Re: [OSM-talk] Fwd: Why doesn't OSM ?
2009/12/28 Aun Johnsen:
> John Smith, you can put your money where your mouth is and write a patch,
> since you brought this up?

I can't do anything until I know what will be protected by SSL, because TomH said they don't even know yet. Until something certain is stated by someone with the ability to do something on the servers there is no point doing anything with client software.

___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] Fwd: Why doesn't OSM ?
On Sun, Dec 27, 2009 at 4:59 PM, Frederik Ramm wrote:

> Hi,
>
> Aun Johnsen wrote:
>
>> John Smith wrote:
>> > Let's assume for a second that they are smart enough to filter their
>> > points so they aren't near their home location, we can also assume
>> > they may not have vectorised the data, however there is a lot of
>> > non-home/non-work information still not being protected by a simple
>> > SSL connection OSM could be providing.
>>
>> Let me repeat: If your tracks contain information that needs protection,
>> then *please* don't upload them to OSM. So your answer to this, if you
>> are concerned about your security, don't contribute?
>>
>
> Well, "concerned" is perhaps the wrong word here.
>
> If you have GPS tracks which contain information that is so sensitive that
> you fear someone could be spying on your connection, retrieve the
> information and use it to cause damage to you, then OpenStreetMap is clearly
> not equipped to handle information of such importance.
>
> SSL encryption might keep your employer or your internet provider or the UK
> government from spying on you, but the data will eventually land on the OSM
> servers where any number of project members deemed trustworthy in a
> non-ISO-certified process will have access to it, and will even be handed
> out through an API which may be buggy, and where anyone can commit changes
> into a publicly writable SVN. (Not everything committed to SVN will land in
> production but it is absolutely not impossible that something will escape
> the attention of an admin.)
>
> My concern is that if we allow people to claim that their data is so
> sensitive that it needs SSL to upload, then the next thing they will demand
> is that there be a complex vetting procedure for admins - "why am I going
> through the hassle of uploading my data in an encrypted fashion when you
> don't even make your admins sign a legally binding statement about what they
> can and cannot do with the data", for example. The logical next step for
> John Smith would be to inquire about the security precautions at the site
> where our computers are. What locks are there, how many people have the
> keys, and surely we have CCTV? And so on.
>
> Security is not something where you can twist a few screws somewhere and
> hope that it will magically improve. It needs a thorough analysis - as I
> said: What do we want to protect, and whom against, and then let's see where
> the weakest points are.
>
> And then determine the price for the level of security you want, and think
> about whether you are willing to pay that price. Because security *never*
> comes for free - it will cost you more computing power, it will cost the
> admins more nerves, create paperwork, formalities, slow down innovation, and
> so on.
>
>> Isn't that the same as continuing the economic gap between industrial and
>> developing countries?
>>
>
> No, my argument has nothing whatsoever to do with the global economy; it
> would be just as valid if OSM were a UK only (or London only, for that
> matter) project.
>
> Bye
> Frederik
>
> --
> Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33"
>

I very well understood you there, and mark that some of my points have been put to the extreme. Some of the so-called security concerns about OSM are covered by license disclaimers, some are covered by the fact that the source code is available so any security mechanisms can be examined by anybody to patch holes, and some are covered by OSMF's administration of the hardware. A vetting of the admins is senseless as what can be done with the data is covered by OSM's choice of License and the Disclaimer of the project.

My point in all of this is not that we must implement security measures now, but that it must be put on the TODO list with an appropriate priority. If anybody is able to supply a patch for let's say SSL login to the API, then please let him supply the patch, and the admins then should take a look at it to see if it can be implemented right away or if it needs more patching to be obtained. As the source code of OSM should be available on the svn, then people with the appropriate programming and security knowledge should be able to supply the right patch.

John Smith, you can put your money where your mouth is and write a patch, since you brought this up?
Re: [OSM-talk] Fwd: Why doesn't OSM ?
On Sun, Dec 27, 2009 at 2:36 PM, Matt Amos wrote:

> On Sun, Dec 27, 2009 at 11:43 AM, Aun Johnsen wrote:
> > On Sun, Dec 27, 2009 at 9:26 AM, Liz wrote:
> >>
> >> On Sat, 26 Dec 2009, Frederik Ramm wrote:
> >> > 1. What do we want to protect?
> >
> > The data is fully open, but some people want to reduce their fingerprint on
> > the data to protect themselves, for example they submit their GPX tracks
> > privately so it will not be possible to derive from them where he lives or
> > works. This doesn't mean he is holding back data, he only chooses to give it
> > without his fingerprints.
>
> this isn't quite the case. even if tracks are submitted privately it
> may be possible to find common locations such as home and work from
> the anonymous points. then it also might be possible to find
> corresponding local editing to get the user. for example, some of the
> calculated home locations from http://stat.latlon.org/ are quite
> accurate - mine is only about 200m from cloudmade's offices, where i
> used to work.
>
> if you are really very concerned with your privacy: don't upload
> tracks which include your home or office locations at all.
>
> cheers,
>
> matt
>

200m is quite a distance if they have no other links between you and OSM, if that position is the only thing they have to connect you to OSM, then how many other potential contributors live within 200m of that position? If that is in some of the larger cities we can talk thousands of people.
Re: [OSM-talk] Fwd: Why doesn't OSM ?
Hi,

John Smith wrote:
> Let's assume for a second that they are smart enough to filter their
> points so they aren't near their home location, we can also assume
> they may not have vectorised the data, however there is a lot of
> non-home/non-work information still not being protected by a simple
> SSL connection OSM could be providing.

Let me repeat: If your tracks contain information that needs protection, then *please* don't upload them to OSM.

Bye
Frederik

--
Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33"
Re: [OSM-talk] Fwd: Why doesn't OSM ?
2009/12/28 John Smith:
> 2009/12/28 Matt Amos:
>> if you are really very concerned with your privacy: don't upload
>> tracks which include your home or office locations at all.
>
> Let's assume for a second that they are smart enough to filter their
> points so they aren't near their home location, we can also assume
> they may not have vectorised the data, however there is a lot of
> non-home/non-work information still not being protected by a simple
> SSL connection OSM could be providing.
>

Actually myself and someone else emailed TomH a while back about OSM providing this kind of anonymising service for people that are unable, we were offering to try and help, even though neither of us knew ruby, but due to a lack of interest the thread died at the time.
Re: [OSM-talk] Fwd: Why doesn't OSM ?
2009/12/28 Matt Amos:
> if you are really very concerned with your privacy: don't upload
> tracks which include your home or office locations at all.

Let's assume for a second that they are smart enough to filter their points so they aren't near their home location, we can also assume they may not have vectorised the data, however there is a lot of non-home/non-work information still not being protected by a simple SSL connection OSM could be providing.
Re: [OSM-talk] Fwd: Why doesn't OSM ?
On Sun, Dec 27, 2009 at 11:43 AM, Aun Johnsen wrote:
> On Sun, Dec 27, 2009 at 9:26 AM, Liz wrote:
>>
>> On Sat, 26 Dec 2009, Frederik Ramm wrote:
>> > 1. What do we want to protect?
>
> The data is fully open, but some people want to reduce their fingerprint on
> the data to protect themselves, for example they submit their GPX tracks
> privately so it will not be possible to derive from them where he lives or
> works. This doesn't mean he is holding back data, he only chooses to give it
> without his fingerprints.

this isn't quite the case. even if tracks are submitted privately it may be possible to find common locations such as home and work from the anonymous points. then it also might be possible to find corresponding local editing to get the user. for example, some of the calculated home locations from http://stat.latlon.org/ are quite accurate - mine is only about 200m from cloudmade's offices, where i used to work.

if you are really very concerned with your privacy: don't upload tracks which include your home or office locations at all.

cheers,

matt
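
An added sketch, not part of the thread or of any OSM tool, of the pre-upload filtering this message and John Smith's reply refer to: trackpoints inside a protected zone are dropped and the track is split at the gap so the remaining points are not joined across the zone. The zone coordinates, radius and sample track are constructed.

```python
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def strip_zones(track, zones):
    """Split a track into segments, dropping points inside any zone.

    track: list of (lat, lon); zones: list of (lat, lon, radius_m).
    Separate segments keep the two sides of a removed stretch from being
    joined by a straight line that would cross the protected area.
    """
    segments, current = [], []
    for lat, lon in track:
        inside = any(haversine_m(lat, lon, zlat, zlon) <= r for zlat, zlon, r in zones)
        if inside:
            if current:
                segments.append(current)
                current = []
        else:
            current.append((lat, lon))
    if current:
        segments.append(current)
    return segments


# Constructed sample data: a walk due north that passes a protected point.
HOME = (51.5000, -0.1000, 300.0)  # hypothetical zone: lat, lon, radius in metres
TRACK = [(51.4950 + i * 0.0010, -0.1000) for i in range(11)]  # about 111 m per step

if __name__ == "__main__":
    for n, seg in enumerate(strip_zones(TRACK, [HOME]), 1):
        print(f"segment {n}: {len(seg)} points, {seg[0]} .. {seg[-1]}")
```

Centre the zone away from the exact address, since the ends of the remaining segments outline the zone.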
Re: [OSM-talk] Fwd: Why doesn't OSM ?
2009/12/27 Aun Johnsen:
> Taiwan, Sri Lanka, Morocco, Israel, Palestine, Russia, all of these are

Then there is China and Iran and various other countries that love to jail their dissidents... As I said before, until any of this has a direct negative effect on people personally they don't see what the big fuss about security and privacy is all about.

> implementing SSL for login would to some extent prevent them from harvesting
> mail addresses, which can reduce the amount of SPAM in some of our users'
> mailboxes, just to mention one real threat.

Some may claim you can use a nickname to log into the site instead of an email address, but during initial signup and on various pages the email address is exposed, and thanks for bringing up this threat, I hadn't considered this but spam is one of the basic attacks OSM already suffers.

Also OSM leaks email addresses, you can type an email address only into the signup page and it will tell you if that email address is valid in OSM, but I don't see any brute force protection to prevent this, a simple CAPTCHA would at least slow things down before telling others that the email address is valid or not.
[OSM-talk] Fwd: Why doesn't OSM ?
On Sun, Dec 27, 2009 at 9:26 AM, Liz wrote:

> On Sat, 26 Dec 2009, Frederik Ramm wrote:
> > 1. What do we want to protect?
>

The data is fully open, but some people want to reduce their fingerprint on the data to protect themselves, for example they submit their GPX tracks privately so it will not be possible to derive from them where he lives or works. This doesn't mean he is holding back data, he only chooses to give it without his fingerprints.

> > 2. Whom do we need to protect us against?
>

The whom depends also on from where, I will give you something on point 4 as this has to do more with that.

> > 3. What resources (and what other means to get to 1.) does that guy have?
> >
>

There are several forms of protection, several of them can be applied to OSM, and some of them don't need many resources to implement.

> > Sometimes, for a balanced reaction, you might also want to add:
> >
> > 4. How realistic is the threat *currently*, and if the threat is not
> > currently realistic, then how much damage would be done if one just
> > waits until the threat becomes real?
> >

As part of my job I have to follow up on the ISPS regulation, it is an international regulation regarding ship and port security. It clearly identifies that the level of threat is different around the world, you cannot sit safely in Germany or England saying that there are no threats so we do not need security measures, when people participating in this project are from countries where the reality is completely different than western Europe. I myself am mostly connected from Brazil, though at work I have (at the moment) satellite link via Norway, there are people contributing from Taiwan, Sri Lanka, Morocco, Israel, Palestine, Russia, all of these are countries with a completely different threat reality. Morocco and Taiwan are places where snooping for mail addresses and passwords has been very high, and implementing SSL for login would to some extent prevent them from harvesting mail addresses, which can reduce the amount of SPAM in some of our users' mailboxes, just to mention one real threat.

What is the reason for NOT implementing simple security measures on OSM? Is it lack of security awareness, lack of resources, ignorance? In that case something should be done. If the reason on the other hand is prioritization, then maybe somebody should look at the TODO list to see if the priority is high enough, and maybe change the priority to something appropriate.
[OSM-talk] Fwd: Why doesn't OSM implement a simple measure to protect it's users and passwords?
-- Forwarded message --
From: John Smith
Date: 2009/12/23
Subject: Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?
To: Frederik Ramm

2009/12/23 Frederik Ramm:
> Why should we?

I gave several good reasons, but you chose to rebuff my question with a silly question.

> Firstly, I don't see what harm the UK government can do with your password.

It's not just passwords, that's just the most obvious case, why would I even consider uploading private traces in future if the UK govt goes ahead and you fail to protect my privacy properly, OSM is worse off because people will upload less data that can be useful for vectorising.

> And all the data you're uploading will be theirs for the taking anyway.

At least if they request it from OSM they'd be required to get a warrant and potentially face legal challenges, when they pull data over the wire en masse what legal recourse is there?

> As I said above, the "everything else" is unencrypted anyway. And the
> password - if you use a password for OSM that you use anywhere else, too,
> then you have a security problem that SSL is not going to solve.

And as I said above, the password is just the most obvious example of lax security.

> It is difficult because with the current authentication scheme (HTTP Basic
> Auth), the authentication token (from which username and password can be
> derived) is transmitted with every request. This means we cannot simply
> "make the login encrypted" - we would have to make ALL uploading
> communications encrypted, and that would have the potential to use quite a
> lot of processing power. Which we'd rather use for other things, i.e. faster
> response times ;-)

Then ask for donations for hardware or to buy hardware that can handle the requests, SSL really isn't a resource issue like it used to be, hardware has continued to improve greatly and demands from encryption are now a minor concern.
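
An added illustration of the HTTP Basic Auth point quoted in the message above (not code from the thread or from the OSM code base): the Authorization value is only base64-encoded and accompanies every request, so an audit of a request trace has to flag each cleartext request that carries it, not just the login. The host name, paths and credentials are constructed sample data.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample trace of (method, URL, headers); not real OSM traffic.
SAMPLE_TOKEN = base64.b64encode(b"mapper@example.org:correct horse").decode()
AUTH = {"Authorization": "Basic " + SAMPLE_TOKEN}
SAMPLE_TRACE = [
    ("POST", "https://api.example.org/login", AUTH),          # login over TLS
    ("PUT", "http://api.example.org/upload/changeset", AUTH),  # upload, cleartext
    ("POST", "http://api.example.org/upload/trace", AUTH),     # upload, cleartext
    ("GET", "http://api.example.org/map?bbox=0,0,1,1", {}),    # anonymous read
]


def parse_basic(header_value):
    """Return (username, password) from a Basic Authorization value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user-id cannot contain ':', so the first colon is the separator.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def exposed_requests(trace):
    """List (method, url, username) for requests sending Basic credentials without TLS."""
    findings = []
    for method, url, headers in trace:
        # Header names are case-insensitive.
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        creds = parse_basic(auth) if auth else None
        if creds and urlsplit(url).scheme != "https":
            findings.append((method, url, creds[0]))
    return findings


if __name__ == "__main__":
    for method, url, user in exposed_requests(SAMPLE_TRACE):
        print(f"cleartext credentials for {user!r}: {method} {url}")
```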