I'd pay for that service.
I can imagine paying for a 'cloud watch' service that keeps an eye on all my online accounts and tells me if something odd is happening.
Agreed, this is another problem. However, I think that it also depends on who you think might be targeting you. I know that a few years ago, plenty of everyday non-technical folks "hacked" their ex-girlfriends' or boyfriends' accounts by doing a password reset with known details.
If the aim is to get notified of similar issues (e.g. my home laptop accessing during office hours), such a service could have merit.
Which is another reason why the IP-based approach works better.
An IP based check won't help you there. This canary would.
Suppose he uses http://googleblog.blogspot.com/2011/02/advanced-sign-in-secu... and has it remember the second authentication for 30 days (available from a checkbox). Then someone who has compromised his machine and has installed a keylogger can find his password, and log back in as him from that machine when he is not there. Two-factor has not saved you. Nor has the IP check.
And yes, you're right. If someone owns your personal machine you have a whole lot of other problems. This fact makes discovering that someone owns your machine more important, not less.
If any of the tools you mention were readily doable today, I fear we'd be so deep in trouble, no canary would help.
Seriously, most online security works only because the competent people have better things to do.
I wasted _days_ recently trying to track down code bugs that weren't there - a piece of Cisco gear that was in the client's network was running a standard configuration called SMTP Fixup which was deep packet inspecting and rewriting the "250-STARTTLS" capability responses and passing them on as "250-XXXXXXXA" on the fly. It took me way longer than it should have to debug, partly 'cause I started looking in the wrong place, but largely because most of the testing we did was with mail clients that were perfectly happy to transfer mail unencrypted when the STARTTLS capability wasn't announced.
Anybody MITMing you in Starbucks could easily do the same.
A little bit of thinking with my "evil hat" on leads me to believe a similar protocol aware packet inspection/modification tool could easily rewrite webpages on the fly, looking for links to common service login forms and rewrite appropriate links and form actions to be http instead of https...
Maybe an appropriately paranoid way to set up this sort of canary is to have all your mobile (i.e., non-fixed IP address) devices use a VPN into a trusted and well secured host?
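A check for the STARTTLS masking described in the comment above, as an added example that is not the commenter's code: it parses an EHLO reply and distinguishes "STARTTLS offered" from "a capability keyword arrived as a run of X's" (something in the path rewrote it) and "not offered at all". The EHLO replies are constructed; the live `probe` helper uses Python's standard `smtplib` and is not exercised offline.

```python
import re
import smtplib

# Constructed EHLO replies. MASKED_EHLO is what a client sees when an in-path device
# has X'd out the STARTTLS capability; CLEAN_EHLO is the same server seen directly.
MASKED_EHLO = """\
250-mail.example.net Hello [192.0.2.10]
250-SIZE 52428800
250-XXXXXXXA
250-AUTH PLAIN LOGIN
250 HELP"""

CLEAN_EHLO = MASKED_EHLO.replace("XXXXXXXA", "STARTTLS")

PREFIX_RE = re.compile(r"^250[- ]")        # present on the wire, absent in smtplib.ehlo_resp
MASK_RE = re.compile(r"^X{5,}[A-Z0-9]?$")  # a keyword overwritten with X's in transit

def parse_ehlo(text):
    """Return the capability lines of an EHLO reply, with the greeting line dropped.
    Accepts both raw '250-' prefixed lines and smtplib's already-stripped ehlo_resp."""
    caps = [PREFIX_RE.sub("", l.strip()) for l in text.splitlines() if l.strip()]
    return caps[1:]

def assess(caps):
    """'tls-offered' if STARTTLS is advertised, 'tls-masked' if a capability keyword
    arrived as a run of X's (something rewrote it), otherwise 'no-tls'."""
    keywords = [c.split()[0].upper() for c in caps if c]
    if "STARTTLS" in keywords:
        return "tls-offered"
    if any(MASK_RE.match(k) for k in keywords):
        return "tls-masked"
    return "no-tls"

def probe(host, port=25, timeout=10):
    """Live version (not exercised offline): ask the server and classify its reply.
    Anything but 'tls-offered' means a client must not send credentials on this path."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        caps = parse_ehlo(s.ehlo_resp.decode("latin-1"))
    return assess(caps)
```

A mail client that treats "no-tls" and "tls-masked" as a hard stop rather than falling back to plaintext would have turned the days of debugging into a single clear error.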
That already exists in the form of sslstrip: http://www.thoughtcrime.org/software/sslstrip/
1) Rummage through your emails with image loading turned on
2) At least at a minimum be behind a service such as Tor.
so uhhh, I guess this is a good idea for alerting you, if that is you are un/lucky enough to get 'hacked' by those that ignore the previous two points.
It sounds too much like the No True Scotsman Fallacy for me to take it too seriously.
Initial hack->Gains credentials->Pull down everything imap/pop->Load that shit into thunderbird on a dedicated vm->And we're away
You pulled a statement about behaviour out of thin air, and it won't hold up to scrutiny. Now it's being scrutinised, you are dodging it.
1) What percentage of all hackers count as "hackers with a brain"?
2) How do you know most or all "hackers with a brain" would not be caught by this, without generalising from your example of one (you)?
3) Since both of the above are unknown, how can you use those as arguments to justify this being an ineffective precaution?
Why does the most obvious and logical course of events require justification? "Most hackers breathe constantly." "Do you have data to support that?"
Maybe you're right. Maybe this "canary" is extremely effective. Maybe everyone who makes a living by breaking security also happens to be dumb enough that they fail to take the most basic precautions to protect themselves.
Even if that's true, there are still more effective solutions that should be used instead of this "canary".
Obviously because what you've written is non-obvious ;)
Enough people "hack" by using simple password-reset forms. Whilst I have no doubt that there are plenty of worryingly-competent hackers out there, I'd bet that there are also lots of less competent hackers. Taking this through to its logical conclusion: I'd rather know about some of them than give up and know about none of them.
It doesn't. Your claim does.
The easiest way to "hack" is to install a script and run it, e.g. a traffic sniffer, a wifi encryption breaker, Firesheep, or any one of many vulnerability scan/exploiters. Or to look over someone's shoulder as they type a password in, or to walk up when they step away from their computer for a moment. None of that needs any hacking chops or brains. Most exploits by volume are going to be like these because these are easiest.
The next most easy way is to do phishing scams; it needs some chops to fake login forms and bulk email, but it's not massively complex.
The hardest way is to understand and find flaws in a system and then exploit them. This is likely to be most successful, but due to the knowledge, effort and skill and sustained interest required, to be the least common by volume.
And then above that, people who do the last one "for a living".
A canary that squawks against "I made a mistake and some opportunist got into my email" is more likely to go off, and more likely to be useful, than a canary that squawks against "a skilled hacker targeted me and got through Google's security".
Metalfrog's claim is that it is more likely that a real hacker would get in, be taking precautions against honeypots, and the canary would be useless. I think it much more likely that an opportunist would be getting in and a skilled hacker targeting something more important instead, and that the canary stands a slim chance of being useful instead of zero chance.
Well, I don't doubt that.
I'm just wondering how well "what I would do" generalizes, here.
2. is not quite relevant. I'd say the idea is to know that someone has accessed the email. Not who. As long as you can be sure that it's not yourself, something bad is happening anyway.
Not so sure that would work. You'd have to first get the guy who stole your email account to install a custom browser extension.
Edit: "If you've lost access to both your primary and backup phones, you can use one of your recorded backup codes in place of your verification code." from http://www.google.com/support/accounts/bin/static.py?page=gu...
Many toolkits exist (no, I'm not going to link to them) where you just feed in a list of usernames and passwords for popular email systems and they go harvesting, usually via IMAP.
It also decreased friction in the sign up process - no need to enter a name, email address, etc. Was built before Facebook allowed applications to access a phone number, or I would have added that too.
Or if you don't want the overhead of a browser, a somewhat more tricky way is to do it once yourself and record the traffic using a plugin, and repeat that in a script... (but this might require some reverse engineering work on the client-side JS if there are fields like one-time tokens)
That would be really inconvenient if you wanted to check it from elsewhere...
Let's say I get an alert on my iPhone but I'm 30 mins from getting to my laptop.
How would you stop them from recovering your DropBox or VPS console password?
I have thought about the security issues with gmail, especially for mobile devices (they can be easily stolen).
It would be really REALLY great if Google offered several account access levels - I could use a 'read only' account for my mobile device, which could also only give me access to the last 1 hour of emails for example, and separate account access for use with 3rd party services (facebook, gtalk apps etc)
I would DEFINITELY use a feature like this.
EDIT: I'm wrong as pointed out by others in the replies below.
I suppose an attacker could bypass this method by turning off images in their browser though.
His canary is a mail that has already been opened, so the attacker assumes he can look at it harmlessly.
Something like SpamBayes but trained for account related emails from the popular services and banks.
I operate on the opposite principle: there is nothing sensitive in my email account. When it arrives, it is actioned and disposed of (properly) immediately.
I am not sentimental and do not keep every email "just in case" as I do not remember 99.9% of telephone conversations I've had.
What about "important" emails in your inbox that you have not yet had a chance to take action on? Can you be taking action on your email 24 hours a day?
I use Vim Outliner for task management.
I automate everything.
My mail comes directly into a Debian box running postfix on the end of my ADSL line.
new-alias: Echoes the alias onto the end of /etc/aliases, then runs newaliases.
kill-alias: Use sed to remove the line that matches the alias and run newaliases.
Nice thing about this system is that I can immediately tell where spammers got my email address and shut it off. Also, any email that comes in that doesn't contain a SECRETKEY gets ignored, so I don't have to worry about spammers sending to email@example.com and firstname.lastname@example.org.
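The new-alias / kill-alias scripts and the SECRETKEY filter described above, reworked as an added Python example (not the commenter's own scripts). The aliases text is constructed in Postfix `/etc/aliases` format, the tag is assumed to be the literal `SECRETKEY`, and `update_file` is the only part that touches a real file and runs `newaliases`.

```python
import subprocess

# Constructed aliases file in Postfix /etc/aliases format (not the commenter's real file).
# The tag is assumed to be the literal SECRETKEY; the real one is naturally not on the page.
SECRET = "SECRETKEY"
SAMPLE_ALIASES = """\
postmaster: root
shop-SECRETKEY: me
news-SECRETKEY: me
"""

def add_alias(text, alias, target="me"):
    """new-alias: append 'alias: target' unless that alias already exists."""
    existing = {l.split(":")[0] for l in text.splitlines() if ":" in l}
    if alias in existing:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{alias}: {target}\n"

def kill_alias(text, alias):
    """kill-alias: drop the line whose left-hand side is exactly `alias`."""
    keep = [l for l in text.splitlines() if l.split(":")[0] != alias]
    return "".join(k + "\n" for k in keep)

def route(local_part, text):
    """Decide what happens to mail for <local_part>@domain under the scheme described:
    no secret tag -> ignored, unknown alias -> ignored, otherwise delivered to its target.
    The alias name itself records who the address was handed to (where a leak came from)."""
    if SECRET not in local_part:
        return ("reject", "no-secret")
    for l in text.splitlines():
        name, _, target = l.partition(":")
        if name.strip() == local_part:
            return ("deliver", target.strip())
    return ("reject", "unknown-alias")

def update_file(path, fn, *args):
    """File wrapper for the two scripts: rewrite the aliases file, then rebuild the
    alias database as the original scripts do by running newaliases."""
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(fn(text, *args))
    subprocess.run(["newaliases"], check=True)
```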