Firewall Wizards mailing list archives
RE: Sourceforge sending out passwords in the clear.
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Fri, 2 Aug 2002 11:04:55 -0500
<snip>
If you have my mailman password, you can unsubscribe me from the list (should be obvious when I stop receiving messages,) set me to digest, set me to nomail, and maybe a handful of other things[1]. Granted, you could MITM my mailing list traffic and if I wasn't checking headers, you'd probably get me- but overall, that's not a huge risk (it sends list manager passwords too- a much higher risk, though that only happens at list creation and is easy to mitigate by not making the list live or populating it until after the password is changed.)
</snip>

I think the lesson here is described perfectly well by Paul. Risk mitigation is the craft, and to be honest there is very little risk, unless of course the user's ID and password could be used to alter something of intrinsic value.

If you are developing source code using Source Forge and this code is riddled with bugs, it could cause problems. However, one would hope the code would be prescreened prior to compilation. If you feel that Source Forge is a risk/threat to your assets you should mitigate this by either not using Source Forge for development of serious software, not using the same IDs and passwords on the list that you use for other sensitive accounts, and finally, if you must use either, then making sure you can mitigate the risk by a) performing code reviews and integrity checks and b) frequently changing the passwords.

However, if this was periodically sent out, I would consider this bad practice. If it is the intention to remind users of their accounts, sufficient email notification should be the first contact point. Passwords shouldn't be emailed out unless induced by a request, and then only to the email address the account is registered under.

Cheers
r.
Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA
The views expressed in this email do not represent Best Buy or any of its subsidiaries
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
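The rule in the last paragraph of the message above (mail credentials only when someone explicitly asks, and only to the address the account is registered under, never on a periodic schedule) as an added Python example. This is constructed for this archive page and is not code from the thread, from Mailman, or from SourceForge. It goes one step beyond the message: because the store keeps only a salted PBKDF2 hash, there is no clear password to mail, so what goes out is a short-lived, single-use reset token. The list server URL https://lists.example, the one-per-hour rate limit and the 15-minute token lifetime are assumptions, as is the subscriber record used in the usage at the bottom.

```python
"""Request-gated credential mailing for a list server (constructed example).

Three things the thread asks for are enforced here:
  1. nothing goes out unless a request came in (periodic mailings raise);
  2. delivery is only to the registered address, whatever the requester claims;
  3. the clear password is never mailed; only a salted hash is stored, and a
     single-use, expiring reset token stands in for the "reminder".
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumption: tune for the server's CPU budget


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest); a fresh 16-byte random salt is drawn if none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Subscriber:
    address: str          # the address the account is registered under
    salt: bytes
    digest: bytes
    last_reminder: float = 0.0   # epoch seconds of the last token mailed


class UnsolicitedMailing(Exception):
    """Raised when code tries to mail credentials nobody asked for."""


class ReminderService:
    MIN_INTERVAL = 3600   # assumption: at most one reminder per account per hour
    TOKEN_TTL = 900       # assumption: a token is good for 15 minutes
    NEUTRAL_REPLY = "If that address is subscribed, a reminder has been sent."

    def __init__(self, subscribers, clock=time.time):
        self._subs = {s.address.lower(): s for s in subscribers}
        self._clock = clock          # injectable so expiry can be tested offline
        self._tokens = {}            # token -> (registered address, expiry)
        self.outbox = []             # (recipient, body); stands in for SMTP

    def request_reminder(self, claimed_address: str, reply_to: Optional[str] = None) -> str:
        """Mail a reset token because someone asked, and only to the registered address.

        The reply is the same whether or not the address is subscribed, and
        whether or not the rate limit kicked in, so the endpoint does not
        confirm membership to whoever is asking.
        """
        sub = self._subs.get(claimed_address.strip().lower())
        now = self._clock()
        if sub is None or now - sub.last_reminder < self.MIN_INTERVAL:
            return self.NEUTRAL_REPLY
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (sub.address, now + self.TOKEN_TTL)
        sub.last_reminder = now
        # reply_to is deliberately not used for delivery: a forged request
        # cannot redirect the mail to an attacker's mailbox.
        body = (f"Reset link (valid 15 minutes, single use): "
                f"https://lists.example/reset?token={token}")
        self.outbox.append((sub.address, body))
        return self.NEUTRAL_REPLY

    def periodic_reminder(self):
        """The scheduled 'here is your password' mailing the thread objects to."""
        raise UnsolicitedMailing("credentials are mailed only on explicit request")

    def redeem(self, token: str, new_password: str) -> bool:
        """Set a new password if the token is known, unexpired and unused."""
        entry = self._tokens.pop(token, None)   # pop: a token works exactly once
        if entry is None:
            return False
        address, expiry = entry
        if self._clock() > expiry:
            return False
        sub = self._subs[address.lower()]
        sub.salt, sub.digest = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed subscriber; a forged Reply-To must not change the recipient.
    salt, digest = hash_password("correct horse battery staple")
    svc = ReminderService([Subscriber("alice@example.org", salt, digest)])
    svc.request_reminder("Alice@Example.org", reply_to="mallory@attacker.example")
    for recipient, body in svc.outbox:
        print(recipient, "<-", body)
```

The neutral reply and the ignored Reply-To are the two places where a naive reminder endpoint usually leaks: the first turns the endpoint into a membership oracle, the second turns it into a way to have someone else's credential mailed to you. Both are cheap to get right once the mailing is request-driven in the first place.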
Current thread:
- Sourceforge sending out passwords in the clear. Anton J Aylward, CISSP (Aug 02)
- Re: Sourceforge sending out passwords in the clear. Paul Robertson (Aug 02)
- Re: Sourceforge sending out passwords in the clear. R. DuFresne (Aug 02)
- <Possible follow-ups>
- RE: Sourceforge sending out passwords in the clear. Scott, Richard (Aug 02)
- Re: Sourceforge sending out passwords in the clear. Paul Robertson (Aug 02)