78 comments

[ 3.1 ms ] story [ 160 ms ] thread
Duh. If everyone encrypted their mail then Google wouldn't be able to personalise their ads to mailbox content, and they'd lose a huge commercial advantage over other ad networks. Advocating end-to-end encryption would be Turkeys voting for Christmas.
Have no worries ... full email encryption is two years away. Also has been that way for the last couple of decades.
Does this surprise anyone? Google has contradictory interests when it comes to encryption and privacy.

It has been at the forefront of pushing SMTP to SMTP encryption and HTTPS everywhere. Google has to spread (and perhaps seriously believes in) the idea that they transfer data securely, unreadable by the Five Eyes. Because the perception that Google is in bed with the NSA et al. is seriously undermining their reputation (especially in Europe).

On the other hand, scanning content for ads requires that they have unfettered access to user data. If by implementing good end-to-end encryption e-mail would not be visible to them anymore, their abilities to do user profiling of those on and not on GMail would be impeded seriously.

If you want real privacy, you should move out of the Google ecosystem. Their terms of use are too far-reaching and their interest in your data too large to assume that they would go all-in with complete end to end encryption of everything.

Unfortunately their services are too convenient. I use them for almost everything I can, my reason being that they already know enough about me from my google searches, so I might as well use every other service they have.

Plus they're encrypted so only they know it. Also, I'm not from the US so MY government doesn't have access to their data.

If you are fine with giving your life to Google, another thing to consider are others. Anyone who wants to communicate with you via e-mail also surrenders their private communication to you to Google.
> my reason being that they already know enough about me from my google searches

You could.. you know... change that.. https://duckduckgo.com

> Also, I'm not from the US so MY government doesn't have access to their data

Because the US doesn't have any allies that participate in data sharing, and definitely doesn't intercept data in transit over the greater internet and on Google's internal network...

Oh wait..

Same here. But I also pay Google for various services, and the lack of privacy bothers me enough that I would readily pay Google the relatively small amount I'm worth to them as a data source in order to get privacy.

THAT's where Google's position, or at least this Google spokesman's position is wrong: I'll give up both some convenience and some money to get more privacy.

But that's exactly the conflict: Google doesn't want your money, they want your data.

Paying for more privacy is not and probabably will never be an option.

Ehhhhh. "Google, would you trade ad revenue for the same or larger subscription revenue?" I think the answer would be yes.
Most companies, yes. Google, no.

It's completely against their current models. They're basically telling advertisers: You know that product we were selling you, that made us billions of dollars together? We're not selling it to you anymore, but it's still making us money.

Google's approach makes sense if you assume that it's trying to sell more seats for its g-things-for-business suite. End-to-end encryption hobbles the search function, which makes gmail-for-business less useful. Transport encryption bothers eavesdroppers while leaving search intact.

FWIW, Wikipedia says Google has five million customers for the gmail-for-business product, each of which pays $50-60 per year per user. If you assume an average of two employees per customer that's a half-billion dollars per year. If you believe the numbers in e.g. http://www.quora.com/How-much-does-Google-earn-from-ads-per-... the ad-supported gmail revenue must be peanuts by comparison.

I care about privacy but with some restrictions I still use Google, Twitter, and Facebook.

I did switch off of gmail for general use, but I forward some emails to my old gmail account for experimenting with Google Now on my Android phone. For example, I will forward emails confirming airline reservations and car rentals so that information ends up in Google Calender and Google Now. For the same reason I sometimes will turn on location services on my phone.

I use Firefox for my web browsing, but use Chrome when visiting Google, Facebook, and Twitter web properties. I check cookies set in Firefox to make sure I have not enabled tracking.

I am making some real compromises in privacy and convenience, but for now this 'middle road' works for me.

Towards the Perfect Coin Flip: The NIST Randomness Beacon 71 Comments

    by: Elliot Williams 
December 19, 2014

Since early evening on September 5th, 2013 the US National Institute of Standards and Technology (NIST) has been publishing a 512-bit, full-entropy random number every minute of every day. What’s more, each number is cryptographically signed so that you can easily verify that it was generated by the NIST. A date stamp is included in the process, so that you can tell when the random values were created. And finally, all of the values are linked to the previous value in a chain so that you can detect if any of the past numbers in the series have been altered after the next number is published. This is quite an extensive list of features for a list of random values, and we’ll get into the rationale, methods, and uses behind this scheme in the next section, so stick around.

But first, before those of you who’ve got crypto on the brain start thinking crazy thoughts, note that the NIST has a banner stating the obvious in all caps: “WARNING: DO NOT USE BEACON GENERATED VALUES AS SECRET CRYPTOGRAPHIC KEYS.” Why not? Cryptographically speaking, they’re phenomenal random numbers; they’re just not secret at all! In contrast, they’re publicly available to everyone and archived for all time. The aim of the Randomness Beacon is to provide a random number standard, not to generate secrets. This distinction between secrecy and randomness is important in order to realize what the NIST is up to, so put your secrecy on the shelf for now. We’re talking randomness here. The Perfect Coin Flip

A random variable, says the statistician, is a function that produces a value that is unknown before a given point in time, but is constant thereafter. This instant when the value is realized is crucial to understanding randomness. It’s the instant that separates the past, a period of time when the outcome has a probability distribution around its possible values, from the present in which the outcome is a simple constant number.

Before you roll that twenty-sided die, any number from one to twenty could come up. After the die comes to a stop, it’s absolutely certain that you just rolled a seventeen, and that fact is never going to change. You just rolled a seventeen, and only a seventeen, with certainty and forevermore. The probability distribution has collapsed to a point, which is exactly why we roll dice or flip coins if you think about it. Keep these concepts of uncertainty and timing in your mind as I tell you a brief, entirely fictional, story.

My wife and I are going out to a restaurant, but we can’t decide whether to get Italian or Thai. For the past year, we’ve been deciding restaurants with a coin flip, but that hasn’t worked since she got suspicious and discovered that the “random” coin flip isn’t random at all, and that I’d been using a two-headed coin. She’s not going to accept a dice roll either, for the same reason that we don’t play craps together anymore. What we need is a perfect coin flip: some future random event with an outcome that’s currently totally unpredictable, impossible for either of us to influence, but then easily verifiable after the event so there’s no room for argument.

Note what’s going on here. If either of us knew what the future random value would be, it wouldn’t be random. But we require something even stronger, that we can’t even make useful predictions about the outcome — that the coin is a fair coin. And since she doesn’t trust me anymore, the only way we’re going to go out to dinner is if neither of us can possibly influence the future value. Burned by a year of eating Thai food, she’s not going to trust me to read the result out to her either, she’ll need to see the results herself.

nist-randomness-beacon-screenshotThis is exactly what is provided by the NIST Randomness Beacon. To pick a restaurant, we agree to look at the NIST’s webpage at 7:00 pm and if the first digit is even, we go Thai. If i...

I say it is.

Who's right?

20 years of history at least provides evidence for you being wrong.
Paper envelopes dating back to 2300 years ago in China at least provides evidence for you being wrong.

User-unfriendliness ≠ "not meant for"

Fine. End-to-end crypto requires key authentication. This means that users must have some way of authenticating a key.

For the majority of people, this is too much. People should not be expected to spend time manually checking the signatures on a key, and should likewise not be expected to get signatures for their key. They should not have to worry about key revocation. If a solution is not as easy as email is at the moment, it's not a solution.

So, the problems that need to be solved in an automated manner:

Finding a public key, verifying it to be authentic beyond all reasonable doubt, making it so that a new user can be trusted. Revoking the key if the device is compromised.

These problems are not new - they've been around since PGP was invented. Yet, there is seemingly no compelling answer to them that doesn't involve bringing your passport to a key signing party.

All of the end-to-end encryption systems I've seen either have some complicated handshake process before one can communicate with another, or are unauthenticated.

So, anyone who argues for widespread end-to-end encrypted communication must provide evidence that such a system can actually be produced in a way that is totally transparent to the user.

Google's doing well with this software - they're massively reducing the barrier to entry for PGP; I just don't see why people are complaining about their preaching of security gospel.

> Yet, there is seemingly no compelling answer to them that doesn't involve bringing your passport to a key signing party.

The only reason I trust the source of an email by its "from" address is because of the history of correspondence with that person from that address. Yes, if it is compromised, I may not realize it right away, or I may (see: phishing emails from virus/malware infestations), but by and large it works as advertised.

Same thing with usernames in forums. There's a certain cred that is eventually attached to a username over time.

If I use the same public key to represent myself in all my communication "for a while", then there's implicit trust that it's me there, for the same reasons.

Key revocation is admittedly not as simple, if I want to continue to maintain my "trust balance" somehow. What happens if I switch email addresses? "Hi guys, this is my new email address." What if I was compromised and someone else did that? (Well, how often does that happen in real life?)

Perhaps you could keep one key super secret (and offline) and sign all new day-to-day keys with it. I don't know.

What I'm saying is- Treat it like email. Forget trying to centralize who owns what key. Forget trying to exercise absolute control over trust in a given key. The key(s) I use "most of the time" is "me". If I need to revoke it, I will suffer some in the short term, but I will quickly build my cred back up by using a new one.

If it was more widespread then perhaps we could centralize SOME third-party signing. Say I could go to a bank and they could sign my key saying "this key definitely belongs to lectrick", and it would work because the bank's public key is known-trusted.

I'm afraid that fundamentally doesn't work (though at first glance it does). Email is not a forum - it's person to person. When someone emails me, I might not know anyone else who has also had a conversation with them.

In order for anyone to trust your key at all you need to make it available out of band.

This is because otherwise, your email provider could simply man-in-the-middle you (or them); and they have no way of working out.

The first time they email you, their key is already compromised. You then build up your trust for them; but you've trusted an attacker. The system is worse than useless.

This is worse than (say) TLS because TLS, you generally do not connect through a single access point. Email is far more centralised.

So, they need to get your key from outside the communication system, somehow.

I remember end-to-end vs. point-to-point from my crypto class back in the Pleistocene, so I thought I'd share the analogy my professor used just because I loved it:

In WW2, the Allied Navies faced two main naval code strategies: Germany's and Japan's. Roughly, the Japanese Navy sent their routing information in plaintext, while the Kriegsmarin sent it in ciphertext. Because the German routing instructions were encrypted, each node had to be able to decrypt universally. Capture one U-boat, and, well, we all saw the movie.

In contrast, the Japanese navy sent the routing information in the clear, so transceiving stations only had to read the routing information and transmit the ciphertext verbatim: capture a Japanese sub and you can only decode messages sent to that sub. However, because the routing information was visible in all transmissions, a lot of sideband avenues were opened up (you may not know what Yamamoto was sending to the Coral Sea fleet, but you're damn sure interested in the fact that he was talking to them at 2am this morning, particularly since you can then watch what they do.)

Anyways, not directly relevant to the article but a cool example of how far back this question goes.

Why not encrypt the routing separately?
I simplified. They did encrypt the routing separately but it was essentially a known plaintext attack because you could see which ships moved after which transmission.
Remember that those were different times. Computer science itself was born by trying to break that crypto, and modern cryptography wasn't available.

A different key for each vessel would mean several passes through the encryption machine, key tables distributed through several places, and the requirement of specialized workforce where otherwise just typing stuff in a machine would do. And all the errors that come with manually dealing with that, all during a major war.

Computer science itself was born by trying to break that crypto, and modern cryptography wasn't available.

^^^ That.

If I need to translate using Google Translate, copy & paste will do. I don't need to do this directly in Gmail.
"Because translation."

If they really said that, that's amazingly weak and clumsy.

I would have been impressed if they had openly said it's because they can't analyze your email for ads and targeting.

In fact I'd be very impressed if they said up front, briefly and not implied in a ToS book, that the reason you get free email is so they can read your email.

If they really believe in their business plan, they should admit their real motives; dissembling with such a weak excuse just gives Google that "shady used car salesman" look.

The fact that they went with a dodge suggests they know that they risk a lot of blowback if people started to learn about their actual business plan.

From my perspective, what I miss with decryption only in the client (where the mail database is stored encrypted) is search. That's also the primary value of Google Apps for me. Easy encryption across the Internet would be more valuable to me than encrypted storage, but the option to have encrypted storage for things that are really private would make sense. I tend to opt for alternate channels with no storage in those cases though.
> what I miss with decryption only in the client ... is search

Yet another casualty of "software as a service". There could be better search tools on the client, but the fad for the last decade has been to push vendor lock-in and data mining instead of installable client apps. So now the full consequences of those choices are starting to be recognized.

I dunno. Thunderbird has pretty decent global search now.
Installable client apps just don't work from me. I need to access the same email database from 4 different devices, including some I don't own and don't want the data on.
Then your requirements are in conflict with security. You cannot trust the network to do your encryption for you, and you can't trust a a computer you don't own to handle your private key.

You may want to reconsider either dedicating some sort of portable device to be your email that you carry with you, a multi-account system the separates private email from the the email you can access remotely, or resigning yourself and those communicate with to sending using only postcards (non-end-to-end-encrypted email).

Nothing is technically preventing the client to retrieve indexes built client-side beforehand when reading the email. The main problem is everything is currently made to make the client dumb and the server the ultimate source of truth.
More convincing than translation would be spam filtering. I think end-to-end encryption would make spam filtering a lot more difficult.
Signed messages give you a much easier way to weed out "unknown" sender accounts (=keys). Encryption with signing makes it easier to recognize legit email. You need to go back to decentralized filtering though. Or maybe publicly verifiable signatures (=no sender anonymity) on encrypted content would be an option.
Proof of work. Every email the spammer sends out would need to be properly encrypted (or else the target wouldn't see your ads). This would actually put a lot of control in the hands of the user - set the amount of work required to mail you through key strength. Spammers would absolutely hate this, it would be like the USPS requiring bulk mailers to prove they aren't spamming by including the recipient name (not "Current resident" or "Our friend at").
I don't need the extra security provided by end-to-end encryption for the vast majority of emails I receive and send. I value that ability to search/filter these emails far more than I value the security.

For the few emails I send where the value of the security provided exceeds the lost value due to being unable to search I can, using their extension, enable end-to-end encryption.

This system suits my needs perfectly, I appreciate that others may want all the emails they send to be encrypted but why should Google cater to this - they cannot make any money from encrypted emails.

Agreed. The question is. Can you perfectly, always and with regard for potential future changes to what may be sensitive information decide which ones to encrypt?

One email sent the wrong way when tired. One change in legislation (to e.g. retrospectively criminalise an activity or legalise a certain type of snooping). Now your company's IP is compromised. Or now your in jail. Or now you can be blackmailed.

Furthermore the idea that you will be encrypting the mail may cause tired future you to write something you wouldn't put on a post card.

So unless you are perfect and never ever click in the wrong place good luck in this brave world of ours.

What insane law system makes an action retrospectively criminal ? Does the US law system allows this ?
I think you can start investigating Joe for an email he sent 10 years ago and that your scanning algorithm picked up from the archive only now. Maybe you're searching for matches with different keywords (the X in "war on X" changed). That email and the actions could have been lawful at the time and now, but Joe could be marked as suspicious and all sort of unpleasant things can happen to him and his friends.
If it was legal when the actions occurred, you cannot be tried. Similarly, if you committed a crime before the law was changed to allow it, then you have still broken the law.
The point here is that you can be placed on certain watchlists with no due process. No trial is required to be placed on the US no fly list or any countries terror watchlists.
At least in the US, 'ex post facto' laws are specifically forbidden by the Constitution: http://en.wikipedia.org/wiki/Ex_post_facto_law
The original poster is called "abritishguy". Assuming this translates to information about his location then his country according to that article (and according to it's lack of formal Constitution) has no such protection.
True, but the US government doesn't even pretend to follow the Constitution anymore.

Also, the Constitution can be amended. We can't guarantee that ex post facto laws will remain unconstitutional for the duration of your lifetime.

Also, states are technically not obliged to abide by the US constitution.

The first and last paragraphs are incorrect; you may disagree that the federal government actually follows the Constitution, but that's a different issue. And while many provisions of the Constitution address only the federal government, States are still bound by it to the extent it addresses them, as it does, among other places, in the 14th Amendment.
The first paragraph is correct because I clearly meant it in figurative language, not literal language. Regardless, my point is this: the US government does not obey the US constitution.

The last paragraph is correct in context. Specifically, with regards to encryption, states are allowed to do whatever they want because the Constitution doesn't mention encryption and because of the 10th amendment, which states:

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

The last paragraph is also correct because the ex post facto law clause of the Constitution only applies to Congress, not the states [1]

[1] https://en.wikipedia.org/wiki/Article_One_of_the_United_Stat...

The US system is protected by a strong constitution. Others around the world are not so lucky.

The point is that these email records are permanent not ephemeral. And therefore they have to be viewed in a more nuanced light.

For example something does not have to be a crime to come back and bite you. This could be a job losing issue, an issue that prevents you from running for public office, or even a blackmail issue. For example (and I'm not stating my position on this issue) opposing gay marriage used to in the US be an acceptable moral stance. According to what happened to Brenden Eich this is no longer the case and emails on the topic someone sent 10 years ago might come back to hurt them today.

Jurisdictions change.

"Ukraine’s Parliament Votes To Open Soviet-Era KGB Archives To Public" http://www.ibtimes.com/ukraines-parliament-votes-open-soviet...

In "The Internet With a Human Face", Maciej Cegłowski asks:

"What happens if Facebook goes out of business, like so many of the social networks that came before it? Or if Facebook gets acquired by a credit agency? How about if it gets acquired by Rupert Murdoch, or taken private by a hedge fund?

"What happens to all that data?"

http://idlewords.com/bt14.htm

That's just one of the problems we're facing.

"(Search- and filterability) or end-to-end encryption" is a false dichotomy. You should have both. If you can't get both, then there is something wrong with your setup.
Searching and filtering your emails is pretty easy to do locally.
Actually, yes you do. Unless encryption is everyday and used for mundane messages, it becomes a label that says: "Target this guy and his encrypted traffic."
Would you share your mails with us then?
I am so tired of this response.

Claiming that I don't personally feel the need for a fully enclosed, solid steel cubicle to get changed in doesn't mean I'm happy to get naked in public. I feel that whilst the changing cubicle you find at a public swimming pool wouldn't prevent a determined actor from invading your privacy it provides adequate privacy for me.

Yes, servers at Google can read my email - I'm willing to accept the risk of a Googler committing a fireable offence and going through my emails.

It's not just Googlers who might do that.

Google's been attacked by national intelligence agents. Notably from China, targeting emails of Tibetian activists. With potentially life-ending condequences.

Hackers and theives. Corporate takeovers. The NSA, or GRU, or Mossad, or MI6, ore any of the other various state intelligence agencies throughout the world. Drugs gangs throughout Central and South America. Rogue contractors have been known to walk out of Google with gigabytes of highly secure information. Oh, my error, that was the fucking National Security Agency.

If Google can read your email, anyone can. The only question is how the dice roll.

Anyone who says that PGP is not meant for common use has 20+ years of history clearly proving them right. Moxie doesn't believe it in[1], even PGP's own creator doesn't use it any more[2]. OP is trying to make news out of nothing.

[1] http://www.thoughtcrime.org/blog/gpg-and-me/

[2] http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-bi...

Intended for common use vs. effective in that role are not the same thing.
Actually, I suspect PGP usage is increasing right now. It's very commonly used in darknet markets, and they are growing very quickly and will probably continue to do so.
https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html

In case anybody hasn't read it yet, Philip Zimmermann's essay on why he wrote PGP is very relevant to this discussion. Google is effectively saying envelopes are not meant for common use.

Did you send everything by postcard back in the snail-mail days, only using an envelope when the contents was very-important? If someone saw you mailing an envelope, did they suspiciously ask what was so important that you needed to hide it? No, wrapping your mail in an envelope was commonplace.

This is what we need to do for digital messages: wrap them in an envelope (encryption). More importantly, we need a culture that sees sending encryption as normal. You may not be sending anything important at the moment, but other people are, and if encryption is only used for "important" things, it invites suspicion.

If Google has a problem with this, I suggest they find a new business plan.

Totally agree. The fact we happily send so much data around :/ clear text has always irked me. The only layer of protection is that there's probably no one interested enough to look
"No one" assumes a human. I'd use a COTS textural analyzer and social graph and process all your (and your associates) content in one fell swoop.

And then sell that to the highest bidder.

Not really a valid comparison. Encrypting a message is more like sending your letter in a titanium safe.
It isn't so bad. Tampering with mail is a federal crime.
Well we don't do that because of economics, but if you could have a cheap envelope that only the receiver could open, who wouldn't opt for the secure envelope?
Sadly, they're not wrong. End-to-end encryption products are written for expert use and hard to set up by mere mortals.
Are you sure this isn't just another way of saying that decentralized authentication is too hard? ;)
I wish there was a real quote here, because I find it hard to believe his only example of a Google value add is translation. Personally I'm happy to use Gmail for insecure communication as long as I can keep search - it'd be utterly unusable without.
I tried to use PGP (gnupg) but it doesn't seem to be simple even for an advanced user. Since I use Debian already it means that I implicitly trust Debian maintainers. So I explicitly trusted one Debian maintainer in gnupg. From there I thought that verifying other keys would be a breeze since I have a trusted guy in the strong set. While there are online tools (at least one) to find trust paths between IDs I didn't find a tool that does this automatically and verify signatures through this. This should be seamless without manually tracking down trust paths, manually importing keys that I don't want just to verify an ID 2-4 hops away.

Here is my concern with the WOT: it's not clear what signatures mean. It could mean "This guy can give out valid signatures" or "I verified that this guy's name is John Doe" or "This is the key used to sign Debian isos", but these are all implicit. Typically it's the first two which makes it hard to use PGP with pseudonyms. When you verify a signature in PGP you want the following chain:

o--I trust this guy's signatures-->o--I trust this guy's signatures-->o--I know this guy-->o

Other concerns: any way to rotate the master key would be nice. I wouldn't assume that my master key won't be compromised in the next 50 years .Then I would have to rebuild my whole WOT and revoke my previous master key (If I can). Key distributon should be decentralized.

Maybe I'm missing something, but this is my takeaway and I really tried to like PGP and gnupg. Maybe Google will solve some of these concerns on their interface but I wouldn't bet on it. I'm not surprised that PGP isn't widely used. I would really like a safe end-to-end encryption implementation that is easy to use.

How's Tutanota any better? "End to end" but client side JS where you plop your key into the form they serve up. It's only as good as their TLS/server security, and your trust in them. In face of real opponents, it breaks down just as much as gmail-to-gmail emails.
Just brainstorming here. Here are a few ways in which you can get in trouble with the law because of unencrypted online communications (these are ordered from most likely to occur within 1 human lifetime to least likely to occur within 1 human lifetime, IMO):

1. You could travel to another country where they arrest you for something unencrypted you did online in a country where it was legal. This has already happened. [1]

2. Your communications could become evidence in court that you "always had radical leanings." So while you're not convicted for what you did online, it still becomes evidence against you. I suspect this has already happened.

3. You could travel to another country where retroactive laws are allowed, and get caught because of something you said in the past in the US.

4. The US could eventually allow retroactive laws, and catch you for something you did before retroactive laws were allowed.

Note: these are just ways you could get in trouble with the law; not mentioned are things like your reputation being destroyed, death threats, identity theft, or malware due to lack of encryption. I also have not mentioned ways in which your friends could get in trouble because of something unencrypted you did online.

[1] http://www.cnn.com/2015/03/05/middleeast/american-arrested-i...

Is Google's Eric Grosse familiar with anonymous authentication techniques over Tor?

Because there are at least two projects which address this: FAUST and Fair Anonymity:

http://arxiv.org/pdf/1412.4707v1.pdf

https://gnunet.org/node/1704

I very strongly encourage Eric to have his team look at these, or other options, and back the motherluving frell out of whatever seems viable.

Listening to his Re:publica conversation with EFF's Jillian York, the topic comes up, but best I can tell he doesn't know of these.

At 17m 50s in the presentation, the question of using Google services over Tor is raised.

That's ... an issue I've had some experience with:

"How to kill your Google account: Access it via Tor"

https://www.reddit.com/r/dredmorbius/comments/2w618r/how_to_...

First off, I totally get the abuse angle. Most of my specific complaint with my own experience wasn't over Google's challenge process to my attempted Tor access. Rather, it was over the company's policies and procedures for account recovery. Multi-factor auth is well and good, but I've yet to find a way to activate an option other than phone-based auth without providing Google with a phone number. Which for a number of valid reasons I cannot or will not do.

(Grosse states that "you should not even have to give us a phone number", and that there are internal debates on the subject. Yay.)

More specifically, the problem is that the question "Who are you?" is proving to be the most expensive operation in all of computing. Because you're fucked either way you get it wrong. Lock someone out when you should let 'em in, and you're fucked. Let someone in when you should've locked 'em out, and you're fucked. And all you get to look at is 1s and 0s on the wire.

I detail that in more length in this comment to my dreddit post:

https://www.reddit.com/r/dredmorbius/comments/2w618r/how_to_...

(I'll also note that Grosse specifically notes that PKI works great, ahem, Yonatan Zunger....)

So: first, Google's really got to revise and fix its account recovery processes.

But that identity thing: Grosse goes on at length noting that Tor exit nodes aggregate a lot of traffic activity, and that Google effectively relies strongly on IP address as an indicator of identity.

The fair, and anonymous, reputation systems mentioned above are specifically intended to work over Tor. Which is to say, people are tackling the problem. Nothing in Grosse's presentation gave any indication that he's aware of this fact. For sheer technical competence reasons, he should be.