From: Aioe
Newsgroups: news.software.nntp
Subject: Re: Postfilter guide
Date: Thu, 8 Sep 2022 15:32:14 +0200
Organization: Aioe.org NNTP Server
Message-ID:
References: <18a6ab47-cb69-9cb3-a96c-ffab276f9c5b@bofh.team>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
X-Notice: Filtered by postfilter v. 0.9.2
Content-Language: en-US

On 07/09/22 16:57, Frank Slootweg wrote:

> What's so hard about authentication?

Aioe.org has been running without authentication for about 22 years and has never caused major abuse problems. Authentication has two problems: it must be managed and it requires the retention of personal data.

A system without authentication is much easier to manage because the administrative part consists only of keeping the part of the logs that indicates who posted each message. You have no other obligations. When creating an authentication-protected system, you must allow users to register in a way that makes it hard to create fake identities. Nowadays this takes time, a lot of system resources and in any case it doesn't guarantee you won't have problems. Doing without authentication means you don't have to worry about CAPTCHAs, users who use 1234 as passwords, people asking you what 'username' means.

In recent years, managing users' personal data has become complicated for small projects. Since name, surname, email and date of birth are considered personal data, if you collect this data to identify your users when they register then the processing of this data requires precautions. You have to keep this data safe and this is expensive; you have to equip yourself with procedures to manage this data and this is complicated and requires writing several documents; you must have systems that allow you to identify who is accessing the data and which data is being read. If you don't do these things you risk a hefty fine.

Then you have to manage the crazy guys: if someone writes you an email and asks you what personal data you have on file, you have to answer quickly and correctly even if he registered three years ago and logged in twice in total. If someone asks you to delete his personal data you must obey and you must also delete it from the backups. For long-lived servers this can become a serious problem.

If you give up authentication, you solve all these problems at once: you simply do not collect, process and store personal data of users.