Dirk Balfanz
Works at Google
Lives in San Francisco Bay Area
5,105 followers, 674,370 views

Dirk Balfanz (Shared publicly)
Getting Rid of Passwords in More Places

Two years ago, Google announced the deprecation of the ClientLogin API (see https://plus.google.com/+DirkBalfanz/posts/Azg5LvkX4pJ). This used to be the main protocol developers used to let their applications access Google services on behalf of their users, and it was strictly password-based. The replacement, of course, has been OAuth 2, which works with any form of user authentication (not just passwords).

Google is now urging developers to stop using passwords in other protocols as well (such as XMPP, SMTP, or IMAP) when accessing Google services, pointing out that OAuth 2-based alternatives exist for those protocols.
Wednesday, April 23, 2014 10:00 AM. Posted by Antonio Fuentes, Product Manager, Google Identity Team There is nothing more important than making sure our users and their information stay safe online. Doing that means providing security features at the user-level like 2-Step Verification and ...
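As an added illustration of what "OAuth 2-based alternatives exist for those protocols" means in practice (this is example code written for this page, not code from the post, and not Google's own client or server code): the Python below builds the SASL XOAUTH2 initial client response that an IMAP client sends as `AUTHENTICATE XOAUTH2 <base64>` (or an SMTP client as `AUTH XOAUTH2 <base64>`), so that an OAuth 2 access token travels to the mail server instead of the account password. It also decodes such a response the way a server would and rejects malformed ones. The wire format is the one Google documents for XOAUTH2; the user name and token values are constructed placeholders, and obtaining a real access token (via an OAuth 2 authorization flow with the mail scope) is assumed to happen elsewhere.

```python
"""Build and check the SASL XOAUTH2 initial client response used to log in to
Google IMAP/SMTP with an OAuth 2 access token instead of a password.

Added example, not code from the original post. The wire format is the one
Google documents for XOAUTH2:

    base64("user=" + user + "\x01" + "auth=Bearer " + access_token + "\x01\x01")

The user name and access token used at the bottom are constructed placeholders;
a real token comes from an OAuth 2 authorization flow with the mail scope.
"""
import base64
import re

_SEP = "\x01"  # ASCII SOH separates the key=value fields


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Return the base64 initial response for AUTHENTICATE XOAUTH2 (IMAP)
    or AUTH XOAUTH2 (SMTP)."""
    if _SEP in user or _SEP in access_token:
        raise ValueError("field contains the SOH separator")
    raw = f"user={user}{_SEP}auth=Bearer {access_token}{_SEP}{_SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def imap_authenticate_line(tag: str, user: str, access_token: str) -> str:
    """The full IMAP command line a client sends: tag, command, initial response."""
    return f"{tag} AUTHENTICATE XOAUTH2 {build_xoauth2_response(user, access_token)}"


def parse_xoauth2_response(encoded: str) -> dict:
    """Decode an initial response the way a server would, rejecting anything
    that does not match the documented shape. Returns {'user': ..., 'token': ...}.
    The token is then validated against the OAuth 2 issuer (not shown here)."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"not valid base64/UTF-8: {exc}") from None
    parts = raw.split(_SEP)
    # Expected exactly: ['user=<addr>', 'auth=Bearer <token>', '', '']
    if len(parts) != 4 or parts[2] != "" or parts[3] != "":
        raise ValueError("wrong number of SOH-separated fields")
    user_m = re.fullmatch(r"user=(.+)", parts[0])
    auth_m = re.fullmatch(r"auth=Bearer (\S+)", parts[1])
    if not user_m or not auth_m:
        raise ValueError("malformed user or auth field")
    return {"user": user_m.group(1), "token": auth_m.group(1)}


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    demo_user = "alice@example.com"
    demo_token = "ACCESS-TOKEN-PLACEHOLDER"
    line = imap_authenticate_line("A01", demo_user, demo_token)
    print(line)
    print(parse_xoauth2_response(line.split()[-1]))
```

The point a defender cares about is visible in the decoded fields: the response carries only a short-lived, scope-limited bearer token, so a compromised mail client or a logged wire exchange exposes a revocable token rather than the account password.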

Dirk Balfanz (Shared publicly)
Anyone working on web security is likely to find this blog post by Adam Langley very interesting:

http://googleonlinesecurity.blogspot.com/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html
Thursday, November 14, 2013 7:26 AM. Posted by Adam Langley, Software Engineer SSL/TLS combines a number of choices about cryptographic primitives, including the choice of cipher, into a collection that it calls a “cipher suite.” A list of cipher suites is maintained by the Internet Assigned ...

Dirk Balfanz (Shared publicly)
Update on iOS Google Authenticator

On September 4th, we released a new version of the Google Authenticator app for iOS. Shortly after the update went live in the App Store, we learned that it contained a flaw that makes the app unable to read the account data stored in the previous version. We pulled the app from the App Store as soon as we could.

If your Google Account is affected by this problem, you can use your backup phone number to sign into your account. If you have affected non-Google accounts, please contact support from those providers to get back into your account.

The Google Authenticator team is deeply sorry for the inconvenience and is working to release a fixed version on the iOS App Store as soon as possible.
2 comments
 
Dirk... I was shown a great idea for login the other day... Is there a way, a process, to bring it to your or Google's attention?

Dirk Balfanz (moderator, in Recipes)
This looks interesting. I might have to try it...
 
Gluten Free Pizza Crust
I was checking out whether Pizza Hut has gluten-free options in case I want to enroll my kids in the Book-It program, when I got highly distracted by this recipe. I will be making this.

#gfree   #recipe   #glutenfreerecipes   #pizza  

Dirk Balfanz (Shared publicly)
A new funding opportunity for privacy and security researchers --

Request For Proposals:
Google Privacy & Security Focused Research Program

Google is creating a focused research grant program to explore privacy & security research.  

We envision research projects using quantitative or mixed methods to identify and answer the following questions, including but not limited to:

Privacy Topics

The definition of a well-founded valuation model for "offering personal data" to a Web service provider. How can we model the valuation of personal data? What factors determine value and what market enforcements drive adjustments to that value? Are there incentives that need to be in place in a personal data market to ensure a fair equilibrium is reached? What are the security and privacy risks and how can they be represented in the model?

Principled approaches to privacy measurement. Build on the substantial literature in differential privacy and statistical privacy to develop new methods for measuring privacy in a more rigorous mathematical way. Significant challenges remain both in making existing statistical techniques more "long-lived" and data utility preserving, and in dealing with issues like user expectation, comprehension and the dynamic aspect of privacy attitudes over time.

Improve communication of Privacy and Security Policies. Privacy and Security Policies are hard to understand. Can we simplify them for the users while keeping them valid, accurate and legally useful or is it better to aim for "in context" notifications, which likely means providing less Privacy and Security information overall?  Are there design principles to inform the goal of making detailed information easily accessible by those who want it?

Intelligent defaults for Privacy and Security settings. What are good "defaults" for Privacy settings and what research techniques help us best identify such defaults for new products/features? What behavioral archetypes exist in terms of private-public practices? How do we measure user expectations for the actual products and services they use and how should these expectations inform defaults?

Security Topics

• What are alternative authentication methods in the post-password world? We are especially interested in radical new ideas.
• Studies on platform hardening and OS design from the hardware level all the way up to the application level. Incremental defense mechanisms have made our systems more vulnerable due to the complexity and attack surface the solutions expose.
• Persistent pseudonyms and trusted networks
• Seamless identity experience across multi-screen environments
• Study of the economic models that drive non-targeted abuse.
• Busting black-markets for online identity theft and fraud
• Enabling trusted, anonymous, distributed speech

These are one-time awards ranging from US $100,000 to $300,000, where the award spans a period of two years.  We expect most awards to be in the middle of that range, and we may fund proposals at a lower amount than requested. Awards are structured as unrestricted gifts to the universities, so we do not allow overhead or indirect costs.  Where appropriate, we expect award recipients to make their software, utilities, data sets, or similar artifacts freely available for others to use via open source license, publication, etc.

We are requesting proposals in this area from select researchers and faculty members, and we would be delighted with your participation. We expect to make several awards under this program, and welcome proposals that include investigators from multiple organizations where appropriate, though all PIs must be full-time faculty members at accredited universities.

Proposals that share government funding or resources with other efforts are also welcome, as long as other funding sources don’t run counter to this program’s mission.  If you have suggestions for others who should be invited to participate in this call, we would be happy to consider your ideas.

You should include the following in your proposal:
• Proposal Title
• Principal Investigator (PI) full name, contact information (postal address, e-mail, phone), affiliation (university, school, college and/or department)
• Collaborators within and outside your organization
• Research objectives and expected results
• Connection to Google teams who might benefit from the research and the name(s) of these potential Google contacts
• Benefit to the research community
• Budget Summary: Please briefly list only high-level line items like students, study costs, travel, etc.  Google may offer help in hosting data, providing Google App Engine computational credits, or other engagement as appropriate, so please specify if you have ideas about using Google platforms.

Please be concise but clear. As guidance, we'd prefer the body of the proposal to be five pages maximum.  You might refer to this guide for some specific writing advice [1]. At the end of the proposal, please attach a two-page summary CV that includes a list of 5-10 examples of past publications done by the PI and collaborators.

To submit your proposal, please fill out this form [2] and then email your PDF proposal to ps-focused-program@google.com. The title section of your PDF proposal should include the email address of the primary PI.

The deadline for submissions is April 30, 2013. We expect to make final decisions by the end of June.  

[1] http://research.google.com/university/relations/proposal_advice.html
[2] https://docs.google.com/spreadsheet/viewform?formkey=dDJaX2RJYVZMaEl2SGQ1TjhGdnotaVE6MA
Proposal Advice. Open advice to Google Faculty Research Awards proposal writers. As a part of the group of engineers that review proposals for this program, we read a lot of proposals. We'd like to re...

Dirk Balfanz (Shared publicly)
If you build mobile or web apps, and if any of your users also use Google, you'll want to check this out.  I'm excited to see what you all build on this!

Dirk Balfanz (moderator, in Discussion)
Gluten Test Kits

Has anyone ever tried one of these? Do they work? Are they worth the money? Can you recommend any?
The EZ Gluten® Test is an easy to use kit that will quickly detect the presence of gluten in foods and beverages. It is sensitive enough to detect levels of gluten as low as 10 ppm. This simple test i...
Armin Schon:
Yes, I did, see:
https://plus.google.com/u/0/107434775721491487167/posts/8fhG9dF457P
Actually I use the test mostly when friends/family bring self-made gluten free cookies, cake etc. Since we cannot know what really went in there and how clean the process was - despite the best intentions it is so easy to make mistakes - I usually do a test before allowing our daughter to eat it.

Dirk Balfanz (Shared publicly)
Do you work in computer security? If so, please participate in a Google survey to help users stay safe online: http://goo.gl/F4fJ59. Thanks!

Dirk Balfanz (Shared publicly)
Workshop on Usable Security

Time to get your papers ready for USEC'14. It's in February in San Diego, need I say more?
New at USEC'14. Reports of replicating previously published studies and experiments; Reports of failed or negative usable security studies or experiments, with the focus on the lessons learned from such experience. Reports on deploying usable security & privacy technology in industry ...

Dirk Balfanz (Shared publicly)
San Francisco's famous fog. There's an English intro once you click through.
 
The fog is as much a landmark of San Francisco as the Golden Gate Bridge. For two years the photographer Simon Christen watched the Bay Area in the morning hours with his camera and assembled the footage into this spectacular film. We wish you a pleasant evening.

Dirk Balfanz (Shared publicly)
Password Minder

I love Ellen, but here she makes fun of something that is not, in fact, a Bad Idea. Yes, some people face threats from "locals" (distrustful spouses, spying parents, etc.), and those folks shouldn't use the Password Minder.

But the overwhelming majority of users instead face threats from remote attackers who benefit from people's inability to remember lots of different passwords. If you re-use the same password everywhere, the bad guys just have to break into one web site, steal your password, and then use it to impersonate you to all the other web sites.

So you need lots of different passwords. And writing down your passwords is one way to help you keep track of them. Of course, it doesn't have to be the Password Minder. Something slightly less conspicuous or perhaps smaller (so it can fit in your wallet) might be better. There are also more high-tech solutions out there like +1Password or +LastPass.

But you could do much worse than using pen and paper to keep track of your online passwords.
3 comments
 
Dashlane is better

Dirk Balfanz (Shared publicly)
4 comments
 
If I remember correctly the SMS "push" is the default method when you first sign up for the 2-Step Verification. You cannot just use the Google Authenticator app, you have to use text or voice call at least once. Afterwards you can (and should) turn them off but I don't know how many people do so.

Granting your operator access to your Google account is such a bad idea when anyone can call customer support and get your data with the simplest social engineering. In Finland it's common for the CS to authenticate the caller by asking for the street address. After that you could ask for a password reset for the web interface of the plan and control everything from there.
Work
Employment
  • Google
    2007 - present
  • PARC
    2000 - 2007
Basic Information
Gender
Male
Story
Introduction
Software. Security. Identity. Auth.
Places
Currently
San Francisco Bay Area
Previously
Berlin, Germany - Princeton, NJ - Edinburgh, UK