Security message from Google

On 27/11/2018 17:18, 😉 Good Guy 😉 wrote:
On 27/11/2018 11:22, Bill Ward wrote:
My wife does not have a computer at the moment

Get her a Linux junk.Â* For eMail, Facebook, Twitter and web browsing
this is all she needs.Â* Go to any Linux newsgroup and ask them if they
are looking for someone to takeaway their clunker.Â* They might even pay
you to take it away!!!




--
With over 950 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.
Windows is enough of a problem for her without trying to teach her new
tricks:-)
Bill.

On 27/11/2018 17:45, Neil wrote:
On 11/27/2018 6:22 AM, Bill Ward wrote:
My wife does not have a computer at the moment and I have added her
E-Mail address to my Outlook folder.
Why has this message came up for her ?
"Someone just used your password to try to sign in to your account
from a non-Google app. Google blocked them, but you should check what
happened. Review your account activity to make sure no one else has
access."
Bill.

This is a standard response that I get from GMail whenever the account
is accessed from a device presumably not included in its links. It even
does it when I access my GMail account from my laptop!

Google notion of "security" is one of the worst jokes running these days.

Noted !
Bill.

On 27/11/2018 18:04, Ralph Fox wrote:
On Tue, 27 Nov 2018 11:22:14 +0000, Bill Ward wrote:

My wife does not have a computer at the moment and I have added her
E-Mail address to my Outlook folder.
Why has this message came up for her ?
"Someone just used your password to try to sign in to your account from
a non-Google app. Google blocked them, but you should check what
happened. Review your account activity to make sure no one else has
access."

Google recognizes that the access was from a different computer.

Google does not know whether the different computer was authorised
by your wife or not. Hence the warning.



As I say it is the first time for the message after have her E-Mail
being on my PC for quite some time.
Bill.

On 27/11/2018 20:32, Bill Ward wrote:

Windows is enough of a problem for her without trying to teach her new
tricks:-)
Bill.

So you've married a pumpkin? This says something about you as well.
Were you desperate?


--
With over 950 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

Let Donald Trump eat your wife's feces,
then see if the message returns.

On Tue, 27 Nov 2018 12:36:16 -0600, Mark Lloyd wrote:

On 11/27/18 11:56 AM, Ralph Fox wrote:

[snip]

It is not IMAP that Google regards as insecure; it is any authentication
method other than OAuth2.


* FYI: Screen-shot of OAuth2 setting in TB: http://i.imgur.com/dPUg7N3.png

What else do you have to do to get that working?


Not much at all. Just #2 below.

1) When you change the Gmail account to OAuth2 in Thunderbird,
Thunderbird will pop up a window which asks for your Google
account username and password.

2) You enter your Google account username and password in this
pop-up window.

3) Thunderbird will then go off to Google and get an OAuth2
code to use for logging in to Gmail. The OAuth2 code is
automatically saved for future use, with your saved passwords
at "Tools Options Security Saved Passwords".


Just be aware Gmail only supports OAuth2 with IMAP and SMTP, not with POP.


--
Kind regards
Ralph

On Tue, 27 Nov 2018 20:36:13 +0000, Bill Ward wrote:

it is the first time for the message after have her E-Mail
being on my PC for quite some time.


You may now be connecting from either (a) a different IP address range,
or (b) a different ISP, or (c) a different geographic location. Gmail
doesn't know whether that is still you or a hacker trying to get into
your wife's Google account.



As I say

For the record I did not see a "for quite some time" in your original
post; but I did see an "at the moment".

"Ralph Fox" wrote

| It is not IMAP that Google regards as insecure; it is any authentication
| method other than OAuth2.
|

It sounds to me like it's about letting adware access
your personal info, not about security as such.:

"OAuth.....to grant websites or applications access to their information on
other websites but without giving them the passwords.[1] This mechanism is
used by companies such as Amazon,[2] Google, Facebook, Microsoft and Twitter
to permit the users to share information about their accounts with third
party applications or websites.
..... OAuth 2.0 provides specific authorization flows for web applications,
desktop applications, mobile phones, and smart devices."

In other words, "All your data are belong to us, but
we don't want Russian hackers to get it." The idea seems
to be aimed primarily at adware/datamining apps on phones
that need to get your permission to access/share your
data, then need to do that transparently in the future.

I don't see any aspect of increased security. Only
convenience. TBird goes to Google and gets a code.
How does it get the code? By sending your password.

This seems to be a public version of former attempts
at universal ID, like Microsoft's Passport, having become
more relevant as interactive, adware services on phones
need to deal with numerous permissions for varied personal
data. If Google wants it for email it's likely that they
want to confirm and track your activities more easily
across devices. Email is a very simple conversation with
the server:

"Hi, it's me. Here's my password. Got anything for me?"

"As a matter of fact we do. Here you go."

That's it. There are no extra, optional APIs or
"widgets" involved that might call for "an open
standard for API access delegation".

On 11/27/18 2:02 PM, Neil wrote:
On 11/27/2018 1:08 PM, Ralph Fox wrote:

[snip]

I use Firefox, not Thunderbird to access GMail.

Firefox does IMAP?

Ralph Fox wrote:
On Tue, 27 Nov 2018 20:36:13 +0000, Bill Ward wrote:

it is the first time for the message after have her E-Mail
being on my PC for quite some time.

You may now be connecting from either (a) a different IP address range,
or (b) a different ISP, or (c) a different geographic location. Gmail
doesn't know whether that is still you or a hacker trying to get into
your wife's Google account.

[(Of course) Not dumping on you (Ralf) or anybody else for that matter:]

Yeah, this 'security' is quite handy when you use your laptop for
doing exotic things, like on a mobile connection, a Wi-Fi hotspot, etc..
NOT!

If anyone can stomach all the dirt on this, have a look at the thread
"Google screwed up my Gmail acct in Thunderbird" of early September in
newsgroup alt.windows7.general.

The bottom lines from that thread a

- If you use IMAP, configure TB for OAuth2 authentication. See the
responses in *this* thread for details.

- If you use POP, you can configure an 'app password' in Google. See
Ralph's posting on the subject *that* thread.
(FWIW, I rather live with the annoyances than with the app password
'cure'.)

On 11/28/18 2:12 PM, Frank Slootweg wrote:

[snip]

- If you use IMAP, configure TB for OAuth2 authentication. See the
responses in *this* thread for details.

I tried it and found that OAuth2 requires Javascript, something I
disable (in Thunderbird) for security reasons.

[snip]

--
27 days until the winter celebration (Tue Dec 25, 2018 12:00:00 AM for 1
day).

Mark Lloyd
http://notstupid.us/

A "pay per" might be a coin-operated cat simulator.

On 11/28/2018 3:07 PM, notX wrote:
On 11/27/18 2:02 PM, Neil wrote:
On 11/27/2018 1:08 PM, Ralph Fox wrote:

[snip]

I use Firefox, not Thunderbird to access GMail.

Firefox does IMAP?

Whatever. I don't use it to access any other email accounts. It accesses
Gmail and I don't have to jump through any hoops beyond logging into its
horrendous user interface.

--
best regards,

Neil

On 28/11/2018 20:07, notX wrote:
On 11/27/18 2:02 PM, Neil wrote:
On 11/27/2018 1:08 PM, Ralph Fox wrote:

[snip]

I use Firefox, not Thunderbird to access GMail.

Firefox does IMAP?

Firefox does very good Web UI to access GMAIL. Why would anybody use TB
to access eMails when Web Interface is all you need to get the message.
Always keep your messages online for safety and easy access. Google
looks after your Email free of charge or if you have gSuite (like I do
by virtue of free give-away due to being a good customer!!) then make
use of the service you are paying for. I have 5 domains hosted on
Google all free of charge because I have been with them since they
started this. Now there isn't a free service unless you pay about £50
per year per user. Microsoft it is the same - NO FREE service for
custom domain.

--
With over 950 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

On Wed, 28 Nov 2018 14:17:02 -0600, Mark Lloyd wrote:

On 11/28/18 2:12 PM, Frank Slootweg wrote:

[snip]

- If you use IMAP, configure TB for OAuth2 authentication. See the
responses in *this* thread for details.

I tried it and found that OAuth2 requires Javascript, something I
disable (in Thunderbird) for security reasons.


If it needs JavaScript, it is only for the initial creation of an OAuth2
code when you first switch to OAuth2. That uses an embedded web browser
window in Thunderbird. Turn JavaScript on for that and turn it off again
immediately afterwards.

The ongoing OAuth2 authentication each time you get email does not use the
web. It uses SASL over IMAP or SMTP.


BTW JavaScript is always off for emails in Thunderbird. It would only be
on for an embedded web browser window.


--
Kind regards
Ralph

On 11/29/18 12:02 PM, Ralph Fox wrote:

[snip]

BTW JavaScript is always off for emails in Thunderbird. It would only be
on for an embedded web browser window.

IIRC, I don't need JS disabled in the browser window. I'll try turning
it back on.

--
24 days until the winter celebration (Tue Dec 25, 2018 12:00:00 AM for 1
day).

Mark Lloyd
http://notstupid.us/

"The government ought to stay out of the prayer business." -- Jimmy
Carter