Firewall Wizards mailing list archives

Re: Sourceforge sending out passwords in the clear.


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 2 Aug 2002 14:23:00 -0400 (EDT)

On Fri, 2 Aug 2002, Paul Robertson wrote:

        [SNIP]


If you have my mailman password, you can unsubscribe me from the list 
(should be obvious when I stop receiving messages,) set me to digest, set 
me to nomail, and maybe a handful of other things[1].  

Granted, you could MITM my mailing list traffic and if I wasn't checking 
headers, you'd probably get me- but overall, that's not a huge risk (it 
sends list manager passwords too- a much higher risk, though that only 
happens at list creation and is easy to mitigate by not making the list live or 
populating it until after the password is changed.)


        [SNIP]


You'd be surprised at the administrative stuff I deal with now, and this 
list holds a very high ratio of clueons.


Many mailman lists do this monthly send of the passwords and account info,
as well as some including charter info for the lists these days since so
many are moving over to mailman.  The Firewalls list does so monthly,
FULL-Disclosure does also.  So far I do not recall any of the security
focus lists doing so, we read a number of those.  But, for those lists
that do, we have not encountered any problems.  I've seen instances of
users with full mail box notices or address no longer valid messages get
dropped from the Firewalls list due to one of the list readers there
forging unsubscribes, so perhaps the password info is not always
necessary...

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

