
I love how Google's response is akin to "well, if the password is compromised...anything is possible" logic and tagged as won't fix. Facebook and Linkedin of all people immediately triaged and started fixing the issue.

Unacceptable response from a company promoting its services as identity and communication platforms.

That's a backwards and false reading.

1. Google said that if your telco is insecure, you are insecure. If you knowingly choose to use an insecure telco for sensitive communications, you can't expect every system to refuse to communicate with you.

2. From the article, Google already offers a secure 2FA, in fact Google invented and open sourced it! Do FB and LI even offer a secure 2FA at all?

> disable 2FA on Google via texts or phone calls, and enable Google Authenticator based 2FA

Yes, you can use 2FA with Facebook... via Google Authenticator. :) They also support SMS but you should really use Authenticator or equivalent.

Well, they didn't exactly invent the secure 2FA; it has been an RFC for a while.

Agreed. Google is usually very good with security fixes, so it's surprising that they're basically filing this as a non-issue.

They're right that it isn't exactly a flaw in their systems, but they still have a relatively simple way of mitigating attacks against the telcos' security.

Like that one time when Google discovered and fixed the Heartbleed bug before anyone else did:


We did not file this as a non-issue. We clearly replied we filed a bug internally and are investigating defense options... Also see https://news.ycombinator.com/item?id=7761372

I disagree, it is a flaw in their system, because they make the assumption that an aspect of the telephone system is secure when it's not.

The user makes that assumption. Google offers and promotes Authenticator for users who want a secure connection.

I submit that a negligible proportion of users is aware that voicemail may be used as a factor, so they're not actively making that assumption. I would say it's Google's responsibility to protect users from the many insecure voicemail systems of telcos, since extra security is the whole point of enabling 2FA.

Google is gradually becoming the kind of company they used to say they were not.

Becoming? Their support has always been terrible; it always felt like a «we have one genius engineer per two million of the likes of you, do you really think we're gonna bother?» mentality.

This is not customer-facing "read this script" support, though. This is "serious bug/security flaw" respond-to-this-so-your-customers-don't-get-screwed triage. They definitely used to respond to this type of thing a lot better.

They have been that company for a long, long time.

I've always thought that the "Don't be Evil" mantra/motto/whatever is akin to people in denial telling themselves that they are "good people".

If you need a rule to tell you not to be evil, you're definitely not good people.

I don't agree with that. It's a statement that sets the company's policy. While obvious that people should not be "evil", a company motto setting it explicitly to be good is a welcome thing. Of course, Google is no longer that company, and they removed that policy statement after it became a mocking tool for critics.

Google is and always has been downright hostile to anything that comes from outside Google.

What a pathetic response (from Google)

This crappy reaction to any form of customer communications will be the eventual ruin of Google.

Their customer support may be bad, but their developer support is far worse.

If your application is ever suspended from Google Play, you will be greeted with a message directing you to an appeal form which lets you enter a maximum of 1000 characters to make your case. This is without having an exact idea of the reason your application was suspended in the first place. You are also advised that you may not ask any questions about why you have been suspended, or else they will not reply to your appeal.

A few hours later you will invariably receive the following email:


    We have reviewed your appeal and will not be reinstating
    your app. This decision is final and we will not be
    responding to any additional emails regarding this removal.

    If your account is still in good standing and the nature of
    your app allows for republishing you may consider releasing
    a new, policy compliant version of your app to Google Play
    under a new package name. We are unable to comment further
    on the specific policy basis for this removal or provide
    guidance on bringing future versions of your app into policy
    compliance. Instead, please reference the REASON FOR REMOVAL
    in the initial notification email from Google Play.
    Please note that additional violations may result in a
    suspension of your Google Play Developer account.


* http://www.bytesinarow.com/2014/04/skyrim-alchemy-advisor-pr...

* http://blog.hutber.com/how-my-google-devlopers-account-got-t...

* http://arduinodroid.blogspot.de/2014/03/arduinodroid-is-temp...


AdWords customers like me (spending at some point several 100.000 Euro/year) are eternally grateful that they actually bothered to implement an appeal form after many years. We got locked out for more than a year with no way to contact anyone responsible (in good tradition of other Google services, I presume) and thus no way to appeal. Once the form got added, we got the lock removed within days ... What are you Android developers complaining about! </cynical>

Thanks for sharing. So screw the Play Store then.

I wonder how long this can continue. At some point, one of those big walled garden providers will run head-on into EU law with this kind of behaviour. If you hold control over a significant part of a market, the law will eventually (and hopefully) step in and prevent you from playing God.

The Play Store is not a walled garden - you can easily install apps on your phone without it (unlike the Apple Store, which is, and where you can't).

I wonder if the app store or play store will ever be considered to have control over a significant part though. I imagine Apple would argue nope on the grounds of smaller market share/install base, Google on the grounds of a smaller revenue share.

With Google you're lucky to get any reaction at all. Security issues are one of the few things where you can actually still get a response from a human being.

It feels like he got someone who didn't understand the full implications of the issue. Or did understand but didn't understand why it would be such an issue.

It seems the bigger the company the more likely that you will get a front line response that doesn't really grasp what you are raising.

The article says 'hence the best solution to fix this temporarily is to disable 2FA on Google via texts or phone calls, and enable Google Authenticator based 2FA, if you think your telco may be vulnerable.' I suppose you would also need to remove any 'backup' phone numbers, or the attacker could request a 2FA code to them?

Actually, I find it amazing that people still consider phone calls and SMS messages as trusted channels.

I fought long and hard with my bank to avoid using SMS one-time codes to confirm transactions, and I lost (stayed on paper lists of one-time codes as long as I could).
