57 points by rasjani 4 hours ago | 8 comments
  • sam_lowry_ 2 hours ago
    Reminds me of the famous "Our security auditor is an idiot. How do I give him the information he wants?" [1]

    [1] https://serverfault.com/questions/293217/our-security-audito...

    • rcxdude an hour ago
      Is there some part of PCI auditing requirements that is getting misinterpreted by some auditors to demand this? Though in my experience with standards like this what auditors want to see and what the standards say often have only loose overlap anyhow.
    • zvqcMMV6Zcr 38 minutes ago
      That is crazier than any old dailywtf stories, and that site felt like everyone tried to one-up each other.
  • Freak_NL 3 hours ago
    The FSFE justly drew the line at providing private information of supporters. How many other customers of Nexi simply handed over such data 'because audit'?
    • rasjani 3 hours ago
      So this was not only about FSFE and payments for them but a general audit of their (Nexi's) customers?
      • rcxdude an hour ago
        It seems unlikely that the FSFE is the first customer they have asked for this information.
      • TavsiE9s 3 hours ago
        That’s how I read the linked post as well, yes.
  • samsk 34 minutes ago
    We work with MLS provider(s) that require us to keep plaintext passwords for our users and provide them on request in case of `breach in the security of MLS Listing Information or a violation of MLS Rules`.

    The user is accessing only a copy of their data in _our_ systems; the user has no contact with MLS itself, directly or indirectly.

  • eequah9L 2 hours ago
    > Over the past few months, our former payment provider Nexi S.p.A. (“Nexi”) requested access to private data, which we understood to be specifically the usernames and passwords of our supporters.

    I must be missing something, but why is there an expectation that clear text passwords would even be known?

    • rcxdude an hour ago
      Probably because most people haven't internalized how password hashing works.
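The point rcxdude makes above is the crux of the thread: a service that hashes passwords properly holds nothing it could hand over. The following added example (not code from the thread, the FSFE, or Nexi) shows what a service actually stores and checks, using PBKDF2-HMAC-SHA256 from the Python standard library. The record layout, the iteration count, and the `audit_view` helper are assumptions made for this illustration; the demo user name and password are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption for this demo: PBKDF2 iteration count. Real deployments should
# follow current guidance for their chosen KDF rather than copy this value.
ITERATIONS = 210_000


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a service persists at signup or password change.

    Only a random salt and the derived hash are kept; the password string
    itself never enters the record, so it cannot be disclosed later.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {
        "alg": "pbkdf2-sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Login check: re-derive from the candidate and compare in constant time.

    This is the only operation the stored record supports; there is no
    inverse that yields the original password.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def holds_plaintext(record: dict, password: str) -> bool:
    """True if the stored record contains the password in any field."""
    return any(password in str(value) for value in record.values())


def audit_view(record: dict) -> dict:
    """What a service can legitimately show an auditor: the scheme and its
    parameters, which describe how credentials are protected without
    revealing any per-user secret (assumed helper for this demo)."""
    return {"alg": record["alg"], "iterations": record["iterations"]}


if __name__ == "__main__":
    # Constructed demo user; not real credentials.
    rec = store_password("correct horse battery staple")
    print("stored record:", rec)
    print("login ok:", verify_password(rec, "correct horse battery staple"))
    print("wrong password:", verify_password(rec, "Tr0ub4dor&3"))
    print("plaintext recoverable from record:", holds_plaintext(rec, "correct horse battery staple"))
    print("auditor-facing view:", audit_view(rec))
```

Two users with the same password get different records because each has its own salt, so even comparing hashes across accounts reveals nothing; the only thing the service can assert about a supporter's password is whether a presented candidate matches.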
  • butokai 3 hours ago
    As an Italian living in another EU country, I always thought that the amount of (broken) bureaucracy of Italy was not particularly worse. However this story comes after a couple more I heard this week, in a line of absurd practice possibly due to absurd regulations.
  • littlecranky67 2 hours ago
    Every time people say bitcoin has no use case, I'd like to point them to cases like this.
    • zvqcMMV6Zcr 35 minutes ago
      I will bite. How do I set up recurring crypto payments/donations for my site? How big a cut will be taken by the intermediary?
  • janpio 2 hours ago
    So what did Nexi really want, and how did it get mangled so badly that it came out as "specifically the usernames and passwords of our supporters"?
    • rcxdude an hour ago
      It's entirely possible that is actually what they wanted (at least what the people in the company they were talking to wanted). I suspect that "we understood to mean" is language carefully designed to avoid a lawsuit.
  • grigio 2 hours ago
    Maybe now more F/OSS supporters will understand the need for Bitcoin/Monero.
    • g947o 32 minutes ago
      You could put it this way, but to me the bigger question is why would a payment processor have such ridiculous requests? That probably should be examined first.
    • jasonvorhe 2 hours ago
      Not unless they start questioning the Club of Rome induced climate scam.