Firewall Wizards mailing list archives

RE: Sourceforge sending out passwords in the clear.


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Fri, 2 Aug 2002 11:04:55 -0500

<snip>
If you have my mailman password, you can unsubscribe me from the list 
(should be obvious when I stop receiving messages,) set me to digest, set 
me to nomail, and maybe a handful of other things[1].  

Granted, you could MITM my mailing list traffic and if I wasn't checking 
headers, you'd probably get me- but overall, that's not a huge risk (it 
sends list manager passwords too- a much higher risk, though that only 
happens at list creation and is easy to mitigate by not making the list live
or 
populating it until after the password is changed.)
</snip>

I think the lesson here is described perfectly well by Paul.  Risk
mitigation is the craft, and to be honest there is very little risk, unless
of course the user's id and password could be used to alter something of
intrinsic value.  If you are developing source code using Source Forge and
this code is riddled with bugs, it could cause problems.  However, one would
hope the code would be prescreened prior to compilation.

If you feel that Source Forge is a risk/threat to your assets, you should
mitigate this by either not using Source Forge for development of serious
software, or not using the same ids and passwords on the list that you use
for other sensitive accounts; and finally, if you must use either, then make
sure you can mitigate the risk by a) performing code reviews and integrity
checks and b) frequently changing the passwords.

However if this was periodically sent out, I would consider this bad
practice.  If it is the intention to remind users of their accounts,
sufficient email notification should be the first contact point.  Passwords
shouldn't be emailed out unless induced by a request and then only to the
email address the account is registered under.

Cheers
r.


Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries





_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
