[Operators] Prosody vs. spammers - security measures?

michael p michael at rustyhalo.org
Tue Feb 4 16:59:37 UTC 2014

Wait, why do the phone numbers need to be stored/logged? Can't a completely separate system be used to send an audio message or text to a number, then once the correct verification code is received, signal the new user to be created on the jabber server and discard the number?

I understand the reluctance of people to enter their phone numbers into foreign systems, I do, and for people who will never give out their number, I know this is a non-starter, but we're trying to fight bogus registrations, here. If a completely separate, log-free system was used for registration, I wouldn't have issue putting my number in. Unsolicited SMS and cell calls are illegal to the point that spammers (as far as I've seen) don't go anywhere near spamming people's cells with texts or calls, especially with how easy it is to trace back to the source of such things. If there's no worry of a 'phone number database' being compromised, and the system doing the verifications is separate and secure, short of that verification system being compromised (which is a risk when storing any other personal information along with your XMPP account), what's the big deal?

Google asks for your phone number, and so does Facebook. I may be comparing apples and oranges, but I'm pointing out it's far from unheard of. With free DIDs easy to come by, and Google Voice free to US users, many privacy-minded folks already have other numbers they give out other than their cell.

I'm all for privacy, but I realize I need to trade some in order to use other people's free as in beer services. If people expect free services to also allow anonymous registration and not somehow to become bastions of spammers, they have unreasonable expectations (IMHO, but I'm welcome to be corrected).

Alexander Holler <holler at ahsoftware.de> wrote:
>On 04.02.2014 15:35, Evgeny Khramtsov wrote:
>> Mon, 03 Feb 2014 21:25:23 +0100
>> Alexander Holler <holler at ahsoftware.de> wrote:
>>> On 03.02.2014 20:57, Evgeny Khramtsov wrote:
>>>> We're thinking to switch to SMS-based verification for
>>>> jabber.ru: we have it currently and it works fine and is pretty
>>>> cheap, just need to disable email verification completely.
>>> Hmm, nice way to collect users' phone numbers.
>>> I'm not sure if such should be done as it requires that users have
>>> to provide more data than they usually want.
>>> And if such becomes a common requirement, privacy has become a bit
>>> more eroded, if such even still exists on the net.
>>> Regards,
>>> Alexander Holler
>> It's up to you. I just shared my experience. Nobody is going to make
>> a requirement. I don't even think there will be any proposal. We have
>> such discussions from time to time here and they end up nowhere. I
>> don't think this discussion will be an exception.
>Hmm, I think you misunderstood me. I haven't assumed it will become a
>requirement dictated by any XEP or similar, and if someone would be
>silly enough trying to do such, it will be likely a politician or spook.
>The keyword above was 'common', that means if more service-providers do
>think that this is a good idea (because it might work), it might become
>finally accepted by users too. And then people will have to leave their
>phone numbers everywhere (e.g. to login to some bugzilla) and the phone
>numbers will be conserved in logs, DBs and similar for future
>generations, besides all the stuff which can already be done if you
>someone's phone number.
>Alexander Holler
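
The separate, log-free verification system proposed at the top of this message could look like the sketch below. It is an added example, not part of the original post and not code from Prosody or jabber.ru. The `send_sms` callable, the HMAC-signed registration ticket, the shared `TICKET_KEY` and the timeouts are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TICKET_KEY = secrets.token_bytes(32)  # assumption: shared with the XMPP server
CODE_TTL, MAX_TRIES = 300, 3          # assumption: 5-minute codes, 3 guesses

class Verifier:
    """Pending verifications live in memory only; the number is never kept."""

    def __init__(self, send_sms):
        self._send = send_sms         # hypothetical SMS gateway callable
        self._pending = {}            # session id -> [code, expiry, tries]

    def start(self, phone, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        session = secrets.token_urlsafe(16)
        self._pending[session] = [code, now + CODE_TTL, 0]
        self._send(phone, code)       # only use of the number; not stored or logged
        return session

    def confirm(self, session, code, username, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(session)
        if entry is None:
            return None
        expected, expiry, tries = entry
        ok = now <= expiry and hmac.compare_digest(expected.encode(), code.encode())
        if ok or now > expiry or tries + 1 >= MAX_TRIES:
            del self._pending[session]    # one-shot: success, expiry or lockout
        else:
            entry[2] = tries + 1
        if not ok:
            return None
        # The ticket names only the username and a 60 s expiry, nothing else.
        msg = f"{username}|{int(now) + 60}".encode()
        mac = hmac.new(TICKET_KEY, msg, hashlib.sha256).hexdigest().encode()
        return msg + b"|" + mac

def xmpp_accepts(ticket, now=None):
    """Check the XMPP side runs before creating the account; returns the username."""
    now = time.time() if now is None else now
    msg, _, mac = ticket.rpartition(b"|")
    good = hmac.new(TICKET_KEY, msg, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, good):
        return None
    user, _, exp = msg.decode().rpartition("|")
    return user if now <= int(exp) else None
```

The SMS gateway and the carrier still see the number, so this only removes the verification host's own store from the picture.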

