93 thoughts on “Gmail team, you out there?”

  1. @41, I completely agree with you. After trying this out myself to see what it would be like if I got hacked, I passed along similar sentiments as feedback.

    Kamal Jain, I don’t think David’s desire for a job at Google is a secret; he’s registered http://www.nextgoogleceo.com/
    to make his case. I certainly didn’t intend to convey anything other than that I’d submitted his resume on his behalf. BTW, if you’re a junkie for all things David Dalka, he’ll be doing a speech at eComXpo:
    http://daviddalka.com/createvalue/2006/10/17/my-speech-at-ecomxpo-now-has-a-contest/

    @42, but we should try pretty hard to handle the common cases. Forgetting a password is one, and having an account stolen is another. I personally think Google does pretty well on the former, but could improve on the latter.

  3. Who watches the watchers.

    Passwords as a secure system are flawed by design.
    Even in secure systems, I have seen people laugh at the IT people trying to implement security through passwords. Users have shown me elaborate systems of passwords that must be changed every two weeks on several systems. The same people then proceeded to show me the cheat sheets with the passwords taped under desks or in books, sheets kept in wallets etc. etc. The IT people in an attempt to try to teach the folks a lesson would send out love notes/emails to the boss from unattended computers. Funny people.

    Even computer access cards do not work when the operator gets up to take a pee or when they go for coffee without logging off or pulling the card. The best system I have seen was a (FORD) laptop system, which required both a password and a prox key.

    An even better system would be a dual piece system that has a five to ten foot range. A two-piece system would allow you to walk away from your machine without locking the system down. Auto-lock would occur when you exceeded the range of the keys.

    Instead of constantly changing the passwords, the user would have a new key issued by the security managers at a frequency TBD by security.

    High security areas could also have blackout screens, which would be active whenever an unauthorized key enters a zone of higher-level security. The technology exists; it only needs to be addressed from the level of the user instead of the paranoid view of IT folks that are providing what is viewed by many as a false security system.

    Everyone wants a secure system. No one yet has been able to come up with a viable system.

    Email compromise can occur with shoulder peekers, etc. The old saying “locks only keep honest people honest” holds true for passwords. Real hackers/thieves can find ways around all systems.

    Just a thought.

  5. Matt @39,

    And what use is setting an alternate email address, or a security question, if they can both be changed by anyone with access to the account? That may help the forgetful, but not those who have lost control of their accounts, like me.

    FWIW, eBay seems to do much the same thing, but keeps a record of all the alternate email addresses you have ever provided for the account, even if you change them. Seems reasonable to me…
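
The idea in the comment above, keeping every recovery address ever set rather than only the current one, is the kind of control that makes a recovery-contact change by an intruder survivable. The following is an added illustration written for this page; it is not eBay's or Google's code and the data model, the seven-day grace period, and the sample addresses are all assumptions. It shows an append-only history of recovery-address changes, a warning sent to the replaced address, and a recovery check that still honours an address removed within the grace window.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Hypothetical policy value (an assumption, not from the thread): how long a
# previous recovery address stays usable after it has been replaced.
GRACE_PERIOD = timedelta(days=7)


@dataclass
class RecoveryChange:
    """One entry in the append-only history of recovery-address changes."""
    old_email: Optional[str]
    new_email: str
    changed_at: datetime


@dataclass
class Account:
    username: str
    recovery_email: Optional[str] = None
    history: List[RecoveryChange] = field(default_factory=list)
    # (recipient, message) pairs that a real system would send as e-mail.
    notifications: List[Tuple[str, str]] = field(default_factory=list)


def set_recovery_email(acct: Account, new_email: str, now: datetime) -> Optional[str]:
    """Change the recovery address, but never forget the previous one.

    The old address is recorded in the history and warned about the change,
    so the legitimate owner still learns about (and can undo) a change made
    by whoever is currently holding the session.
    """
    old = acct.recovery_email
    acct.history.append(RecoveryChange(old, new_email, now))
    acct.recovery_email = new_email
    if old is not None and old != new_email:
        acct.notifications.append(
            (old, f"Recovery address for {acct.username} was changed to {new_email} "
                  f"at {now.isoformat()}. If this was not you, start recovery within "
                  f"{GRACE_PERIOD.days} days.")
        )
    return old


def eligible_recovery_addresses(acct: Account, now: datetime) -> Set[str]:
    """Current address plus every address replaced within GRACE_PERIOD."""
    eligible: Set[str] = set()
    if acct.recovery_email is not None:
        eligible.add(acct.recovery_email)
    for change in acct.history:
        if change.old_email is not None and now - change.changed_at <= GRACE_PERIOD:
            eligible.add(change.old_email)
    return eligible


def can_recover_via(acct: Account, claimed_email: str, now: datetime) -> bool:
    """Would a recovery request proving control of claimed_email be accepted?"""
    return claimed_email in eligible_recovery_addresses(acct, now)


def takeover_scenario() -> Tuple[bool, bool, bool]:
    """Constructed scenario: the owner sets a recovery address, someone holding
    the session replaces it, and the owner tries to recover one day later and
    again after the grace period has expired."""
    t0 = datetime(2006, 10, 1, tzinfo=timezone.utc)
    acct = Account("example-user")
    set_recovery_email(acct, "owner@example.com", t0)
    # Whoever holds the live session swaps in a different address 30 days later.
    set_recovery_email(acct, "other@example.net", t0 + timedelta(days=30))
    owner_day_after = can_recover_via(acct, "owner@example.com", t0 + timedelta(days=31))
    owner_too_late = can_recover_via(acct, "owner@example.com", t0 + timedelta(days=40))
    owner_was_warned = any(r == "owner@example.com" for r, _ in acct.notifications)
    return owner_day_after, owner_too_late, owner_was_warned


if __name__ == "__main__":
    print(takeover_scenario())  # → (True, False, True)
```

The design choice here is that changing the recovery address is not allowed to be a silent, instant lock-out: the previous address keeps its recovery rights for a bounded window and is told what happened, which is exactly the case the comment says a plain "alternate email" field fails to cover. A real deployment would also want the grace window applied to security-question changes and to the primary password.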

  7. Matt, is it common knowledge that David Dalka had been considered by Google recruiters who thought he was not a good enough match?

    I did not know this. Even if this is common knowledge, this has nothing to do with the discussion here. And I think such facts should be kept internal to Google and shared with the subject in private instead of publicly disclosing them. This is private information and somebody’s dignity could be sensitive to it.

  9. @4, I agree that’s a different subject. I submitted your resume in our recruiting system; if the folks that handle hiring didn’t think you were a good match, then that’s their call.

    Looking into this, several people mention both their Gmail and Ebay/Paypal passwords being hacked at the same time. That sounds like phishing or a virus/trojan to me.

    Gmail provides the ability to set an alternate/backup email address; see here for how to do that:
    http://mail.google.com/support/bin/answer.py?answer=6566

    And you can choose a security question (or write your own). If someone doesn’t give either a backup email address or a security question, it is a harder issue to investigate whether someone is who they say they are.

  11. Rebellin Woman had her PayPal account hacked, which had the same password as Gmail. Google safety features were never breached. I appreciate everyone has too many accounts to use different passwords, but having a different one for your bank and for the place where you store everything, that sounds like the bare minimum to me.

    As they cannot look into your mail (for both legal and technical reasons) there was no way to get out of there, except close the account: taking four days to make such a big decision, and to be sure the account was actually hacked and not just experiencing security issues, that doesn’t seem much to me.

    Now the question is: should a mail provider, offering life-long archive, keep an access to your mail?
    I’d rather not.

    Kamal: the problem I have seen the most is a computer completely stuck (hence no way to surf or mail) with a non-existent hotline. Those lucky to have a friend writing on behalf of them received a reply that they were not entitled to spend someone else’s assistance allowance.

  13. Holy smokes, I made the Scobelizer blog?! WOW! Thanks for posting my issue. Google finally shut down my account after 4 days of no response, but said that they couldn’t verify my identity so I would not be allowed access to the account again. I still firmly believe that a 4 day response time is unacceptable when it comes to the security of my personal data, AND, it is crap that they won’t give me a chance to prove my identity with official documentation. I understand they’re busy, but they shouldn’t have launched this product if they couldn’t support it. Yes, it’s free, but they’re selling ad space on our accounts!

    So now I’m wondering where I should set up my new primary email account. Any suggestions?

  15. bertilhatt,

    One of the solutions I know of could be the ability for users to provide a PKI digital certificate to be used for login (or password recovery).
    So users who are using two-factor authentication (like eToken http://www.aladdin.com/eToken/default.asp or iKey http://www.safenet-inc.com/products/tokens/iKey1000.asp) can rely on it to keep their private information really private.

    With Google for Domains – there are expected to be more users than simply moms and dads sending “I miss you so much” emails. Stealing a domain administrator’s password can be a huge disaster for an entire company/campus.

  17. bertilhatt @25. Your point is well taken. You would not find any special form on Hotmail to report ID theft. I am not sure if there is any. ID theft is a big issue. Microsoft even allows you to contact them for any customer service issue, big or small. Follow the “help” button. You may get the majority of problems solved there. If not, then press the “more help” button. It will take you to a form. That’s what my wife did and she got a human response shortly after the auto response. BTW, do you know what the latest acquisition (Colloquis) of Microsoft does — it gives a platform to solve customer service issues more effectively.

    And why do your friends and family not find the same experience with Microsoft as I do? The reason is that Microsoft provides a much more complicated service (a general purpose computing environment rather than a special purpose service). But here we are talking about the business philosophy. Microsoft tries to cover users even if it is a user (or hacker) generated problem.

    An online service need not be any more complicated than, let us say, serving coffee at Starbucks. Both of them are atomic products. If you have an issue with Starbucks coffee, I am sure Starbucks would like to help instead of blaming your taste buds.

    If you try to create a little bit more complicated online service, then an offline analogue could be a fancy restaurant. You do not care at a restaurant whether the chef has a PhD or not as long as you are getting tasty food. In many restaurants, if you have a question about food quality, the chef may even be willing to come and see you. Sure, a restaurant has a small number of customers to deal with. But then a restaurant has only a small amount of resources too.

    Bottom line, an online service must work as a black box for a customer. It should not matter whether it is a human or an automaton on the other end.

  19. I had the exact same experience in July of this year. I’m not convinced it was a hack, by the way. Google will lock down accounts that are accessed by multiple machines in a close time span, or if GMail notifier is running when Google Desktop is running, etc. In my case, I accessed GMail from a Cingular phone right before it was locked down. When they got around to responding, it was fixed right away.

    It seems like this starts happening right around the time that they roll out new stuff (like their spreadsheet/Writely combo).

    After I got it sorted out I created a second email box on another freemail service and set Gmail to send a copy of all of my sent and received mail to it, because the most frustrating part of the whole experience was this: The information I needed to unlock the account was in my GMail account. Since I got GMail via a cellphone invitation, that code was long gone and so I couldn’t provide the information Google required to reset my password.

    DnW

Comments are closed.