Not at all. There are plenty of free solutions out there, people only need to 
start using them. And also boycott service providers with lacklustre security 
practices.

Yahoo! has been setting the standard for bad practices in general for many 
years now. Why some people still insist on using them is beyond me.

dkataike <[email protected]> wrote:

>
>
>
>Sent from Samsung Mobile
>
>kizito Mudambo <[email protected]> wrote:
>
>We need to find a long term solution for these issues... look at
>man-in-the-middle attack, we are at the mercy of hackers unless you
>use PGP, GPG or military grade encryption...
>
>On Dec 10, 2012 8:22 PM, "[email protected]"
><[email protected]> wrote:
>Password authentication, when implemented correctly, is safe enough for
>low-sec purposes. While brute force is effective *eventually*, if five
>consecutive authentication failures lead to account lockdown and a red
>flag somewhere, such an attack will not be feasible. Unfortunately, in
>the last few years some larger soc sites (I'm looking at you, Twitter)
>have been inexcusably lax in their security, with no limits on
>authentication failures whatsoever. If you are in charge of a web site
>implementing password authentication and it does not have measures
>against repetitive failures, give yourself a good hard slap across the
>face and rectify this.
>
>That said, I've been a proponent of pre-shared key authentication for
>several years. All major browsers support this reasonably uniformly,
>and the reason we're not using it boils down to laziness and some
>drawbacks which are rapidly getting outmoded. Several years ago people
>used several different computers as temporary workstations as they only
>owned a non-portable desktop computer if they owned any computer at
>all. Nowadays we do our work with laptops, tablets, and smartphones. We
>seldom use another person's terminal anymore, because we always carry
>our own terminals in our bags and pockets. Using shared keys has
>suddenly become more feasible; I hope our providers get with the
>program soon.
>
>kizito Mudambo <[email protected]> wrote:
>Doesn't yahoomail support 2 step authentication... the real truth is
>passwords are no longer safe enough no matter how strong they are....
>the only way for now is two step authentication as simple as that
>
>On Dec 10, 2012 2:51 PM, "Colline Waiswa" <[email protected]> wrote:
>
>
>I don't know how the breach took place but I highly doubt it was guessed
>because I think it had the characteristics of a good password.
>1: it was quite long (over 10+ characters)
>2: had alternating capitalization
>3: had at least 1 special character
>4: was unrelated to my cat, team, etc.
>
>Colline
>
>
>------------------------------
>On Mon, Dec 10, 2012 3:08 AM PST Benjamin Tayehanpour wrote:
>
>>Most *targeted* breaches are, yes. If you know a specific user and you want
>>that user's account, specifically, then password-guessing is common. But
>>this was quite evidently not a targeted breach, otherwise spam would be the
>>least of his/her problems. Most non-targeted breaches (as in: "I have this
>>lovely piece of spam I want to distribute, so I need one thousand hacked
>>accounts") happen through lousy workstation security, with spyware or MITM
>>attacks swiping the credentials.
>>
>>I'm curious. What was your password, Colline? Since you've changed it it
>>shouldn't hurt to reveal it, right?
>>
>>On 10 December 2012 11:58, Victor van Reijswoud <
>>[email protected]> wrote:
>>
>>> Most breaches are because of poor passwords (except this one, of course :)
>>> ). Interesting overview here:
>>>
>>> http://nakedsecurity.sophos.com/2012/07/13/yahoo-voices-poor-passwords/
>>>
>>>
>>> On Mon, Dec 10, 2012 at 11:19 AM, Benjamin Tayehanpour <
>>> [email protected]> wrote:
>>>
>>> Any idea how the breach happened yet? Password-guessing for spam-related
>>> purposes is quite rare nowadays, with sophisticated brute force protection
>>> and especially if the password is a good strong one (which I assume, since
>>> you're a Linux user and thus have common sense). Did you have your password
>>> written down somewhere accessible? Did you save it with a password manager
>>> on a public computer? Did you link your account to some other account
>>> (Facebook/Twitter/&c.) which is compromised?
>>>
>>> On 10 December 2012 10:28, Colline Waiswa <[email protected]> wrote:
>>>
>>>>
>>>>
>>>>
>>>> Seeing as my sent mail folder is full of that message sent to all my
>>>> contacts, I am pretty sure the mailbox was gotten into
>>>>
>>>> Colline
>>>>
>>>> ------------------------------
>>>> On Mon, Dec 10, 2012 12:42 AM PST Mike Barnard wrote:
>>>>
>>>> >On 9 December 2012 17:37, Benjamin Tayehanpour
>>>> ><[email protected]>wrote:
>>>> >
>>>> > Without SPF protection, I could send e-mails which look like they
>>>> > originate from your account, and the receiver will have no means of
>>>> > verifying the sender address since SPF isn't implemented. That's one of
>>>> > many reasons why Yahoo! is a bad e-mail service provider. I'm not saying we
>>>> > should ban all users of Yahoo!; I'm saying Yahoo! as a service provider
>>>> > should be boycotted due to the numerous flaws in their service.
>>>> >
>>>> > That said, I'm glad you managed to change the password so you didn't lose
>>>> > the account. Such things can be a real pain otherwise! Do you know how the
>>>> > breach happened?
>>>> >
>>>> >
>>>> >The "breach" will most likely happen again... I doubt that the person
>>>> >actually got into his mailbox. Most spam from yahoo addresses tends to be
>>>> >from botnets that take advantage of the fact that one cannot legitimately
>>>> >check whether it's actually yahoo who sent the email.
>>>> >
>>>> >
>>>> >--
>>>> >Mike
>>>> >
>>>> >Of course, you might discount this possibility, but remember that one in a
>>>> >million chances happen 99% of the time.
>>>> >------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> The Uganda Linux User Group: http://linux.or.ug
>>>>
>>>> Send messages to this mailing list by addressing e-mails to:
>>>> [email protected]
>>>> Mailing list archives: http://www.mail-archive.com/[email protected]/
>>>> Mailing list settings: http://kym.net/mailman/listinfo/lug
>>>> To unsubscribe: http://kym.net/mailman/options/lug
>>>>
>>>> The Uganda LUG mailing list is generously hosted by INFOCOM:
>>>> http://www.infocom.co.ug/
>>>>
>>>> The above comments and data are owned by whoever posted them (including
>>>> attachments if any). The mailing list host is not responsible for them in
>>>> any way.
>>>>
>I highly doubt
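
The lockout rule from the quoted reply on password authentication (five consecutive failures lock the account and raise a red flag), as an added example that is not code from anyone in this thread. The class and function names, the 15-minute lock duration and the sample accounts and addresses are assumptions.

```python
import time

MAX_FAILURES = 5        # threshold named in the thread
LOCK_SECONDS = 15 * 60  # assumption: the thread gives no lock duration

class LoginGuard:
    """Counts consecutive failures per account; locks and alerts at the limit."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time the lock expires
        self.alerts = []         # the "red flag": (account, source_ip)

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:  # lock expired: start counting afresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password_ok, source_ip):
        # password_ok is the outcome of the site's real credential check.
        if self.is_locked(account):
            return "locked"  # even the right password is refused while locked
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCK_SECONDS
            self.alerts.append((account, source_ip))
        return "denied"

def guesses_per_day(max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS):
    # Bound on guesses against one account once the lock is enforced.
    return (86400 // lock_seconds) * max_failures

def demo():
    # Constructed run: five bad guesses, then the owner during and after the lock.
    now = [0.0]
    guard = LoginGuard(clock=lambda: now[0])
    results = [guard.attempt("alice", False, "203.0.113.7") for _ in range(5)]
    results.append(guard.attempt("alice", True, "198.51.100.2"))
    now[0] += LOCK_SECONDS
    results.append(guard.attempt("alice", True, "198.51.100.2"))
    return results, guard.alerts
```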