[feature-proposal] Forgot password improvements

"Aurélio A. Heckert" aurelio at colivre.coop.br
Wed Nov 13 11:53:40 BRST 2013


Oh boy...
Please all, ceasefire.

I have technical concerns too... but having the thing done is better than 
none.

There is some cultural variance and a meaning deviation about the 
expressions in both.

That can make words hurt, but, please, consider the good intention on 
the other side.


On 13-11-2013 10:41, Caio Tiago Oliveira wrote:
> On 11/13/2013 10:13 AM, Ewout ter Haar wrote:
>> My problem and the reason for my disappointment  is what happened
>> next. The affirmation of an opinion disguised as a technical
>> issue. Using terms as "brute force", "privacy destroying", "Nope"
>> (you wouldn't understand, leave the technical matters to us,
>> computer scientists), "No, it won't". Everybody so sure of
>> themselves...
> This list is called noosfero-dev for a reason. No, it is not related
> to any kind of meritocracy. If you don't understand something, it
> doesn't mean it is not relevant.
>
>> And then, when pressed to make explicit their threat model, it
>> turns out that it involves the generation of fake users, with a
>> very small probability of there even existing a vulnerable user!
> The only way to avoid fake users is to take some info which can be
> validated, such as NSN or CPF, and then validate it to match the
> person's name and other info, if available.
>
> To avoid an user changing some internal field, we ought to ask for a
> captcha for every change or implement something to ask for it after a
> few changes in a row.
>
> The rate limit is not very effective in the sense that it won't avoid a
> brute force attack in this case, it will just make it slower. The user
> would have to be blocked.
>
> The CPF is something which requires some brute force technique to be
> effective, but everything a user chooses to make private should stay
> private. We can't judge every field if they are going to be
> environment defined. We can just judge that it is not impossible
> and some admin could make some poor choice.
>
> Sadly, most people would blame the software because it allowed the
> dumb admin to make dumb things.
>
>> This is the kind of debate I object to. I call this technical
>> intimidation. To dismiss this as bikeshedding is condoning the
>> behavior. And it is a pity, because privacy issues are so much
>> worthwhile discussing.
> Using some term which is taught on a first grade education, such as
> "intersection of sets", is that intimidation?
>
> Is using some term like "brute force" or "collision" a technical
> intimidation?
> Man, are we not allowed to use some basic terms in a technical list?
> The information is public out there.
>
> You may be upset due to dozens of usability issues, but adding
> security concerns will make up for that?
>
> Again, if someone doesn't understand something, is that intimidation?
>


-- 

*Aurélio A. Heckert (aka Aurium)*
http://softwarelivre.org/aurium
*COLIVRE --- Coop. de Tecnologias Livres*
http://colivre.coop.br

*Inkscape* --- Draw Freely
http://inkscapeBrasil.org
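The quoted exchange argues that a rate limit only slows down guessing of a private field (such as a CPF) through the forgot-password form, and that the targeted account has to be blocked instead. The following Ruby snippet is an added illustration of that point; it is not Noosfero code and nothing in it reflects how Noosfero's recovery form actually works. The class name `RecoveryGuard`, its constants, the account table and the CPF-like strings are all constructed for the example.

```ruby
# Added example (not Noosfero code): a guard in front of a "forgot password"
# lookup that combines a per-source rate limit with a per-account lockout and
# always answers with the same message, so a guess learns nothing from the reply.
class RecoveryGuard
  RATE_WINDOW   = 60        # seconds per source window (assumed value)
  RATE_MAX      = 5         # requests allowed per source per window (assumed)
  LOCK_AFTER    = 3         # wrong guesses before the account's recovery is locked
  LOCK_SECONDS  = 15 * 60   # how long the account stays locked (assumed)
  GENERIC_REPLY = "If the data matches an account, a recovery e-mail has been sent."

  # accounts: login => private field value (constructed sample data in the test)
  def initialize(accounts)
    @accounts     = accounts
    @hits         = Hash.new { |h, k| h[k] = [] }  # source => request timestamps
    @fails        = Hash.new(0)                    # account => consecutive wrong guesses
    @locked_until = {}                             # account => time lock expires
  end

  # Returns [decision, message]. Only the decision is meant for logging and
  # alerting; the message shown to the requester is identical in every case.
  def attempt(source, account, guess, now)
    stamps = @hits[source]
    stamps.reject! { |t| now - t >= RATE_WINDOW }   # slide the window
    return [:rate_limited, GENERIC_REPLY] if stamps.size >= RATE_MAX
    stamps << now

    # A locked account does not even compare the guess, so a correct value
    # submitted during the lock gives the same answer as a wrong one.
    return [:locked, GENERIC_REPLY] if locked?(account, now)

    if @accounts[account] == guess
      @fails.delete(account)
      [:accepted, GENERIC_REPLY]   # the real mail would be sent here
    else
      @fails[account] += 1
      if @fails[account] >= LOCK_AFTER
        @locked_until[account] = now + LOCK_SECONDS  # block the target, as the thread suggests
        @fails.delete(account)
      end
      [:rejected, GENERIC_REPLY]
    end
  end

  def locked?(account, now)
    t = @locked_until[account]
    !t.nil? && now < t
  end

  # Upper bound on guesses one source can make against one account in an hour:
  # with the rate limit alone the bound is large (slower, not prevented); the
  # lockout reduces it to a handful per lock period.
  def self.guesses_per_hour(lockout: true)
    rate_bound = RATE_MAX * (3600 / RATE_WINDOW)
    return rate_bound unless lockout
    [rate_bound, LOCK_AFTER * (3600 / LOCK_SECONDS)].min
  end
end
```

With the constants above, the rate limit alone still allows 300 guesses per hour from one source, while the lockout caps it at 12 per account per hour and, more importantly, produces a `:locked` event that can be surfaced to the account owner or an admin. The reply text never varies, which is what keeps the form from confirming whether a login or a private value exists.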

