kizito Mudambo <[email protected]> wrote:

We need to find a long-term solution for these issues... look at the
man-in-the-middle attack; we are at the mercy of hackers unless you use
PGP, GPG or military-grade encryption...

On Dec 10, 2012 8:22 PM, "[email protected]" 
<[email protected]> wrote:
Password authentication, when implemented correctly, is safe enough for low-sec
purposes. While brute force is effective *eventually*, if five consecutive
authentication failures lead to account lockdown and a red flag somewhere,
such an attack will not be feasible. Unfortunately, in the last few years some
larger social sites (I'm looking at you, Twitter) have been inexcusably lax in
their security, with no limits on authentication failures whatsoever. If you
are in charge of a web site implementing password authentication and it does
not have measures against repetitive failures, give yourself a good hard slap
across the face and rectify this.

That said, I've been a proponent of pre-shared key authentication for several
years. All major browsers support this reasonably uniformly, and the reason
we're not using it boils down to laziness and some drawbacks which are rapidly
getting outmoded. Several years ago people used several different computers as
temporary workstations, as they only owned a non-portable desktop computer if
they owned any computer at all. Nowadays we do our work with laptops, tablets,
and smartphones. We seldom use another person's terminal anymore, because we
always carry our own terminals in our bags and pockets. Using shared keys has
suddenly become more feasible; I hope our providers get with the program soon.
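The lockout policy described in the message above (five consecutive failures lock the account and raise a flag somewhere), as an added example that is not code from this thread or from any provider discussed in it. Python; the in-memory user store, the 15-minute lock window, the alert list, the injectable clock and the sample credentials are assumptions made for the example.

```python
"""Password login with a consecutive-failure lockout and a "red flag" alert.

Added example for the mailing-list discussion above; not code from the
thread or from any provider named in it. The in-memory user store, the
15-minute lock window, the alert list and the sample credentials are
assumptions made for this example.
"""
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5      # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60  # assumed lock duration
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ROUNDS)
    return salt, key


class LoginThrottle:
    """Verifies passwords and locks an account after LOCKOUT_THRESHOLD
    consecutive failures, recording an alert each time that happens."""

    def __init__(self, users, clock=time.monotonic):
        self.users = users          # {username: (salt, key)}; constructed store
        self.clock = clock          # injectable so the lock expiry is testable
        self.failures = {}          # username -> consecutive failure count
        self.locked_until = {}      # username -> clock value when the lock ends
        self.alerts = []            # the "red flag somewhere"

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget it and start counting afresh.
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def _password_ok(self, username, password):
        record = self.users.get(username)
        if record is None:
            # Unknown account: spend the same KDF cost so response time
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, key = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, key)

    def login(self, username, password):
        """Return "ok", "denied" or "locked". A locked account is refused even
        when the password is right, so a guess that would have succeeded
        teaches the attacker nothing."""
        if self.is_locked(username):
            return "locked"
        if self._password_ok(username, password):
            self.failures[username] = 0
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
            self.alerts.append({"user": username, "failures": count,
                                "event": "lockout"})
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed demo: a brute-force run against one account.
    users = {"colline": hash_password("correct horse battery staple")}
    throttle = LoginThrottle(users)
    for guess in ["password", "123456", "qwerty", "letmein", "welcome", "admin"]:
        print(guess, "->", throttle.login("colline", guess))
    print("alerts:", throttle.alerts)
```

The counter is per account and resets only on a successful login or after the lock expires, so a slow guesser cannot spread attempts out to stay under the threshold; the alert record is what a monitoring pipeline would consume.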

kizito Mudambo <[email protected]> wrote:
Doesn't Yahoo Mail support two-step authentication? The real truth is passwords
are no longer safe enough no matter how strong they are. The only way for
now is two-step authentication, as simple as that.

On Dec 10, 2012 2:51 PM, "Colline Waiswa" <[email protected]> wrote:


I don't know how the breach took place, but I highly doubt it was guessed because I
think it had the characteristics of a good password.
1: it was quite long (over 10 characters)
2: had alternating capitalisation
3: had at least 1 special character
4: was unrelated to my cat, team, etc.

Colline


------------------------------
On Mon, Dec 10, 2012 3:08 AM PST Benjamin Tayehanpour wrote:

>Most *targeted* breaches are, yes. If you know a specific user and you want
>that user's account, specifically, then password-guessing is common. But
>this was quite evidently not a targeted breach, otherwise spam would be the
>least of his/her problems. Most non-targeted breaches (as in: "I have this
>lovely piece of spam I want to distribute, so I need one thousand hacked
>accounts") happen through lousy workstation security, with spyware or MITM
>attacks swiping the credentials.
>
>I'm curious. What was your password, Colline? Since you've changed it it
>shouldn't hurt to reveal it, right?
>
>On 10 December 2012 11:58, Victor van Reijswoud <
>[email protected]> wrote:
>
>> Most breaches are because of poor passwords (except this one, of course :)
>> ). Interesting overview here:
>> http://nakedsecurity.sophos.com/2012/07/13/yahoo-voices-poor-passwords/
>>
>>
>> On Mon, Dec 10, 2012 at 11:19 AM, Benjamin Tayehanpour <
>> [email protected]> wrote:
>>
>> Any idea how the breach happened yet? Password-guessing for spam-related
>> purposes is quite rare nowadays, with sophisticated brute force protection
>> and especially if the password is a good strong one (which I assume, since
>> you're a Linux user and thus have common sense). Did you have your password
>> written down somewhere accessible? Did you save it with a password manager
>> on a public computer? Did you link your account to some other account
>> (Facebook/Twitter/&c.) which is compromised?
>>
>> On 10 December 2012 10:28, Colline Waiswa <[email protected]> wrote:
>>
>>>
>>>
>>>
>>> Seeing as my sent mail folder is full of that message sent to all my
>>> contacts, I am pretty sure the mailbox was gotten into
>>>
>>> Colline
>>>
>>> ------------------------------
>>> On Mon, Dec 10, 2012 12:42 AM PST Mike Barnard wrote:
>>>
>>> >On 9 December 2012 17:37, Benjamin Tayehanpour
>>> ><[email protected]> wrote:
>>> >
>>> > Without SPF protection, I could send e-mails which look like they
>>> > originate from your account, and the receiver will have no means of
>>> > verifying the sender address since SPF isn't implemented. That's one of
>>> > many reasons why Yahoo! is a bad e-mail service provider. I'm not saying
>>> > we should ban all users of Yahoo!; I'm saying Yahoo! as a service
>>> > provider should be boycotted due to the numerous flaws in their service.
>>> >
>>> > That said, I'm glad you managed to change the password so you didn't
>>> > lose the account. Such things can be a real pain otherwise! Do you know
>>> > how the breach happened?
>>> >
>>> >
>>> >The "breach" will most likely happen again... I doubt that the person
>>> >actually got into his mailbox. Most spam from yahoo addresses tends to be
>>> >from botnets that take advantage of the fact that one cannot legitimately
>>> >check whether it's actually yahoo who sent the email.
>>> >
>>> >
>>> >--
>>> >Mike
>>> >
>>> >Of course, you might discount this possibility, but remember that one
>>> in a
>>> >million chances happen 99% of the time.
>>> >------------------------------------------------------------
>>>
>>> _______________________________________________
>>> The Uganda Linux User Group: http://linux.or.ug
>>>
>>> Send messages to this mailing list by addressing e-mails to:
>>> [email protected]
>>> Mailing list archives: http://www.mail-archive.com/[email protected]/
>>> Mailing list settings: http://kym.net/mailman/listinfo/lug
>>> To unsubscribe: http://kym.net/mailman/options/lug
>>>
>>> The Uganda LUG mailing list is generously hosted by INFOCOM:
>>> http://www.infocom.co.ug/
>>>
>>> The above comments and data are owned by whoever posted them (including
>>> attachments if any). The mailing list host is not responsible for them in
>>> any way.
>>>
>>
>>
>>
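The sender-verification gap discussed in the quoted exchange above (a receiver that finds no SPF record for the sender's domain has nothing to check, so a forged sender address cannot be told from a genuine one), as an added example that is not code from this thread or from any mail provider named in it. Python; a dict stands in for DNS TXT lookups, and every domain, address and record is constructed for the example. It implements only the ip4, ip6, include and all mechanisms of RFC 7208, not the full specification.

```python
"""Minimal SPF (RFC 7208) evaluation over constructed records, offline.

Added example for the SPF discussion above; not code from the thread or
from any mail provider named in it. A dict stands in for DNS TXT lookups and
every domain, address and record below is constructed for the example. Only
the ip4, ip6, include and all mechanisms are implemented.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms per check

# Constructed stand-in for DNS. Addresses come from the documentation ranges.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
    "broken.example.com": "v=spf1 include:nospf.example.org -all",
    "nospf.example.org": None,  # publishes no SPF record at all
}


def lookup_txt(domain, dns=FAKE_DNS):
    """Return the domain's SPF TXT record, or None if it has none."""
    return dns.get(domain)


def check_spf(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the MAIL FROM domain's SPF policy for the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    "none" is the case the thread complains about: with no record there is
    nothing to check, so a forged sender cannot be told from a real one.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_txt(domain, dns)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"

    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            inner = check_spf(client_ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"           # RFC 7208 section 5.2
            matched = inner == "pass"
        else:
            return "permerror"               # a, mx, exists, ptr, macros: not here

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # fell off the end of the record


if __name__ == "__main__":
    # Constructed scenario: a botnet host sends with a forged sender domain.
    for ip, dom in [("203.0.113.45", "example.com"),
                    ("192.0.2.1", "example.com"),
                    ("192.0.2.1", "nospf.example.org")]:
        print(f"{ip:>14} as {dom:<18} -> {check_spf(ip, dom)}")
```

The third case in the demo is the one the thread describes: the same forging host gets "fail" against a domain that publishes a record ending in -all, but "none" against a domain with no record, and a receiver can act on the first result only.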