Firewall Wizards mailing list archives
Re: Sourceforge sending out passwords in the clear.
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 2 Aug 2002 14:23:00 -0400 (EDT)
On Fri, 2 Aug 2002, Paul Robertson wrote:

[SNIP]
If you have my mailman password, you can unsubscribe me from the list (should be obvious when I stop receiving messages,) set me to digest, set me to nomail, and maybe a handful of other things[1]. Granted, you could MITM my mailing list traffic and if I wasn't checking headers, you'd probably get me- but overall, that's not a huge risk (it sends list manager passwords too- a much higher risk, though that only happens at list creation and is easy to mitigate by not making the list live or populating it until after the password is changed.)
[SNIP]
You'd be surprised at the administrative stuff I deal with now, and this list holds a very high ratio of clueons.
Many mailman lists do this monthly send of the passwords and account info, as well as some including charter info for the lists these days since so many are moving over to mailman. The Firewalls list does so monthly, FULL-Disclosure does also. So far I do not recall any of the security focus lists doing so, we read a number of those. But, for those lists that do, we have not encountered any problems.

I've seen instances of users with full mail box notices or address no longer valid messages get dropped from the Firewalls list due to one of the list readers there forging unsubscribes, so perhaps the password info is not always necessary...

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards