From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Greg Stark <stark(at)mit(dot)edu> |
Cc: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, PostgreSQL WWW Mailing List <pgsql-www(at)postgresql(dot)org> |
Subject: | Re: Wiki 2FA |
Date: | 2016-01-24 12:30:25 |
Message-ID: | CABUevEz4DuWdLvBrkp8PCvXJ9oDJ8gqyHdnmjMdbZ=p5VaWauQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-www |
On Sun, Jan 24, 2016 at 1:04 AM, Greg Stark <stark(at)mit(dot)edu> wrote:
> On Sat, Jan 23, 2016 at 11:25 PM, Joshua D. Drake <jd(at)commandprompt(dot)com>
> wrote:
> > No. I meant the idea of having Google Authenticator required (which is
> open
> > source). It works on any Android device as well as others (windows). I
> > believe it would help with the autoscripting edits?
>
> Why? It doesn't in any way prevent automated scripted spammers. They
> can automatically generate TOTP codes from a script just as easy as
> the app can. A SMS-based 2FA scheme might have an impact but even that
> can be farmed out easily.
>
> Actually requiring a Google account and OAUTH login would actually
> have an impact because Google cares about spammers with Google
> accounts and goes after them and shuts them down. On the one hand
> Google is going to do a better job of anti-spam, opsec, and dos
> mitigation than we every will. But on the other hand I suspect Google
> is only concerned by numbers that are significantly larger than our
> threshold of pain and it would mean giving away a lot of control over
> the process.
>
The majority of the spam came from people with freshly signed up @gmail.com
or yandex email addresses. So they clearly got through at least one layer
of defense there.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 2016-01-24 12:32:30 | Re: Wiki 2FA |
Previous Message | Quinn Weaver | 2016-01-24 11:09:43 | Wiki editor privileges |