79 comments

[ 2.9 ms ] story [ 154 ms ] thread
Hate to be that guy, but in About Us you have a minor typo; "Having one of your online accounts hacked and loosing all your.." should read; "Having one of your online accounts hacked and losing all your.."
Thanks. I'll fix it :-)
It could have been intentional, I think, in this context.

Very unlikely, of course, but I think it reads properly with "loosing."

Is it open source? How does it work?

This info is kind of important if you are posting on HN!

LogDog is not open source. It works by polling services periodically for information about user activity, establishing a baseline profile and then looking for usage anomalies.
Could you elaborate a bit on some of the things you're checking for as signs of "suspicious activity"?

I ask because I receive warning emails on occasion from Gmail ever since I started routing all of my data through a rotating-server VPN. I imagine LogDog might send similar emails, which is not necessarily a bad thing--I'm just curious exactly what else you're monitoring other than suspicious IP/geolocation.

LogDog monitors multiple parameters and will not send you alerts just because your VPN changes IPs. We establish a usage profile and only alert on significant anomalies.
And, again, what would be an example of an "anomaly", other than an IP address from India suddenly signing in?
Well... I think most people would agree that does seem like the kind of anomaly that would justify an alert. Just because they don't have some kind of cutting-edge AI to detect hackers doesn't mean that the service is useless.
A strange IP, signing in at early morning hours when you usually don't, using a different browser, different OS, different language config, different browser plugins, running through all your email folders... THAT would be suspicious all together, most of them are not by themselves.

I understand that URB doesn't want to reveal all they do. It's the same way AV companies do not reveal how the develop all their signatures.

Everyone crying "you should reveal all your secrets, otherwise you're doing security through obscurity" do not get it. It's not secret because of security concerns, but for competitive advantage against other companies in the field. Why aren't we asking FireEye, Mandiant, CloudFlare, Incapsula or any of the other supercool security company what are they parameters for behavioural detection? Do we feel we have a superior moral stance against LogDog because we don't know them?

So to protect myself I have to give out ALL my credentials to this new app? No thanks.
Your credentials stay on your phone (where you already have most of your passwords). They are never sent to LogDog servers.
Well that's reassuring. It's not obvious from scanning the first page that this is how it works and will potentially scare away users. So I guess then it only works if I have a reliable internet connection and my battery doesn't run out.

Do you know how battery/network heavy logdog is?

We keep battery consumption <1% and compress all data traffic.
>We keep battery consumption <1%

What does that even mean? 1% per hour? per day? 1% of your phone's battery? of my phone's battery?

Meaningless statements like the one quoted do not inspire confidence in you or your product.

Android settings -> General -> Battery. Power consumption divided by Android into percent per app
I don't know the situation with your wife's email... but if she had a poor enough password that it was easy enough to hack OR if she didn't update her password after heartbleed etc., then why do you think she will be proactive enough to use LogDog?

(Obviously she will, because she's your wife, but the question is if people aren't proactive to keep their accounts safe, will they be proactive enough to use your service?)

That's the thing... It's easier for people to download an app than to keep up-to-date on security events and proactively update to higher entropy passwords.
It's far, far more likely that she was phished or that she used the same password on a site that was compromised than that her email password was guessed or sniffed. (edit: of course, this is a general comment rather than any comment specific to OP's wife!)
I don't understand how it works or could possibly work. How is your app going to detect that someone is accessing one of my accounts from Israel, as indicated in your screenshot?

Do you have software running on google's servers so that it knows what IP addresses are accessing gmail/evernote/one of the other services and can geolocate? (Obviously not). So how is this supposed to work?

If you scroll to the bottom in Gmail you can see a "Last account activity: 1 hour ago: Details" link. If you click that you can see everyone who logged on.
As far as I know, there's no official API to access this data. And that data definitely isn't available for all the services regardless.
Good point. So they're repeatedly logging into your Gmail account and scraping the text from the page? Not a very elegant solution but I guess it works.
Sorry if I'm going to sound a little childish but...

What if my LogDog is hacked? What kind of thing will the attacker be able to do with whatever LogDog has about my accounts everywhere?

LogDog does not save account credentials. They are kept only on the device and are never sent to our servers. The servers only keep anonymous data. There is nothing to hack.
In another comment, you mentioned your system works by polling for user activity, creating "baseline" profiles and monitoring usage activity. That certainly does not appear to be anonymous data to me.

  Hundreds of parameters are used to identify unauthorized access to your accounts.
I would love to know how.

Seriously, no sarcasm here, I'm actually curious about those hundreds of parameters.

Obviously I can't go into too much detail, but we cross reference data from the different services we monitor and thus create a fairly robust usage profile.
Obviously I can't go into too much detail

That isn't obvious at all. Quite contrary, I'd say a refusal to go into detail puts the whole thing under a pretty dark cloud, making the entire thing sound entirely scammy.

Even if we assume that you have all of the data you need (as an external service, with the limited information the various services provide) to create such a usage profile, there is no credible reason why you can't detail the mechanisms.

There are various reasons why a cybersecurity company can't disclose the methods and mechanisms it uses in detail. We have our users' interest in mind.
There is also a reason why shysters and charlatans can't disclose their methods and mechanisms as well. This isn't to say that such is your tactic, but to be honest when I've heard your type of pitch before it has generally been because someone knows that one day they'll figure out how to make sense of the data, but for now they can just see potential so it's all kind of fuzzy.

We aren't an ignorant crowd. There is limited information that you can monitor.

Password reset emails. Sure. Access suddenly being revoked. Right. Weird posts at odd times of night. I guess.

Outside of that, there is little belief that you're circumventing any sort of mechanisms at any of these providers.

Generally, if it really works, then it should work even if all the details are known.
Reminds of all the people who keep their startups ideas 'steath' thinking that the idea is what makes a business. While missing out on tons of opportunities for early feedback, early customers, and potentially cofounders. This approach has been utterly destroyed over the years as a bad idea.

No-one is running to this website because they have a secret sauce of heuristics. Nor is it stop a motivated competitor from reversing it.

Lose-lose situation.

It isn't at all obvious to me why you can't reveal more information, unless your signals are something trivial a hacker could mimic. Please explain more.
Here's the unfortunate truth: a good majority of security companies out there are banking on the hope that the signals they are looking for are not known to hackers and so cannot be mimicked or evaded.

>unless your signals are something trivial a hacker could mimic

Name any security product out there, whether they make software tools or hardware appliances, and chances are there is a set of trivial signals a malicious actor can mimic to appear to be trusted by that product, or a set of trivial signals to avoid to prevent being considered malicious.

And yet those products can still provide tremendous value. There is serious value in a large team of intelligent, experienced, resourceful people spending 8-10 hours a day tracking fraud and crime patterns so they can detect suspicious activity and meticulously add to and update their signatures. Yes, if their list of signatures was published on a fraud forum, the fraudsters would see it and take advantage of it and the company would have more workload trying to detect the new pattern changes. But it's still a useful service for many people.

My only concern in OP's case is that neither he nor his company has any track record in the security industry. He's perfectly reasonable to not reveal the precise technical details of how they're detecting suspicious activity, though.

"Don't get hacked, get a LogDog"

From what I can tell this service does absolutely nothing to protect you from being hacked.

It's more like a "you might've been hacked" notification.

If you know something suspicious is happening you can change your password (from the app) and throw the hacker out. You can also avoid rolling-hacks (ex: when your email is used to reset passwords on other services)
I'm not saying the service has no potential value, rather that it doesn't fulfill the "don't get hacked" reprise by notifying you after the fact.

The notification could allow you to fix the problem once it has happened but any hacker with reasonable sophistication can download data and change passwords in an automated fashion long before you can finish reading the notification.

what if the hacker resets the password before you get a chance to?
Wouldn't a third party service repeatedly logging into my services from a LogDog IP raise some flag on it's own at the service's own intrusion detection?
Very good point. It took us a while to get around that :-)
Perhaps it's simply a poor choice of words on your part, but "get around that" raises red flags for me. It makes it sound like you've found a loophole in their intrusion detection systems, that will (hopefully) be closed when it is detected—which will become ever more likely if your system becomes more popular.
Are you working directly with the providers? If you are not you are basically saying you get around their intrusion detection system in some way?

I think that's a point you should be a bit more transparent about because I'm not sure there are a lot of people who want to risk their google account being locked because of your app. We are all aware of the customer support horror stories dealing with getting your accounts re-enabled after they've been flagged.

Are you keeping log of those services possible address as well? I am not sure what other way you can identify.
First Show HN where I've seen someone have a phone number listed. Not sure if smart, or brave.
Looks interesting. Does anyone else use Two-Factor authentication for their emails? I do.

I also use that SMS service for PayPal.

Does nobody else?

I use two-factor auth whenever it is available. I've also mandated it for all user accounts (on Google Apps) at my organization.

For a while, I was trying to encourage adoption by expounding on its benefits, but then one of our users (without two-factor auth) had her account hacked, and I was able to employ the panic around the office to justify making it mandatory for everyone. This caused some pain for a little while (when two-factor auth enforcement is enabled for a Google Apps domain, users without two-factor auth enabled must use a temporary code, which can only be retrieved by a domain admin), and I wouldn't recommend this approach for more than a dozen users or so.

Great idea. I am surprised so few use two-factor authentication. My bank requires it for logging in, sending money, even for going into the branch (thanks Barclays); RSA fobs or Quest Defender fobs were also used in a company I used to work for, for their VPN.

With Google, the list of massive passwords they provide for logging in via POP3 is a useful thing to print off and have secreted at your house somewhere in case your phone gets pinched.

And periodically/regularly tidying up old emails from your inbox (archiving them offline somewhere) is a way to keep the email account a bit safer, as there isn't any info in the mailbox.

I use it, but I have to admit I'm not much of a fan. All it has done is annoy me by forcing me to stop my flow and look-up a secondary field.

I think there should be a 3rd option of just having a second password. Better yet, add a few other options as well.

What additional security would be derived from a second password?
A second password is just another form of a second factor (in 2-factor authorization)
2 factor auth is "something I know" (password) and "something I have" (token/device to provide a one time password)

Two passwords you know is not 2 factor auth

No, it's one factor, twice.
Not even twice, just split in two fields :)
Does it run client-side (device), or server-side? I ask, because if you're without a net connection, will LogDog still monitor your accounts (if it's server-side, it will, I guess)?
Refusing to explain how LogDog works, how should you trust them with your precious accounts?
Do I have to believe the reddit-like story in the title? Looking at the website it looks way too professional to be something suddenly made out of the blue one day after your wife got hacked.
Yes. Also, you are required to believe eBay was founded to help Pierre Omidyar's fiancée collect Pez dispensers. And Sara Blakely got Spanx off the ground by dragging Bergdorf buyers into dressing rooms and demonstrating control-top girdle underwear. If you can't invent a believable meet-cute creation myth, how can you create a good company?

According to Wikipedia "The frequently repeated story that eBay was founded to help Omidyar's fiancée trade Pez candy dispensers was fabricated by a public relations manager in 1997 to interest the media. This was revealed in Adam Cohen's 2002 book,[14] and confirmed by eBay." http://en.wikipedia.org/wiki/Pierre_Omidyar

How does this protect me any more than 2FA does?
Seems that in the same way a house alarm protects you, loosely compared to your house keys.
Interesting. Potentially useful. Love it when people create new products. Very scary to put yourself out there like that. Especially in the security space.

From reading the site and URB's comments on this page, LogDog appears to be a host intrusion detection (HID) package that works first in "learning mode" to establish a baseline set of acceptable or normal behaviours for any given user then eventually moves into notification mode in which it signals to the user that unusual activity has taken place.

Unusual, in this context, means anything outside the thresholds established during learning mode. Presumably, learning mode continues over time and the system becomes more refined.

So far, so good.

What's not so good:

1. The basic premise is "trust us, we know what to look for, but won't tell you because we don't want the bad guys to know". This is security through obscurity and I'm afraid I can characterize this only as "charmingly naive". A) The bad guys already know, guaranteed. B) Unless you are truly expert in this area (see below), you don't and are only guessing. I don't want to harsh anyone's mellow, but you need to be able to back up your claims - especially when you claim your product will make someone's life more secure. We will consider believing your claims after we have read the research papers you are going to publish, the papers that provide enough information for thems of us who know this area to guess at your bona fides but not so much as to reveal all your secrets.

2. All data sent to servers is anonymized. So you say. I will take you at your word. But it means nothing, unless you have done the extremely hard work necessary to show that the data you maintain cannot in any way be used to establish identity after the fact, whether it be by patterns of behaviour or other means. This is an area of active security research and active attacks, and is not for the faint of heart. I invite you to research super cookies, click profiling, etc., etc.

3. Re #2: Your servers are now known to attackers who want that juicy high value data that they can probably do more with than you - unless you are as large and as well funded (they are both). Please describe, at least at a high level, how you are protecting this high value asset you have created. If you cannot, we cannot expect our data to be safe. Regardless of claims of anonymization. Convince us you understand defense in depth, prevent-detect-respond-recover, etc.

4. No offense, but this is a security product from someone with no documented (as far as we can tell) expertise or experience in this area. Everyone who has ever developed a security product from scratch has gotten the first release wrong. Every single time. This stuff is complex and complicated, it takes tremendous experience in the field to design a tool properly, let alone implement one, experience gained either from starting from scratch and surviving to release 4 or 5 or from working on other products developed by experts/survivors.

URB, you may find comments herein and on this page to be assertive, even aggressive. None of us will apologize for this. You are making BOLD claims and providing no reasons for anyone to believe you know what you are doing. You need to do that work before the security community will accept this product.

Try to get hold of Bruce Schneier or another well-known, respected commenter in the field. If you can convince a few such people by giving them a privileged, behind the scenes view (they won't sign your NDA, there is nothing for them in that), that will a) provide real marketing bumpf and b) go a long way to silencing many critics.

But note that you still need to address 2 and 3, even if you convince the best of the best of 1 and 4. Good luck, those are hard problems to solve.

> A) The bad guys already know, guaranteed

Such a tool would also be useful to prevent* "local hacking" - where your credentials have been hacked by someone in your trust circle. Sad, but it happens. However, luckily for the victims, such people aren't usually aware of the hints they may be leaving after they came.

I agree with your other points.

* Or, rather, retaliate after the deed has been done, but it's a good start.

Hi Peter,

Thank you for your comprehensive and insightful comments. We have a great team at LogDog and a product that can really help people. I agree that this is a complicated field and that the "bad guys" are really really smart. But you must agree with me that that is no reason not to push forward with ideas and technologies that can help people better protect themselves.

In the short time since we launched, our system has already made several confirmed catches - where we were able to warn users of unauthorized access to their accounts.

We put tremendous effort into securing the privacy of our users' data. We have undergone an external security audit and will continue to do so periodically.

We look forward to a fruitful discussion with the security community and to providing a service that we know to be both necessary and important.

I agree with you whole-heartedly, absolutely whole-heartedly - my concern is with pushing too far, too fast, out-pacing one's knowledge or capabilities, and making things worse.

My two greatest concerns reflect this: Without sufficient forethought, planning, and implementation, 1) your servers will be compromised and that anonymized data stolen and misused, and 2) users will have a false sense of security, especially the naive who have no reason to doubt the bold claims.

Think of the recent attacks on CurrentC systems after participating retailers disabled NFC to prevent use of Apple Pay: That brought them a lot of attention and that attention revealed that they were not ready for prime time, they simply did not grasp the enormity of the threat environment in which they hope to operate.

If you have the DevOps experience for defense-in-depth and PDRR, excellent! Hats off to you for attacking an interesting problem in an interesting manner.

OP, I'm in the infosec community. Welcome. I think someone just painted a big ivory tower for you and I'm not sure why. Congrats on getting it out the door!!
"No offense, but this is a security product from someone with no documented (as far as we can tell) expertise or experience in this area. "

This is my theory on why santoshi released bitcoin anonymously. ad hominem attacks like this are way too common in security. Often there's some justifications, but i'd prefer if conversations were about the content alone.

I'm not sure that this actually qualifies as an ad hominem attack. In cases such as this, a lack of experience and expertise is a serious concern.

True, there may well be outliers who, with little to no previous experience in a field, are able to master and advance it - but they are outliers.

As to specific comparison with Santoshi and Bitcoin, it doesn't stand, due to the relatively poor history and documentation for LogDog and the relatively greater history and documentation for Bitcoin: There is the 2008 research paper that built upon well-known and well-examined previous work on electronic cash, anonymous payments, etc., etc., and there is the subsequent open source client. No one ever said "trust us, this is cool". Instead, they wrote detailed papers and code and released those to the world - and we made up our own minds.

LogDog is, by comparison, sui generis, a thing of itself, that has sprung into being with neither preamble nor publicized foundations.

URB may be the outlier. Or not. Given the lack of documentation, the lack of openness, and the apparent lack of expertise, we are but wise to raise the questions.

So far, URB seems responsive and engaged, and not particulary evasive. Those are good things for that particular hominid.

This is not an ad hominem. Security is a notoriously difficult field, made worse by the fact that bad security is often very hard to tell from good security.

Asking for the credentials (and the research) of someone claiming to have a new security product is a shortcut to knowing how well acquainted they are with this difficult field. Yes, it's a shortcut, but it's also warranted. It doesn't mean they won't be heard, just that they will be heard with healthy skepticism.

"1 in 4 online accounts gets hacked."

I've got hundreds of online accounts and so far none have been hacked. Where you getting this number from?

I think for you to be successful in this venture you're going to have to be very transparent in how everything works, based on comments so far that's not the case.

So I prevent getting hacked by giving some random app the login details to all the services that could be used to fake my identity. Makes sense.
two comments -- 1. Since your app is free what's in it for you ? You mentioned in other comments that passwords are never shared with your app, however, you do continuous polling and create profile. Are you going to sell this data to advertising for behavior targeting and advertising ? Amount of information you know what a particular user is using and how they are using it ( due to continuous monitoring ) is way too much intruding in my opinion.

2. What if , my account gets hacked due to logdog ? You approach is not too convincing since you even did not answer other users question on what parameters you are monitoring. Sophisticated hackers might take advantage of your service and hack into my account. Do you assume liability and loss that would occur because of your service ? I don't want to sound rude but putting cheesy story in headline might get you temporary attention but this service is no better than saying "we will watch out who will rob your bank and then directly or indirectly responsible for lost money"