Hi

On Mon, Nov 11, 2024 at 05:00:42PM +0000, Derek Buitenhuis wrote:
> On 11/11/2024 4:42 PM, Michael Niedermayer wrote:
> > Publicly listing which developer provides which part of the DNS infra
> > makes it easier to attack, not harder.
> > That said, I suspect who provides what was mentioned in the past already
>
> It is already publicly available info to anyone who can look up an IP.

Then what is this discussion about? (If all people's names can be found easily)

>
> > If an attacker doesn't know who provides a server then the attacker can only
> > attack the server directly via its name and IP.
> > If an attacker knows who owns the server then he can perform a wide
> > range of additional attacks. For example
> > impersonating that developer towards the server hoster, or if the attacker
> > can figure out the phone number of the developer then SIM swapping becomes
> > possible. From that various other accounts can then be taken over and
> > once an attacker is in control of phone and email of someone further
> > account compromises become increasingly easy.
> >
> > I do not think we would be doing FFmpeg a service or improve security
> > by listing everyone's names in a public file. Even if most of this
> > probably was said publicly already, having it in one single place
> > makes it even easier for an attacker
>
> This only convinces me further that this whole setup isn't fit for purpose,
> and is being run by people who have no concept of actual security. This is
> totally insane.

So "publicly listing every admin's and server owner's (where it's not the company) name"
is the normal and sane thing and not listing them publicly is totally insane?

Do I understand this correctly?

If so, then I am sure that every security related company lists these publicly?
Likewise the FBI, financial institutions, and so forth.
These are organisations where security is very important, but none of them
lists server owners and admins publicly. And I am not even sure what they
would do if you called them and asked, but they probably would ask you for
your name, intent and at least internally report this without answering your
question.

But let's go back to the original question

1. What exact information do you ask for?
2. Why?
3. What do you intend to do with this information?
4. The names of the developers providing the infra have been provided before,
   did you look through past discussion?
5. Do you ask these questions to every project or just FFmpeg?
   (I have been told these questions only happen toward FFmpeg, can you explain why?)

In the last years I tried to simply answer all the questions, but that didn't make
anyone happy. I must be missing something.
I mean we can go through the whole thing again if people want but I really think
most developers would prefer to work on the code and project instead.

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundred thousand in war. Let country fall into chaos,
be surprised about rise of fundamentalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued