Saturday, August 20, 2011

Google, WTF?

I use Google for my online life, which as of late has been growing significantly over my conventional desktop-based computing.  Unfortunately, of late I have been getting more nervous regarding my online security and beginning to think twice about relying so much on Google specifically.

Last year, close to the middle of August, I took my laptop with me to a wedding in Maine and used it once on the last (full) day we were there to make sure I received the link for wedding pictures.  I did this from the motel's wireless and tried to make sure it was all done with HTTPS.  It was as short as possible on-and-off.

That week, I got a message that my account had been locked due to "suspicious activity" and spamming.  Yeah, I thought that motel was the culprit too.

Within the year since then, my account was locked again due to suspicious activity! Argh! On the plus side I found out about Google's 2-step authentication, which uses your cell phone for receiving the verification code, and immediately signed up.  It is a pain, though, considering I have 2 browsers on my main (stable) systems and am constantly refreshing the laptop with different or new Linux distributions (each time, connecting via browser to my account requires this verification code).

So, I thought I was safe. Little did I know that just this past week I would be locked out of my account again.  The browser would not accept my password for whatever reason!  It's easy enough to get by with the secret questions AND the verification code sent to my cell phone.  It would have been a lot sooner, too, if I hadn't forgotten my cell phone at home!

Getting back in was easy enough, and I reset my password to the same one it was before.  While I was looking in my email through the browser, I get a message that I have been logged out because somebody else was logged in!  WTF? So I went through getting access to my account again and this time changed the password immediately.  I haven't been kicked out since, but that is still scary and annoying!

I thought this 2-step verification system was to help prevent people from getting in!  Especially if when I went in, it should have booted them out just like I got booted out.  I admit, getting booted out was in part my fault for not changing the password to something new.

Now I am keeping in mind when and how I am connecting to the internet when away from home (probably should see what I can do about beefing up my home security as well). What is beginning to worry me is trying to figure out what programs installed on my systems are automatically sending my credentials over Wi-Fi to look for updates and/or run in the background.  I can understand Dropbox and UbuntuOne running when you log in to find out whether there are any updates, which requires credentials to pass. 

What about ChromeOS though, which relies so much on Google for logging in, email, documents, synchronizing extensions and apps, Google Talk and whatever else?  And in using Apps, does it really use HTTPS or just HTTP to connect?  I use the Secure Login Helper extension which supposedly tries HTTPS first for sites, but does this work for Apps?  Plus I removed as many extensions as I can and keep primarily Apps which are just glorified bookmarks and bookmark those that aren't direct links and removing them.

The internet is not some place for the Paranoid, but I didn't think I was so lax in security to warrant getting compromised 3 times in one year. Hearing there are security issues with Androids is making me cautiously watch Google's reaction to all of this.  Hopefully it is just a "growing-pain".

Anybody else get their account compromised lately?