> Yesterday Google decided to lock my account (not the first time) even
> though I used your described procedure (2) a while ago and hoped that
> I should be fine now.

What do you mean by "lock", exactly? I don't believe the policies changed recently, but I might be wrong as I no longer work on that system.

Looking at your account history, I see a lot of logins that are being whitelisted by this policy along with an occasional login that gets sent to ID verification. Checking one, it's listed as an exit node now on torstatus.blutmagie.de but wasn't detected as such by the login system. Most likely, our exit node syncing is flaky, somehow not getting a complete list of all exit nodes, or your traffic was routed via that exit in the time window between it coming online and being synced to our system. I'll ask the relevant person to take a look at how accurate/fast our syncing process is and maybe it can be improved.

Now for what happened after that. If you abandon ID verification that was triggered by a Tor login at any point, the system assumes there was a failed hijacking attempt and the account goes into a "red alert" state. At that point access via Tor is denied unless you have a second factor on the account (such as a phone number we can send a code to). Access is restricted in other ways, e.g., the risk analysis becomes dramatically more aggressive. One way to clear this state is to change your password, another way is to wait a while until the red alert clears itself. But you already know this.

So the action items are:

1) I will follow up internally and see if we can make exit node detection more reliable somehow.
2) You should ensure you can reliably pass ID verification, and never abandon it!

The easiest way to do (2) is to set up 2-step verification but with a device instead of a phone number. For instance any smartphone that can run the (open source) Google Authenticator app will do, but it doesn't even have to be that, as the Authenticator app just implements an open standard for OTP generation. We don't get any private data this way.
Although having said that, I'm not sure if 2SV can be set up without a backup phone these days. Hopefully it can be.
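
The open standard mentioned in the message above is TOTP (RFC 6238, built on HOTP, RFC 4226). The following is an added example, not part of the original message and not Google's code: a generator and server-side verifier showing that a code depends only on the enrolled secret and the clock. The key is the RFC's published test key; the function names and the one-step drift window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects the offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(key, max(int(at) // step, 0), digits)


def verify(key: bytes, submitted: str, at: float,
           drift: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check; tolerates +/- `drift` steps of clock skew (assumed policy)."""
    ok = False
    for delta in range(-drift, drift + 1):
        expected = totp(key, at + delta * step, step, digits)
        # Constant-time compare with no early exit, so timing reveals nothing.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode("utf-8"))
    return ok


def decode_secret(b32: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret, usually via QR code."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# Published RFC 6238 test key (ASCII "12345678901234567890"), not a real secret.
RFC_KEY = b"12345678901234567890"
RFC_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_secret(RFC_KEY_B32)
    print("current code:", totp(key, time.time()))
```

The inputs to the computation are the random enrollment secret and the current time; no phone number or device identifier is involved.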