<div>What about a scan of a government-issued ID (eg passport/driver's license), and perhaps a quick Skype video call to prove that I actually had said document in my possession (as opposed to just having an image file which could have been)?</div>
<div><div><div><div>--&nbsp;<br>Aaron B. Russell<br></div><div>http://unadopted.co.uk</div><div>+44 20 3137 4147</div></div></div></div>
<p style="color: #A0A0A8;">On Saturday, July 7, 2012 at 2:05pm, Andy Smith wrote:</p>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div>Hello,</div>
<div><br></div>
<div>Today a customer popped up on IRC saying that they had broken their</div>
<div>VPS and couldn't remember their account details in order to use the</div>
<div>console / rescue VM.</div>
<div><br></div>
<div>Unfortunately they had also at some point in the past disabled</div>
<div>email password reset, so they were unable to regain access.</div>
<div><br></div>
<div>My concern at that point was that since they had previously disabled</div>
<div>email password reset they were obviously security-conscious, so I</div>
<div>did not feel comfortable resetting their password and giving it out</div>
<div>to them over IRC.</div>
<div><br></div>
<div>Of course, I could see that the customer's service was down as</div>
<div>claimed, which did lend weight to the story and meant that I could</div>
<div>not just ignore the issue.</div>
<div><br></div>
<div>In the end I asked the person on IRC to send me a photo or scan of a</div>
<div>utility bill bearing their name and address as present in BitFolk's</div>
<div>customer database, and on receipt of that I did reset their</div>
<div>password.</div>
<div><br></div>
<div>If it had been you in the customer's position would you have</div>
<div>considered that reasonable?</div>
<div><br></div>
<div>If you have disabled email password reset, are you comfortable with</div>
<div>this being circumvented by someone who is able to present a</div>
<div>convincing image of a utility bill to <a href="mailto:support@bitfolk.com">support@bitfolk.com</a>?</div>
<div><br></div>
<div>Perhaps you can offer some guidelines for how this should be dealt</div>
<div>with in future so that there can be a consistent response.</div>
<div><br></div>
<div>Suggestions revolving around the customer identifying themselves</div>
<div>using public key crypto (PGP keys, SSH keys) are fine but do bear in</div>
<div>mind that most customers have not presented either a PGP or SSH key</div>
<div>to me, and that would have to be done before it was actually needed.</div>
<div><br></div>
<div>I could require that an SSH and/or PGP key be uploaded to the panel</div>
<div>before the panel allows you to disable email password resets, though</div>
<div>there would still need to be a plan in place for the inevitable case</div>
<div>where the customer claims to no longer have access to any of the</div>
<div>keys they have uploaded.</div>
<div><br></div>
<div>Cheers,</div>
<div>Andy</div>
<div><br></div>
<div>-- </div>
<div><a href="http://bitfolk.com">http://bitfolk.com</a>/ -- No-nonsense VPS hosting</div></div>
<div><div>_______________________________________________</div>
<div>users mailing list</div>
<div><a href="mailto:users@lists.bitfolk.com">users@lists.bitfolk.com</a></div>
<div><a href="https://lists.bitfolk.com/mailman/listinfo/users">https://lists.bitfolk.com/mailman/listinfo/users</a></div></div></div></span>
</blockquote>
<div>
<br>
</div>
From aaron@??? Sat Jul 07 16:44:50 2012
Received: from phoenixsupport.org ([2001:ba8:1f1:f1de::f5:c]
helo=server02.filesanctuary.