[FFmpeg-devel] [PATCH] doc/infra: List at what companies the name servers are hosted and who provides the servers

Michael Niedermayer michael at niedermayer.cc
Wed Nov 27 23:20:07 EET 2024


Hi Vittorio

On Wed, Nov 27, 2024 at 03:56:05PM -0500, Vittorio Giovara wrote:
> On Wed, Nov 27, 2024 at 11:56 AM Michael Niedermayer <michael at niedermayer.cc>
> wrote:
> 
> > Hi Kieran
> >
> > On Wed, Nov 27, 2024 at 12:01:03AM +0000, Kieran Kunhya via ffmpeg-devel
> > wrote:
> > > On Tue, 26 Nov 2024, 23:32 Michael Niedermayer, <michael at niedermayer.cc>
> > > wrote:
> > >
> > > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > > ---
> > > >  doc/infra.txt | 6 +++---
> > > >  1 file changed, 3 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/doc/infra.txt b/doc/infra.txt
> > > > index 08dcf04c307..71ad7a7db02 100644
> > > > --- a/doc/infra.txt
> > > > +++ b/doc/infra.txt
> > > > @@ -9,9 +9,9 @@ ffmpeg trademark registered in france by ffmpeg
> > creator.
> > > >  Domain + NS:
> > > >  ~~~~~~~~~~~~
> > > >  ffmpeg.org domain name
> > > > -ns1.avcodec.org Primary Name server (bulgaria)
> > > > -ns2.avcodec.org Replica Name server (hungary)
> > > > -ns3.avcodec.org Replica Name server (italy)
> > > > +ns1.avcodec.org Primary Name server (provided by Telepoint, hosted at
> > > > Telepoint in bulgaria)
> > > > +ns2.avcodec.org Replica Name server (provided by an ffmpeg developer,
> > > > hosted at Hetzer in germany)
> > > > +ns3.avcodec.org Replica Name server (provided by an ffmpeg developer,
> > > > hosted at Prometeus Cdlan in italy)
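Review bot: "Hetzer" in the ns2 line looks like a misspelling of the hosting provider's name (Hetzner); since the point of this change is to record accurately where each server is hosted, that should be fixed before it lands. The three added `+` lines also appear wrapped at mail width here (the closing parenthesis lands on a continuation line without a `+` prefix), so if that wrapping is in the patch itself rather than only in the mail rendering, the hunk will not apply cleanly. The lowercase country names match the lines being replaced, so that is consistent with the rest of doc/infra.txt.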
> > >
> > >
> > > Hi Michael,
> > >
> > > Can you add the owner of avcodec.org, as this obviously matters too, as
> > they
> > > could change the nameserver IPs if they wished?
> >
> > avcodec.org is owned by an ffmpeg developer. I believe many people know
> > who owns it. root should know it, jb definitely did know it.
> >
> > There's no issue with making the name public in principle, it's just
> > better for security not to have a public document that an attacker
> > can go through and know exactly who owns what.
> >
> 
> You are basically describing
> https://en.wikipedia.org/wiki/Security_through_obscurity which is frowned
> upon and a highly criticized practice.

No, this reference is not correct here.
Not listing someone's name is not "obscurity".


> 
> 
> > From a name an attacker can often find a phone number and other things.
> > Once an attacker has a phone number they can do a SIM swap attack.
> > This depends on the carrier/phone company. But it did in the past
> > require only the phone number and had no defence with some.
> >
> > Also, even when SMS is not used as 2FA, ownership of phone and email
> > can sometimes be enough to reset a password & 2FA.
> >
> > This maybe doesn't work for any domain owner/phone company relevant for us.
> > But it's still a non-zero risk, so I would prefer not to have a public list of
> > names for who owns what server.
> >
> 
> Phone and SIM are not the only way to 2FA - you can install an authenticator
> app

Yes, that was assumed in my mail.


> that offers protection against the scenario you describe.

Did you see this part of my mail:


> > Also, even when SMS is not used as 2FA, ownership of phone and email
> > can sometimes be enough to reset a password & 2FA.

I did actually look into this a few months ago,
and the authenticator often isn't helping you. Some providers will
reset your password if you prove possession of the associated
phone and email, and claim you lost the phone with the authenticator.

The alternative for the provider is to not give you your account back
if you lose the phone with the authenticator on it. Some do, yes,
but some will reset your password if you prove possession of some
other 2nd factor like your phone, even if that's not enabled as 2FA.

I am not 100% sure, but I think PayPal is one where this can be done.

Some email providers also have options, with many warnings not to use
them, that allow you to actually disallow recovery with phone + email.
This shows more so that this path is real and "normal" in today's world.

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is dangerous to be right in matters on which the established authorities
are wrong. -- Voltaire