For one thing, if the tab with the malware-loaded page isn't on top, Chrome won't allow it to talk to the dongle. If there is some way to render a page that is not visible to the user but which Chrome considers sufficiently "open", that's a Chrome bug which should be fixed.

You should have stopped after the first sentence, because two channels doesn't help. If the machine you're using is compromised, it's no longer your machine, period. This is true regardless of the authentication method being used. That said, some authentication methods are susceptible to replay attacks... if I can compromise your machine and grab your credentials then I can log in as you from my machine. Security keys make that sort of attack very difficult, much harder than, for example, an out-of-band one-time-password. In that case, I just have to make sure I use the one-time password before you do, grabbing and submitting it before you click "Go". With a cryptographic challenge response protocol performed by a security key that's more difficult, because a secure channel is established between the authentication server (at Google) and the security key. It's still not impossible, but it's much harder.

These are devices that have really only been used for enterprise security. Low volume plus low price sensitivity equals high price. As use of security keys becomes more widespread, across more enterprises and businesses, and even to consumers, that will change.

There are other devices available now, including one that is $6. None of the others are as small as the NEO-n, so you'd have to "fumble for USB sticks" rather than leaving them plugged in all the time... but said "fumbling" really isn't that bad. Put it on your key ring, shove it in when needed.

The proper solution for that problem is for the conference room PC to have its own account, which is invited to the hangout, rather than logging in with some individual's account. From a security perspective, having a device that lots of people log into is a bad idea; it's an ideal target for compromise, regardless of whether or not you use 2FA.

FWIW (not much, I suppose, since it's not generally available), the way this works at Google is that conference rooms have their own accounts and calendars. Rooms are added to meetings in a manner very similar to adding guests. Each conference room PC has a small, connected tablet computer sitting on the table that shows the room's upcoming meetings. You tap the one you want and the room joins that hangout. If someone needs to present something from their computer they just join the meeting from their computer, generally with a different URL that only shares their screen and doesn't use their camera, microphone or speakers (or they can join the hangout normally, mute their speakers, disable their mic and then go into presentation mode). All of this also works for people without Google accounts; if they're invited to a meeting they get a URL that connects them to the hangout, and they can present if needed.

It's very slick. IMO, Google should package the solution and sell it, because it's far and away the best VC system I've seen.

And?

When government leaders act to help the voters you can argue they're doing it only because it affects their chances of staying in power, not because they are being altruistic.

This is called proper alignment of incentives, and it's a very, very good thing. At the end of the day, it's the only thing that keeps us moving forward. And it shouldn't be surprising that corporations like Facebook have an incentive to give users what they want, because in general profit motives are almost always closely aligned to the interests of their customers. Otherwise the customers leave -- and don't give me the crap about users being Facebook's product, not its customers. If users leave Facebook doesn't make money. The details of the mechanism are less important than that core fact.

We're often accustomed to thinking of government as a protection from corporate power, but there's no reason at all that the reverse can't be true. Arguably, government interests are aligned with what the people say they want, while corporate interests are aligned with what people really want, as evidenced by how they spend their money. Neither alignment is perfect because it gets filtered through intermediate mechanisms, and governments and corporations are both ultimately made up of people who have their own goals, beliefs and ideals, which further distorts things.

On that last point, I think it's important to recognize that because decisions are made ultimately by people, organizations -- government and corporate both -- actually can and do at times behave altruistically, sometimes even in opposition to the organization's stated goals(*). We should also keep in mind that organizational dynamics can and do distort or even override the goals of the individuals inside them, often resulting in a group policy which doesn't match any individual's preferences, and which may not even be logically consistent. My core point is that overly-simplified "government good/corps bad", "government bad/corps good", "The Man bad/people good" dichotomies are so inaccurate as to be completely worthless and misleading, as are beliefs that people or organizations can only do good things if they're doing them for the right reasons (or that good reasons justify bad actions, or...).

Reality is complicated. Deal with it as it is, not as you wish it were.

(*) Cue the pseudo-insightful but completely inaccurate post about how corporations have a legal obligation to maximize profit, which (a) isn't true in all cases and (b) doesn't matter in practice anyway because it's not enforced.

I use a YubKey NEO-n. It's a tiny device, only extends from the USB port by a millimeter or so... just enough that you can touch it to activate it. I just leave it plugged into my laptop all the time, so there's no "fumbling with USB sticks", I just run my finger along the side of the laptop until it hits the key. It's extremely convenient.

There's an obvious downside of leaving the key plugged into your laptop, of course. If someone steals your laptop they have your key. However, in order to make use of it they have to have (or guess) your password as well, so it's really only a risk if someone is specifically targeting you, in which case they could also steal your phone. Well, it's also a problem if you use a particularly lousy password, and if you don't notice that the laptop/key are gone soon enough that you can disable the key before the attacker guesses your password.

FWIW, Google switched to using security keys for corporate account authentication a while ago. Google's security operations team determined that the risk of theft of a security key is actually lower in practice than the risk that an employee's phone-based OTP might be phished. I would have thought that Google employees were too smart to be phished... but I suppose resistance to phishing attacks is as much about social intelligence as anything else, and Google hires a lot of socially inept people.

This is the core issue. When evaluating what should be done you have to consider available technology... and in this case your baseline is 10-20 years ago because old systems don't get replaced very often and for new systems backward compatibility is important, as is minimizing the number of distinct products you have to manage.

Exactly. The goal is to avoid being the easiest target around.

If bad guys wanted to work hard they'd just get a job. There are contexts in which the value of a target justifies expending a lot of effort, but they're the exception. In every case real security is all about correctly understanding the threat model and then applying adequate mitigation.

I was... and security was not successfully achieved by litigation, nor even by ITAR restrictions. I think I still have my DeCSS t-shirt somewhere, with the code printed on the back. At the time that t-shirt was arguably an illegal munition, which of course is why it existed and why I bought it.

That's your opinion, but it's not widely-held. I certainly don't agree with it, and I sincerely doubt that all of your downright genius acquaintances at Google stay out of mere inertia. It's much more plausible that they stay because they find it a better place to work than the available alternatives, for whatever combination of reasons. I do, and I've seen a lot of alternatives.

I do... because that's a few less milliseconds my CPU isn't idle, which reduces battery life.

Seriously, does anyone understand this benchmark? I see pairs of performance and battery life numbers which seem to have no real-world meaning, so it's not at all clear to me why it makes sense to compare them. In addition, it's common that for a given set of tasks, a device with better performance will use less power because it spends more time in an idle state. The notion that devices trade off performance against battery life makes little sense in the ARM world.

Maybe this actually does say something useful, but if so I'm too dense to see it.

The structure varies from device to device, yes. On the Nexus devices I'm most familiar with, which don't have SD card slots, there is no real sdcard partition. There is an /scdard, but it's a symlink. The advantage to not having a separate partition is not having to create a hard decision about how much to allocate to /data and how much to /scdard. This is one of the benefits of MTP over UMS that I mentioned, and it means that in terms of storage allocation you need only talk about /data, since it's the only r/w partitiion (except for actual SD cards, of course).

Given the other sub-thread asking about the conversion to Libraries of Congress, apparently it can be used to measure data content as well.

Yes, it was. The problem with UMS is that it's a block-level protocol, not a file-level protocol. This means that when storage is mounted via UMS, the host has no way to coordinate with the target device, which is a big problem if the target device is actually operating on the file system. Basically, it's not safe to have two operating system simultaneously using the same block device.

Because of that, when Android acted as a UMS target, it had to unmount the file system, which had all sorts of unpleasant effects on the system design. Among them, it forced the user-writable data to be partitioned into the portion that could be accessed via UMS and the portion that could not, which required guessing how large each should be. That enforced separation also added all sorts of subtle complexities to the OS, which had to take into account when /data was available and when it was not. SD cards have this same complexity, but core OS operational data isn't stored on them. Finally, it also forced the UMS-mountable data partition to be vFAT, which created many limitations around both functionality and (especially) security. /data could be ext3, or f2fs, or whatever, but MTP support is better across desktop OSes than support for random Linux file systems.

MTP is a file-level protocol. It leaves the Android Linux kernel in charge of managing the file system and just provides an API for browsing and manipulating the files, without exposing details of the file system representation.

UMS is like attaching your hard drive directly to another machine. MTP is like running an FTP server.

So, why don't they move, if they're underpaid and there isn't anything different about Google?

I don't think so, and I spent 15 years working in and around large banks. I've never seen a self-nomination/promo-committee process anything like Google's. I'm not saying Google's is especially good (though I do think it's better than many alternatives I've seen, especially the ones which depend mostly on your manager's political clout and the ones that are all about checking all the right boxes), but I don't think it's comparable to anything in the financial industry or anywhere else outside of Silicon Valley (most of Google's processes are modelled on Intel's).

Again, I don't see this. If that were true, all of my colleagues and I should be able to get a significant raise by moving, and as far as I can see that isn't the case. I've made a habit throughout my career of maintaining good ongoing relationships with a few headhunters and always being willing to talk about opportunities... and as soon as I tell them what I'd have to have to leave Google, they start talking about management positions, not individual contributor positions (what I am) or even team lead positions (what I've been and likely will be again soon). Granted that I'm not in SV; but Google would give me a raise if I agreed to move there, so I think I'd still be in more or less the same position.

Of course, I only have detailed knowledge of my own situation, but I don't see many (any, actually) colleagues leaving for better pay. In fact, everyone I know who has left has done it for personal reasons (location), or to go to a startup where they usually take a hefty short-term pay cut in exchange for heavy equity that they hope will someday explode. The latter happens mostly because Google pays so well, actually. After a few years of accumulating Google stock grants, most people can afford to take some financial risk, shooting for big rewards.