:) do you mean these? http://openid.net/
> Not at all. There are plenty of free solutions out there, people only need
> to start using them. And also boycott service providers with lacklustre
> security practices.
>
> Yahoo! has been setting the standard for bad practices in general for many
> years now. Why some people still insist on using them is beyond me.
>
> dkataike <[email protected]> wrote:
>
>>Sent from Samsung Mobile
>>
>>kizito Mudambo <[email protected]> wrote:
>>
>>we need to find a long term solution for these issues... look at
>>man-in-the-middle attack, we are at the mercy of hackers unless if you
>>use a pgp, gpg or military grade encryption...
>>
>>On Dec 10, 2012 8:22 PM, "[email protected]" <[email protected]> wrote:
>>Password authentication, when implemented correctly, is safe enough for
>>low-sec purposes. While brute force is effective *eventually*, if five
>>consecutive authentication failures lead to account lockdown and a red
>>flag somewhere, such an attack will not be feasible. Unfortunately, in
>>the last few years some larger soc sites (I'm looking at you, Twitter)
>>have been inexcusably lax in their security, with no limits on
>>authentication failures whatsoever. If you are in charge of a web site
>>implementing password authentication and it does not have measures
>>against repetitive failures, give yourself a good hard slap across the
>>face and rectify this.
>>
>>That said, I've been a proponent of pre-shared key authentication for
>>several years. All major browsers support this reasonably uniformly,
>>and the reason we're not using it boils down to laziness and some
>>drawbacks which are rapidly getting outmoded. Several years ago people
>>used several different computers as temporary workstations as they only
>>owned a non-portable desktop computer if they owned any computer at
>>all. Nowadays we do our work with laptops, tablets, and smartphones.
>>We seldom use another person's terminal anymore, because we always carry
>>our own terminals in our bags and pockets. Using shared keys has
>>suddenly become more feasible; I hope our providers get with the
>>program soon.
>>
>>kizito Mudambo <[email protected]> wrote:
>>doesn't yahoomail support 2 step authentication... the real truth is
>>passwords are no longer safe enough no matter how strong they are....
>>the only way for now is two step authentication as simple as that
>>
>>On Dec 10, 2012 2:51 PM, "Colline Waiswa" <[email protected]> wrote:
>>
>>I don't know how the breach took place but I highly doubt it was guessed
>>coz I think it had the characteristics of a good password.
>>1: it was quite long (over 10+ characters)
>>2: had alternating capitalization
>>3: had at least 1 special character
>>4: was unrelated to my cat, team, etc
>>
>>Colline
>>
>>------------------------------
>>On Mon, Dec 10, 2012 3:08 AM PST Benjamin Tayehanpour wrote:
>>
>>>Most *targeted* breaches are, yes. If you know a specific user and you want
>>>that user's account, specifically, then password-guessing is common. But
>>>this was quite evidently not a targeted breach, otherwise spam would be the
>>>least of his/her problems. Most non-targeted breaches (as in: "I have this
>>>lovely piece of spam I want to distribute, so I need one thousand hacked
>>>accounts") happen through lousy workstation security, with spyware or MITM
>>>attacks swiping the credentials.
>>>
>>>I'm curious. What was your password, Colline? Since you've changed it it
>>>shouldn't hurt to reveal it, right?
>>>
>>>On 10 December 2012 11:58, Victor van Reijswoud <[email protected]> wrote:
>>>
>>>> Most breaches are because of poor passwords (except this one, of course :) ).
>>>> Interesting overview here:
>>>> http://nakedsecurity.sophos.com/2012/07/13/yahoo-voices-poor-passwords/
>>>>
>>>> On Mon, Dec 10, 2012 at 11:19 AM, Benjamin Tayehanpour <[email protected]> wrote:
>>>>
>>>> Any idea how the breach happened yet? Password-guessing for spam-related
>>>> purposes is quite rare nowadays, with sophisticated brute force protection
>>>> and especially if the password is a good strong one (which I assume, since
>>>> you're a Linux user and thus have common sense). Did you have your password
>>>> written down somewhere accessible? Did you save it with a password manager
>>>> on a public computer? Did you link your account to some other account
>>>> (Facebook/Twitter/&c.) which is compromised?
>>>>
>>>> On 10 December 2012 10:28, Colline Waiswa <[email protected]> wrote:
>>>>
>>>>> Seeing as my sent mail folder is full of that message sent to all my
>>>>> contacts, I am pretty sure the mailbox was gotten into
>>>>>
>>>>> Colline
>>>>>
>>>>> ------------------------------
>>>>> On Mon, Dec 10, 2012 12:42 AM PST Mike Barnard wrote:
>>>>>
>>>>> >On 9 December 2012 17:37, Benjamin Tayehanpour <[email protected]> wrote:
>>>>> >
>>>>> > Without SPF protection, I could send e-mails which look like they
>>>>> > originate from your account, and the receiver will have no means of
>>>>> > verifying the sender address since SPF isn't implemented. That's one of
>>>>> > many reasons why Yahoo! is a bad e-mail service provider. I'm not saying we
>>>>> > should ban all users of Yahoo!; I'm saying Yahoo! as a service provider
>>>>> > should be boycotted due to the numerous flaws in their service.
>>>>> >
>>>>> > That said, I'm glad you managed to change the password so you didn't lose
>>>>> > the account. Such things can be a real pain otherwise! Do you know how the
>>>>> > breach happened?
>>>>> >
>>>>> >The "breach" will most likely happen again...
>>>>> >I doubt that the person actually got into his mailbox. Most spam from
>>>>> >yahoo addresses tends to be from botnets that take advantage of the fact
>>>>> >that one cannot legitimately check whether it's actually yahoo who sent
>>>>> >the email.
>>>>> >
>>>>> >--
>>>>> >Mike
>>>>> >
>>>>> >Of course, you might discount this possibility, but remember that one in a
>>>>> >million chances happen 99% of the time.
>>>>> >------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> The Uganda Linux User Group: http://linux.or.ug
>>>>>
>>>>> Send messages to this mailing list by addressing e-mails to:
>>>>> [email protected]
>>>>> Mailing list archives: http://www.mail-archive.com/[email protected]/
>>>>> Mailing list settings: http://kym.net/mailman/listinfo/lug
>>>>> To unsubscribe: http://kym.net/mailman/options/lug
>>>>>
>>>>> The Uganda LUG mailing list is generously hosted by INFOCOM:
>>>>> http://www.infocom.co.ug/
>>>>>
>>>>> The above comments and data are owned by whoever posted them (including
>>>>> attachments if any). The mailing list host is not responsible for them in
>>>>> any way.
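The lockout rule described in the thread (five consecutive authentication failures lock the account and raise a flag), as an added example that is not part of any poster's message. `LoginGuard`, `replay_guesses`, the account name and the addresses are hypothetical; the guess list is constructed.

```python
from dataclasses import dataclass, field

MAX_CONSECUTIVE_FAILURES = 5  # threshold quoted in the thread


@dataclass
class LoginGuard:
    """Counts consecutive failures per account; locks and alerts at the limit."""
    failures: dict = field(default_factory=dict)  # account -> current streak
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)    # the "red flag somewhere"

    def attempt(self, account, password_ok, source_ip):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if account in self.locked:
            # Even a correct password is refused while locked; otherwise the
            # lock would only slow guessing down instead of ending it.
            return "locked"
        if password_ok:
            self.failures.pop(account, None)      # success resets the streak
            return "ok"
        streak = self.failures.get(account, 0) + 1
        self.failures[account] = streak
        if streak >= MAX_CONSECUTIVE_FAILURES:
            self.locked.add(account)
            self.alerts.append((account, source_ip, streak))
            return "locked"
        return "denied"

    def unlock(self, account):
        """Out-of-band reset, e.g. after the owner has been verified."""
        self.locked.discard(account)
        self.failures.pop(account, None)


def replay_guesses(guard, account, candidates, real_password, source_ip):
    """Feed a guess list to the guard; return how many guesses were checked."""
    checked = 0
    for guess in candidates:
        if account in guard.locked:
            break
        checked += 1
        guard.attempt(account, guess == real_password, source_ip)
    return checked


if __name__ == "__main__":
    guard = LoginGuard()
    wordlist = [f"guess{i}" for i in range(1000)]  # constructed sample input
    print(replay_guesses(guard, "alice", wordlist, "guess500", "203.0.113.7"))
    print(guard.alerts)
```

A per-account lock can be triggered by anyone who knows the account name, so it needs an unlock path for the legitimate owner, and it does not limit one guess spread across many accounts.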
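The SPF point made in the thread (without a published record the receiver has nothing to verify the sending host against), as an added example that is not part of any poster's message. `check_spf` is a hypothetical helper covering only the `ip4`, `ip6` and `all` terms of RFC 7208; the records and addresses are constructed.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(txt_records, client_ip):
    """Evaluate the ip4/ip6/all terms of a domain's SPF record (RFC 7208).

    txt_records: TXT strings of the envelope sender's domain, passed in so the
    example runs offline (a real receiver looks them up in DNS).
    """
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"        # nothing published: the receiver cannot verify
    if len(spf) > 1:
        return "permerror"   # more than one SPF record is invalid
    ip = ipaddress.ip_address(client_ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"      # default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                if net.version != int(name[2]):
                    raise ValueError(arg)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            # include, a, mx, exists, ptr and redirect= need DNS; not handled
            raise NotImplementedError(term)
    return "neutral"         # no term matched


# Constructed records; addresses come from documentation ranges.
NO_SPF = ["some-site-verification=abc123"]
WITH_SPF = ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"]

if __name__ == "__main__":
    for records in (NO_SPF, WITH_SPF):
        for sender in ("192.0.2.55", "203.0.113.9"):
            print(records[0][:24], sender, check_spf(records, sender))
```

SPF authenticates the envelope sender (MAIL FROM) domain, so a `pass` here says nothing about the From: header a reader sees.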
