    • CommentAuthor: ilikepi
    • CommentTime: May 23rd 2008

    the idea of the waiting period opens a small potential for a DoS on the storage system. you’d have to keep the system image around during the waiting period (in case the deletion was illegitimate). so someone with unauthorized access could create a large number of images and delete them all at once, forcing them all to sit in the queue and take up space.

    also, i’m a bit too paranoid to trust openID for something this critical at this point. it’s been around for a little while, but not long enough for my taste.

    i think emailed login notifications are a good idea, as is scrapping the root password email. the “enable” mode (kind of like sudo access) seems plausible…though just having a second password doesn’t really protect against things like sticky note theft…

    • CommentAuthor: Shpigford
    • CommentTime: May 23rd 2008

    The idea of emailing login attempts is pretty much useless if the malicious user somehow has your password already (possibly from a hijacked email account or anything really). Even if they try multiple times (and you get multiple emails saying someone is trying to log in), you still are powerless against them deleting your entire slice.

    There needs to be more security at the action level, not necessarily the login level.

    • CommentAuthor: lex
    • CommentTime: May 23rd 2008
    That's why you have backups. You do have backups, right?
    • CommentAuthor: jords
    • CommentTime: May 23rd 2008
    Could be worrying if your backups are with slicehost though..... they could delete them at the same time as deleting the slice
    • CommentAuthor: Shpigford
    • CommentTime: May 23rd 2008
    Posted By: lex
    "That's why you have backups. You do have backups, right?"

    Of course. But I wasn't aware that having backups was good enough security for this.

    Just "having backups" is hardly a solution here.
    • CommentAuthor: ilikepi
    • CommentTime: Jun 2nd 2008

    Hey check this out…it’s a new hardware token device. It’s completely open; the company is only trying to make money on the hardware. It’s designed to be integrated with OpenID and other authentication systems.

    Yubico
    Security Now episode discussing it

    There’s a PAM module under development too.

    • CommentAuthor: nek4life
    • CommentTime: Jun 2nd 2008
    Why not have a series of security questions that are previously entered and then requested when you are doing destructive tasks such as deleting your slice?

    You could also offer customers the opportunity to enter their primary IP addresses; then, whenever they log in, you could audit the IP address and verify it against their list. If it does not match an IP that's on the list, a warning comes up the next time you log in that you may need to change your password. This would be an extra feature a customer could turn on or off and would work as long as there is some kind of secondary protection for destructive tasks.
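
The login IP audit proposed in the last comment, sketched as an added example that is not part of any poster's message or of Slicehost's code. The `Account` fields, function names and sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    # Hypothetical per-customer settings (names are assumptions for this sketch).
    audit_enabled: bool = True                    # customer can turn the audit off
    trusted: list = field(default_factory=list)   # primary IPs or CIDR ranges
    pending_warning: Optional[str] = None         # shown at the next login

def ip_is_trusted(account: Account, source_ip: str) -> bool:
    """True if source_ip falls inside any entry of the customer's list."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable source address is never trusted
    for entry in account.trusted:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False

def record_login(account: Account, source_ip: str) -> Optional[str]:
    """Audit a successful login.

    Returns the warning queued by the previous login (if any), then queues
    a new one when this login came from an address not on the list.
    """
    to_show, account.pending_warning = account.pending_warning, None
    if account.audit_enabled and not ip_is_trusted(account, source_ip):
        account.pending_warning = (
            f"A login came from unlisted address {source_ip}; "
            "you may need to change your password."
        )
    return to_show

def authorize_destructive(account: Account, source_ip: str, secondary_ok: bool):
    """Destructive tasks (e.g. deleting a slice) always need the secondary
    check; a listed IP alone is never sufficient."""
    if not secondary_ok:
        return (False, "secondary check required")
    if account.audit_enabled and not ip_is_trusted(account, source_ip):
        account.pending_warning = f"Destructive action from unlisted address {source_ip}."
    return (True, "ok")
```

The warning is advisory only: the IP list never blocks a login or authorizes a deletion by itself, which matches the comment's condition that destructive tasks keep their own secondary protection.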