[FFmpeg-devel] [RFC] dormant git accounts

Michael Niedermayer michael at niedermayer.cc
Mon Nov 11 21:33:09 EET 2024


Hi

On Mon, Nov 11, 2024 at 05:00:42PM +0000, Derek Buitenhuis wrote:
> On 11/11/2024 4:42 PM, Michael Niedermayer wrote:
> > Publicly listing which developer provides which part of the DNS infra
> > makes it easier to attack not harder.
> > That said, I suspect who provides what was mentioned in the past already
> 
> It is already publicly available info to anyone who can look up an IP.

Then what is this discussion about? (If all people's names can be found easily)


> 
> > If an attacker doesn't know who provides a server then the attacker can only
> > attack the server directly via its name and IP.
> > If an attacker knows who owns the server then he can perform a wide
> > range of additional attacks. For example
> > impersonating that developer towards the server hoster, or if the attacker
> > can figure out the phone number of the developer then SIM swapping becomes
> > possible. From that various other accounts can then be taken over, and
> > once an attacker is in control of phone and email of someone further
> > account compromises become increasingly easy.
> > 
> > I do not think we would be doing FFmpeg a service or improve security
> > by listing everyone's names in a public file. Even if most of this
> > probably was said publicly already, having it in one single place
> > makes it even easier for an attacker.
> 
> This only convinces me further that this whole setup isn't fit for purpose,
> and is being run by people who have no concept of actual security. This is
> totally insane.

So "publicly listing every admin's and server owner's (where it's not the company)
name" is the normal and sane thing, and not listing them publicly is totally insane?

Do i understand this correctly?

If so, then I am sure that every security related company lists these publicly?
Likewise the FBI, financial institutions, and so forth.

These are organisations where security is very important, but none of them
lists server owners and admins publicly. And I am not even sure what they
would do if you called them and asked, but they probably would ask you for
your name and intent, and at least internally report this without answering your
question.

But let's go back to the original questions:
1. what exact information do you ask for ?
2. why ?
3. what do you intend to do with this information ?
4. The names of the developers providing the infra have been provided before, did you look through past discussion?
5. Do you ask these questions to every project or just FFmpeg ?
   (I have been told these questions only happen toward FFmpeg, can you
   explain why?)

Last year I tried to simply answer all the questions, but that didn't make
anyone happy. I must be missing something.

I mean, we can go through the whole thing again if people want, but I really
think most developers would prefer to work on the code and project instead.

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundred thousand in war. Let country fall into chaos,
be surprised about rise of fundamentalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued