The recent attempt to hack into Google mirrors other successful attacks, like the Twitter attack and the one against Salesforce.com a few years ago. Roughly, the attacker either guesses the victim's password or sends the victim an email that phishes for passwords or installs spyware, which can then steal passwords or other information.
I find it incredible that here we are in 2010 and we still mostly use passwords to authenticate ourselves to websites, file servers and whatnot. We've been doing much better with ATMs since the 1970s by requiring a card AND a password (as well as having a camera that in theory can be used to assess blame after thefts). There are those little dongles from RSA that solve this, but they're an incredible pain to use and most things don't work out of the box with them. I don't know that this is a problem someone is going to make money solving, but it sure seems like an important problem to solve.
I touched on the second half of the solution in a prior blog post about how I'd like to see a more Apple App Store-like model of application control brought to consumer computers. There's no reason for my laptop to be running unknown code that got injected through some web page I just visited.
Thursday, January 14, 2010