[OSM-talk] Fwd: Why doesn't OSM ?

Sun Dec 27 11:43:57 GMT 2009

 On Sun, Dec 27, 2009 at 9:26 AM, Liz <edodd at billiau.net> wrote:

> On Sat, 26 Dec 2009, Frederik Ramm wrote:
> > 1. What do we want to protect?
>

The data is fully open, but some people want to reduce their fingerprint on
the data to protect themselves, for example they submit their GPX tracks
privately so it will not be possible to derive from them where he lives or
works. This doesn't mean he is holding back data, he only chooses to give it
without his fingerprints.

> > 2. Whom do we need to protect us against?
>

The whom depends also on from where, I will give you something on point 4 as
this have to do more with that.

> > 3. What resources (and what other means to get to 1.) does that guy have?
> >
>

There are several forms of protection, several of them can be applied to
OSM, and some of them doesn't need much resources to implement.

> > Sometimes, for a balanced reaction, you might also want to add:
> >
> > 4. How realistic is the threat *currently*, and if the threat is not
> > currently realistic, then how much damage would be done if one just
> > waits until the threat becomes real?
>
>
As part of my job I have to follow up on the ISPS regulation, it is an
international regulation regarding ship and port security. It clearly
identifies that the level of threat is different around the world, you
cannot sit safely in Germany or England saying that there are no threats so
we do not need security measures, when people participating in this project
are from countries where the reality is completely different than western
Europe. I myself is mostly connected from Brazil, though at work I have (at
the moment) satellite link via Norway, there are people contributing from
Taiwan, Sri Lanka, Marocco, Israel, Palestina, Russia, all of these are
countries with a completely different threat reality. Marocco and Taiwan are
places where snooping for mail addresses and passwords have been very high,
and implementing SSL for login would to some extent prevent them from
harvesting mail addresses, which can reduce the amount of SPAM in some of
our users mailboxes, just to mention one real threat.

What is the reason for NOT implementing simple security measures on OSM? Is
it lack of security awareness, lack of resources, ignorance? In that case
something should be done. If the reason on the other hand is prioritation,
than maybe somebody should look at the TODO list to see if the priority is
high enough, and maybe change the priority to something appropriate.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/talk/attachments/20091227/d15f1209/attachment.html>