'd been using was a poor choice -- I'll just say short, based on
a limited character set, and based on personal demographic information that
could be pretty easily guessed at, or simply brute-forced.

Oh, and they'd been a paying customer for years before the system switched
over to free, which meant that there were both credit card numbers and I
suspect street addresses on file. But the CCs had long since expired and been
retired.

After a few months, it became apparent that there was simply no way to recover
the address.

Which means that any accounts that _weren't_ notified were still sending to it
(think financial services, etc., as well as friends and other services tied to
it). And that the account could be used to send spam.

I've got a few friends whose Yahoo, Hotmail, AOL, and other accounts appear to
have been similarly compromised.

As I state below, the question "who are you" is a really difficult one to
answer. Google's Eric Schmidt stated early on that G+ was designed to be "an
identity service". In the sense of "we're going to use this to identify
exactly who you are in meatspace and stick with you no matter what" I've got
no interest in that.

But in the sense of "we want to be able to consistently and correctly provide
access to the self-described entity who should and has been using a particular
account", well, yeah, you could say I'm down with that.

And on that count, at least for the moment, the company is failing
spectacularly.

~~~
Vendan
I've done account recovery for my gmail account a few times without any
issues, and it's the main email for all my other accounts, so I can recover
them with no issue. Then again, I actually keep my recovery information
updated, so it takes about 2 minutes to recover my gmail account.

~~~
dredmorbius
Using what method(s)?

------
dredmorbius
And for those curious about the follow-up: account recovered, though with the
intercession of a Googler I know through G+.

That said, a very deep thanks to Yonatan for helping to get this sorted. I've
beaten him up a lot over disagreements on G+; he's always been the consummate
professional.

------
current_call
_Sorry, but you were accessing from a completely unknown IP address that they
cannot verify. What is to say the GPG private key hasn't been compromised?_

Nothing, but with that attitude, why even use GPG at all?