On 2024-01-15 19:03, Steve Petrie via talk wrote:

My 2 cents ...

Subject: Re: [GTALUG] "AI" on getting correct technical answers
Date: 2024-01-15 11:47
From: o1bigtenor via talk <talk@gtalug.org>
To: GTALUG Talk <talk@gtalug.org>

On Mon, Jan 15, 2024 at 8:56 AM Alvin Starr via talk <talk@gtalug.org> wrote:
[snip]
You don't need a cell phone number but need to have a number that will
accept SMS.
VOIP services offer numbers with SMS features.
[Steve Petrie]
My personal policy is dead simple. Any seller / provider REQUIRING me to receive SMS doesn't get my business. If they WON'T send me a code via email, I WON'T use their service. So far so good.
 
One SMS flaw I encountered, was when someone sent me an SMS message (which I never saw because I have no SMS service subscription), and the sender claimed they got no bounce message. If this SMS "black hole" phenomenon exists, that's a REALLY BAD THING.
SMS does have delivery notifications built into the protocol.
If you send a message from your phone you can tell that it was delivered.
But there are no "bounce backs" with notification of non-delivery.

It's not the greatest protocol but it does work.
Think of it like UDP.
Lots of stuff works well with UDP even though there are no delivery guarantees.


 
* * *
* * *
 
[o1bigtenor]
[snip] I am considering using voip if not for everything as voip dies when the power does and that's a serious flaw!
 
[Steve Petrie]
My "land line" phone service via a (wall-mounted) Bell Canada-provided Sagemcom HomeHub 4000 modem in my apartment, ALSO DIES WHEN THE POWER FAILS in my apartment. Bell's recommendation is for the Sagemcom 4000-equipped subscriber to purchase their own UPS to assure Sagemcomm 4000 operational continuity. Power outages being so very rare in Toronto, I consider it a waste of $ to buy a UPS.
 
Supposedly (per Bell Canada), from the fibre-side of the Sagemcom 4000 modem in my apartment, all the way to battery-backed Bell upstream electrical-powered facilities, 100% passive fibre facilities in Bell's pole-mounted fibre equipment, require NO ELECTRICAL POWER to operate.
 
Ahhhh. I wondered about that.
You will have passive fibre to the remote at which point your on battery backup only if you are in a rural area.

[snip]
 
[o1bigtenor]
Hm - - - - it was some time in the first 1/2 of 2012 when a VP at Microsoft
issued the announcement that for those that were logging in off campus
that it would be thenceforth required to use 2FA (as either SMS or email).
 
[snip]

What none of these boffins seems to be aware of is that the same individual
in early 2019 sent a similar email to the same recipients that " . . .
due to the inherent insecurity of [snip] open email systems
 
[Steve Petrie]
What's "insecure" about email over SMTP ?? Has always seemed rock solid to me. If your OUTBOUND message doesn't get delivered to the recipient, you receive a bounce notification.

The bounce may be several days later.
SMTP is generally sent in clear-text so there is an argument that a person in the middle can read your email.
More people are using TLS encryption but there is no way to enforce that as your mail passes through the various mail servers to get to you.

 
My understanding is that SMTP has a tiny hole where outbound message non-delivery does not issue a bounce report email to the sender. Never encountered this tiny glitch myself.
 
As for spoofed INBOUND messages, they are always obvious by their general nature. Hackers don't know my personal context, so they can only send me absurdly generic email content.


You would be surprised how much of your context can leak out.
I have often gotten email messages about delivery problems with parcels when I order things to be delivered.
Somehow the fact that I am getting a delivery has leaked out somewhere.


IMHO -- entering a password into a web page + entering a confirmation code sent to my email address, IS 2FA.
Yes it is a very popular 2FA so its not just your opinion.
Its likely about as secure as an SMS message

 
Is it EVEN POSSIBLE for a clever hacker to spoof my email inbox and steal my inbound email messages ??
In theory yes.
If they can gain control of your DNS entries they could redirect your MX but that is low risk.
If they get your login they could insert an email filter that forwards all your messages to somewhere else.
If they have access to your mail server then your messages may be readable using 'cat' or they could modify the mail transport to redirect mails.


 
I suppose this would require the hacker to: (1) steal my password protecting my email access login at my email hosting provider, or (2) Steal my password protecting my personally-maintained DNS records at my DNS provider, or (3) hack my email hosting provider's infrastructure, or (4) hack my DNS provider's infrastructure.
We have the same list of hacks.

But here is one more.

If you access your email via a browser it is possible for a hacker to get your session keys and craft up a session and then login to your email without having to actually log in.
Which is a good reason to not use SSO services.
-- 
Alvin Starr                   ||   land:  (647)478-6285
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin@netvel.net              ||