7 Jul
2012
7 Jul
'12
1:05 p.m.
Hello,
Today a customer popped up on IRC saying that they had broken their
VPS and couldn't remember their account details in order to use the
console / rescue VM.
Unfortunately they had also at some point in the past disabled
email password reset, so they were unable to regain access.
My concern at that point was that since they had previously disabled
email password reset they were obviously security-conscious, so I
did not feel comfortable resetting their password and giving it out
to them over IRC.
Of course, I could see that the customer's service was down as
claimed, which did lend weight to the story and meant that I could
not just ignore the issue.
In the end I asked the person on IRC to send me a photo or scan of a
utility bill bearing their name and address as present in BitFolk's
customer database, and on receipt of that I did reset their
password.
If it had been you in the customer's position would you have
considered that reasonable?
If you have disabled email password reset, are you comfortable with
this being circumvented by someone who is able to present a
convincing image of a utility bill to support(a)bitfolk.com?
Perhaps you can offer some guidelines for how this should be dealt
with in future so that there can be a consistent response.
Suggestions revolving around the customer identifying themselves
using public key crypto (PGP keys, SSH keys) are fine but do bear in
mind that most customers have not presented either a PGP nor SSH key
to me, and that would have to be done before it was actually needed.
I could require that an SSH and/or PGP key be uploaded to the panel
before the panel allows you to disable email password resets, though
there would still need to be a plan in place for the inevitable case
where the customer claims to no longer have access to any of the
keys they have uploaded.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
7 Jul
7 Jul
4:35 p.m.
What about a scan of a government-issued ID (eg passport/driver's license), and
perhaps a quick Skype video call to prove that I actually had said document in my
possession (as opposed to just having an image file which could have been)?
--
Aaron B. Russell
http://unadopted.co.uk
+44 20 3137 4147
On Saturday, July 7, 2012 at 2:05pm, Andy Smith wrote:
Hello,
Today a customer popped up on IRC saying that they had broken their
VPS and couldn't remember their account details in order to use the
console / rescue VM.
Unfortunately they had also at some point in the past disabled
email password reset, so they were unable to regain access.
My concern at that point was that since they had previously disabled
email password reset they were obviously security-conscious, so I
did not feel comfortable resetting their password and giving it out
to them over IRC.
Of course, I could see that the customer's service was down as
claimed, which did lend weight to the story and meant that I could
not just ignore the issue.
In the end I asked the person on IRC to send me a photo or scan of a
utility bill bearing their name and address as present in BitFolk's
customer database, and on receipt of that I did reset their
password.
If it had been you in the customer's position would you have
considered that reasonable?
If you have disabled email password reset, are you comfortable with
this being circumvented by someone who is able to present a
convincing image of a utility bill to support(a)bitfolk.com (mailto:support@bitfolk.com)?
Perhaps you can offer some guidelines for how this should be dealt
with in future so that there can be a consistent response.
Suggestions revolving around the customer identifying themselves
using public key crypto (PGP keys, SSH keys) are fine but do bear in
mind that most customers have not presented either a PGP nor SSH key
to me, and that would have to be done before it was actually needed.
I could require that an SSH and/or PGP key be uploaded to the panel
before the panel allows you to disable email password resets, though
there would still need to be a plan in place for the inevitable case
where the customer claims to no longer have access to any of the
keys they have uploaded.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
users mailing list
users(a)lists.bitfolk.com (mailto:users@lists.bitfolk.com)
https://lists.bitfolk.com/mailman/listinfo/users
4:38 p.m.
Oops, hit send too quickly. :) That was supposed to say "as opposed to just having an
image file which could easily be duplicated".
Rationale: you'd have a copy of that image file once I'd sent it to you, and
chances are a few other people may have access to that image file, so verifying I actually
had the real document would be somewhat important (though of course depending on the video
quality this may not be a great solution as you might not be able to verify the document
is the same one as in the image…)
--
Aaron B. Russell
http://unadopted.co.uk
+44 20 3137 4147
On Saturday, July 7, 2012 at 5:35pm, Aaron B. Russell wrote:
(as opposed to just having an image file which could
have been)?
5:07 p.m.
Hi Aaron,
On Sat, Jul 07, 2012 at 05:38:13PM +0100, Aaron B. Russell wrote:
Rationale: you'd have a copy of that image file
once I'd sent it to you, and chances are a few other people may have access to that
image file, so verifying I actually had the real document would be somewhat important
(though of course depending on the video quality this may not be a great solution as you
might not be able to verify the document is the same one as in the image…)
So are you saying that if
- YOU had disabled the password reset, and
- YOUR service were down, and
- you were communicating with me via email (possibly from a
different email address to the one in our database)
YOU would not want me to reset your account password based on an
image of a utility bill, but would insist upon a government ID that
I recognise?
Also what would be your suggestion regarding government IDs that I
don't recognise (not all customers are from the UK)?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
5:13 p.m.
So are you saying that if
- YOU had disabled the password reset, and
- YOUR service were down, and
- you were communicating with me via email (possibly from a
different email address to the one in our database)
YOU would not want me to reset your account password based on an
image of a utility bill, but would insist upon a government ID that
I recognise?
Well my concern with a utility bill is that they're reasonably easily faked… it's
not hard to do a Google Image Search for "gas bill", then edit the relevant
parts in your favourite image editor.
Also what would be your suggestion regarding
government IDs that I
don't recognise (not all customers are from the UK)?
I have to admit I'd not considered the non-UK side of things. That would definitely be
a problem with the approach I'd suggested, as it'd be unreasonable to expect you
to have an encyclopaedic knowledge of every possible government ID out there!
Perhaps if, at the time of disabling password resets, a customer was required to send in
an image of a government ID that you could keep on file and validate against, in case they
ever did lock themselves out? I'm not sure how happy people would be to do that,
though.
--
Aaron B. Russell
http://unadopted.co.uk
+44 20 3137 4147
5:25 p.m.
So are you saying that if
- YOU had disabled the password reset, and
- YOUR service were down, and
- you were communicating with me via email (possibly from a
different email address to the one in our database)
YOU would not want me to reset your account password based on an
image of a utility bill, but would insist upon a government ID that
I recognise?
To clarify: if there is a better solution than a government ID image, then let's
explore those options. But being able to gain access to my account by supplying a
potentially 'shopped utility bill seems risky to me.
--
Aaron B. Russell
http://unadopted.co.uk
+44 20 3137 4147
5:30 p.m.
Hi Aaron,
On Sat, Jul 07, 2012 at 06:13:53PM +0100, Aaron B. Russell wrote:
Perhaps if, at the time of disabling password resets,
a customer was required to send in an image of a government ID that you could keep on file
and validate against, in case they ever did lock themselves out? I'm not sure how
happy people would be to do that, though.
I like this option far less than my suggestion that anyone who
wanted to disable password resets would have to upload a PGP or SSH
key first.
Most people can't be bothered with public key crypto, but if someone
is going to disable the one way they have to getting access when locked
out then perhaps they could be forced to bother.
Maybe I should just ask this question (off-list) of the few
customers who have disabled password reset and see what they
consider an appropriate level of security should the worst happen.
It doesn't affect the majority of you and I think people have
difficulty putting themselves into such a hypothetical situation.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
5:38 p.m.
I like this option far less than my suggestion that
anyone who
wanted to disable password resets would have to upload a PGP or SSH
key first.
I suppose if people are so concerned about disabling password resets, then it isn't
really unreasonable to expect them to send public keys to you instead. You do need a solid
way of identifying them somehow, and this is inherently more secure than relying on human
verification of potentially faked image data.
It also removes a lot of the risk involved in the verification process… either a key
matches or it doesn't, but visually verifying images is a much more fuzzy situation.
--
Aaron B. Russell
http://unadopted.co.uk
+44 20 3137 4147
12 Jul
12 Jul
7:39 p.m.
On 2012-07-07 7:30 PM, Andy Smith wrote:
Hi Aaron,
On Sat, Jul 07, 2012 at 06:13:53PM +0100, Aaron B. Russell wrote:
I would be happy to upload an ssh key and pgp key in this situation. I
will not be happy to provide a copy of my ID or drivers license, which
can be stolen and used for other purposes, to _any_ company.
Perhaps if, at the time of disabling password
resets, a customer was required to send in an image of a government ID that you could keep
on file and validate against, in case they ever did lock themselves out? I'm not sure
how happy people would be to do that, though.
I like this option far less than my suggestion that anyone who
wanted to disable password resets would have to upload a PGP or SSH
key first. Most people can't be bothered with public key
crypto, but if someone
is going to disable the one way they have to getting access when locked
out then perhaps they could be forced to bother.
Make that an option. You must have one of:
- password reset
- ssh key
- pgp key
- some Pre-Shared-Key (?)
- some Pre-Shared Token (i.e password)
You can't select 'none'. You need one of them. I'd be cautious to use
ssh keys, I have lost some private keys in various situations.
Maybe I should just ask this question (off-list) of the few
customers who have disabled password reset and see what they
consider an appropriate level of security should the worst happen.
It doesn't affect the majority of you and I think people have
difficulty putting themselves into such a hypothetical situation.
I'll think about it while I can't sleep tonight. Might come up with
something.
7:35 p.m.
On 2012-07-07 7:07 PM, Andy Smith wrote:
Hi Aaron,
On Sat, Jul 07, 2012 at 05:38:13PM +0100, Aaron B. Russell wrote:
That makes sense, yes, however:
Rationale: you'd have a copy of that image
file once I'd sent it to you, and chances are a few other people may have access to
that image file, so verifying I actually had the real document would be somewhat important
(though of course depending on the video quality this may not be a great solution as you
might not be able to verify the document is the same one as in the image…)
So are you saying that if
- YOU had disabled the password reset, and
- YOUR service were down, and
- you were communicating with me via email (possibly from a
different email address to the one in our database)
YOU would not want me to reset your account password based on an
image of a utility bill, but would insist upon a government ID that
I recognise? Also what would be your suggestion regarding
government IDs that I
don't recognise (not all customers are from the UK)?
I don't think you'd know a real South African ID document or drivers
license from a fake one. How many other customers from how many other
countries do you have?
7 Jul
7 Jul
5:03 p.m.
On 7 July 2012 17:35, Aaron B. Russell <aaron(a)unadopted.co.uk> wrote:
What about a scan of a government-issued ID (eg
passport/driver's license),
and perhaps a quick Skype video call to prove that I actually had said
document in my possession (as opposed to just having an image file which
could have been)?
I much prefer the idea ofd a passport (with skype call) to a scan of a
utility bill.
Anyone who knows someones name and address can probably forge a scan
of a utility bill fairly easily.
--
Phil Hunt, <cabalamat(a)gmail.com>
5:19 p.m.
Hi Philip,
On Sat, Jul 07, 2012 at 06:03:18PM +0100, Philip Hunt wrote:
On 7 July 2012 17:35, Aaron B. Russell
<aaron(a)unadopted.co.uk> wrote:
Sorry, I'm not doing skype or any kind of video chat. We will have
to agree on something else.
What about a scan of a government-issued ID (eg
passport/driver's license),
and perhaps a quick Skype video call to prove that I actually had said
document in my possession (as opposed to just having an image file which
could have been)?
I much prefer the idea ofd a passport (with skype call) to a scan of a
utility bill. Anyone who knows someones name and address can
probably forge a scan
of a utility bill fairly easily.
I would have thought that it is not very much harder for someone
with a UK passport to photoshop an image of it with any name they
like on it, good enough for a scan or video chat. I don't know what
most customers look like. I don't know what most non-UK passports
look like.
But just to be clear, are you saying that if YOU had disabled
password resets and then needed it reset, you would want me to not
accept anything other than a image of a passport that claims to be
yours?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
8 Jul
8 Jul
6:07 a.m.
On 7 July 2012 18:19, Andy Smith <andy(a)bitfolk.com> wrote:
But just to be clear, are you saying that if YOU had disabled
password resets
That's not something I would do, so the premise doesn't apply.
and then needed it reset, you would want me to not
accept anything other than a image of a passport that claims to be
yours?
Actually I'd prefer it if you accepted a phone call from the same
phone number I used when I set up the account. But you probably don't
have that number. So a small Visa transfer from the same bank account
would verify who I was.
--
Phil Hunt, <cabalamat(a)gmail.com>
7 Jul
7 Jul
5:05 p.m.
And what about situation when customer doesn't have goverment-issued ID with his name
in latin alphabet?(such things can be solved by checking customer's country..)
My is just ask permission to charge small (<10 GBP) amount of money from last used card
and ask customer exact amount(after verification just credit money to customer)
(if your billing system allow that)
07.07.2012, в 23:35, Aaron B. Russell написал(а):
What about a scan of a government-issued ID (eg
passport/driver's license), and perhaps a quick Skype video call to prove that I
actually had said document in my possession (as opposed to just having an image file which
could have been)?
--
Aaron B. Russell
http://unadopted.co.uk
5:40 p.m.
Hi Dmitriy,
On Sun, Jul 08, 2012 at 12:05:51AM +0700, Dmitriy Kazimirov wrote:
My is just ask permission to charge small (<10 GBP)
amount of money from last used card and ask customer exact amount(after verification just
credit money to customer)
(if your billing system allow that)
Unfortunately at the moment most payment methods involve sending a
payment request to an email address, so for identity purposes
they're only about as secure as the customer's email is. If the
customer considers their email to be secure then they wouldn't have
disabled emailed password resets. In theory.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
5:43 p.m.
Hi,
in this case... _I_ would used followign crazy idea:
- ask custom for at least N alternate contact points(NOT e-mails, if customer things they
are unsecure). skype, linkedin account, EVE Online(or WoW) char name and use that for
secondary verification
08.07.2012, в 0:40, Andy Smith написал(а):
Hi Dmitriy,
On Sun, Jul 08, 2012 at 12:05:51AM +0700, Dmitriy Kazimirov wrote:
My is just ask permission to charge small (<10
GBP) amount of money from last used card and ask customer exact amount(after verification
just credit money to customer)
(if your billing system allow that)
Unfortunately at the moment most payment methods involve sending a
payment request to an email address, so for identity purposes
they're only about as secure as the customer's email is. If the
customer considers their email to be secure then they wouldn't have
disabled emailed password resets. In theory.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users 
4:56 p.m.
Brain fart: An advance payment from the customer with a matching name
might prove identity in this last resort scenario.
When the payment is made, like a UK bank transfer, you should
hopefully see some identifying from string I'm thinking.
5:25 p.m.
Hi Kai,
On Sat, Jul 07, 2012 at 06:56:35PM +0200, Kai Hendry wrote:
Brain fart: An advance payment from the customer with
a matching name
might prove identity in this last resort scenario.
So just to be clear, if YOU had disabled password reset and YOUR
service was down, you would not regard a scan of a utility bill as
sufficient, and would want me to tell you to make a payment by the
same means that you usually do before giving you a new password?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
7:25 p.m.
On 7/7/2012 4:05 μμ, Andy Smith wrote:
Hello,
Today a customer popped up on IRC saying that they had broken their
VPS and couldn't remember their account details in order to use the
console / rescue VM.
Unfortunately they had also at some point in the past disabled
email password reset, so they were unable to regain access.
I believe that
disabling password reset should only be available if
another method of authentication is configured. A means of identifying
oneself should always be active.
I would consider the method you used insecure and prone to social
engineering attacks. Anyone can forge any document sent over email or
fax, including a utility bill. Proof of address is not enough to verify
identity, in my book.
If you have disabled email password reset, are you
comfortable with
this being circumvented by someone who is able to present a
convincing image of a utility bill to support(a)bitfolk.com?
I am not comfortable
with that. Many people know my address, so this is
insecure.
Perhaps you can offer some guidelines for how this
should be dealt
with in future so that there can be a consistent response.
Suggestions revolving around the customer identifying themselves
using public key crypto (PGP keys, SSH keys) are fine but do bear in
mind that most customers have not presented either a PGP nor SSH key
to me, and that would have to be done before it was actually needed.
I could require that an SSH and/or PGP key be uploaded to the panel
before the panel allows you to disable email password resets, though
there would still need to be a plan in place for the inevitable case
where the customer claims to no longer have access to any of the
keys they have uploaded.
I would not only accept but in fact appreciate you more if
you
implemented SSH/PGP uploading as a requirement.
SSH keys could be automatically taken from root account in server if
they exist - if root account is compromised and hacker put ssh keys
there, there's nothing to lose.. it's already rooted.
Brainstorm:
1. Make a 1 GBP charge to the customer's bank account (if known) with a
code, then request the code (a la paypal): requires you to know bank
account, is SLOW to work
2. Demand mobile phone, send verification code via SMS that must be
input to disable email auth, from then on, demand sms code - insecure,
might need an extra verification method
3. Use voice recognition - customer calls you, you use voice recognition
software - might need an extra verification method
4. Use the "memorable phrase" method (a la msn live)
5. Mail the customer a password - might need an extra verification
method - impractical, easily intercepted
6. Use lawyers (a la CACert verification) - very slow, costly, impractical
7. Trust buddy - A customer designates another customer as a "trusted
buddy", where they can access the VPS using their own credentials. This
could be allowed only during emergency situations or more generally -
not practical since I imagine most customers don't have buddies in
bitfolk customer base
8. OAuth - Use external authentication (yahoo, etc). Customers links
account, can then log on via those accounts in future ONLY to change
password. Forgetting both credentials would be rather rare....
Also, you should not reveal an active alternative authentication method
in a customer's account to alleged customer, as extra layer of security.
The customer should offer the authentication keys without social
engineering you.
--G
7:58 p.m.
Hi,
On Sat, Jul 07, 2012 at 10:25:56PM +0300, G. Miliotis wrote:
I would consider the method you used insecure and
prone to social
engineering attacks. Anyone can forge any document sent over email or
fax, including a utility bill. Proof of address is not enough to
verify identity, in my book.
Okay, this won't be done again. I'm glad now that I brought this up
because it's important that we have the same expectations.
Anyone who has disabled the password resets by email should take a
moment now to consider whether they really want that, as there may
not be another way to contact them and they may have to endure
lengthy delays in getting their service working again in future.
In the mean time I will contact all those who have disabled it and
we will work out a procedure that suits as many as possible.
Brainstorm:
1. Make a 1 GBP charge to the customer's bank account (if known) with
a code, then request the code (a la paypal): requires you to know
bank account, is SLOW to work
2. Demand mobile phone, send verification code via SMS that must be
input to disable email auth, from then on, demand sms code -
insecure, might need an extra verification method
3. Use voice recognition - customer calls you, you use voice
recognition software - might need an extra verification method
4. Use the "memorable phrase" method (a la msn live)
5. Mail the customer a password - might need an extra verification
method - impractical, easily intercepted
6. Use lawyers (a la CACert verification) - very slow, costly, impractical
7. Trust buddy - A customer designates another customer as a "trusted
buddy", where they can access the VPS using their own credentials.
This could be allowed only during emergency situations or more
generally - not practical since I imagine most customers don't have
buddies in bitfolk customer base
8. OAuth - Use external authentication (yahoo, etc). Customers links
account, can then log on via those accounts in future ONLY to change
password. Forgetting both credentials would be rather rare....
There are some good ideas here and I will bring them up again when I
talk to those of you who have disabled password resets.
Thanks for the input,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
8 Jul
8 Jul
11:58 a.m.
Hi Andy,
On Sat, July 7, 2012 2:05 pm, Andy Smith wrote:
Today a customer popped up on IRC saying that they had
broken their
VPS and couldn't remember their account details in order to use the
console / rescue VM.
Unfortunately they had also at some point in the past disabled
email password reset, so they were unable to regain access.
My e-mail is hosted on my VPS so if it's down then the e-mail password
reset function would be no good to me anyway.
Of course, that's not your fault so I make sure that I don't forget my
access credentials. If, for whatever reason, that doesn't work out I would
be happy for you ask questions about personal details you hold about me in
order to verify my identity.
I suppose the issue with this approach is that currently you might not
hold all that much info, and that that info might be easily discoverable
by a third party (e.g. address) so perhaps the control panel could allow
users to enter a question and answer that only they could know? I'm
thinking along the lines of 'What make was your first computer' type of
thing but this bit is key: let the user decide the question so they can
make it as secure (private/obscure) as they like as some of the stock
questions often asked are usually quite weak (e.g. mother's maiden name).
For what it's worth, I'm not keen on the methods suggested that could take
time to complete and carry other restrictions e.g. coded bank payments,
Skype calls, scanned utility bills etc and would prefer following the KISS
principle as much as possible.
Regards,
Mathew
1:46 p.m.
On 08/07/2012 12:58, Mathew Newton wrote:
<snip> so perhaps the control panel could allow
users to enter a question and answer that only they could know? I'm
thinking along the lines of 'What make was your first computer' type of
thing but this bit is key: let the user decide the question so they can
make it as secure (private/obscure) as they like as some of the stock
questions often asked are usually quite weak (e.g. mother's maiden name).
I like this idea and second the not using stock questions. The number
of websites where I have had to put my mother's maiden name and name of
first pet, I don't consider them to be secure any more (not that
mother's maiden name is secure against a targeted hack - it's a public
record). I had issues when completing the answers to some of the set
questions when configuring the password reset mechanism for my account
at work as many of the questions were not something I could give a
single definitive answer to.
For what it's worth, I'm not keen on the
methods suggested that could take
time to complete and carry other restrictions e.g. coded bank payments,
Skype calls, scanned utility bills etc and would prefer following the KISS
principle as much as possible.
While I think that the use of bank payments could still be a useful
method in conjunction with some other identification, I agree that
scanned images of bills and/or passport/driving licence are easily
edited or faked (at least as far as could be verified by Andy). A
previous suggestion (from Andy?) about needing to upload a PGP/SSH key
in order to disable the password reset email option sounds sensible to me.
Gavin
12:01 p.m.
I find this subject intensely interesting.
I know Andy has already taken a load on board but here's my thoughts anyway.
If someone has decided they don't trust email to perform account resets
then yes, they should be considered security-conscious and unlikely to
want to have a less secure method to be used in case of emergency.
Given that I think it is reasonable to expect people who turn it off to
perform some extra work to ensure they can be authenticated if the worst
happens and they lose private keys, forget pass-phrases etc.
I do like the idea of asking the customer to send you a set amount using
the account they last used to pay for the service itself.
I also like the idea of using some form of web of trust here...please
ensure you have nominated someone else who has a publicly signed key
that can be used to verify that you are making the request, even if that
key cannot be used to actually access the service directly.
Right, off to get wet in the summer sun...
n
On 07/07/12 14:05, Andy Smith wrote:
Hello,
Today a customer popped up on IRC saying that they had broken their
VPS and couldn't remember their account details in order to use the
console / rescue VM.
Unfortunately they had also at some point in the past disabled
email password reset, so they were unable to regain access.
My concern at that point was that since they had previously disabled
email password reset they were obviously security-conscious, so I
did not feel comfortable resetting their password and giving it out
to them over IRC.
Of course, I could see that the customer's service was down as
claimed, which did lend weight to the story and meant that I could
not just ignore the issue.
In the end I asked the person on IRC to send me a photo or scan of a
utility bill bearing their name and address as present in BitFolk's
customer database, and on receipt of that I did reset their
password.
If it had been you in the customer's position would you have
considered that reasonable?
If you have disabled email password reset, are you comfortable with
this being circumvented by someone who is able to present a
convincing image of a utility bill to support(a)bitfolk.com?
Perhaps you can offer some guidelines for how this should be dealt
with in future so that there can be a consistent response.
Suggestions revolving around the customer identifying themselves
using public key crypto (PGP keys, SSH keys) are fine but do bear in
mind that most customers have not presented either a PGP nor SSH key
to me, and that would have to be done before it was actually needed.
I could require that an SSH and/or PGP key be uploaded to the panel
before the panel allows you to disable email password resets, though
there would still need to be a plan in place for the inevitable case
where the customer claims to no longer have access to any of the
keys they have uploaded.
Cheers,
Andy
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
3:45 p.m.
On Saturday 07 Jul 2012 14:05:37 Andy Smith wrote:
Suggestions revolving around the customer identifying
themselves
using public key crypto (PGP keys, SSH keys) are fine but do bear in
mind that most customers have not presented either a PGP nor SSH key
to me, and that would have to be done before it was actually needed.
I could require that an SSH and/or PGP key be uploaded to the panel
before the panel allows you to disable email password resets, though
there would still need to be a plan in place for the inevitable case
where the customer claims to no longer have access to any of the
keys they have uploaded.
I think this is the best suggestion. Require a GPG key off everyone.
If, the VPS owner has chosen to disable password reset (which for a security
sensitive site, they almost certainly should -- emails aren't secure), then
it is their duty to supply a public-key method of verifying their identity.
If they haven't done that then I don't think it's unreasonable for you to
require any level of:
- Birth certificate
- Utility bill
- Passport
- Freshly made photo of them holding today's paper with a secret phrase of
your choice written on it.
- An unlocking payment from the same source as the original VPS purchase
In short: paranoia. Disabling password reset implies a level of security
that should be maintained. It's saying "I take full responsibility for the
password to this VPS, and if I lose it, I accept that I may never get access
again".
The alternative is that social engineering will get an attacker access; and
that's often considerably easier brute forcing problem than a password.
Andy
--
Dr Andy Parkins
andyparkins(a)gmail.com
9 Jul
9 Jul
1:06 p.m.
Hi,
On Sat, 7 Jul 2012, Andy Smith wrote:
Today a customer popped up on IRC saying that they had
broken their
VPS and couldn't remember their account details in order to use the
console / rescue VM.
[…]
As some others have replied, I'd be unhappy with the use of utility
bills.
An interface to upload allowed OpenPGP keys seems the best option so
far (multiple keys as a possibility).
On Sun, 8 Jul 2012, Mathew Newton wrote:
My e-mail is hosted on my VPS so if it's down then
the e-mail password
reset function would be no good to me anyway.
Same for me. But I could use a random other email account and sign using
a pre-arranged crypto key.
On Sun, 8 Jul 2012, Nigel Rantor wrote:
Given that I think it is reasonable to expect people
who turn it off to
perform some extra work to ensure they can be authenticated if the worst
happens and they lose private keys, forget pass-phrases etc.
Ultimately, it is possible to lose access to most credentials (e.g., lost
VPS, normal email out of action, lost private keys / passphrases).
Re-identification is hard, and I guess the question is really one of how
much is required, or if the user is willing for it to happen at all.
I do like the idea of asking the customer to send you
a set amount using the
account they last used to pay for the service itself.
But only if they haven't moved accounts (okay, it's been some years since
I moved banks, but I know some who change every year or two).
On Sun, 8 Jul 2012, Gavin Westwood wrote:
I like this idea and second the not using stock
questions. The number
of websites where I have had to put my mother's maiden name and name of
[...]
I can never remember what I wrote for most of these question-answer
combinations… I find them relatively useless as a recovery mechanism.
On Sun, 8 Jul 2012, Andy Parkins wrote:
In short: paranoia. Disabling password reset implies
a level of security
that should be maintained. It's saying "I take full responsibility for the
password to this VPS, and if I lose it, I accept that I may never get access
again".
Perhaps the control panel could offer a range of options covering
different tastes/tolerances from indifferent to very paranoid. But
that makes it all very complicated.
So my end suggestion is:
- Hold a list of OpenPGP keys that are authorised for
resets/recovery, via the panel.
- As well as the "Allow password reset" switch, add two more, one for
reset via OpenPGP keys, and a final one so that the user can state
that they never want any other mechanism using (i.e., if they lose
their password, etc they "accept that I may never get access
again"). Probably need to make that last one jump through some
confirmation hoops....
For those who are prepared to accept other reidentification, a
combination of government ID combined with fresh photos plus some form
of bank transaction would be reasonable. Stick it on the policy page
and link it against that last switch.
(Aside: Has Bitfolk had any instances of customers being
incapacitated (or dying) and relatives needing to recover access to
the VPS? E.g., if it's used for domestic email?)
Cheers,
Phil.
--
Phil Brooke OpenPGP key: 0x2F0EC78A
3:10 p.m.
Hi Phil,
On Mon, Jul 09, 2012 at 02:06:18PM +0100, Phil Brooke wrote:
On Sat, 7 Jul 2012, Andy Smith wrote:
Yeah as I already said I've taken that on board and won't be doing
it again. Which means that everyone who has currently disabled email
password resets needs to be really sure about that.
Today a customer popped up on IRC saying that they
had broken their
VPS and couldn't remember their account details in order to use the
console / rescue VM.
[…]
As some others have replied, I'd be unhappy with the use of utility
bills. Perhaps the control panel could offer a range of
options covering
different tastes/tolerances from indifferent to very paranoid. But
that makes it all very complicated.
What I am going to do is talk to just the customers who have
disabled email password resets and come up with some process that
suits the majority of them.
I don't mind discussing things amongst the wider customer base but I
feel like we are getting mired down in suggested processes which
will only ever apply to hypothetical other people. On this, I'd
rather consult with the people it is more likely to affect.
The chances of just one method being suitable for everyone are
small, so I imagine there's going to have to be several levels and
an incredibly tedious fallback strategy for a customer who claims to
have lost ability to satisfy any of the other checks.
(Aside: Has Bitfolk had any instances of customers
being
incapacitated (or dying) and relatives needing to recover access to
the VPS? E.g., if it's used for domestic email?)
Yes. A customer died, so I took legal advice and came up with a
policy.
In the UK, if there is a will then the matter has to be dealt with
by an executor of the deceased's estate, and I need to see an
original copy of the death certificate.
If there is no will then a photocopy of the death certificate is
acceptable.
From the death certificate I am able to confirm (by phoning the
registrar) that the individual actually has died, there is or isn't
a will, and next of kin is as claimed.
Assuming no will, I can then hand over the deceased's property to
the next of kin. If there is a will I am not 100% sure what happens
but I imagine it requires the executor to tell me if the contents of
the VPS are mentioned or not, and then do what they say.
This is roughly the same process that UK banks follow when an
account holder dies. I didn't really feel like it was worth
documenting that on the web site as it seemed a bit morbid, but
policy exists.
I don't know what the process would be if an overseas customer died
because I don't know the relevant laws, what their death
certificates look like, who I contact, etc. I'm happy enough to wait
until that happens and find out then.
Note that if the deceased's VPS continues to run or if I can boot it
and make it run, then there is no reason why it can't keep running
as long as someone pays for it. I don't really need to care who is
paying for it as long as they do. It's mainly giving access to the
data inside the VPS that is the issue.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
5:16 p.m.
Hi Andy,
On Mon, July 9, 2012 4:10 pm, Andy Smith wrote:
What I am going to do is talk to just the customers
who have
disabled email password resets and come up with some process that
suits the majority of them.
I don't mind discussing things amongst the wider customer base but I
feel like we are getting mired down in suggested processes which
will only ever apply to hypothetical other people. On this, I'd
rather consult with the people it is more likely to affect.
Those whose e-mail resides on their VPS may be equally effected given the
potential that e-mail password reset may not be viable but would fall
outside of your scope if you take it off-list.
As mitigation against this particular circumstance I would welcome the
inclusion of a secondary e-mail address within the control panel such that
e-mail password reset could still be an option should the worst happen.
Mathew
11 Jul
11 Jul
9:20 a.m.
Take the customers' mobile phone number at sign up time and send them
their details by SMS.
Although apparently Google are incredible 'Evil' for doing this sort
of thing. Um, really?
9:29 a.m.
On 11/07/12 19:20, Philip Veale wrote:
Take the customers' mobile phone number at sign up
time and send them
their details by SMS.
If there is enough 'value' in stealing accounts, the phone numbers get
hijacked before requesting the reset.
Also not everyone is in the UK, yes I know you can do cheap SMS over the
net, but those services can have problems sending to all networks.
Although apparently Google are incredible
'Evil' for doing this sort
of thing. Um, really?
Google's evil because they won't stop there, they try to add all the
various pieces of your life to try and predict what will make you more
likely to buy stuff.
12:06 p.m.
On Wed, 11 Jul 2012 10:20:17 +0100
Philip Veale <email(a)philipveale.com> wrote:
Take the customers' mobile phone number at sign up
time and send them
their details by SMS.
That assumes everyone has a mobile phone.
OK! most people geeky enough to want to run a VPS _will_ have one.
I actually have one but rarely use it and it is the most basic nokia
pay as you go phone I could get. It will send text messages but thats
about the extent of its 'advanced' features.
I only got a mobile phone as I needed a way of contacting emergency
services and the like whilst out in the wilds on my mountain bike.
If I'd not had that need I'd probably still not have a mobile phone.
--
John Lewis
Debian & the GeneWeb genealogical data server
12:23 p.m.
Hello,
On Wed, Jul 11, 2012 at 01:06:27PM +0100, john lewis wrote:
On Wed, 11 Jul 2012 10:20:17 +0100
Philip Veale <email(a)philipveale.com> wrote:
Do bear in mind that for any possible single solution you can come
up with, there will be someone who can't cope with it, or thought
they could but for whatever reason when it comes down to when it's
needed, find they cannot. :)
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Take the customers' mobile phone number at
sign up time and send them
their details by SMS.
That assumes everyone has a mobile phone.
12 Jul
12 Jul
7:58 p.m.
On 2012-07-11 2:23 PM, Andy Smith wrote:
Do bear in mind that for any possible single solution
you can come
up with, there will be someone who can't cope with it, or thought
they could but for whatever reason when it comes down to when it's
needed, find they cannot. :)
Oh how true that is. I've got it a slightly different way (I'm a
programmer):
For every system you make idiot-proof, the universe comes and generates
an even bigger idiot that _will_ break it.
7:50 p.m.
On 2012-07-08 5:45 PM, Andy Parkins wrote:
If, the VPS owner has chosen to disable password reset
(which for a security
sensitive site, they almost certainly should -- emails aren't secure), then
it is their duty to supply a public-key method of verifying their identity.
If they haven't done that then I don't think it's unreasonable for you to
require any level of:
- Birth certificate
- Utility bill
- Passport
- Freshly made photo of them holding today's paper with a secret phrase of
your choice written on it.
- An unlocking payment from the same source as the original VPS purchase
Imagine this. Someone walks into my house, grabs my ID document, a
utility bill and scans it (have no passport). These are all on my desk.
The photo is also easy (using macbook pro's camera). They have already
hacked into my e-mail, so sending the payment is not an issue (they have
my mac password, e-mail password, paypal/google pay password, which are
all of course the same[1]. Bingo.
[1] I have seperate passwords for everything. All in 1-Password. Secured
with a 18-character password. Won't happen here, but can at other places
I'm sure.
In short: paranoia. Disabling password reset implies
a level of security
that should be maintained. It's saying "I take full responsibility for the
password to this VPS, and if I lose it, I accept that I may never get access
again".
Put a note on the site. "If you disable password reset you take full
responsibility for not losing your access details. You also confirm that
bitfolk will be unable to help you with access to your vps if you lose
your PGP key and/or SSH key".
The alternative is that social engineering will get an
attacker access; and
that's often considerably easier brute forcing problem than a password.
9 Jul
9 Jul
8:24 a.m.
On 07/07/2012 14:05, Andy Smith wrote:
In the end I asked the person on IRC to send me a photo or scan of a
utility bill bearing their name and address as present in BitFolk's
customer database, and on receipt of that I did reset their
password.
If it had been you in the customer's position would you have
considered that reasonable?
Assuming I have already convinced you by correctly answering questions
about my account that are not so easily discovered as a name and address
(e.g. account name and service type; on which server the VPS is running;
the method, frequency and amount of payments, etc.) then, yes, I would
consider that reasonable. If someone has gone to the effort of mining
enough of my information that they can convincingly pose as me, then I
don't think it would cause them any trouble to fake a more secure form
of ID -- bearing in mind that you won't see it in person.
If you want to increase security, you could borrow a couple of tricks
from the banking world:
1. send a one-time code to a registered mobile by SMS; and/or
2. reset the password and send it via snail mail to the registered address.
In general I'm against this modern trend of requiring government-issued
photo ID every time I want to buy a packet of crisps. In most cases it
is unnecessary and ridiculous.
Out of curiosity, if you call out a locksmith because you've lost your
house keys, how do they satisfy themselves that you are indeed the
owner/occupant of the house?
Chris
--
Chris Smith <cjs94(a)zepler.net>
12 Jul
12 Jul
2:38 p.m.
On 09/07/12 09:24, Chris Smith wrote:
On 07/07/2012 14:05, Andy Smith wrote:
Out of curiosity, if you call out a
locksmith because you've lost your
house keys, how do they satisfy themselves that you are indeed the
owner/occupant of the house?
Family photographs often help, it's also likely you'll have a passport
or other ID within the house that identifies you and matches the ID in
your wallet (assuming you still have that and only lost your keys).
n
2:57 p.m.
Hi,
"The Real Hustle" exposed a trick where you post your wallet through
someone else's letterbox and then use it to prove that it's your house.
Regards,
@ndy
--
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF
Out of
curiosity, if you call out a locksmith because you've lost your
house keys, how do they satisfy themselves that you are indeed the
owner/occupant of the house?
Family photographs often help, it's also likely you'll have a passport
or other ID within the house that identifies you and matches the ID in
your wallet (assuming you still have that and only lost your keys).
6:03 p.m.
On 9 July 2012 09:24, Chris Smith <cjs94(a)zepler.net> wrote:
Out of curiosity, if you call out a locksmith because you've lost your
house keys, how do they satisfy themselves that you are indeed the
owner/occupant of the house?
In my experience they don't.
--
Phil Hunt, <cabalamat(a)gmail.com>
6:41 p.m.
On Thu, Jul 12, 2012, at 07:03 PM, Philip Hunt wrote:
We've called out two locksmiths (once lost keys, once the lock itself
broke), and I don't remember being asked for any proof. Perhaps they
just figure that if we are burglars, the real owners won't know who
let them in!
Nowadays it's not a problem as we have toddlers and a cat flap :)
--
Richard Dignall
richard(a)dignall.co.uk
www.bebackedup.co.uk
Out of
curiosity, if you call out a locksmith because you've lost
your house keys, how do they satisfy themselves that you are indeed
the owner/occupant of the house?
In my experience they don't. 
9:18 p.m.
Hi all,
What about a secondary authentication system, such as OpenID, which users
could link into their accounts? Maybe it could be integrated into RT?
Jamie Stallwood
4578
days inactive
4583
days old
39 comments
19 participants
participants (19)
-
Aaron B. Russell -
Andy Bennett -
Andy Parkins -
Andy Smith -
Chris Smith -
Dmitriy Kazimirov -
Duane -
G. Miliotis -
Gavin Westwood -
Jamie Stallwood -
john lewis -
Kai Hendry -
Mathew Newton -
Nigel Rantor -
Peet Grobler -
Phil Brooke -
Philip Hunt -
Philip Veale -
Richard Dignall