List-Unsubscribe: <https://lists.bitfolk.com/mailman/options/users>,
<mailto:users-request@lists.bitfolk.com?subject=unsubscribe>
List-Archive: <http://lists.bitfolk.com/lurker/list/users.html>
List-Post: <mailto:users@lists.bitfolk.com>
List-Help: <mailto:users-request@lists.bitfolk.com?subject=help>
List-Subscribe: <https://lists.bitfolk.com/mailman/listinfo/users>,
<mailto:users-request@lists.bitfolk.com?subject=subscribe>
X-List-Received-Date: Sat, 07 Jul 2012 13:05:39 -0000
Hello,

Today a customer popped up on IRC saying that they had broken their
VPS and couldn't remember their account details in order to use the
console / rescue VM.

Unfortunately they had also at some point in the past disabled
email password reset, so they were unable to regain access.

My concern at that point was that since they had previously disabled
email password reset they were obviously security-conscious, so I
did not feel comfortable resetting their password and giving it out
to them over IRC.

Of course, I could see that the customer's service was down as
claimed, which did lend weight to the story and meant that I could
not just ignore the issue.

In the end I asked the person on IRC to send me a photo or scan of a
utility bill bearing their name and address as present in BitFolk's
customer database, and on receipt of that I did reset their
password.

If it had been you in the customer's position would you have
considered that reasonable?

If you have disabled email password reset, are you comfortable with
this being circumvented by someone who is able to present a
convincing image of a utility bill to support@????

Perhaps you can offer some guidelines for how this should be dealt
with in future so that there can be a consistent response.

Suggestions revolving around the customer identifying themselves
using public key crypto (PGP keys, SSH keys) are fine but do bear in
mind that most customers have not presented either a PGP or an SSH key
to me, and that would have to be done before it was actually needed.

I could require that an SSH and/or PGP key be uploaded to the panel
before the panel allows you to disable email password resets, though
there would still need to be a plan in place for the inevitable case
where the customer claims to no longer have access to any of the
keys they have uploaded.

Cheers,
Andy
-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
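The public-key route sketched in the message above (a key registered with the provider before it is ever needed, then used to prove the customer is who they say they are) can be made concrete as a challenge-response flow. The following is an added example written for this page; it is not BitFolk's code and has nothing to do with the panel the message describes. The provider stores the customer's OpenSSH ed25519 public key at enrolment, exactly as it would appear in an authorized_keys file, and at recovery time issues a random, time-limited, single-use challenge that the customer must sign with the matching private key. Only the Go standard library is used. The account identifier, the purpose string bound into the signed message, the ten-minute validity window and the sample key pair are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Challenge is one outstanding recovery challenge, bound to a single account.
type Challenge struct {
	Account string
	Nonce   []byte
	Expires time.Time
}

// Verifier is the provider side; the clock is injectable so expiry can be tested.
type Verifier struct {
	keys       map[string]ed25519.PublicKey // enrolled key per account
	challenges map[string]*Challenge        // outstanding challenge per account
	now        func() time.Time
}

func NewVerifier(now func() time.Time) *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, challenges: map[string]*Challenge{}, now: now}
}

// An OpenSSH key blob is a sequence of wire-format strings (uint32 big-endian length, then bytes):
// the type name, then the key. For ed25519 both are fixed size, so the blob is this prefix + 32 key bytes.
const sshEd25519Prefix = "\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"

// ParseOpenSSHEd25519 accepts an authorized_keys-style line ("ssh-ed25519 <base64> [comment]")
// and rejects other key types and malformed blobs.
func ParseOpenSSHEd25519(line string) (ed25519.PublicKey, error) {
	f := strings.Fields(line)
	if len(f) < 2 || f[0] != "ssh-ed25519" {
		return nil, errors.New("not an ssh-ed25519 public key line")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	n := len(sshEd25519Prefix)
	if err != nil || len(blob) != n+ed25519.PublicKeySize || string(blob[:n]) != sshEd25519Prefix {
		return nil, errors.New("malformed ssh-ed25519 key blob")
	}
	return ed25519.PublicKey(blob[n:]), nil
}

// EncodeOpenSSHEd25519 is the inverse, used here only to construct the sample enrolled key.
func EncodeOpenSSHEd25519(pub ed25519.PublicKey, comment string) string {
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(append([]byte(sshEd25519Prefix), pub...)) + " " + comment
}

// Enrol stores a customer's uploaded key; this has to happen before recovery is ever needed.
func (v *Verifier) Enrol(account, keyLine string) error {
	pub, err := ParseOpenSSHEd25519(keyLine)
	if err == nil {
		v.keys[account] = pub
	}
	return err
}

// Issue mints a fresh random, time-limited challenge, replacing any earlier one.
func (v *Verifier) Issue(account string) (*Challenge, error) {
	if _, ok := v.keys[account]; !ok {
		return nil, errors.New("no key enrolled for account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c := &Challenge{Account: account, Nonce: nonce, Expires: v.now().Add(10 * time.Minute)} // assumed window
	v.challenges[account] = c
	return c, nil
}

// messageToSign binds the nonce to a purpose and the account so a signature cannot be replayed elsewhere.
func messageToSign(c *Challenge) []byte {
	return []byte("password-reset-challenge-v1\n" + c.Account + "\n" + base64.StdEncoding.EncodeToString(c.Nonce))
}

// Respond is the customer side: sign the challenge with the private half of the enrolled key.
func Respond(priv ed25519.PrivateKey, c *Challenge) []byte { return ed25519.Sign(priv, messageToSign(c)) }

// Verify consumes the challenge (one attempt each) and accepts only an unexpired, valid signature.
func (v *Verifier) Verify(account string, sig []byte) error {
	c, ok := v.challenges[account]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(v.challenges, account)
	if v.now().After(c.Expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(v.keys[account], messageToSign(c), sig) {
		return errors.New("signature does not verify against enrolled key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample customer key pair
	v := NewVerifier(time.Now)
	_ = v.Enrol("cust-42", EncodeOpenSSHEd25519(pub, "customer@laptop"))
	c, _ := v.Issue("cust-42")
	fmt.Println("first response:", v.Verify("cust-42", Respond(priv, c)), "/ replay:", v.Verify("cust-42", Respond(priv, c)))
}
```

The three properties a practitioner would check are all in Verify: the challenge is deleted before any other check, so a second presentation (replay, or a second guess) is refused; expiry is enforced against the provider's clock, not anything the customer supplies; and the signed message carries a purpose string and the account name, so a signature the customer once produced for some other purpose cannot be presented here. Operationally the customer could produce the signature with OpenSSH's own `ssh-keygen -Y sign` and the provider check it with `ssh-keygen -Y verify`; the point is the same. What the code deliberately does not do is fall back to anything when no key is enrolled or the customer no longer holds the key: that remaining case is exactly the one the message says still needs a plan, and it is an out-of-band process rather than something this check can answer.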
From aaron@??? Sat Jul 07 16:44:50 2012
Date: Sat, 7 Jul 2012 17:35:56 +0100
From: "Aaron B. Russell" <aaron@???>
To: Andy Smith <andy@???>
Message-ID: <ECAE67DBAB7C44C2BA99DA232CC6E395@???>
In-Reply-To: <20120707130537.GA11695@???>
References: <20120707130537.GA11695@???>
Cc: users@???
Subject: Re: [bitfolk] Proving that you are you
What about a scan of a government-issued ID (e.g. passport/driver's license), and perhaps a quick Skype video call to prove that I actually had said document in my possession (as opposed to just having an image file which could have been)?

--
Aaron B. Russell
http://unadopted.co.uk
+44 20 3137 4147
On Saturday, July 7, 2012 at 2:05pm, Andy Smith wrote:
> Hello,
>
> Today a customer popped up on IRC saying that they had broken their
> VPS and couldn't remember their account details in order to use the
> console / rescue VM.
>
> Unfortunately they had also at some point in the past disabled
> email password reset, so they were unable to regain access.
>
> My concern at that point was that since they had previously disabled
> email password reset they were obviously security-conscious, so I
> did not feel comfortable resetting their password and giving it out
> to them over IRC.
>
> Of course, I could see that the customer's service was down as
> claimed, which did lend weight to the story and meant that I could
> not just ignore the issue.
>
> In the end I asked the person on IRC to send me a photo or scan of a
> utility bill bearing their name and address as present in BitFolk's
> customer database, and on receipt of that I did reset their
> password.
>
> If it had been you in the customer's position would you have
> considered that reasonable?
>
> If you have disabled email password reset, are you comfortable with
> this being circumvented by someone who is able to present a
> convincing image of a utility bill to support@??? (mailto:support@bitfolk.com)?
>
> Perhaps you can offer some guidelines f