google account say it will no longer deliver email

[Fero Dali]

I got a warning from google that my account will be discontinued.

> On May 30, you may lose access to apps that are using less secure sign-in
> technology
> To help keep your account secure, Google will no longer support the use of
> third-party apps or devices which ask you to sign in to your Google Account
> using only your username and password. Instead, you’ll need to sign in
> using Sign in with Google

I have used a google account to read email from mailing lists. I am using
fetchmail to get emails from google. Now it says it will discontinue this
access to my mail. I do not want to use webmail (I need to receive my mail
on my computer). Is there a way to somehow download emails from gmail
as I used to after May 30?

Thanks

[Eike Lantzsch ZP6CGE]

Please read the archives on this mailing list to receive an in-depth-answer:

 fetchma...@lists.sourceforge.net

All the best to you
Eike

[mick crane]

There's scripts been posted on the getmail mailing list to fix this.
I ought to sort it out in the next day or so but it might be easier to
stop using gmail.
There's some other limiting thing coming in later apparently.
google instructions here.
https://support.google.com/accounts/answer/185833

mick

--
Key ID 4BFEBB31

[Brian]

On Wed 11 May 2022 at 15:25:34 +0200, Fero Dali wrote:

> I got a warning from google that my account will be discontinued.

No, you didn't.

>
> > On May 30, you may lose access to apps that are using less secure sign-in
> > technology
> > To help keep your account secure, Google will no longer support the use of
> > third-party apps or devices which ask you to sign in to your Google Account
> > using only your username and password. Instead, you’ll need to sign in
> > using Sign in with Google
>
> I have used a google account to read email from mailing lists. I am using
> fetchmail to get emails from google. Now it says it will discontinue this

> access to my mail,

Where does google say that?

--
Brian.

[Brian]

On Wed 11 May 2022 at 19:04:01 +0100, mick crane wrote:

> On 2022-05-11 18:51, Brian wrote:
> > On Wed 11 May 2022 at 15:25:34 +0200, Fero Dali wrote:
> >
> > > I got a warning from google that my account will be discontinued.
> >
>

> > Where does google say that?
>

> It's about stopping phishing emails or something
> https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html

That does not answer my question.

--
Brian.

[Fero Dali]

On Wed, May 11, 2022 at 7:51 PM Brian <ad...@cityscape.co.uk> wrote:
> On Wed 11 May 2022 at 15:25:34 +0200, Fero Dali wrote:
> > I got a warning from google that my account will be discontinued.
>
> No, you didn't.

Sorry for misunderstanding: it seems that my account will continue to work but
ability to download mail with POP3 without OAUTH2 will be unavailable.

> > > On May 30, you may lose access to apps that are using less secure sign-in
> > > technology
> > > To help keep your account secure, Google will no longer support the use of
> > > third-party apps or devices which ask you to sign in to your Google Account
> > > using only your username and password. Instead, you’ll need to sign in
> > > using Sign in with Google
> >
> > I have used a google account to read email from mailing lists. I am using
> > fetchmail to get emails from google. Now it says it will discontinue this
> > access to my mail,
>
> Where does google say that?

In the first line of their email:

[Brian]

It does not say

"On May 30, you may lose access to POP3 if you are using fetchmail".

It also says "may" not "will". Is it known for a fact that fetchmail is
on a list of "less secure sign-in technology". Have Google designated it
as such?

--
Brian.

[Brian]

On Wed 11 May 2022 at 18:07:01 +0100, mick crane wrote:

> On 2022-05-11 14:25, Fero Dali wrote:

> > I got a warning from google that my account will be discontinued.
>

> On Wed, May 11, 2022 at 4:31 PM mick crane <mick....@gmail.com> wrote:
>
> There's scripts been posted on the getmail mailing list to fix this.
> I ought to sort it out in the next day or so but it might be easier to
> stop using gmail.
> There's some other limiting thing coming in later apparently.
> google instructions here.
> https://support.google.com/accounts/answer/185833

[...]

> So I guess this is the end of me using gmail :( And I need to find
> other email provider. I looked at web and found http://riseup.net But
> to create account there I also need an Invite Code. So, please, if
> anyone can give me an Invite Code for riseup.net I would be very
> grateful.

No need to stop using gmail. Use gmx. Forward gmail's mail to there.

--
Brian.

[Fero Dali]

In the next line it says "will":

> Google will no longer support

In any case I am looking for another email service supplier that does not
use the 2-Step Verification (OAUTH2) process to access my email box.

On the web I looked at http://riseup.net and it looks like a good one.
But to create an account there I also need an Invite Code.

So, please, if anyone can give me an Invite Code for riseup.net
I would be very grateful.

Thanks

[Fero Dali]

On Wed, May 11, 2022 at 8:20 PM Brian <ad...@cityscape.co.uk> wrote:
> No need to stop using gmail. Use gmx. Forward gmail's mail to there.

Thank you for suggesting this, but unfortunately it is not available to me.
On their web site I got this:

> We’re very sorry – we can’t sign you up
>
> Your IP address suggests you are trying to sign up
> in a country where GMX registration is no longer possible.
> Unfortunately, this means we can’t create an account for you.

So please if there are any other working email accounts i could get tell me.
(I found http://riseup.net but I need Invite there which I do not have)

Thanks

[Siard]

On Wed, 11 May 2022 20:52:22 +0200, Fero Dali wrote:
> So please if there are any other working email accounts i could get tell
> me. (I found http://riseup.net but I need Invite there which I do not have)

Do a search for 'gmail alternatives' and you will find at least a dozen of
them. Ad-free accounts with 100% privacy cannot be free (as in beer), but
they don't cost much.
I have a mailbox.org account myself (they are based in Berlin, Germany) and
am very content with it. There are many settings you can tweak, such as the
spam filter settings, and many options such as e-mail aliases, disposable
addresses, incorporating external accounts and the like.
And I never had any bounces from this list any more.

BTW, they have an article on this:
"Google announces restriction of Gmail with third-party services"
https://mailbox.org/en/post/google-announces-restriction-of-gmail-with-third-party-services
and you see two suggestions here to solve this problem.

[Brian]

Does this country where GMX registration is not possible
have a name?

--
Brian.

[Fero Dali]

On Wed, May 11, 2022 at 10:13 PM Brian <ad...@cityscape.co.uk> wrote:
> Does this country where GMX registration is not possible
> have a name?

Yes :)
It is Serbia (Srbija in my language)

[John Hasler]

Siard writes:
> Do a search for 'gmail alternatives' and you will find at least a
> dozen of them. Ad-free accounts with 100% privacy cannot be free (as
> in beer), but they don't cost much.

I'm currently using pobox.com .

> I have a mailbox.org account myself (they are based in Berlin,
> Germany) and am very content with it. There are many settings you can
> tweak, such as the spam filter settings, and many options such as
> e-mail aliases, disposable addresses, incorporating external accounts
> and the like. And I never had any bounces from this list any more.

And get your own domain (I recommend Gandi as a registrar). You can
then point the MX records to whoever you are purchasing email service
from. That way you can change email providers without changing your
email address.
--
John Hasler
jo...@sugarbit.com
Elmwood, WI USA

[Virgo Pärna]

On Wed, 11 May 2022 20:09:14 +0200, Fero Dali <fero...@gmail.com> wrote:
> Sorry for misunderstanding: it seems that my account will continue to work but
> ability to download mail with POP3 without OAUTH2 will be unavailable.
>

Actually, even without OAUTH2 it should be still possible. With
two factor authentication enabled it is possible to generate app
password for use with standard authentication.

--
Virgo Pärna
virgo...@mail.ee

[Curt]

Yeah, this all seems like a tempest in a fictious teapot.

https://wiki.archlinux.org/title/Backup_Gmail_with_getmail

Troubleshooting
Depending on your Gmail security, you may be left with this error when
running getmail:

getmailrc: credential/login error ([ALERT] Please log in via your web
browser:
https://support.google.com/mail/accounts/bin/answer.py?answer=78754
(Failure))
0 messages (0 bytes) retrieved, 0 skipped

To bypass this Gmail security feature, one must enable access for
less secure apps

[Fero Dali]

On Thu, May 12, 2022 at 12:08 PM Virgo Pärna <virgo...@mail.ee> wrote:
>
> Actually, even without OAUTH2 it should be still possible. With
> two factor authentication enabled it is possible to generate app
> password for use with standard authentication.

In my second email in this thread I described why I can not get
two factor authentication. So I still can not use POP3 here.

BTW as far as I understand OAUTH2 and two factor authentication
are the same thing. I might be wrong though.

[Greg Wooledge]

On Thu, May 12, 2022 at 03:23:25PM +0200, Fero Dali wrote:
> BTW as far as I understand OAUTH2 and two factor authentication
> are the same thing. I might be wrong though.

A quick google search and a skim of one web site tells me that they
are not. It also tells me that I'm going to need more than a 30-second
skim to understand what OAUTH2 actually is... but it's definitely not
two-factor authentication. It's not even *authentication* at all;
according to the site I got, it's an *authorization* framework.

[Virgo Pärna]

On Thu, 12 May 2022 15:23:25 +0200, Fero Dali <fero...@gmail.com> wrote:
>
> In my second email in this thread I described why I can not get
> two factor authentication. So I still can not use POP3 here.
>

Tried rechecking all mails, but did not find that mail. TOTP
based twofactor can be used even without phone app.

> BTW as far as I understand OAUTH2 and two factor authentication
> are the same thing. I might be wrong though.
>

OAUTH2 is basically logging in via web brauser and then getting
authorization token, that needs to be refreshed from time to time for it to
continue work. It is theoretically open standard, but... In reallity
service providers like Google and Microsoft require certifing programs
before they can use their OAUTH2 login.

Also, for it to work seamlessly program needs to have embedded
web browser or web server to receive authentication tokens.


--
Virgo Pärna
virgo...@mail.ee

[Fero Dali]

On Thu, May 12, 2022 at 8:08 PM Virgo Pärna <virgo...@mail.ee> wrote:
>
> Tried rechecking all mails, but did not find that mail. TOTP
> based twofactor can be used even without phone app.

I made a mistake and replied privately to mick crane and he was very
kind and repost that mail to the list:
https://lists.debian.org/debian-user/2022/05/msg00331.html

[Ash Joubert]

On 13/05/2022 01:23, Fero Dali wrote:
> BTW as far as I understand OAUTH2 and two factor authentication
> are the same thing. I might be wrong though.

They are not. OAuth2 is a delegated access framework: with OAuth2 for
Gmail, you use your Google password once to authorise Google to give
your email client a token that it can then use to access your email,
contacts, and calendar and *only* those, and not any other Google
services. This means that your main Google password is not stored in
your email client, reducing the risk that it might be compromised, as
well as limiting the access of your email client.

Two-factor authentication is when you need to confirm your login with an
SMS message or one-time pad or other second way of authenticating that
you are who you claim to be. 2FA is popular because users choose weak
passwords and share them between services. If users generate a unique
strong random password for every service, little is gained with 2FA, and
2FA is then just a massive pain in the arse. But user behaviour is
unreliable.

Thunderbird supports OAuth2 and I use it for Gmail IMAP. K-9 Mail on
Android does not support OAuth2 so I use the Gmail app on Android for
Gmail alone.

Kind regards,

--
Ash Joubert <a...@transient.nz>
Director
Transient Software Limited <https://transient.nz/>
New Zealand

[tv.debian]

This is off-topic but on Android "FairEmail" supports OAuth2 with Google
and others, only in it's Play store version sadly, not the F-Droid one.
I am not affiliated with the author of "fairEmail" and used K9 previously.

[Nicholas Geovanis]

On Thu, May 12, 2022 at 6:06 PM Ash Joubert <a...@transient.nz> wrote:

...trimmed...

 

Two-factor authentication is when you need to confirm your login with an
SMS message or one-time pad or other second way of authenticating that
you are who you claim to be. 2FA is popular because users choose weak
passwords and share them between services. If users generate a unique
strong random password for every service, little is gained with 2FA, and
2FA is then just a massive pain in the arse. But user behaviour is
unreliable.

In the last couple years many corporate and not-for-profit organizations have implemented

2-factor authentication internally. Even in the physical office many transactions require 2FA interaction.

Where I am now that is also the case, and 2FA is configured to prompt with a choice between receiving 

the 2nd factor by SMS text message, voice call, or email. They're using Pulse 2FA. So your provider

can do that too if they want to. But the whole point of 2FA is that there shall be a second response

from a previously known location for you: phone number, email address, etc.

That's the value added in exchange for Ash's "massive pain in the arse". Just making the 1st factor be

a loong password is not equivalent to 2FA in any way. Machine reaching back to you is the difference.

.......

[to...@tuxteam.de]

The only "value added" is for those third-party providers: they know where
& when you are logging into which service and can monetize on it.

It's just the basic antipattern you can see everywhere in surveillance
capitalism: provide a service which interposes between users and the
things they do (search, communicate, marketplace, transport; in the
current case: identity management), try to make them dependent, monetize
the knowledge you gain about your users.

Not all 2FA is like that, of course. When your second factor is a
hardware dongle (best if you control it, i.e. it's open hardware and
free firmware, Nitrokey comes as near as it gets). Still, why?

A loong password is not "equivalent" to 2FA, that's right. Good
password management (of which length is but a part) is as secure
as 2FA.

Cheers
--
t

[Virgo Pärna]

Ok. Google Authenticator based 2 factor is TOTP. That is why I
said, that it can be used without phone. Keepass password manager
supports it. But that does mean, that you need to have access to those
programs anywhere, where you are logging into gmail. So that can be an
issue.

--
Virgo Pärna
virgo...@mail.ee

[Kamil Jońca]

yubikeys can be 2FA, either as U2F or totp (at least this one
https://www.yubico.com/pl/product/yubikey-5-nfc/ or https://www.yubico.com/pl/product/yubikey-5-nfc/)


KJ

--
http://wolnelektury.pl/wesprzyj/teraz/

[Curt]

On 2022-05-13, <to...@tuxteam.de> <to...@tuxteam.de> wrote:
>
> It's just the basic antipattern you can see everywhere in surveillance

You seem to be seeing these antipatterns at the drop of any hat.

But I read recently about a brand new password antipattern (whatever those are).
The only thing is, I don't really understand what the hell it is exactly.

In a joint effort to make the web more secure and usable for all,
Apple, Google and Microsoft today announced plans to expand support
for a common passwordless sign-in standard created by the FIDO
Alliance and the World Wide Web Consortium. The new capability will
allow websites and apps to offer consistent, secure, and easy
passwordless sign-ins to consumers across devices and platforms.

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

I guess the devil, as always, will be hiding somewhere in the details.

[to...@tuxteam.de]

On Fri, May 13, 2022 at 09:36:13AM -0000, Curt wrote:
> On 2022-05-13, <to...@tuxteam.de> <to...@tuxteam.de> wrote:
> >
> > It's just the basic antipattern you can see everywhere in surveillance
>
> You seem to be seeing these antipatterns at the drop of any hat.

Uh -- whatever you mean to say with that.

[...]

> I guess the devil, as always, will be hiding somewhere in the details.

It always does, indeed.

Cheers
--
t

[Curt]

On 2022-05-13, <to...@tuxteam.de> <to...@tuxteam.de> wrote:
>
>> > It's just the basic antipattern you can see everywhere in surveillance

>> You seem to be seeing these antipatterns at the drop of any hat.
>
> Uh -- whatever you mean to say with that.

I meant that you applied (or employed) the term quite recently in a
completely unrelated thread about openssh, and David Wright's
observation that logging in remotely as root can be problematic.

> [...]
>
>> I guess the devil, as always, will be hiding somewhere in the details.
>
> It always does, indeed.
>
> Cheers

> --=20
> t
>
> --Dpz3S9OQGoUbsVHa
> Content-Type: application/pgp-signature; name="signature.asc"
>
>
> --Dpz3S9OQGoUbsVHa--
>
>


--

[to...@tuxteam.de]

On Fri, May 13, 2022 at 11:44:52AM -0000, Curt wrote:
> On 2022-05-13, <to...@tuxteam.de> <to...@tuxteam.de> wrote:
> >
> >> > It's just the basic antipattern you can see everywhere in surveillance
>
> >> You seem to be seeing these antipatterns at the drop of any hat.
> >
> > Uh -- whatever you mean to say with that.
>
> I meant that you applied (or employed) the term quite recently in a
> completely unrelated thread about openssh, and David Wright's
> observation that logging in remotely as root can be problematic.

Hm. It seems I was unclear. Trying to fix it (hopefully *not* making
it worse):

- I do agree that logging in as root remotely can be problematic
(especially when root has a weak password). So I think it is
a good thing for the admin to be able to disable that.
- I think the software forcing the admin to do that would be an
antipattern. OpenSSH *doesn't* force the admin to do that,
so it *doesn't* follow that antipattern.

Cheers
--
t

[Michael Stone]

On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
>A loong password is not "equivalent" to 2FA, that's right. Good
>password management (of which length is but a part) is as secure
>as 2FA.

No, it really isn't.

[David Wright]

What I don't understand about that thread is why the shift in
focus to ssh, openssh, and logging in (or otherwise) as root.
I don't see any antipatterns there (they certainly haven't been
spelled out), but just choices made by the sysadmin, between
no root password, having a password but not usable for remote
logins, and so on. Choices helped along by our Debian developers.

Surely the serious antipatterns mentioned in that thread are:
. running setuid scripts, as the OP claimed was possible in the past,
. suggestion to run said scripts as root, without having seen them.

(One of the benefits of posting scripts here is that they get
criticised, usually constructively, and hence improved.)

Cheers,
David.

[Brian]

How does a 40 random character, high entropy sound for Google? Good
enough to go up against 2FA? Avoiding the tedium and inconveniece,
of course.

[Kamil Jońca]

Think about leaks.
Password can be stolen, while with 2fa you have to take control over two
factors.

Saying that IMO "app paswords" (maybe with time validity) are good
compromise between security and convenience.
And I do not like oauth2 in its current incarnation.
KJ


--
http://wolnelektury.pl/wesprzyj/teraz/

[Brian]

On Fri 13 May 2022 at 20:01:20 +0200, Kamil Jońca wrote:

> Brian <ad...@cityscape.co.uk> writes:
>
> > On Fri 13 May 2022 at 08:42:21 -0400, Michael Stone wrote:
> >
> >> On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> >> > A loong password is not "equivalent" to 2FA, that's right. Good
> >> > password management (of which length is but a part) is as secure
> >> > as 2FA.
> >>
> >> No, it really isn't.
> >
> > How does a 40 random character, high entropy sound for Google? Good
> > enough to go up against 2FA? Avoiding the tedium and inconveniece,
> > of course.
>
> Think about leaks.
> Password can be stolen, while with 2fa you have to take control over two
> factors.

When was the last time you experienced that or heard of a well-documented
case of it happening? I do not even know what my passwords are. Nothing to
be stolen!

Your claim is a good example of "frighten the user into doing what we want".

--
Brian.

[Kamil Jońca]

Brian <ad...@cityscape.co.uk> writes:

[...]

> When was the last time you experienced that or heard of a well-documented
> case of it happening?

I do not know what you mean "well documented"
https://haveibeenpwned.com/ is enough?

> I do not even know what my passwords are.

Does not matter. I also know very few my passwords (or rathers
'secrets') - only these to unlock password manager(s).

> Nothing to
> be stolen!
Erm? Could you clarify?


I do not know what is your point.
I believe you can protect your passwords. (So do I , I hope). But we
are rather rare species now.
Moreover, although your provider should not keep password in plain,
quite often they do.

> Your claim is a good example of "frighten the user into doing what we want".

Well, no? I think I was clear, that I do not like google/ms behavior.
KJ


--
http://wolnelektury.pl/wesprzyj/teraz/

[David]

On Sat, 14 May 2022 at 04:40, Brian <ad...@cityscape.co.uk> wrote:
> On Fri 13 May 2022 at 20:01:20 +0200, Kamil Jońca wrote:
> > Brian <ad...@cityscape.co.uk> writes:
> > > On Fri 13 May 2022 at 08:42:21 -0400, Michael Stone wrote:
> > >> On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:

> > >> > A loong password is not "equivalent" to 2FA, that's right. Good
> > >> > password management (of which length is but a part) is as secure
> > >> > as 2FA.

[...]

> > Password can be stolen, while with 2fa you have to take control over two
> > factors.

[...]

> Your claim is a good example of "frighten the user into doing what we want".

[Statements above are heavily trimmed and provide context only.
They are independent and do not represent a conversation.]

Speaking of "frighten the user into doing what we want" ...

Yesterday I needed to log in to a (different) gmail account that
I had not used for some time, so gmail reasonably required
some authentication.

1) Username (email address) ... I provided it.
2) Password (random chars, medium length) ... I provided it.
3) One-time auth token (sent to an unidentified non-gmail mailbox) ...
I provided it.

You would think that would be enough to satisfy 2FA, but it wasn't.

I was then prompted to enter a phone number, and it was
impossible to proceed without doing so, to obtain a onetime
token sent by SMS.

"so that we can verify your identity" or words to that effect.

The point is, I have never in my life before given gmail any phone
number. So gmail claiming that one was required to identify me
was a lie. At that point, any phone number would satisfy the process.

And denying access until I provided one, gave me a very
unpleasant feeling of being blackmailed into coughing up a phone
number in response to a lie.

Luckily, I was able to satisfy the requirement without revealing
any information that I care about. It will be annoying for future
logins though, so I now intend to move that content to a different
hosting service.

Diversity, not having all eggs (email, phones) in one basket is
my best solution to this. Use multiple, cheap, minimal, easily
swappable solutions where possible. The gmail account I'm
using to write this is only used for mailing lists, for example.

[Ash Joubert]

On 13/05/2022 12:23, Nicholas Geovanis wrote:
> That's the value added in exchange for Ash's "massive pain in the arse".
> Just making the 1st factor be
> a loong password is not equivalent to 2FA in any way. Machine reaching back
> to you is the difference.

There are attacks that 2FA can defeat, especially things like password
reset via compromised email server, but in general, two weak factors are
not a match for a strong unique random password. In particular, it is
not uncommon for sms/email/totp second factor to resolve to exactly the
same device as the first factor, reducing 2FA to a single factor.
Compromise such a user's phone and it is all over.

If Bob username "bob" chooses password "bob123" (real example, name
changed to protect the guilty) for both his email and website login, 2FA
via email is easily circumvented by intercepting the email. If both
email and website had strong unique random passwords, many attacks are
prevented. Password reset attacks via intercepted emails on the email
server remain a threat.

It is not enough for a password to be looong. It must be strong AND
unique AND random. Even a strong password is exploitable if one
compromised site can be used to obtain it and access many other sites.
It has to be random because someone else may have used the first 100
decimal digits or pi or e or the first paragraph of your favourite book.
Strong goes without saying.

[Ash Joubert]

A good password will not protect you from password reset via a weak
channel such as email on an insecure server.

2FA will not protect you if the second factor is weak or resolves to the
same device. Hint: if you store your password and TOTP key in the same
manager then you have only one factor.

2FA often smells to me like security theatre, a band-aid over a sucking
chest wound of weak security practices, much like forced password
expiry. Done well, in addition to good security practices, including
strong unique random passwords, 2FA enhances security, but the cost is
high. Note however that the cost of a compromise can be devastating.

If you use 2FA, you must include it in your disaster recovery plans.
Imagine all your on-site devices including your phone are destroyed. Now
recover.

[to...@tuxteam.de]

On Sat, May 14, 2022 at 03:05:11PM +1200, Ash Joubert wrote:
> On 14/05/2022 00:42, Michael Stone wrote:
> > On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> > > A loong password is not "equivalent" to 2FA, that's right. Good
> > > password management (of which length is but a part) is as secure
> > > as 2FA.
> >
> > No, it really isn't.
>
> A good password will not protect you from password reset via a weak channel
> such as email on an insecure server.
>
> 2FA will not protect you if the second factor is weak or resolves to the
> same device. Hint: if you store your password and TOTP key in the same
> manager then you have only one factor.

Not to speak of SIM spoofing or social engineering of your mobile phone
provider (yes, it has been observed in the wild). There goes your SMS
second factor.

Cheers
--
t

[to...@tuxteam.de]

On Sat, May 14, 2022 at 02:40:53PM +1200, Ash Joubert wrote:
> On 13/05/2022 12:23, Nicholas Geovanis wrote:
> > That's the value added in exchange for Ash's "massive pain in the arse".
> > Just making the 1st factor be
> > a loong password is not equivalent to 2FA in any way. Machine reaching back
> > to you is the difference.
>
> There are attacks that 2FA can defeat, especially things like password reset
> via compromised email server, but in general, two weak factors are not a

> match for a strong unique random password [...]

[strong, unique, random]

That's it. The unique part can't be stressed enough: if your have
umpteen services out there, it's a matter of time until one of
those passwords leak (incompetent service provider, phishing,
etc.). It better be different from your other passwords.

To minimise stress, I let a tool generate my passwords (pwgen).
Important ones are 16 char (disk & backup encryption, bank account
key armor, etc.), less important ones (e.g. local login) just 8.

Cheers
--
t

[Curt]

On 2022-05-14, Ash Joubert <a...@transient.nz> wrote:
> On 13/05/2022 12:23, Nicholas Geovanis wrote:
>> That's the value added in exchange for Ash's "massive pain in the arse".
>> Just making the 1st factor be
>> a loong password is not equivalent to 2FA in any way. Machine reaching back
>> to you is the difference.
>
> There are attacks that 2FA can defeat, especially things like password
> reset via compromised email server, but in general, two weak factors are
> not a match for a strong unique random password. In particular, it is
> not uncommon for sms/email/totp second factor to resolve to exactly the
> same device as the first factor, reducing 2FA to a single factor.
> Compromise such a user's phone and it is all over.

What about data breaches, and sites keeping your password
in plain text (though it seems access to the cryptographically hashed
passcodes is already a pretty good leg up)? What good is our entropy then?

https://en.wikipedia.org/wiki/List_of_data_breaches

https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

[to...@tuxteam.de]

On Sat, May 14, 2022 at 08:58:37AM -0000, Curt wrote:

[...]

> What about data breaches, and sites keeping your password
> in plain text (though it seems access to the cryptographically hashed
> passcodes is already a pretty good leg up)? What good is our entropy then?

As stated elsewhere: unique passwords. Don't use a password you're using
elsewhere. Much less so with a site you don't trust.

Cheers
--
t

[to...@tuxteam.de]

On Sat, May 14, 2022 at 11:21:39AM +0200, to...@tuxteam.de wrote:
> On Sat, May 14, 2022 at 08:58:37AM -0000, Curt wrote:
>
> [...]
>

> > What about data breaches [...]

> As stated elsewhere: unique passwords [...]

Or, if I may put it in another terms: Recycle your trash. Never
recycle your passwords.

Cheers
--
t

[Brian]

Let me introduce you to my bank: they reduced the maximum 20 chars
to 16 and did not allow some special chars such as "!" and ".".
Mind you, I feel much more secure - 3FA is used :).

--
Brian.

[Brian]

The time to brute force a hash depends on password entropy. The
second link is an interesting read, but I do not think evrything
in a cracker's garden is rosy. One can only hope providers use
decentt hashing techniques and keep data safe.

--
Brian.

[Curt]

As always, I'm very uncertain where your goal posts are placed or what
tacit agenda you're following. No one has advocated the use of unique
passwords.

In my plausible scenario, you're password entropy counts for nothing.
Your password, unique or otherwise, has been compromised. 2FA would
prevent illegal entry to your account in this case. The subject we're
addressing here is your assertion that 2FA adds no extra security. I
have demonstrated that it does.

> Cheers

[Brian]

Preventing data breaches are outside the scope of the user, providing
a high entropy password is not. If accessing a site is of importance
to him, then, in your plausible scenario, an eight character password
effectively gives little security.

That is not an argument for 2FA but for a user having a responsible
password policy to guard agains such breaches.

--
Brian.

[to...@tuxteam.de]

Three? Why not go all the way to 5FA [1]?

Cheers

[1] https://boingboing.net/2005/09/14/gillettes-5blade-raz.html
(not linking to the original Onion because their Javascript
doesn't want to play with me)

--
tomás

[Brian]

With MFA in play, does it really matter whether a password is strong
and unique? The only thing in this situation it now appears to do is
authorise a phone call or email.

--
Brian.

[Brian]

On Sat 14 May 2022 at 15:21:06 +0200, to...@tuxteam.de wrote:

> On Sat, May 14, 2022 at 12:42:28PM +0100, Brian wrote:

[...]

> > Let me introduce you to my bank: they reduced the maximum 20 chars
> > to 16 and did not allow some special chars such as "!" and ".".
> > Mind you, I feel much more secure - 3FA is used :).
>
> Three? Why not go all the way to 5FA [1]?
>
> Cheers
>
> [1] https://boingboing.net/2005/09/14/gillettes-5blade-raz.html
> (not linking to the original Onion because their Javascript
> doesn't want to play with me)

I have just realised that PayPal does 5FA. It meets the Gillete
standard. Or should that be the MAD standard? Our capacity to
put up with sysadmin (management?) nonsense is unlimited.

--
Brian.

[to...@tuxteam.de]

On Sat, May 14, 2022 at 07:43:08PM +0100, Brian wrote:
> On Sat 14 May 2022 at 15:21:06 +0200, to...@tuxteam.de wrote:

[FIVE blades!1!!]

> I have just realised that PayPal does 5FA. It meets the Gillete
> standard. Or should that be the MAD standard? Our capacity to
> put up with sysadmin (management?) nonsense is unlimited.

:-o

Now I thought I had good satire. They do spoil everything, don't they?

Thanks for that data point.

Cheers
--
t

[Brian]

The scene is Margaret Thatcher in a restaurant with her Cabinet.

Waitor: What do you want, madam?
Margaret: Lamb staeks.
Waitor: What about the vegetables?
Margaret: They will have the same as me.

Satire is probably dead in today's Europe.

--
Brian.

[gene heskett]

No, it is not unlimited, Brian. Business sites in particular often have
a 20+ char pw for me, and if, after I set a 20+ char pw, I have to trim
the end of it to make it work again, they get a nastygram. My bank, about
2 years ago did some minor revamping and wound at an 8 char limit. They
not only thanked me for the nastygram, and advised me that it had been
raised to 32. I am a big enough depositor they don't want to upset me.

The nagging thing about using FF is that it drops to a secret question
and a 6 digit OTP response I've 5 minutes to respond to. And I can't set
kmail to refresh the local imap image any faster than 5 minutes...

Take care, and stay well, Brian.

Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis

[to...@tuxteam.de]

On Sat, May 14, 2022 at 08:27:46PM +0100, Brian wrote:

[...]

> The scene is Margaret Thatcher in a restaurant with her Cabinet.
>
> Waitor: What do you want, madam?
> Margaret: Lamb staeks.
> Waitor: What about the vegetables?
> Margaret: They will have the same as me.

:-)

> Satire is probably dead in today's Europe.

Satire's doing fine around here, thank you. As for the vegetables...
we're coping too, as well as we can :)

Cheers
--
t

[gene heskett]

So are we tolerating the vegetables, Tomas, but not too well.
Politicians and diapers need frequent changing, usually for the same
reason.

[to...@tuxteam.de]

On Sun, May 15, 2022 at 07:58:25AM -0400, gene heskett wrote:

[...]

> So are we tolerating the vegetables, Tomas, but not too well.
> Politicians and diapers need frequent changing, usually for the same
> reason.

I was rather thinking in terms "we vegetables are well tolerated" ;-)

Cheers
--
t

[David Wright]

On Sat 14 May 2022 at 14:02:36 (+0100), Brian wrote:
> On Sat 14 May 2022 at 12:02:49 -0000, Curt wrote:

Preventing data breaches might be outside my control, but mitigating
their effect might not be. So I like to have 2FA set up as entering
a code in response to a phone call. There's some peace of mind in my
/not/ receiving any of those calls unless /I/ try to login.

Were it to ring unexpectedly and I heard a woman with a crisp British
accent announce "Hello [pause] You have requested a code for logging
in to your account; the number is one three fave [sic] seven nine
nine; this code will expire in ten minutes", I would know something's
afoot, and I've got some urgent calls to make.

Cheers,
David.

[Curt]

On 2022-05-16, David Wright <deb...@lionunicorn.co.uk> wrote:
>>
>> Preventing data breaches are outside the scope of the user, providing
>> a high entropy password is not. If accessing a site is of importance
>> to him, then, in your plausible scenario, an eight character password
>> effectively gives little security.
>>
>> That is not an argument for 2FA but for a user having a responsible
>> password policy to guard agains such breaches.
>
> Preventing data breaches might be outside my control, but mitigating
> their effect might not be. So I like to have 2FA set up as entering

B. purports breaches are outside user control but then with alacrity
asserts that the user should guard against them.

2FA is a mitigating factor in this real-world case (and they are
*legion*). No rational argument has been presented so far as to why it
wouldn't be (all brain-damaged "theories" and ill-formed "ideologies"
and ersatz "philosophies" by the usual straw men aside).

[to...@tuxteam.de]

On Mon, May 16, 2022 at 07:59:38AM -0000, Curt wrote:

[...]

> B. purports breaches are outside user control but then with alacrity
> asserts that the user should guard against them.
>
> 2FA is a mitigating factor in this real-world case (and they are
> *legion*). No rational argument has been presented so far as to why it
> wouldn't be (all brain-damaged "theories" and ill-formed "ideologies"
> and ersatz "philosophies" by the usual straw men aside).

Difficult to say to whom you are referring to, due to lots of passive
voice being used in your post.

Just in case, let me stated that I never implied that 2FA doesn't do
any good. It /is/ a mitigation indeed. But for me, the bang it brings
isn't worth the buck it costs. Simply that.

Cheers
--
t

[Stella Ashburne]

Excuse me, Fero Dali, how is your post/question relevant to this mailing list?

[Curt]

On 2022-05-16, <to...@tuxteam.de> <to...@tuxteam.de> wrote:

> Just in case, let me stated that I never implied that 2FA doesn't do
> any good. It /is/ a mitigation indeed. But for me, the bang it brings
> isn't worth the buck it costs. Simply that.
>

But you did imply it. To the question of data breaches and sites storing
your password in plain text, you replied, "unique passwords," as if that
non sequitur in the form of sound advice rendered 2FA superfluous and
could mitigate the scenario in which your unique password is part of a
list on the darknet following a data breach.

[Celejar]

Once again, it is well understood (although, bafflingly, often not by
those who should care, such as financial institutions) that SMS is a
terrible choice for 2FA. Hardware tokens, or at least authenticator
apps, are far better. (Although as others have pointed out in this
thread, if your auth app is stored together with your password, that
can eliminate some (but not all) of the benefits of 2FA.)

--
Celejar

[Celejar]

On Sat, 14 May 2022 15:05:11 +1200
Ash Joubert <a...@transient.nz> wrote:

> On 14/05/2022 00:42, Michael Stone wrote:
> > On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> >> A loong password is not "equivalent" to 2FA, that's right. Good
> >> password management (of which length is but a part) is as secure
> >> as 2FA.
> >
> > No, it really isn't.
>
> A good password will not protect you from password reset via a weak
> channel such as email on an insecure server.
>
> 2FA will not protect you if the second factor is weak or resolves to the
> same device. Hint: if you store your password and TOTP key in the same
> manager then you have only one factor.

But as you concede below, this is an argument against poorly
implemented 2FA, not against well-implemented 2FA.

> 2FA often smells to me like security theatre, a band-aid over a sucking
> chest wound of weak security practices, much like forced password
> expiry. Done well, in addition to good security practices, including
> strong unique random passwords, 2FA enhances security, but the cost is
> high. Note however that the cost of a compromise can be devastating.

Is the cost really that high? U2F hardware keys are readily available
for as little as $15 USD (perhaps less - I just took a very quick look
on Amazon), and they can secure all your accounts (that support U2F
2FA).

> If you use 2FA, you must include it in your disaster recovery plans.
> Imagine all your on-site devices including your phone are destroyed. Now
> recover.

A very good point. For that, well-implemented 2FA systems typically
encourage the printing out / saving of a handful of OTP passcodes
(which you should backup / print out and save offsite). But of course,
the same is true for passwords as well (assuming you're using (as you
should) long, random ones that are difficult or impossible to remember).

But I agree that it's complicated:

https://dmitryfrank.com/articles/backup_u2f_token

--
Celejar

[Brian]

Something may be untoward, but it very likely won't be as a result of
your 16/20 character, high entropy password being brute-forced after a
data breach at your credit card provider. This mitigation technique
should be sufficient to bring peace of mind.

OTOH, 2FA is part of the regulatory aspect for some financial entities
and impossible to avoid. Of what use is a strong password in that
situation? Strong or weak, autherntication now takes place with the
second factor.

--
Brian.

[David Wright]

Sure, there's always the argument that your password only has to be
difficult enough to crack that numerous others will already be being
exploited. There's no point in their trying to crack more and more
difficult passwords when there's already a plentiful harvest available.

> OTOH, 2FA is part of the regulatory aspect for some financial entities
> and impossible to avoid. Of what use is a strong password in that
> situation? Strong or weak, autherntication now takes place with the
> second factor.

Technically, it's only the "second" factor because it's normally
solicited by success with the password. It doesn't /have to/ be
that way. For example, I could schedule a code to be sent to my
phone at noon every Tuesday and, if I chose to use it, authentication
would take place with what we're currently calling the "first" factor,
the password.

One facility I didn't mention in connection with 2FA by phone. It's
conventional when you log in to be reminded of when you logged in
previously. With 2FA, I don't have to stretch my memory cells to
recall when that was, I can just look at the list of dialled calls.

(Note: I'm only explaining why 2FA by phone suits me. I'm not making
any arguments with respect to the exchanges further up the thread.)

Cheers,
David.

[Brian]

On Thu 12 May 2022 at 10:08:01 -0000, Virgo Pärna wrote:

> On Wed, 11 May 2022 20:09:14 +0200, Fero Dali <fero...@gmail.com> wrote:
> > Sorry for misunderstanding: it seems that my account will continue to work but
> > ability to download mail with POP3 without OAUTH2 will be unavailable.
> >
>
> Actually, even without OAUTH2 it should be still possible. With
> two factor authentication enabled it is possible to generate app
> password for use with standard authentication.

It's June 1st and my ability to collect mail via POP3 from gmail is
unimpaired. No OAUTH2 or 2FA at this site. Whatever Google intended
the situation to be after May 30th, it appears the interpretation by
some users of their mail was off the mark.

--
Brian.

[Patrick Bartek]

Still works here, too. Claws-mail 3.17.3 IMAP. No OAuth2 or 2FA.
Neither of which this version of Claws supports, IIRC. Of course,
notification email did say "may not" not won't.

FWIW: Yahoo mail ceased working with Claws several years ago due to
security changes. Though still accessible via web browser with only a
password.

B

[Brian]

On Wed 01 Jun 2022 at 10:44:17 -0700, Patrick Bartek wrote:

> On Wed, 1 Jun 2022 18:04:02 +0100
> Brian <ad...@cityscape.co.uk> wrote:
>
> > On Thu 12 May 2022 at 10:08:01 -0000, Virgo Pärna wrote:
> >
> > > On Wed, 11 May 2022 20:09:14 +0200, Fero Dali <fero...@gmail.com>
> > > wrote:
> > > > Sorry for misunderstanding: it seems that my account will
> > > > continue to work but ability to download mail with POP3 without
> > > > OAUTH2 will be unavailable.
> > >
> > > Actually, even without OAUTH2 it should be still possible.
> > > With two factor authentication enabled it is possible to generate
> > > app password for use with standard authentication.
> >
> > It's June 1st and my ability to collect mail via POP3 from gmail is
> > unimpaired. No OAUTH2 or 2FA at this site. Whatever Google intended
> > the situation to be after May 30th, it appears the interpretation by
> > some users of their mail was off the mark.
> >
>
> Still works here, too. Claws-mail 3.17.3 IMAP. No OAuth2 or 2FA.
> Neither of which this version of Claws supports, IIRC. Of course,
> notification email did say "may not" not won't.

Indeed, the mail did say that. However, many vociferous users went
into Chicken Licken mode and forecast distaster.

--
Brian.

[nemo]

On Wed, Jun 1, 2022 at 10:24 PM mick crane <mick....@gmail.com> wrote:

I'd just allowed non secure apps a year or so ago and seems to be still
working.

mick

Me too except today it doesn't seem to be working. must test but I think I've been shut out, using Alpine with non-secure apps switched on.

fjd

[rhkr...@gmail.com]

On Thursday, June 02, 2022 11:13:14 AM nemo wrote:
> Me too except today it doesn't seem to be working. must test but I think
> I've been shut out, using Alpine with non-secure apps switched on.
> fjd

My gmail (normally delivered by pop3 to my old version of kmail (on Wheezy)
stopped working around 8:30 am this morning.

I set up an application specific password this morning, and that old version of
kmail (version 1.13.7 for kde 4.8.4 on Debian Wheezy) works again using pop3

I had a little trouble setting it up until I got to the right place in google
-- I first tried to change the settings on the gmail webclient page but
couldn't find the correct options. Then logged in on google.com and did find
the correct option (Security), and then, in general terms, turned on 2 step
verification and eventually found the option to set up an application specific
password.

I then entered that in place of the old passwords in kmail. (I don't think it
stated it -- I wasn't sure whether to enter the spaces as part of the password
or not -- I did, and that worked.)

[pa...@quillandmouse.com]

I had this same problem starting about the same time. I was in the
middle of another project and didn't have time to deal with it.
Claw-Mail was issuing error alerts every 10 minutes as it would try to
fetch gmail.

However, as of about 30 minutes ago, it is now working again, and I did
nothing to it.

Paul


--
Paul M. Foster
Personal Blog: http://noferblatz.com
Company Site: http://quillandmouse.com
Software Projects: https://gitlab.com/paulmfoster

[Felmon Davis]

that's my experience too - right now email via Alpine seems to be
working again.

however I do intend to follow rhkramer's path and do the 2fa
and the "app-specific password" two-step.

guess Google's still trying to figure out which 3rd-party clients they
dislike.

fjd

--
Davis

Verbum sat sapienti.

[rhkr...@gmail.com]

On Thursday, June 02, 2022 01:59:45 PM rhkr...@gmail.com wrote:
> I then entered that in place of the old passwords in kmail. (I don't think
> it stated it -- I wasn't sure whether to enter the spaces as part of the
> password or not -- I did, and that worked.)

An update -- that was on an old (the Debian Wheezy) version of kmail, on a
newer version of kmail, I had to take the spaces out. (Maybe on the older
version of kmail something took the spaces out automatically?)

[Curt]

On 2022-06-02, Brad Rogers <br...@fineby.me.uk> wrote:
>
> Expect access from anything other than google's own web interface to go
> away at some point in the future.
>

Bullshit.

[to...@tuxteam.de]

Famous last word.

--
t

[Felmon Davis]

On Sat, 4 Jun 2022, Brad Rogers wrote:

> On Sat, 4 Jun 2022 11:50:55 -0000 (UTC)
> Curt <cu...@free.fr> wrote:
>
> Hello Curt,
>
>> Bullshit.
>>
> Well!
>
> What a witty, erudite, cogent, well reasoned, rational and eloquently
> put explanation.
>
> I'm convinced.
>
>

not his usual stylistic savoir-faire but who cares? we'll soon know
what's going on.

I do think Google et al. sometimes make pronouncements and then don't
get off their ass ('arse' if you prefer) - that how committees work
with (or against) other committees.

for now, I still have Alpine with the app-specific setting.

[to...@tuxteam.de]

On Sat, Jun 04, 2022 at 03:45:00PM +0200, Felmon Davis wrote:
> On Sat, 4 Jun 2022, Brad Rogers wrote:
>
> > On Sat, 4 Jun 2022 11:50:55 -0000 (UTC)
> > Curt <cu...@free.fr> wrote:
> >
> > Hello Curt,
> >
> > > Bullshit.
> > >
> > Well!
> >
> > What a witty, erudite, cogent, well reasoned, rational and eloquently
> > put explanation.
> >
> > I'm convinced.
> >
> >
>
> not his usual stylistic savoir-faire but who cares? we'll soon know what's
> going on.
>
> I do think Google et al. sometimes make pronouncements and then don't get
> off their ass ('arse' if you prefer) - that how committees work with (or
> against) other committees.

I think they do constant A/B testing. Perhaps they have a built-in feedback
loop (increase B if A loses less than a given fraction or something).

> for now, I still have Alpine with the app-specific setting.

They're messing with your brain. I'd leave the sinking ship.

;-P

Cheers
--
t

[to...@tuxteam.de]

On Sat, Jun 04, 2022 at 02:24:16PM -0000, Curt wrote:
> On 2022-06-04, <to...@tuxteam.de> <to...@tuxteam.de> wrote:
> >
> >> >
>
> >> Bullshit.
> >
> > Famous last word.
> >
>
> I've already determined that your principles go no deeper than your
> dime-a-dozen opinions.

This might be due to your short-sightedness. Or not.

Cheers
--
t

[Curt]

[Curt]

On 2022-06-04, Brad Rogers <br...@fineby.me.uk> wrote:
>
>>Bullshit.
>>
> Well!
>
> What a witty, erudite, cogent, well reasoned, rational and eloquently
> put explanation.
>
> I'm convinced.
>

That's what's missing from *your* affirmation and the very reason it is
pure bullshit.

[Felmon Davis]

the furniture, Gentlemen, mind the furniture!

we have an announcement of Google's intent. let's see if they carry it
out. and if they follow through, there is a work-around which rhkramer
and others have used.

I'm kinda thinking they are wrangling among themselves. but we don't
have to.

[Felmon Davis]

I misspoke or miswrote: I have Alpine running but *without* the

app-specific setting.

> They're messing with your brain. I'd leave the sinking ship.
>

I'm glad to have my Alpine still. we'll see.

[to...@tuxteam.de]

On Sat, Jun 04, 2022 at 04:39:39PM +0200, Felmon Davis wrote:

[...]

> the furniture, Gentlemen, mind the furniture!

That one's good :-)

Thanks for a hearty laugh!

Cheers
--
t

[to...@tuxteam.de]

On Sat, Jun 04, 2022 at 07:21:57PM +0200, Felmon Davis wrote:
> On Sat, 4 Jun 2022, to...@tuxteam.de wrote:

[...]

> I misspoke or miswrote: I have Alpine running but *without* the app-specific
> setting.
>
> > They're messing with your brain. I'd leave the sinking ship.
> >
>
> I'm glad to have my Alpine still. we'll see.

I wasn't thinking of Alpine when I wrote "sinking ship" ;-)

Alpine is free software. Free software never sinks ;-) ;-)

Cheers
--
t

[sp...@caiway.net]

Hi,


IMO I would search for another mail account.

I use google mail only for sites where i expect SPAM.

Last time I checked google mail is some 3 years ago.


So I tried my provider's mail account.

There it is not possible to send to protonmail.
It has also no working web interface.

So I am also in the search for a good free provider.

Arne



On Wed, 11 May 2022 15:25:34 +0200
Fero Dali <fero...@gmail.com> wrote:

> I got a warning from google that my account will be discontinued.
>
> > On May 30, you may lose access to apps that are using less secure sign-in
> > technology
> > To help keep your account secure, Google will no longer support the use of
> > third-party apps or devices which ask you to sign in to your Google Account
> > using only your username and password. Instead, you’ll need to sign in
> > using Sign in with Google
>
> I have used a google account to read email from mailing lists. I am using
> fetchmail to get emails from google. Now it says it will discontinue this
> access to my mail. I do not want to use webmail (I need to receive my mail
> on my computer). Is there a way to somehow download emails from gmail
> as I used to after May 30?
>
> Thanks
>

[Richard Owlett]

On 06/04/2022 01:50 PM, sp...@caiway.net wrote:
*SNIP*

>
> So I am also in the search for a good free provider.
>

FREE COSTS *TOO MUCH* !!!!!!!!!!!!!!!!!!!!!!!!

If you think Google et al are charities

I have a bridge for sale in Brooklyn.

[John Hasler]

Arne writes:
> So I am also in the search for a good free provider.

Why does it need to be free?
--
John Hasler
jo...@sugarbit.com
Elmwood, WI USA

[sp...@caiway.net]

Hi,

My first mail provider (in Oslo) promised free mailadress for life.

Then it was sold to a kapitalist and they started to ask money.

I do not like that.

I know it is possible to run a free host.

By volunteers running the server for example.



Arne

[John Hasler]

sp...@caiway.net writes:
> I know it is possible to run a free host.
> By volunteers running the server for example.

There are expenses. Who pays them?

[sp...@caiway.net]

On Sat, 04 Jun 2022 15:34:19 -0500
John Hasler <jo...@sugarbit.com> wrote:

> sp...@caiway.net writes:
> > I know it is possible to run a free host.
> > By volunteers running the server for example.
>
> There are expenses. Who pays them?

There will be always volunteers for learning/perfectioning a mailserver.

Donations for the best mailserver in the world for example.

IMHO

Arne

[wec]

On 6/4/22 4:02 PM, sp...@caiway.net wrote:

> Hi,
>
> My first mail provider (in Oslo) promised free mailadress for life.
>
> Then it was sold to a kapitalist and they started to ask money.
>
> I do not like that.
>
> I know it is possible to run a free host.
>
> By volunteers running the server for example.

Why not you be the first volunteer???

[Edwin Zimmerman]

> There will be always volunteers for learning/perfectioning a mailserver.
>
> Donations for the best mailserver in the world for example.

As a sysadmin of a mailserver, I can tell you this would never be able to compete on uptime, security, and features of gmail.

[Alain D D Williams]

On Sat, Jun 04, 2022 at 10:02:05PM +0200, sp...@caiway.net wrote:
> Hi,
>
> My first mail provider (in Oslo) promised free mailadress for life.
>
> Then it was sold to a kapitalist and they started to ask money.
>
> I do not like that.
>
> I know it is possible to run a free host.
>
> By volunteers running the server for example.

Oh - great ... please do us all a favour and set up a free host and give us
free addresses for life.

Thanks!

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>

[sp...@caiway.net]

Hi,

The reason:

I am promoting a free volunteer-run run society.

This mailing list as example for how I learned. Thanks!

Things go faster and better.


All those commercial ones only have one goal: make more profit.

Led by stupid managers with only $ $ eyes giving orders to developers.


Thanks,

have a nice day

Arne

[sp...@caiway.net]

rsync to every country for example

# uprecords
# Uptime | System Boot up
----------------------------+---------------------------------------------------
1 131 days, 03:28:53 | Linux 4.19.152 Fri Mar 12 16:19:55 2021
2 77 days, 18:00:15 | Linux 5.10.0-8-amd64 Tue Oct 12 02:00:22 2021
3 71 days, 00:45:31 | Linux 5.10.0-8-amd64 Sun Jan 9 23:44:43 2022
4 62 days, 05:55:04 | Linux 5.7.10-arne-t620q Mon Aug 3 19:35:15 2020
5 52 days, 07:34:58 | Linux 5.10.0-8-amd64 Fri Aug 20 18:25:01 2021
-> 6 49 days, 16:57:39 | Linux 5.10.0-8-amd64 Sat Apr 16 06:23:31 2022
7 34 days, 23:00:23 | Linux 4.19.152 Sun Dec 6 18:30:36 2020
8 34 days, 02:00:06 | Linux 4.19.152 Mon Nov 2 16:03:18 2020
9 29 days, 13:00:08 | Linux 4.19.0-6-amd64 Thu Nov 21 02:59:06 2019
10 26 days, 15:55:15 | Linux 5.3.0-0.bpo.2-amd6 Fri Jun 26 00:46:57 2020
----------------------------+---------------------------------------------------
1up in 2 days, 14:37:20 | at Tue Jun 7 13:58:29 2022
no1 in 81 days, 10:31:15 | at Thu Aug 25 09:52:24 2022
up 946 days, 19:40:23 | since Wed Oct 30 18:46:50 2019
down 1 day , 07:53:57 | since Wed Oct 30 18:46:50 2019
%up 99.860 | since Wed Oct 30 18:46:50 2019

on the downtime: powerloss, experimenting, learning

on a thin client I keep a webserver running at home:

https://linuxmuseum.arnekai.net/

538Mb now

And now I am setting up buku server, I found another job of playing with debian/devuan

That is an example of working with volunteers

PS.

I could use some mirrors

keeping linux history is important

[sp...@caiway.net]

NO!

Some people like to work for a boss and follow orders from imbiciles.


Arne

On Sat, 4 Jun 2022 19:40:34 -0500
Larry Martell <larry....@gmail.com> wrote:

> On Sat, Jun 4, 2022 at 4:17 PM sp...@caiway.net <sp...@caiway.net> wrote:
> >
> > Hi,
> >
> > The reason:
> >
> > I am promoting a free volunteer-run run society.
> >
> > This mailing list as example for how I learned. Thanks!
> >
> > Things go faster and better.
> >
> >
> > All those commercial ones only have one goal: make more profit.
> >
> > Led by stupid managers with only $ $ eyes giving orders to developers.
>

> So you are against people making profit for their labors?

[Larry Martell]

On Sat, Jun 4, 2022 at 4:17 PM sp...@caiway.net <sp...@caiway.net> wrote:
>

> Hi,
>
> The reason:
>
> I am promoting a free volunteer-run run society.
>
> This mailing list as example for how I learned. Thanks!
>
> Things go faster and better.
>
>
> All those commercial ones only have one goal: make more profit.
>
> Led by stupid managers with only $ $ eyes giving orders to developers.

[Larry Martell]

On Sat, Jun 4, 2022 at 7:44 PM sp...@caiway.net <sp...@caiway.net> wrote:
>
> NO!
>
> Some people like to work for a boss and follow orders from imbiciles.

You sound like an imbecile to me.

[John Hasler]

Please don't feed the troll.