Hi Steven,
On Sat, Jul 07, 2012 at 04:45:47PM -0300, Steven Walker wrote:
> Could you ask them to add a simple message to their home directory via
> ssh thus proving they have access to the account?
This is for people who have lost access to their VPS.
Cheers,
Andy
-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
From andy@??? Sat Jul 07 19:58:12 2012
Date: Sat, 7 Jul 2012 19:58:12 +0000
From: Andy Smith <andy@???>
To: users@???
Message-ID: <20120707195812.GE11695@???>
References: <20120707130537.GA11695@???> <4FF88D44.2010008@???>
In-Reply-To: <4FF88D44.2010008@???>
OpenPGP: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
X-URL: http://strugglers.net/wiki/User:Andy
Subject: Re: [bitfolk] Proving that you are you
List-Id: Users of BitFolk hosting <users.lists.bitfolk.com>
Hi,
On Sat, Jul 07, 2012 at 10:25:56PM +0300, G. Miliotis wrote:
> I would consider the method you used insecure and prone to social
> engineering attacks. Anyone can forge any document sent over email or
> fax, including a utility bill. Proof of address is not enough to
> verify identity, in my book.
Okay, this won't be done again. I'm glad now that I brought this up
because it's important that we have the same expectations.
Anyone who has disabled the password resets by email should take a
moment now to consider whether they really want that, as there may
not be another way to contact them and they may have to endure
lengthy delays in getting their service working again in future.
In the meantime I will contact all those who have disabled it and
we will work out a procedure that suits as many as possible.
> Brainstorm:
> 1. Make a 1 GBP charge to the customer's bank account (if known) with
> a code, then request the code (a la paypal): requires you to know
> bank account, is SLOW to work
> 2. Demand mobile phone, send verification code via SMS that must be
> input to disable email auth, from then on, demand sms code -
> insecure, might need an extra verification method
> 3. Use voice recognition - customer calls you, you use voice
> recognition software - might need an extra verification method
> 4. Use the "memorable phrase" method (a la msn live)
> 5. Mail the customer a password - might need an extra verification
> method - impractical, easily intercepted
> 6. Use lawyers (a la CACert verification) - very slow, costly, impractical
> 7. Trust buddy - A customer designates another customer as a "trusted
> buddy", where they can access the VPS using their own credentials.
> This could be allowed only during emergency situations or more
> generally - not practical since I imagine most customers don't have
> buddies in bitfolk customer base
> 8. OAuth - Use external authentication (yahoo, etc). Customers links
> account, can then log on via