[OSM-talk] Why doesn't OSM implement a simple measure to protect its users and passwords?

Frederik Ramm frederik at remote.org
Sat Dec 26 11:04:57 GMT 2009


Hi,

Matt Amos wrote:
> as with any security measure, to minimise your risk you need to be
> aware of the security horizon (which will depend on what your attack
> profile is) and change your authentication details regularly.

I think any security discussion should start with a threat assessment:

1. What do we want to protect?
2. Whom do we need to protect us against?
3. What resources (and what other means to get to 1.) does that guy have?

Sometimes, for a balanced reaction, you might also want to add:

4. How realistic is the threat *currently*, and if the threat is not 
*currently* realistic, then how much damage would be done if one just 
waits until the threat becomes real?

The existing demands for encryption seem more politically/ideologically 
motivated ("we should long since have done X"), with the answers to the 
above being something like "our privacy" for 1, and "world governments" 
for 2. - I don't believe in the notion that general paranoia heightens 
your personal security and privacy.

As for OSM, I'd say we can afford to wait until governments start 
large-scale spying on their citizens (or subjects, for those of us who 
live in monarchies), and then we can still encrypt everything.

Bye
Frederik
