Firewall Wizards mailing list archives
Sourceforge sending out passwords in the clear.
From: "Anton J Aylward, CISSP" <aja () si on ca>
Date: 02 Aug 2002 07:16:49 -0400
I understand this list is managed by "mailman". I just received a mail message from Sourceforge, the open source development site. Their list is managed by mailman as well. Being heads-up about security, the people here have got this one right ;-)
This is a password reminder sent via Mailman (http://www.list.org/), mailing list software used by SourceForge, every month.
Further down was my login ID and password in the clear.

I consider this to be an irresponsible breach of basic good security practice. They should know better than to send such things in the clear over an unsecured store-and-forward medium. You don't have to be a developer to "join" sourceforge. Being periodic, this is predictable. The consequent risks of that are pretty obvious.

I'm told this is the default action for mailman. If so, it's a bad default; Marcus isn't the only one who rails against such stupidity, but as the saying goes, "even the Gods ...".

But I've also been on the sourceforge list for nearly a year and this is the first time I've received this message, so "obviously" something has changed. What happened? Some newbie sysadmin thinking he's being smart and helpful?

Or perhaps I read the Risks Digest too often.

/anton
--
Hardware has grown following Moore's Law, software seems to be stuck with Gresham's Law.
-Jim Horning, Inside Risks 133 CACM 44, 7, July 2001
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards