On 2024-01-15 19:03, Steve Petrie via talk wrote:
My 2 cents *...*
Subject: Re: [GTALUG] "AI" on getting correct technical answers
Date: 2024-01-15 11:47
From: o1bigtenor via talk <talk@gtalug.org>
To: GTALUG Talk <talk@gtalug.org>
On Mon, Jan 15, 2024 at 8:56 AM Alvin Starr via talk <talk@gtalug.org>
wrote:
[snip]
You don't need a cell phone number but need to have a number that will
accept SMS.
VOIP services offer numbers with SMS features.
[Steve Petrie]
My personal policy is dead simple. Any seller / provider REQUIRING me
to receive SMS doesn't get my business. If they WON'T send me a code
via email, I WON'T use their service. So far so good.
One SMS flaw I encountered, was when someone sent me an SMS message
(which I never saw because I have no SMS service subscription), and
the sender claimed they got no bounce message. If this SMS "black
hole" phenomenon exists, that's a REALLY BAD THING.
SMS does have delivery notifications built into the protocol.
If you send a message from your phone you can tell that it was delivered.
But there are no "bounce backs" with notification of non-delivery.
It's not the greatest protocol but it does work.
Think of it like UDP.
Lots of stuff works well with UDP even though there are no delivery
guarantees.
* * *
[o1bigtenor]
[snip] I am considering using voip if not for everything as voip dies
when the power does and that's a serious flaw!
[Steve Petrie]
My "land line" phone service via a (wall-mounted) Bell Canada-provided
Sagemcom HomeHub 4000 modem in my apartment, ALSO DIES WHEN THE POWER
FAILS in my apartment. Bell's recommendation is for the Sagemcom
4000-equipped subscriber to purchase their own UPS to assure Sagemcom
4000 operational continuity. Power outages being so very rare in
Toronto, I consider it a waste of $ to buy a UPS.
Supposedly (per Bell Canada), from the fibre-side of the Sagemcom 4000
modem in my apartment, all the way to battery-backed Bell upstream
electrical-powered facilities, 100% passive fibre facilities in Bell's
pole-mounted fibre equipment, require NO ELECTRICAL POWER to operate.
Ahhhh. I wondered about that.
You will have passive fibre to the remote at which point you're on battery
backup only if you are in a rural area.
[snip]
[o1bigtenor]
Hm - - - - it was some time in the first 1/2 of 2012 when a VP at
Microsoft issued the announcement that for those that were logging in
off campus that it would be thenceforth required to use 2FA (as either
SMS or email).
[snip]
What none of these boffins seems to be aware of is that the same
individual in early 2019 sent a similar email to the same recipients
that " . . . due to the inherent insecurity of [snip] open email systems
[Steve Petrie]
What's "insecure" about email over SMTP ?? Has always seemed rock
solid to me. If your OUTBOUND message doesn't get delivered to the
recipient, you receive a bounce notification.
The bounce may be several days later.
SMTP is generally sent in clear-text so there is an argument that a
person in the middle can read your email.
More people are using TLS encryption but there is no way to enforce that
as your mail passes through the various mail servers to get to you.
My understanding is that SMTP has a tiny hole where outbound message
non-delivery does not issue a bounce report email to the sender. Never
encountered this tiny glitch myself.
As for spoofed INBOUND messages, they are always obvious by their
general nature. Hackers don't know my personal context, so they can
only send me absurdly generic email content.
You would be surprised how much of your context can leak out.
I have often gotten email messages about delivery problems with parcels
when I order things to be delivered.
Somehow the fact that I am getting a delivery has leaked out somewhere.
IMHO -- entering a password into a web page + entering a confirmation
code sent to my email address, IS 2FA.
Yes, it is a very popular 2FA so it's not just your opinion.
It's likely about as secure as an SMS message.
Is it EVEN POSSIBLE for a clever hacker to spoof my email inbox and
steal my inbound email messages ??
In theory yes.
If they can gain control of your DNS entries they could redirect your MX
but that is low risk.
If they get your login they could insert an email filter that forwards
all your messages to somewhere else.
If they have access to your mail server then your messages may be
readable using 'cat' or they could modify the mail transport to redirect
mails.
I suppose this would require the hacker to: (1) steal my password
protecting my email access login at my email hosting provider, or (2)
Steal my password protecting my personally-maintained DNS records at
my DNS provider, or (3) hack my email hosting provider's
infrastructure, or (4) hack my DNS provider's infrastructure.
We have the same list of hacks.
But here is one more.
If you access your email via a browser it is possible for a hacker to
get your session keys and craft up a session and then log in to your
email without having to actually log in.
Which is a good reason to not use SSO services.
--
Alvin Starr || land: (647)478-6285
Netvel Inc. || Cell: (416)806-0133
al...@netvel.net ||
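
Added example, not part of the original message: the point above that TLS cannot be enforced hop by hop can be checked after the fact on a received message, because each server records in its Received header how it accepted the mail. The sketch assumes servers use the RFC 3848 / RFC 6531 "with" keywords; the sample message, hostnames and IDs are constructed.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop was TLS-protected (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: hostnames, addresses and IDs are placeholders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mail.example.org (Postfix) with ESMTPS id 4TDxyz
\tfor <user@example.org>; Mon, 15 Jan 2024 19:03:10 -0500 (EST)
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP id abc123;
\tMon, 15 Jan 2024 19:03:05 -0500
Received: from laptop.example.com ([203.0.113.5])
\tby relay.example.com with ESMTPSA id q9;
\tMon, 15 Jan 2024 19:03:01 -0500
From: sender@example.com
To: user@example.org
Subject: constructed sample

body
"""

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments, e.g. Postfix's
    "(using TLSv1.3 with cipher ...)", which would confuse the 'with' match."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def hop_report(raw_message):
    """Return (receiving_host, protocol, used_tls) per hop, oldest hop first."""
    hops = []
    # Each server prepends its header, so reverse to get chronological order.
    for value in reversed(message_from_string(raw_message).get_all("Received", [])):
        clean = strip_comments(" ".join(value.split()))  # unfold, drop comments
        by = re.search(r"\bby\s+(\S+)", clean)
        proto = re.search(r"\bwith\s+(\w+)", clean)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw_message):
    """Hops whose header does not claim TLS. Headers are self-reported."""
    return [hop for hop in hop_report(raw_message) if not hop[2]]

if __name__ == "__main__":
    for host, proto, tls in hop_report(SAMPLE):
        print(f"{host:20} {proto:8} {'TLS' if tls else 'no TLS recorded'}")
```

The result only reflects what each server chose to write, and it covers hops that already happened; it does not let a sender require TLS on the path.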