On 11/28/24 00:50, Vittorio Giovara wrote: > On Wed, Nov 27, 2024 at 4:20 PM Michael Niedermayer <mich...@niedermayer.cc> > wrote: > >> Hi Vittorio >> >> On Wed, Nov 27, 2024 at 03:56:05PM -0500, Vittorio Giovara wrote: >>> On Wed, Nov 27, 2024 at 11:56 AM Michael Niedermayer < >> mich...@niedermayer.cc> >>> wrote: >>> >>>> Hi Kieran >>>> >>>> On Wed, Nov 27, 2024 at 12:01:03AM +0000, Kieran Kunhya via >> ffmpeg-devel >>>> wrote: >>>>> On Tue, 26 Nov 2024, 23:32 Michael Niedermayer, < >> mich...@niedermayer.cc> >>>>> wrote: >>>>> >>>>>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> >>>>>> --- >>>>>> doc/infra.txt | 6 +++--- >>>>>> 1 file changed, 3 insertions(+), 3 deletions(-) >>>>>> >>>>>> diff --git a/doc/infra.txt b/doc/infra.txt >>>>>> index 08dcf04c307..71ad7a7db02 100644 >>>>>> --- a/doc/infra.txt >>>>>> +++ b/doc/infra.txt 
>>>>>> @@ -9,9 +9,9 @@ ffmpeg trademark registered in france by ffmpeg >>>> creator. >>>>>> Domain + NS: >>>>>> ~~~~~~~~~~~~ >>>>>> ffmpeg.org domain name >>>>>> -ns1.avcodec.org Primary Name server (bulgaria) >>>>>> -ns2.avcodec.org Replica Name server (hungary) >>>>>> -ns3.avcodec.org Replica Name server (italy) >>>>>> +ns1.avcodec.org Primary Name server (provided by Telepoint, >> hosted at >>>>>> Telepoint in bulgaria) >>>>>> +ns2.avcodec.org Replica Name server (provided by an ffmpeg >> developer, >>>>>> hosted at Hetzer in germany) >>>>>> +ns3.avcodec.org Replica Name server (provided by an ffmpeg >> developer, >>>>>> hosted at Prometeus Cdlan in italy) >>>>> >>>>> >>>>> Hi Michael, >>>>> >>>>> Can you add the owner of avcodec.org as this obviously matters too >> as >>>> they >>>>> could change the nameserver IPs if they wished. >>>> >>>> avcodec.org is owned by an ffmpeg developer. I belive many people know >>>> who owns it. root should know it, jb definitly did know it. >>>> >>>> Theres no issue with making the name public in principle, its just >>>> better for security, not to have a public document that an attacker >>>> can go through and know exactly who owns what. >>>> >>> >>> You are basically describing >>> https://en.wikipedia.org/wiki/Security_through_obscurity which is >> frowned >>> upon and a highly criticized practice. >> >> no, this reference is not correct here. >> not listing someone name is not "Obscurity" >> >> >>> >>> >>>> From a name an attacker can often find a phone number and other things >>>> Once an attacker has a phone number they can do a sim swap attack. >>>> This depends on the carrier/phone company. But it did in the past >>>> require only the phone number and had no defence with some. >>>> >>>> Also even when SMS is not used as 2FA, ownership of phone and email >>>> can sometimes be enough to reset a password & 2FA >>>> >>>> This maybe doesnt work for any domain owner/phone company relevant for >> us. 
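Review bot: the three replaced ns1/ns2/ns3 lines now record who provides and hosts each name server, but nothing in this hunk records who controls the avcodec.org registration itself, which is the one place from which all three NS records can be repointed at once; consider adding a line under "Domain + NS:" next to "ffmpeg.org domain name", e.g. "avcodec.org domain name (registered to <owner or role placeholder>)", or at least a pointer to where that is recorded. Two smaller points in the same hunk: "hosted at Hetzer in germany" on the ns2 line looks like a misspelling of the hosting provider's name (Hetzner), and the country names (bulgaria, germany, italy) are lowercase while the provider names are capitalized.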
>>>> But it's still a non-zero risk, so I would prefer not to have a public list of
>>>> names for who owns what server.
>>>>
>>>
>>> Phone and SIM is not the only way to 2FA - you can install an authenticator
>>> app
>>
>> yes, that was assumed in my mail
>>
>>
>>> that offers protection against the scenario you describe.
>>
>> did you see this part of my mail:
>>
>>
>>>> Also even when SMS is not used as 2FA, ownership of phone and email
>>>> can sometimes be enough to reset a password & 2FA
>>
>> I did actually look into this a few months ago
>> and the authenticator often isn't helping you. Some providers will
>> reset your password if you prove possession of the associated
>> phone and email. And claim you lost the phone with the authenticator
>>
>> The alternative for the provider is to not give you your account back
>> if you lose the phone with the authenticator on it. Some do, yes
>> but some will reset your password if you prove possession of some
>> other 2nd factor like your phone even if that's not enabled as 2FA.
>>
>> I am not 100% sure but I think PayPal is one where this can be done
>>
>> Some email providers also have options with many warnings not to use
>> them that allow you to actually disallow recovery with phone + email
>> this shows more so that this path is real and "normal" in today's world
>>
>
> I just don't know how you think going off a tangent over potential threat
> vectors is more relevant than the fact that a CTO of a random media company
> [0] I never heard of has access to ffmpeg servers. And it took three weeks
> of drama on the mailing list to obtain this information. And you think this
> is not obscurity.
>
> I've already said it, and I'll say it again, I feel like I'm taking crazy
> pills here. [1]
Hi Vittorio,

Let me clarify a few facts. I help out with administrating the infrastructure. My appearance should not come as a surprise since I've been mentioned in a few threads already. I decided to clarify a few questions people apparently have about the physical access and Telepoint.

- me having access has never been "hidden", there have been emails on this list years ago when I offered my services to help migrate and administrate FFmpeg infrastructure, you can also find my name in the admins section in the MAINTAINERS file

- I sent the offer on behalf of Telepoint when new infrastructure was being discussed years ago, this is also documented in the mailing list archives and should not come as a surprise to anyone, note that I'm in no way affiliated with them, but my company is their customer (we rent racks, Internet services, peerings etc)

- I am an active contributor to multiple open source projects, mostly related to the Linux kernel and its networking subsystem where I'm a maintainer of a few subsystems, you can find me in the Linux kernel's MAINTAINERS file as well, I'm saying this to highlight that I'm not just some random person, maybe in the context of ffmpeg-devel people don't know me but I've been helping out to keep the infrastructure running smoothly for the past few years and I have 0 skin in this so to speak, when I have time - I help.

I won't even comment on the random company excerpt, that is well beyond the scope of anything discussed here and has no bearing on the answers to the questions.

I'd like to make this very clear - if people have issues with me having access I'd gladly remove myself and leave the work to the other root administrators.

Also I'm available on IRC (nickname Raz-) or via email if you have any questions or just want to chat.
:)

Cheers,
Nik

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel