Dirk Balfanz

Getting Rid of Passwords in More Places

Two years ago, Google announced the deprecation of the ClientLogin API (see This used to be the main protocol developers used to let their applications access Google services on behalf of their users, and it was strictly password-based. The replacement, of course, has been OAuth 2, which works with any form of user authentication (not just passwords).

Google is now urging developers to stop using passwords in other protocols as well (such as XMPP, SMTP, or IMAP) when accessing Google services, pointing out that OAuth 2-based alternatives exist for those protocols.
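An added illustration, not code from the post above (which names no specific mechanism): for IMAP and SMTP, the OAuth 2-based replacement Google documents is the SASL XOAUTH2 mechanism, whose initial client response is base64("user=" + user + "^Aauth=Bearer " + access_token + "^A^A"). The example below builds that response the way a mail client would, parses it the way a server would, and rejects malformed input; the credentials are constructed placeholders (SAMPLE_USER and SAMPLE_TOKEN are assumptions, not a real account or token). The security point it shows is that only a revocable, scope-limited access token crosses the wire, never the account password.

```python
import base64

# Constructed sample credentials for illustration only; the token is a
# placeholder, not a real OAuth 2 access token.
SAMPLE_USER = "someuser@example.com"
SAMPLE_TOKEN = "ya29.example-access-token"

SEP = "\x01"  # Control-A separator required by SASL XOAUTH2


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Build the base64 initial client response for SASL XOAUTH2.

    Wire format (Google's documented layout for IMAP/SMTP):
        base64("user=" + user + "^Aauth=Bearer " + token + "^A^A")
    The account password is never part of the string.
    """
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_response(b64: str) -> tuple[str, str]:
    """Decode an XOAUTH2 client response the way a server would.

    Returns (user, access_token). Raises ValueError on anything that does
    not match the expected layout, so malformed blobs are rejected instead
    of being guessed at.
    """
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing trailing ^A^A")
    fields = raw[:-2].split(SEP)
    if len(fields) != 2:
        raise ValueError("expected exactly two ^A-separated fields")
    user_kv, auth_kv = fields
    if not user_kv.startswith("user="):
        raise ValueError("first field must be user=<address>")
    if not auth_kv.startswith("auth=Bearer "):
        raise ValueError("second field must be auth=Bearer <token>")
    return user_kv[len("user="):], auth_kv[len("auth=Bearer "):]


def imap_authenticate_line(user: str, access_token: str, tag: str = "A1") -> str:
    """The IMAP command a client sends when the server advertises SASL-IR
    (initial response on the command line, RFC 4959)."""
    return f"{tag} AUTHENTICATE XOAUTH2 {build_xoauth2_response(user, access_token)}"


def smtp_auth_line(user: str, access_token: str) -> str:
    """The equivalent SMTP command after EHLO on a TLS-protected session."""
    return f"AUTH XOAUTH2 {build_xoauth2_response(user, access_token)}"


if __name__ == "__main__":
    line = imap_authenticate_line(SAMPLE_USER, SAMPLE_TOKEN)
    print(line)
    # Round-trip through the server-side parser to show what the server
    # actually learns: an address and a bearer token, no password.
    print(parse_xoauth2_response(line.split()[-1]))
```

With Python's standard library, the same string is what the callback passed to `imaplib.IMAP4_SSL.authenticate("XOAUTH2", ...)` must produce, except that imaplib base64-encodes the callback's return value itself, so the callback returns the raw `user=...^Aauth=Bearer ...^A^A` bytes rather than the encoded form. Because the token is a bearer credential, the exchange only makes sense over TLS; an attacker who captures it can replay it until it expires or is revoked, but cannot derive the password from it.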

Do you work in computer security? If so, please participate in a Google survey to help users stay safe online: Thanks!


Update on iOS Google Authenticator

On September 4th, we released a new version of the Google Authenticator app for iOS. Shortly after the update went live in the App Store, we learned that it contained a flaw that makes the app unable to read the account data stored in the previous version. We pulled the app from the App Store as soon as we could.

If your Google Account is affected by this problem, you can use your backup phone number to sign into your account. If you have affected non-Google accounts, please contact support from those providers to get back into your account.

The Google Authenticator team is deeply sorry for the inconvenience and is working to release a fixed version on the iOS App Store as soon as possible.

San Francisco's famous fog. There's an English intro once you click through.
Fog is as much a landmark of San Francisco as the Golden Gate Bridge. For two years the photographer Simon Christen watched the Bay Area in the morning hours with his camera and assembled the footage into this spectacular film. We wish you a pleasant evening.

This looks interesting. I might have to try it...
Gluten Free Pizza Crust
I was checking out whether Pizza Hut has gluten-free options in case I want to enroll my kids in the Book-It program, when I got highly distracted by this recipe. I will be making this.

#gfree #recipe #glutenfreerecipes #pizza

Password Minder

I love Ellen, but here she makes fun of something that is not, in fact, a Bad Idea. Yes, some people face threats from "locals" (distrustful spouses, spying parents, etc.), and those folks shouldn't use the Password Minder.

But the overwhelming majority of users instead face threats from remote attackers who benefit from people's inability to remember lots of different passwords. If you re-use the same password everywhere, the bad guys just have to break into one web site, steal your password, and then use it to impersonate you to all the other web sites.

So you need lots of different passwords. And writing down your passwords is one way to help you keep track of them. Of course, it doesn't have to be the Password Minder. Something slightly less conspicuous or perhaps smaller (so it can fit in your wallet) might be better. There are also more high-tech solutions out there like +1Password or +LastPass.

But you could do much worse than using pen and paper to keep track of your online passwords.

A new funding opportunity for privacy and security researchers --

Request For Proposals:
Google Privacy & Security Focused Research Program

Google is creating a focused research grant program to explore privacy & security research.  

We envision research projects using quantitative or mixed methods to identify and answer the following questions, including but not limited to:

Privacy Topics

The definition of a well-founded valuation model for "offering personal data" to a Web service provider. How can we model the valuation of personal data? What factors determine value and what market enforcements drive adjustments to that value? Are there incentives that need to be in place in a personal data market to ensure a fair equilibrium is reached? What are the security and privacy risks and how can they be represented in the model?

Principled approaches to privacy measurement. Build on the substantial literature in differential privacy and statistical privacy to develop new methods for measuring privacy in a more rigorous mathematical way. Significant challenges remain both in making existing statistical techniques more "long-lived" and data utility preserving, and in dealing with issues like user expectation, comprehension and the dynamic aspect of privacy attitudes over time.

Improve communication of Privacy and Security Policies. Privacy and Security Policies are hard to understand. Can we simplify them for the users while keeping them valid, accurate and legally useful or is it better to aim for "in context" notifications, which likely means providing less Privacy and Security information overall?  Are there design principles to inform the goal of making detailed information easily accessible by those who want it?

Intelligent defaults for Privacy and Security settings. What are good "defaults" for Privacy settings and what research techniques help us best identify such defaults for new products/features? What behavioral archetypes exist in terms of private-public practices? How do we measure user expectations for the actual products and services they use and how should these expectations inform defaults?

Security Topics

• What are alternative authentication methods in the post-password world? We are especially interested in radical new ideas.
• Studies on platform hardening and OS design from the hardware level all the way up to the application level. Incremental defense mechanisms have made our systems more vulnerable due to the complexity and attack surface the solutions expose.
• Persistent pseudonyms and trusted networks
• Seamless identity experience across multi-screen environments
• Study of the economic models that drive non-targeted abuse.
• Busting black-markets for online identity theft and fraud
• Enabling trusted, anonymous, distributed speech

These are one-time awards ranging from US $100,000 to $300,000, where the award spans a period of two years.  We expect most awards to be in the middle of that range, and we may fund proposals at a lower amount than requested. Awards are structured as unrestricted gifts to the universities, so we do not allow overhead or indirect costs.  Where appropriate, we expect award recipients to make their software, utilities, data sets, or similar artifacts freely available for others to use via open source license, publication, etc.

We are requesting proposals in this area from select researchers and faculty members, and we would be delighted with your participation. We expect to make several awards under this program, and welcome proposals that include investigators from multiple organizations where appropriate, though all PIs must be full-time faculty members at accredited universities.

Proposals that share government funding or resources with other efforts are also welcome, as long as other funding sources don’t run counter to this program’s mission.  If you have suggestions for others who should be invited to participate in this call, we would be happy to consider your ideas.

You should include the following in your proposal:
• Proposal Title
• Principal Investigator (PI) full name, contact information (postal address, e-mail, phone), affiliation (university, school, college and/or department)
• Collaborators within and outside your organization
• Research objectives and expected results
• Connection to Google teams who might benefit from the research and the name(s) of these potential Google contacts
• Benefit to the research community
• Budget Summary: Please briefly list only high-level line items like students, study costs, travel, etc.  Google may offer help in hosting data, providing Google App Engine computational credits, or other engagement as appropriate, so please specify if you have ideas about using Google platforms.

Please be concise but clear. As guidance, we'd prefer the body of the proposal to be five pages maximum.  You might refer to this guide for some specific writing advice [1]. At the end of the proposal, please attach a two-page summary CV that includes a list of 5-10 examples of past publications done by the PI and collaborators.

To submit your proposal, please fill out this form [2] and then email your PDF proposal to The title section of your PDF proposal should include the email address of the primary PI.

The deadline for submissions is April 30, 2013. We expect to make final decisions by the end of June.  


If you build mobile or web apps, and if any of your users also use Google, you'll want to check this out.  I'm excited to see what you all build on this!