Sourceforge sending out passwords in the clear.

["Anton J Aylward, CISSP" <aja () si on ca>]

I understand this list is managed by "mailman".  I just received 
a mail message from Sourceforge, the open source development site.
Their list is managed by mailman as well.  Being heads-up about security,
the people here have got this one right ;-)  

> This is a password reminder sent via Mailman (http://www.list.org/),
> mailing list software used  by SourceForge, every month. 

Further down was my login ID and password in the clear.
I consider this to be an irresponsible breach of basic good 
security practice.  They should know better than to send such 
things in the clear over an unsecured store-and-forward medium.

You don't have to be a developer to "join" sourceforge.

Being periodic, this is predictable.  The consequent risks of that 
are pretty obvious.

I'm told this is the default action for mailman,.  If so, its a 
bad default; Marcus isn't the only one who rails against such stupidity, 
but as the saying goes, "even the Gods ...".

But I've also been on the sourceforge list for nearly a year and this 
is the first time I've received this message, so "obviously" something
has changed.  What happened?  Some newbie sysadmin thinking he's being 
smart and helpful?

Or perhaps I read the Risks Digest too often.


/anton
--
Hardware has grown following Moore's Law, 
software seems to be stuck with Gresham's Law.
  -Jim Horning, Inside Risks 
         133 CACM 44, 7, July 2001
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards