On Wed, Nov 27, 2024 at 11:56 AM Michael Niedermayer <mich...@niedermayer.cc> wrote:
> Hi Kieran
>
> On Wed, Nov 27, 2024 at 12:01:03AM +0000, Kieran Kunhya via ffmpeg-devel wrote:
> > On Tue, 26 Nov 2024, 23:32 Michael Niedermayer, <mich...@niedermayer.cc> wrote:
> >
> > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > > --- > > > doc/infra.txt | 6 +++--- > > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > > > diff --git a/doc/infra.txt b/doc/infra.txt > > > index 08dcf04c307..71ad7a7db02 100644 > > > --- a/doc/infra.txt > > > +++ b/doc/infra.txt
> > > @@ -9,9 +9,9 @@ ffmpeg trademark registered in france by ffmpeg > creator. > > > Domain + NS: > > > ~~~~~~~~~~~~ > > > ffmpeg.org domain name > > > -ns1.avcodec.org Primary Name server (bulgaria) > > > -ns2.avcodec.org Replica Name server (hungary) > > > -ns3.avcodec.org Replica Name server (italy) > > > +ns1.avcodec.org Primary Name server (provided by Telepoint, hosted at > > > Telepoint in bulgaria) > > > +ns2.avcodec.org Replica Name server (provided by an ffmpeg developer, > > > hosted at Hetzer in germany) > > > +ns3.avcodec.org Replica Name server (provided by an ffmpeg developer, > > > hosted at Prometeus Cdlan in italy) > > >
> > Hi Michael,
> >
> > Can you add the owner of avcodec.org as this obviously matters too as they
> > could change the nameserver IPs if they wished.
>
> avcodec.org is owned by an ffmpeg developer. I believe many people know
> who owns it. root should know it, jb definitely did know it.
>
> There's no issue with making the name public in principle, it's just
> better for security, not to have a public document that an attacker
> can go through and know exactly who owns what.
>

You are basically describing https://en.wikipedia.org/wiki/Security_through_obscurity which is frowned upon and a highly criticized practice.

> From a name an attacker can often find a phone number and other things
> Once an attacker has a phone number they can do a sim swap attack.
> This depends on the carrier/phone company. But it did in the past
> require only the phone number and had no defence with some.
>
> Also even when SMS is not used as 2FA, ownership of phone and email
> can sometimes be enough to reset a password & 2FA
>
> This maybe doesn't work for any domain owner/phone company relevant for us.
> But it's still a non 0 risk, so I would prefer not to have a public list of
> names for who owns what server.
>

Phone and SIM is not the only way to 2FA - you can install an authenticator app that offers protection against the scenario you describe.

--
Vittorio
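
Review bot: on the added ns2.avcodec.org line, "Hetzer" looks like a misspelling of the hosting provider Hetzner, and since doc/infra.txt is the reference for who hosts what, the provider name should be exact. The same line also changes the recorded location from hungary to germany, which is a factual correction rather than added detail, so the commit message should say that the old entry was wrong or that the server moved. For ns2 and ns3 the text "provided by an ffmpeg developer" does not say whether it is the same developer for both replicas; if it is, a short "(same developer as ns2)" style remark would let readers judge how independent the replicas are without naming anyone.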