Tuesday, September 14, 2010

After the hack: A disposable Google Identity

Aside from the tedious task of reviewing and upgrading a large number of passwords, the biggest change I've made after my Google account was hacked is that I no longer enter my important credentials on untrusted devices. That includes any machine that lives in the virus- and Trojan-infested world of the XP-based American corporation.

This is a bit of a pain. It would be less of a pain if my iPhone had a keyboard [1] and could drive an external display, but that's a few years away.

For now I'm taking a two step approach when I work with devices I don't control (non-OS X/iOS).
  1. Using email as a transaction source.
  2. Creating a disposable alter ego - a full gmail identity with limited privileges.
There's a lot of typing work I can do using email to "secret" addresses. I can mail tasks to Toodledo which in turn sync to Appigo's ToDo.app on my iPhone. I can mail drafts or posts to Blogger. I can mail invitations to my Gmail address that will turn into Calendar invites. I can't (yet) mail to Reader Shared Notes, but there are workarounds [2].

Of course a keystroke logger will capture these addresses, but there's no money in abusing these and the damage potential is pretty small.

The second task will be much easier when Google finishes the big project of integrating Google App identities with the Gmail/Google Account infrastructure. When that's done it will be easy to create disposable identities with shared access to calendar and contacts. That's many months away however, and based on some early testing a standard Google App account isn't quite good enough.

So for now I created a full Gmail account to serve as a disposable identity. It will have access to our family calendars and will have read/write (but not admin) access to my blogs but minimal access to Contacts. If I lose control of that account, I'll remove its privileges and walk away.

Annoying new world!

[1] I'm hoping to buy a keyboard like the one I used to use with my Palm Vx ten years ago, but I get the sense manufacturers are waiting for iOS 4.2.
[2] I mail to buzz.kateva.org, which I follow in Reader. I Google Reader share from there.


Anonymous said...

Here's a simple trick to mitigate the risk of entering passwords on untrusted devices.

As you're entering your password, in a couple of places in the middle of your password, click outside the password box and type a few random chars. Then go back and continue typing your password. To a keylogger it will look like the entire string of chars (including the gibberish) is your password.

JGF said...

Nice trick! New to me.