Full Disclosure mailing list archives

Re: Yahoo recommends you write down account information


From: mis () seiden com
Date: Thu, 16 Mar 2006 11:29:52 -0800

[previous commentary on the wisdom of printing out 
account recovery details deleted]


On Thu, Mar 16, 2006 at 12:20:07AM -0500, Valdis.Kletnieks () vt edu wrote:
> On Wed, 15 Mar 2006 21:02:17 PST, bigdaddyzeroday () hush ai said:
> > So break into house steal print out then reset password?  Go take 
> > school kid.
>
> Well... that's basically what the FBI did to Scarfo.  Although it was
> quite a bit more complicated black-bag job than system_outage is talking about.
>
> http://www.epic.org/crypto/scarfo.html

not exactly.  but after all that trouble what did they find out was the wiseguy's
pgp passphrase?

his father's federal prison number.   not exactly a secret either.

if the govt wanted the contents of your yahoo account, they have to
produce the right piece of paper, but it isn't this one.

because this piece of paper is not equivalent to KNOWING the password,
as it only gives you the power to access the account by CHANGING the
password (and the zipcode).

which definitely clues in the true account owner that
they can no longer use (and possibly recover) their account.

(with the actual password, you can use the account without the true
account owner's knowledge).

the real reason they suggest printing it is for people's
convenience, not to deliberately reduce their security.

a certain number of people lie about their birthdate and zipcode, or
they forget just what they lied about, or move from place to
place and forget where they lived when they registered, 
and they don't have a working alternate email address.

so when they finally forget their password, they can't recover their
account (easily anyway).  

another problem is people who get phished (or their accounts
brute-forced) thinking "oh, i must have lied about something when i
registered".  that piece of paper actually helps them realize they
must have had their account taken over.

so maybe the advice on the registration acknowledgement should say:

        "many ordinary people may find it convenient to print this screen
        to help you remember what you told us in case you lose your password
        or someone takes over your account.

        particularly if you lied about anything shown here!

        but depending on 
        - how much you think people are out to get you
        - what you think the value of your yahoo-resident information will be some
        indefinite time in the future 
        - if you live in a sod hut in the north of england or a paper-walled
        house in kyoto,
        - whether you'll be able to find the piece of paper in the distant future

        you might take additional precautions like 
        - locking this piece of paper in a bank vault or 
        - printing it to pdf and pgp encrypting it 

        or 
        - not printing it in the first place."

of course, n3td3v is certain he KNOWS what the right level of security
is for ALL of the hundreds of millions of yahoo users because printing
stuff on paper is ALWAYS bad.  (unless you're a librarian, of course).

sigh.
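The distinction drawn above between KNOWING the password (silent access) and holding the printed registration details (access only by resetting the password, which the owner will notice), as an added example that is not part of the original post or of Yahoo's systems. The toy account store, the PBKDF2 parameters and the sample registration details are assumptions made for the demonstration:

```python
"""Toy model of the two ways into a web-mail account the post contrasts.

Added example, not from the original post or Yahoo's systems. Assumed:
an account store holding a salted password hash plus the registration
attributes (birthdate, zipcode) a recovery form would check.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumed parameter, not from the post


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    birthdate: str
    zipcode: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""

    def set_password(self, password: str) -> None:
        self.pw_hash = _hash(password, self.salt)

    def login(self, password: str) -> bool:
        # Knowing the password gives silent access: nothing about the
        # account changes, so the true owner's next login still works.
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def recover(self, birthdate: str, zipcode: str,
                new_password: str, new_zipcode: Optional[str] = None) -> bool:
        # The recovery path never reveals the old password; it only lets
        # whoever proves the registration details replace it (and the zip).
        if not (hmac.compare_digest(birthdate, self.birthdate)
                and hmac.compare_digest(zipcode, self.zipcode)):
            return False
        self.set_password(new_password)
        if new_zipcode is not None:
            self.zipcode = new_zipcode
        return True


# Constructed sample data for the two scenarios (not real accounts).
OWNER_PW = "correct horse battery staple"
PRINTOUT = {"birthdate": "1970-01-01", "zipcode": "94089"}  # the printed sheet


def _fresh_account() -> Account:
    acct = Account(**PRINTOUT)
    acct.set_password(OWNER_PW)
    return acct


def scenario_stolen_password() -> dict:
    """Attacker phished or brute-forced the password itself."""
    acct = _fresh_account()
    attacker_in = acct.login(OWNER_PW)
    owner_still_in = acct.login(OWNER_PW)  # unchanged, so nothing to notice
    return {"attacker_in": attacker_in, "owner_notices": not owner_still_in}


def scenario_stolen_printout(change_zip: bool) -> dict:
    """Attacker has the printed registration details, not the password."""
    acct = _fresh_account()
    reset_ok = acct.recover(PRINTOUT["birthdate"], PRINTOUT["zipcode"],
                            "attacker-chosen", "00000" if change_zip else None)
    attacker_in = reset_ok and acct.login("attacker-chosen")
    owner_still_in = acct.login(OWNER_PW)  # old password now fails
    # Owner tries the same recovery path with their own copy of the sheet;
    # this only works if the attacker did not also change the zipcode.
    owner_can_recover = acct.recover(PRINTOUT["birthdate"], PRINTOUT["zipcode"],
                                     "owner-new-password")
    return {"attacker_in": attacker_in,
            "owner_notices": not owner_still_in,
            "owner_can_recover": owner_can_recover}


if __name__ == "__main__":
    print("stolen password:", scenario_stolen_password())
    print("stolen printout:", scenario_stolen_printout(change_zip=False))
    print("stolen printout + zip change:", scenario_stolen_printout(change_zip=True))
```

The point the model makes concrete: the recovery form is a write-only path. It can install a new credential but never discloses the old one, so its use is visible to the owner at the next login, and only when the attacker also rewrites the zipcode does the owner lose the recovery path as well.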







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/