Firewall Wizards mailing list archives

Re: Sourceforge sending out passwords in the clear.


From: Paul Robertson <proberts () patriot net>
Date: Fri, 2 Aug 2002 10:39:46 -0400 (EDT)

On 2 Aug 2002, Anton J Aylward, CISSP wrote:

> I understand this list is managed by "mailman".  I just received 
> a mail message from Sourceforge, the open source development site.
> Their list is managed by mailman as well.  Being heads-up about security,
> the people here have got this one right ;-)  

> > This is a password reminder sent via Mailman (http://www.list.org/),
> > mailing list software used by SourceForge, every month. 

> Further down was my login ID and password in the clear.
> I consider this to be an irresponsible breach of basic good 
> security practice.  They should know better than to send such 
> things in the clear over an unsecured store-and-forward medium.

I don't know what sourceforge does with its credentials- mailman's premise 
is that the password should be unique (that is not used for "real" things) 
and used only for list operations on your list settings.  

Since "I forgot my password" is still about the most expensive IT cost, 
and most lists aren't making any money- support in the form of "mail me my 
password" is the norm if you don't want to get killed doing support.  

> I'm told this is the default action for mailman.  If so, it's a 

If you have my mailman password, you can unsubscribe me from the list 
(should be obvious when I stop receiving messages,) set me to digest, set 
me to nomail, and maybe a handful of other things[1].  

Granted, you could MITM my mailing list traffic and if I wasn't checking 
headers, you'd probably get me- but overall, that's not a huge risk (it 
sends list manager passwords too- a much higher risk, though that only 
happens at list creation and is easy to mitigate by not making the list live or 
populating it until after the password is changed.)

> But I've also been on the sourceforge list for nearly a year and this 
> is the first time I've received this message, so "obviously" something
> has changed.  What happened?  Some newbie sysadmin thinking he's being 
> smart and helpful?

Probably they moved to a new mailman installation that's set to do the 
monthly reminder thing (that's the default.)

> Or perhaps I read the Risks Digest too often.

The alternative is a mail/web combination thing- and that would make 
everything more difficult/complex- or a manual thing which would *suck*.

You'd be surprised at the administrative stuff I deal with now, and this 
list holds a very high ratio of clueons.

Paul
[1] That's the theoretical generic me- the actual me is subscribed from 
multiple accounts and reads headers.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
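For a list administrator who agrees with the concern above, the setting Paul refers to as "the monthly reminder thing (that's the default)" is a configuration knob rather than hard-wired behaviour. The fragment below is an added illustration, not taken from the thread or from SourceForge's setup; it shows the Mailman 2.x global default (in mm_cfg.py, which overrides Defaults.py) alongside the hardened value, and the equivalent per-list setting as fed to bin/config_list. The names DEFAULT_SEND_REMINDERS and send_reminders are from Mailman 2.1 as I recall them; check your installation's Defaults.py before relying on them.

```python
# --- mm_cfg.py (site-wide defaults for newly created lists) ---
# Weak setting: Mailman 2.x ships with reminders on, so every list
# mails each member's cleartext list password once a month.
# DEFAULT_SEND_REMINDERS = 1

# Hardened setting: no monthly cleartext password mailings at all.
# Members who forget their list password can still request it from
# the list's options page, so support cost is unchanged.
DEFAULT_SEND_REMINDERS = 0

# --- per-list override, applied to an existing list with
#     bin/config_list -i reminders.cfg LISTNAME
#     (contents of reminders.cfg, same Python syntax):
# send_reminders = 0
```

Changing mm_cfg.py only affects lists created afterwards, which matches Paul's observation that a fresh installation is the likely reason the reminders suddenly appeared; existing lists keep their own send_reminders value until it is changed per list.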

