Wednesday, 30 September 2015

Bristol Digest, Vol 619, Issue 1

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. Fedora 21 to 22 Now slow booting and fails to shutdown
(Peter Hemmings)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Sep 2015 15:35:13 +0100
From: Peter Hemmings <peter@hemmings.eclipse.co.uk>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: [bristol] Fedora 21 to 22 Now slow booting and fails to
shutdown
Message-ID: <560AA1A1.4020904@hemmings.eclipse.co.uk>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hi,

I am having trouble shutting down after upgrade and noticed a few
problems highlighted in "dmesg" attached.

There are problems with ACPI and a reference to an old BIOS driver which
did not happen before upgrading. There are also adjustments to speed
which might need sorting!

Any pointers as to which problems I need to address first and if I need
to go into debugging with journald?

Apologies, I may not be able to respond till later in the week.

Regards

--
Peter H
-------------- next part --------------
[ 0.000000] RAMDISK: [mem 0x35ab8000-0x36d53fff]
[ 0.000000] ACPI: Early table checksum verification disabled
[ 0.000000] ACPI: RSDP 0x00000000000F67E0 000024 (v02 LENOVO)
[ 0.000000] ACPI: XSDT 0x000000007F6D1599 00008C (v01 LENOVO TP-79 00002050 LTP 00000000)
[ 0.000000] ACPI: FACP 0x000000007F6D1700 0000F4 (v03 LENOVO TP-79 00002050 LNVO 00000001)
[ 0.000000] ACPI BIOS Warning (bug): 32/64X length mismatch in FADT/Gpe0Block: 64/32 (20150410/tbfadt-623)
[ 0.000000] ACPI BIOS Warning (bug): 32/64X length mismatch in FADT/Gpe1Block: 0/32 (20150410/tbfadt-623)
[ 0.000000] ACPI BIOS Warning (bug): Optional FADT field Gpe1Block has zero address or length: 0x000000000000102C/0x0 (20150410/tbfadt-654)
[ 0.000000] ACPI: DSDT 0x000000007F6D1B32 00D29A (v01 LENOVO TP-79 00002050 MSFT 0100000E)
[ 0.000000] ACPI: FACS 0x000000007F6F4000 000040
[ 0.000000] ACPI: FACS 0x000000007F6F4000 000040
[ 0.000000] ACPI: SSDT 0x000000007F6D18B4 00027E (v01 LENOVO TP-79 00002050 MSFT 0100000E)
[ 0.000000] ACPI: ECDT 0x000000007F6DEDCC 000052 (v01 LENOVO TP-79 00002050 LNVO 00000001)
[ 0.000000] ACPI: TCPA 0x000000007F6DEE1E 000032 (v02 LENOVO TP-79 00002050 LNVO 00000001)
[ 0.000000] ACPI: APIC 0x000000007F6DEE50 000068 (v01 LENOVO TP-79 00002050 LNVO 00000001)
[ 0.000000] ACPI: MCFG 0x000000007F6DEEB8


[ 0.239450] clocksource acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
[ 0.239643] pci 0000:00:1c.0: bridge window [mem 0x00100000-0x000fffff 64bit pref] to [bus 02] add_size 200000 add_align 100000
[ 0.239714] pci 0000:00:1f.0: BAR 13: [io size 0x0080] has bogus alignment
[ 0.239829] pci 0000:00:1c.0: res[15]=[mem 0x00100000-0x000fffff 64bit pref] res_to_dev_res add_size 200000 min_align 100000
[ 0.239836] pci 0000:00:1c.0: res[15]=[mem 0x00100000-0x002fffff 64bit pref] res_to_dev_res add_size 200000 min_align 100000
[ 0.239855] pci 0000:00:1c.0: BAR 15: assigned [mem 0x80000000-0x801fffff 64bit pref]


[ 2.214166] e1000e: Intel(R) PRO/1000 Network Driver - 2.3.2-k
[ 2.214294] e1000e: Copyright(c) 1999 - 2014 Intel Corporation.
[ 2.214472] e1000e 0000:02:00.0: Disabling ASPM L1
[ 2.214585] e1000e 0000:02:00.0: can't disable ASPM; OS doesn't have ASPM control
[ 2.216281] e1000e 0000:02:00.0: Interrupt Throttling Rate (ints/sec) set to dynamic conservative mode
[ 2.250779] [drm] Initialized drm 1.1.0 20060810
[ 2.333719] e1000e 0000:02:00.0 eth0: (PCI Express:2.5GT/s:Width x1) 00:16:41:ad:c6:ef
[ 2.333888] e1000e 0000:02:00.0 eth0: Intel(R) PRO/1000 Network Connection
[ 2.334080] e1000e 0000:02:00.0 eth0: MAC: 2, PHY: 2, PBA No: 005301-003
[ 2.336442] e1000e 0000:02:00.0 ens2: renamed from eth0
[ 2.381616] 8021q: 802.1Q VLAN Support v1.8


[ 16.920085] i801_smbus 0000:00:1f.3: SMBus using PCI interrupt
[ 16.928862] nsc-ircc, Found chip at base=0x164e
[ 16.930668] nsc-ircc, Wrong chip version ff
[ 17.042467] ACPI Warning: SystemIO range 0x0000000000001028-0x000000000000102F conflicts with OpRegion 0x0000000000001000-0x000000000000107F (\_SB_.PCI0.LPC_.PMIO) (20150410/utaddress-254)
[ 17.046041] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
[ 17.047995] ACPI Warning: SystemIO range 0x00000000000011B0-0x00000000000011BF conflicts with OpRegion 0x0000000000001180-0x00000000000011BF (\_SB_.PCI0.LPC_.LPIO) (20150410/utaddress-254)
[ 17.051778] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
[ 17.053737] ACPI Warning: SystemIO range 0x0000000000001180-0x00000000000011AF conflicts with OpRegion 0x0000000000001180-0x00000000000011BF (\_SB_.PCI0.LPC_.LPIO) (20150410/utaddress-254)
[ 17.057724] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
[ 17.059772] lpc_ich: Resource conflict(s) found affecting gpio_ich
[ 17.128760] kvm: disabled by bios
[ 17.136329] cfg80211: Calling CRDA to update world regulatory domain
[ 17.470026] ppdev: user-space parallel port driver
[ 17.488343] leds_ss4200: no LED devices found
[ 17.621903] thinkpad_acpi: ThinkPad ACPI Extras v0.25
[ 17.623950] thinkpad_acpi: http://ibm-acpi.sf.net/
[ 17.625953] thinkpad_acpi: ThinkPad BIOS 79ETC5WW (2.05 ), EC 79HT50WW-1.07
[ 17.628014] thinkpad_acpi: Lenovo ThinkPad T60, model 1952YDT
[ 17.630075] thinkpad_acpi: WARNING: Outdated ThinkPad BIOS/EC firmware
[ 17.632148] thinkpad_acpi: WARNING: This firmware may be missing critical bug fixes and/or important features
[ 17.635427] thinkpad_acpi: Unsupported brightness interface, please contact ibm-acpi-devel@lists.sourceforge.net
[ 17.640459] thinkpad_acpi: radio switch found; radios are enabled
[ 17.642551] thinkpad_acpi: This ThinkPad has standard ACPI backlight brightness control, supported by the ACPI video driver

[ 38.450044] IPv6: ADDRCONF(NETDEV_CHANGE): wls3: link becomes ready
[ 49.849025] Adjusting hpet more than 11% (2611937668 vs 2601267907)
[ 57.095159] tun: Universal TUN/TAP device driver, 1.6
[ 57.095166] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ 57.132407] device virbr0-nic entered promiscuous mode
[ 58.049196] virbr0: port 1(virbr0-nic) entered listening state
[ 58.049219] virbr0: port 1(virbr0-nic) entered listening state
[ 59.781598] virbr0: port 1(virbr0-nic) entered disabled state
[ 67.258121] fuse init (API version 7.23)
[ 106.093869] Bluetooth: Core ver 2.20
[ 106.095697] NET: Registered protocol family 31
[ 106.095703] Bluetooth: HCI device and connection manager initialized
[ 106.095712] Bluetooth: HCI socket layer initialized
[ 106.095717] Bluetooth: L2CAP socket layer initialized
[ 106.095731] Bluetooth: SCO socket layer initialized
[ 106.262855] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 106.262862] Bluetooth: BNEP filters: protocol multicast
[ 106.262869] Bluetooth: BNEP socket layer initialized
[ 709.127287] perf interrupt took too long (2508 > 2500), lowering kernel.perf_event_max_sample_rate to 50000
[peter@localhost ~]$ dmesg
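The attached log, with a small triage script as an added example (not from Peter's post, Fedora or any kernel tool): it sorts dmesg lines into the areas a practitioner would look at first, so the "which problem first?" question can be answered from the log itself. The rule set and its ordering are assumptions built from the messages visible above (the outdated-firmware warning ranks first because thinkpad_acpi itself says such firmware may be missing critical bug fixes), and the embedded sample is a constructed excerpt of those lines.

```python
"""Triage helper for a dmesg dump such as the one attached above.

Added example: it groups kernel log lines into the areas worth checking first
(outdated firmware, ACPI BIOS bugs, resource conflicts, timekeeping drift).
"""
import re
from collections import OrderedDict

# dmesg's default format: "[ seconds.micros] message"
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")

# Ordered from "check first" to "usually informational". The patterns are
# assumptions chosen from the messages in the attached log, not a kernel catalogue.
RULES = OrderedDict([
    ("outdated_firmware", re.compile(r"WARNING: Outdated .* BIOS/EC firmware")),
    ("acpi_bios_bug",     re.compile(r"ACPI BIOS Warning \(bug\)")),
    ("resource_conflict", re.compile(r"conflicts with OpRegion|Resource conflict\(s\) found")),
    ("clock_drift",       re.compile(r"Adjusting hpet more than")),
    ("virt_disabled",     re.compile(r"kvm: disabled by bios")),
])


def parse_line(line):
    """Return (timestamp, message), or None for lines that are not dmesg output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("msg")


def triage(lines):
    """Map each rule name to its (timestamp, message) hits, in log order."""
    hits = OrderedDict((name, []) for name in RULES)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # shell prompts, blank lines, non-kernel noise
        ts, msg = parsed
        for name, pat in RULES.items():
            if pat.search(msg):
                hits[name].append((ts, msg))
                break  # first matching rule wins
    return hits


def first_thing_to_check(hits):
    """Name of the highest-priority rule that has at least one hit, or None."""
    for name, found in hits.items():
        if found:
            return name
    return None


# Constructed excerpt of the attached log (same lines, fewer of them).
SAMPLE = """\
[ 0.000000] ACPI BIOS Warning (bug): 32/64X length mismatch in FADT/Gpe0Block: 64/32 (20150410/tbfadt-623)
[ 17.042467] ACPI Warning: SystemIO range 0x0000000000001028-0x000000000000102F conflicts with OpRegion 0x0000000000001000-0x000000000000107F (\\_SB_.PCI0.LPC_.PMIO) (20150410/utaddress-254)
[ 17.059772] lpc_ich: Resource conflict(s) found affecting gpio_ich
[ 17.128760] kvm: disabled by bios
[ 17.630075] thinkpad_acpi: WARNING: Outdated ThinkPad BIOS/EC firmware
[ 49.849025] Adjusting hpet more than 11% (2611937668 vs 2601267907)
[peter@localhost ~]$ dmesg
"""

if __name__ == "__main__":
    result = triage(SAMPLE.splitlines())
    for name, found in result.items():
        for ts, msg in found:
            print(f"[{name}] {ts:10.6f} {msg}")
    print("check first:", first_thing_to_check(result))
```

Run it against a full dump with `dmesg | python3 triage.py` after replacing `SAMPLE.splitlines()` with `sys.stdin`; lines that match no rule are deliberately ignored, so a run that reports nothing means none of the listed patterns were seen, not that the log is clean.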



------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 619, Issue 1
***************************************

Sunday, 27 September 2015

Bristol Digest, Vol 618, Issue 1



Today's Topics:

1. KT anyone there? (peter@hemmings.eclipse.co.uk)


----------------------------------------------------------------------

Message: 1
Date: Sat, 26 Sep 2015 17:32:42 +0300
From: peter@hemmings.eclipse.co.uk
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: [bristol] KT anyone there?
Message-ID: <1443277962.343345473@f7.my.com>
Content-Type: text/plain; charset="utf-8"


If anyone is there hang on I will be late!
--
Peter H

------------------------------


End of Bristol Digest, Vol 618, Issue 1
***************************************

Saturday, 12 September 2015

Bristol Digest, Vol 617, Issue 3



Today's Topics:

1. Re: Privacy ethics of smartphone manufacturers (nick robinson)


----------------------------------------------------------------------

Message: 1
Date: Fri, 11 Sep 2015 16:32:22 +0100
From: nick robinson <nick@njrobinson.net>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Privacy ethics of smartphone manufacturers
Message-ID:
<CADo8qK50TBQziNtmMPzSVa0Jz0KDzV1gB5W7cdUZhQ3rtHBAXQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi

If you check out xda-developers you could find custom roms for most phones,
not only cyanogenmod

kind regards

On 5 September 2015 at 15:13, Y Martin <ym2013@riseup.net> wrote:

> Hi
>
> I am interested in buying a smartphone and flashing it with Cyanogen Mod
> (an open source firmware). When I heard in the Snowden cables
> about how Apple actively collaborates with the NSA in installing
> backdoors into iPhones it made me not want to touch Apple hardware.
>
> I also read about a report of China being up to the same misdeeds with
> Huawei and ZTE:
> http://www.cnet.com/news/lawmakers-to-u-s-companies-dont-buy-huawei-zte/
>
> Google are a bit too creepy for my liking.
>
> Given that Cyanogen Mod is not supported on Nokia phones, that rules 5
> manufacturers out so far. The remaining seem to be:
> Samsung
> Sony
> HTC
> LG
> Motorola
>
> It would be good to get a clearer picture of the smartphone market from
> the perspective of privacy ethics. Can anyone provide any further
> information about the privacy ethics of these or any further companies?
> There must be some existing reviews or good articles out there about
> this topic.
>
> Sincerely,
>
> Yousef
>
> P.S. I know that the idea of 'smartphone-security' is a bit of a
> contradiction, but I would prefer to give my money to companies that do
> not sell out on their consumers' rights to privacy.
>
> P.P.S. No I don't have the money for a Blackphone2!
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>

------------------------------


End of Bristol Digest, Vol 617, Issue 3
***************************************

Friday, 11 September 2015

Bristol Digest, Vol 617, Issue 2



Today's Topics:

1. Re: Privacy ethics of smartphone manufacturers (Y Martin)


----------------------------------------------------------------------

Message: 1
Date: Fri, 11 Sep 2015 10:53:16 +0100
From: Y Martin <ym2013@riseup.net>
To: ">> Bristol and Bath Linux User Group"
<bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Privacy ethics of smartphone manufacturers
Message-ID: <55F2A48C.6080804@riseup.net>
Content-Type: text/plain; charset=utf-8

Hi Martin,

Thank you very much for your comprehensive reply.

Rather than due to any lack of interest, my slow response is due to the
fact that I am still chewing over the information in your email and
reading up on the links!

While doing so, I came across SEAndroid, NSA's security enhanced version
of Android. Let's hope open-source projects will integrate the security
enhancements into their own firmware as was the case with SELinux.

It's great that affordable open-source projects like wileyfox are
happening. However, personally I don't see much difference between
WileyFox and buying a second-hand smartphone to install cyanogen mod on
myself.

Openmoko also looks like an exciting development and because of Cyanogen
Mod's recent M$ sellout, Openmoko does look better than Wileyfox.
However, at first glance it seemed more like a firmware-based project
rather than having much consideration for hardware or an FPGA; issues
which you raised.

Given your discussions around hardware-based vulnerabilities, projects
like the blackphone or even better, Neo900 look far more promising for
the future of secure smartphones.

Best wishes,

Yousef


On 05/09/15 22:29, Martin wrote:
> On Sat, 2015-09-05 at 16:52 +0100, Y Martin wrote:
>> Wow..so the Cyanogen Mod and M$ partnership wasn't just some April fools
>> day joke after all!
>>
>> Perhaps the Nokia N900 with Maemo is the way to go. But there are hardly
>> any apps with Maemo.
>>
>> Though expensive, the Neo900 project looks pretty interesting.
>
> Also possibly relevant to your interests:
>
> http://www.theregister.co.uk/2015/08/25/wileyfox_phones_tick_reg_readers_boxes/
> http://www.ubuntu.com/phone/devices
> https://www.silentcircle.com/products-and-solutions/devices/
> http://wiki.openmoko.org/wiki/Main_Page
> http://neo900.org/
>
> I think the really key areas of question about trustworthiness that it
> is hard to get around are 1. it will be assembled in China and 2. the
> baseband processor will be running some kind of binary blob.
>
> Unless you have an FPGA and a decent open hardware system (some of the
> Open Cores projects look quite promising and it is an area where free
> software style commoditisation really could become a thing), you are
> really going to have to trust the hardware manufacture and assembly
> chain (and even then what about the FPGA etc. etc. although it is much
> harder to come up with a generic, hardware exploit for a system running
> on an FPGA), so, for now, I think you'll have to live with 1.
>
> [ As an aside, I used to think that CPU level backdoors were largely a
> theoretical issue. Some of the more recent "features" of Intel
> processors have somewhat changed my mind. AMT seems to create a
> back-channel from the network to full control of the processor, via
> non-user accessible, proprietary software which has already been shown
> to have security bugs. If you are concerned about BIOS freedom, this is
> much much worse. Then there is SGX, which gives a *completely* new
> security architecture for the entire chip, unlike *anything* currently
> or previously available. For a change this sweeping and radical it has
> been kept remarkably quiet. Although I can see it has positive uses, it
> also has the capacity to be ALL of the things people feared when
> "trusted computing" was first proposed. Disturbingly when I spoke to
> some of the designers they didn't seem to realise that it would
> effectively make malware analysis impossible for these processors. All
> of which makes the statement:
> “It doesn’t matter what state the system will be in, it will be
> listening all the time,”
> http://www.technologyreview.com/news/530491/hello-computer-intels-new-mobile-chips-are-always-listening/
> just that bit more sinister. ]
>
> A free software baseband and a system to run it on would be
> *interesting* and more achievable. Osmocom's work on this is amazing
> ( http://bb.osmocom.org/trac/ ) but is only really for research use
> (free software baseband + software radio = fun ?). There was a baseband
> implementation of one phone which may have been released at one point
> and you can still get the code if you know who to ask but its copyright
> status is ... questionable and the hardware is long gone. Given that a
> baseband that supports GSM, GPRS, EDGE, LTE, etc. is likely to be in the
> millions of lines of code this is a non-trivial project (and a
> non-trivial attack surface) but one can hope. [It could be an
> interesting strategy for someone like Blackberry, who have control of
> the whole stack and the need for some interesting strategies. ] Given
> all of this I think the thing to do is to treat the baseband / modem as
> an untrusted blob and use the architecture of the system to prevent its
> compromise being escalated to a full system compromise. To my
> understanding this is beginning to happen on some of the more secure
> phone designs but one can mimic this with a USB "mobile internet" dongle
> and a linux box. You keep as much compute as you can on Linux and just
> use the modem (hooked over the (hopefully secure) USB serial device) to
> send and receive SMS and hook up to the Internet. Voice is a pain to do
> like this though.
>
> ANYWAY, please forgive me for rambling, as this is something I have been
> thinking about and allow me to finish on a question : do people have any
> good recommendations for the most minimal feature phone that can be
> effectively used as a peripheral for a Linux box? Basically a 3G or 4G
> USB dongle with battery, screen, keyboard, mic and speaker and nothing
> else.
>
> Cheers,
> - Martin
>
>
>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>



------------------------------


End of Bristol Digest, Vol 617, Issue 2
***************************************

Monday, 07 September 2015

Bristol Digest, Vol 617, Issue 1



Today's Topics:

1. Any Conky Experts Here!? (Peter Hemmings)


----------------------------------------------------------------------

Message: 1
Date: Sun, 6 Sep 2015 21:50:42 +0100
From: Peter Hemmings <peter@hemmings.eclipse.co.uk>
To: "bristol@mailman.lug.org.uk" <bristol@mailman.lug.org.uk>
Subject: [bristol] Any Conky Experts Here!?
Message-ID: <55ECA722.7050508@hemmings.eclipse.co.uk>
Content-Type: text/plain; charset=utf-8; format=flowed

I have been looking at "Conky" and have installed "Conky Manager" (CM)
on my PC (fc22).

I can get the default widgets to work OK but cannot get one I added to
show up using this procedure:

http://gnome-look.org/content/show.php/conky_grey?content=137272

Either using the terminal or CM.

The terminal gives the following:

[peter@study ~]$ conky -c ~/.conky/conkyrc_grey
Conky: forked to background, pid is 14852
[peter@study ~]$
Conky: desktop window (c00015) is subwindow of root window (2cf)
Conky: window type - override
Conky: drawing to created window (0x1c00001)
X Error of failed request: BadMatch (invalid parameter attributes)
Major opcode of failed request: 1 (X_CreateWindow)
Serial number of failed request: 116
Current serial number in output stream: 119

Can someone give me a pointer as to what it means and how to get it to
work as I do not want to spend a lot of time altering the conkyrc files
to get them as I would like!?

Thanks

--
Peter H



------------------------------


End of Bristol Digest, Vol 617, Issue 1
***************************************

Saturday, 05 September 2015

Bristol Digest, Vol 616, Issue 11



Today's Topics:

1. Privacy ethics of smartphone manufacturers (Y Martin)
2. Re: Privacy ethics of smartphone manufacturers (Nigel Sollars)
3. Re: Privacy ethics of smartphone manufacturers (Y Martin)
4. Re: Privacy ethics of smartphone manufacturers (Martin)
5. Re: Security of LUG (David Smith)


----------------------------------------------------------------------

Message: 1
Date: Sat, 05 Sep 2015 15:13:41 +0100
From: Y Martin <ym2013@riseup.net>
To: bristol@mailman.lug.org.uk
Subject: [bristol] Privacy ethics of smartphone manufacturers
Message-ID: <55EAF895.9010002@riseup.net>
Content-Type: text/plain; charset=utf-8

Hi

I am interested in buying a smartphone and flashing it with Cyanogen Mod
(an open source firmware). When I heard in the Snowden cables
about how Apple actively collaborates with the NSA in installing
backdoors into iPhones it made me not want to touch Apple hardware.

I also read about a report of China being up to the same misdeeds with
Huawei and ZTE:
http://www.cnet.com/news/lawmakers-to-u-s-companies-dont-buy-huawei-zte/

Google are a bit too creepy for my liking.

Given that Cyanogen Mod is not supported on Nokia phones, that rules 5
manufacturers out so far. The remaining seem to be:
Samsung
Sony
HTC
LG
Motorola

It would be good to get a clearer picture of the smartphone market from
the perspective of privacy ethics. Can anyone provide any further
information about the privacy ethics of these or any further companies?
There must be some existing reviews or good articles out there about
this topic.

Sincerely,

Yousef

P.S. I know that the idea of 'smartphone-security' is a bit of a
contradiction, but I would prefer to give my money to companies that do
not sell out on their consumers' rights to privacy.

P.P.S. No I don't have the money for a Blackphone2!



------------------------------

Message: 2
Date: Sat, 5 Sep 2015 10:54:44 -0400
From: Nigel Sollars <nsollars@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Privacy ethics of smartphone manufacturers
Message-ID:
<CAG6aBkVjiKYtB-9EG+7vT7nDpf+EirBVA0zKHTNY01yyUKjDpg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

With regards to Mobile, you're gunna be SOL for anything that's not NSA / GCHQ
centric tbh, unless of course you totally roll your own.

Cyanogen is in league with the M$ crowd also iirc..

Nige

On Sat, Sep 5, 2015 at 10:13 AM, Y Martin <ym2013@riseup.net> wrote:

> Hi
>
> I am interested in buying a smartphone and flashing it with Cyanogen Mod
> (an open source firmware). When I heard in the Snowden cables
> about how Apple actively collaborates with the NSA in installing
> backdoors into iPhones it made me not want to touch Apple hardware.
>
> I also read about a report of China being up to the same misdeeds with
> Huawei and ZTE:
> http://www.cnet.com/news/lawmakers-to-u-s-companies-dont-buy-huawei-zte/
>
> Google are a bit too creepy for my liking.
>
> Given that Cyanogen Mod is not supported on Nokia phones, that rules 5
> manufacturers out so far. The remaining seem to be:
> Samsung
> Sony
> HTC
> LG
> Motorola
>
> It would be good to get a clearer picture of the smartphone market from
> the perspective of privacy ethics. Can anyone provide any further
> information about the privacy ethics of these or any further companies?
> There must be some existing reviews or good articles out there about
> this topic.
>
> Sincerely,
>
> Yousef
>
> P.S. I know that the idea of 'smartphone-security' is a bit of a
> contradiction, but I would prefer to give my money to companies that do
> not sell out on their consumers' rights to privacy.
>
> P.P.S. No I don't have the money for a Blackphone2!
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>



--
“Science is a differential equation. Religion is a boundary condition.”

Alan Turing

------------------------------

Message: 3
Date: Sat, 05 Sep 2015 16:52:38 +0100
From: Y Martin <ym2013@riseup.net>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Privacy ethics of smartphone manufacturers
Message-ID: <55EB0FC6.2060208@riseup.net>
Content-Type: text/plain; charset=windows-1252

Wow..so the Cyanogen Mod and M$ partnership wasn't just some April fools
day joke after all!

Perhaps the Nokia N900 with Maemo is the way to go. But there are hardly
any apps with Maemo.

Though expensive, the Neo900 project looks pretty interesting.

Yousef



On 05/09/15 15:54, Nigel Sollars wrote:
> With regards to Mobile, you're gunna be SOL for anything that's not NSA / GCHQ
> centric tbh, unless of course you totally roll your own.
>
> Cyanogen is in league with the M$ crowd also iirc..
>
> Nige
>
> On Sat, Sep 5, 2015 at 10:13 AM, Y Martin <ym2013@riseup.net> wrote:
>
>> Hi
>>
>> I am interested in buying a smartphone and flashing it with Cyanogen Mod
>> (an open source firmware). When I heard in the Snowden cables
>> about how Apple actively collaborates with the NSA in installing
>> backdoors into iPhones it made me not want to touch Apple hardware.
>>
>> I also read about a report of China being up to the same misdeeds with
>> Huawei and ZTE:
>> http://www.cnet.com/news/lawmakers-to-u-s-companies-dont-buy-huawei-zte/
>>
>> Google are a bit too creepy for my liking.
>>
>> Given that Cyanogen Mod is not supported on Nokia phones, that rules 5
>> manufacturers out so far. The remaining seem to be:
>> Samsung
>> Sony
>> HTC
>> LG
>> Motorola
>>
>> It would be good to get a clearer picture of the smartphone market from
>> the perspective of privacy ethics. Can anyone provide any further
>> information about the privacy ethics of these or any further companies?
>> There must be some existing reviews or good articles out there about
>> this topic.
>>
>> Sincerely,
>>
>> Yousef
>>
>> P.S. I know that the idea of 'smartphone-security' is a bit of a
>> contradiction, but I would prefer to give my money to companies that do
>> not sell out on their consumers' rights to privacy.
>>
>> P.P.S. No I don't have the money for a Blackphone2!
>>
>> _______________________________________________
>> Bristol mailing list
>> Bristol@mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>
>
>
>
>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>




------------------------------

Message: 4
Date: Sat, 05 Sep 2015 22:29:05 +0100
From: Martin <inkubus@interalpha.co.uk>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Privacy ethics of smartphone manufacturers
Message-ID: <1441488545.25977.223.camel@raphael>
Content-Type: text/plain; charset="UTF-8"

On Sat, 2015-09-05 at 16:52 +0100, Y Martin wrote:
> Wow..so the Cyanogen Mod and M$ partnership wasn't just some April fools
> day joke after all!
>
> Perhaps the Nokia N900 with Maemo is the way to go. But there are hardly
> any apps with Maemo.
>
> Though expensive, the Neo900 project looks pretty interesting.

Also possibly relevant to your interests:

http://www.theregister.co.uk/2015/08/25/wileyfox_phones_tick_reg_readers_boxes/
http://www.ubuntu.com/phone/devices
https://www.silentcircle.com/products-and-solutions/devices/
http://wiki.openmoko.org/wiki/Main_Page
http://neo900.org/

I think the really key areas of question about trustworthiness that it
is hard to get around are 1. it will be assembled in China and 2. the
baseband processor will be running some kind of binary blob.

Unless you have an FPGA and a decent open hardware system (some of the
Open Cores projects look quite promising and it is an area where free
software style commoditisation really could become a thing), you are
really going to have to trust the hardware manufacture and assembly
chain (and even then what about the FPGA etc. etc. although it is much
harder to come up with a generic, hardware exploit for a system running
on an FPGA), so, for now, I think you'll have to live with 1.

[ As an aside, I used to think that CPU level backdoors were largely a
theoretical issue. Some of the more recent "features" of Intel
processors have somewhat changed my mind. AMT seems to create a
back-channel from the network to full control of the processor, via
non-user accessible, proprietary software which has already been shown
to have security bugs. If you are concerned about BIOS freedom, this is
much much worse. Then there is SGX, which gives a *completely* new
security architecture for the entire chip, unlike *anything* currently
or previously available. For a change this sweeping and radical it has
been kept remarkably quiet. Although I can see it has positive uses, it
also has the capacity to be ALL of the things people feared when
"trusted computing" was first proposed. Disturbingly when I spoke to
some of the designers they didn't seem to realise that it would
effectively make malware analysis impossible for these processors. All
of which makes the statement:
“It doesn’t matter what state the system will be in, it will be
listening all the time,”
http://www.technologyreview.com/news/530491/hello-computer-intels-new-mobile-chips-are-always-listening/
just that bit more sinister. ]

A free software baseband and a system to run it on would be
*interesting* and more achievable. Osmocom's work on this is amazing
( http://bb.osmocom.org/trac/ ) but is only really for research use
(free software baseband + software radio = fun ?). There was a baseband
implementation of one phone which may have been released at one point
and you can still get the code if you know who to ask, but its copyright
status is ... questionable and the hardware is long gone. Given that a
baseband that supports GSM, GPRS, EDGE, LTE, etc. is likely to be in the
millions of lines of code this is a non-trivial project (and a
non-trivial attack surface) but one can hope. [It could be an
interesting strategy for someone like Blackberry, who have control of
the whole stack and the need for some interesting strategies. ] Given
all of this I think the thing to do is to treat the baseband / modem as
an untrusted blob and use the architecture of the system to prevent its
compromise being escalated to a full system compromise. To my
understanding this is beginning to happen on some of the more secure
phone designs but one can mimic this with a USB "mobile internet" dongle
and a linux box. You keep as much compute as you can on Linux and just
use the modem (hooked over the (hopefully secure) USB serial device) to
send and receive SMS and hook up to the Internet. Voice is a pain to do
like this though.

ANYWAY, please forgive me for rambling, as this is something I have been
thinking about and allow me to finish on a question : do people have any
good recommendations for the most minimal feature phone that can be
effectively used as a peripheral for a Linux box? Basically a 3G or 4G
USB dongle with battery, screen, keyboard, mic and speaker and nothing
else.

Cheers,
- Martin






------------------------------

Message: 5
Date: Sun, 06 Sep 2015 07:53:33 +0100
From: David Smith <David.Smith@ds-electronics.co.uk>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <1441522413.16742.39.camel@ubuntu>
Content-Type: text/plain; charset=utf-8

On Tue, 2015-09-01 at 12:43 +0100, Andrzej Jarzębowski wrote:
> Linux User Group mailing list is place for professionals to exchange
> their knowledge about usage and security of Linux systems. It's safe
> to assume that place like that has been build by professionals with
> experience in systems security.
>
>
> If that is the case why LUG is storing passwords of all their users in
> clear text and why those passwords are sent to us every month in clear
> text as an email?
>
>
> Can this by changed? It's highly insecure especially for people that
> may use same password for other services. I understand that each
> password should be different but there is al lot of people that don't
> follow that rule. I would be happy to help fix that issue.

Firstly, as has previously been mentioned, there is little difference between
storing information in plaintext, and storing it encrypted with the
decryption key. Therefore, if I say that something is stored in
plaintext, I am including the possibility that it could be stored
encrypted with the decryption key on the same server. This is also
because I suspect that the server actually *will* be storing it in
plaintext.

On Wed, 2015-09-02 at 01:34 +0100, Allen Coates wrote:
> Don't forget it's not just my data being stored. If someone
> compromises the server, they will have a complete list of all the
> subscribers.
> Depending on how things are organised, perhaps of all the subscribers
> to all the LUGs in the country.

Well, by definition, the server needs to have a list of the email
addresses of all of the subscribers in a plaintext format. Otherwise,
it's going to be pretty useless as a mailing list server.

OK, so what is the password actually protecting?

1. Your email address? No, since your password is only useful to
someone who already knows your email address.

2. Everyone else's email address? No, it doesn't give you access to the
complete subscriber list; it does give you access to the email address
of everyone that has ever posted (by downloading the archives), but an
attacker could just subscribe to the list and download that information
themselves.

So, all it's really protecting is your subscription settings - whether
you want digest versions, whether you want a mail at all, etc.

Given the low value of the information it's protecting, I don't consider
it to be much of an issue. The BBLUG list is hosted on a server that
serves most of the LUGs in the UK, and we are simply a customer of that
service. If you can persuade the SysOps of that server that it is worth
their time and effort to upgrade to a newer version of Mailman, then
feel free, but I doubt they'll be bothered.

There are clear warnings given about sharing passwords between the
mailing list and other places; people shouldn't be stupid enough to
ignore those warnings.

It's quite simple - don't use your LUG password for anything else; if
you're still worried, turn off the reminder mails, and if you're
completely paranoid, unsubscribe from the list.




------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 616, Issue 11
****************************************

Friday, 04 September 2015

Bristol Digest, Vol 616, Issue 10

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. Re: Security of LUG (MFPA)


----------------------------------------------------------------------

Message: 1
Date: Thu, 3 Sep 2015 13:30:58 +0100
From: MFPA <2014-667rhzu3dc-lists-groups@riseup.net>
To: "Allen Coates on Bristol and Bath Linux User Group"
<bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <1003630986.20150903133058@my_localhost>
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Wednesday 2 September 2015 at 1:34:17 AM, in
<mid:55E64409.8060002@cidercounty.org.uk>, Allen Coates wrote:



MFPA:
>> What personal data are we talking about, apart from email address?
> Anything the administrators care to store about me.

All they need is the email address, plus password and subscription
settings. They could potentially store things like IP address, what
browser/operating system/MUA/etc. but they need none of this so should
not bother.



> Don't forget it's not just my data being stored. If
> someone compromises the server, they will have a
> complete list of all the subscribers.

As Amias said, they could see all active subscribers from the list
archives. Extra security here would only benefit inactive subscribers
(or those who join with one email address to post and a different one
to receive the list's messages).



> Depending on
> how things are organised, perhaps of all the
> subscribers to all the LUGs in the country.

I would guess that were true: the settings page allows some
options to be set "globally" for every mailing list that you are a
member of on mailman.lug.org.uk, and there is a "list my other
subscriptions" button.



> In quantities like that, even "just" a name / email
> pair will become valuable.

That is available from the list archives. On the subscription page,
there is a box for name as well as for email address. It is clearly
marked as optional; I don't think it should be there at all as it is
not needed.

Unless the list prunes those that are inactive or bouncing, the
membership list would contain lots of dead email addresses.



> It's a pipe-dream, I know, but I would like to think
> that *ALL* personal data - however trivial - is
> protected.

Unfortunately that is not possible. Where I live is personal data -
definitely non-trivial - that cannot be protected because people who
have no need to know where I live can see me coming and going.


I would like to think that personal data were:-

1. only stored with the data subject's explicit permission,

2. only stored if absolutely needed,

3. only used for the precise purpose for which it were provided,

4. only used by those to whom it were provided,

5. securely deleted as soon as no longer needed or as soon as so
instructed by the data subject, and

6. freely available for secure inspection at any time by the
subject of that personal data.

Even the Data Protection Act is found wanting on most of those points.



- --
Best regards

MFPA <mailto:2014-667rhzu3dc-lists-groups@riseup.net>

Rose rose to put rose roes on her rows of roses.




------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 616, Issue 10
****************************************

Thursday, 03 September 2015

Bristol Digest, Vol 616, Issue 9

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. PGP test after migration (James Womack)
2. Re: PGP test after migration (Y Martin)


----------------------------------------------------------------------

Message: 1
Date: Wed, 2 Sep 2015 20:35:10 +0100
From: James Womack <james.c.womack@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: [bristol] PGP test after migration
Message-ID: <55E74F6E.8080805@gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello,

I just migrated to a new laptop, and shifted my PGP (sub)keys to the new
machine. I would like to verify that I have set up everything okay and
that I can send signed and encrypted mail. Would anybody be interested
in a quick back-and-forth with me to test this out?

Thanks,
James
--
James Womack
james.c.womack@gmail.com
http://jcwomack.uk


------------------------------

Message: 2
Date: Wed, 02 Sep 2015 21:44:56 +0100
From: Y Martin <ym2013@riseup.net>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] PGP test after migration
Message-ID: <55E75FC8.5050200@riseup.net>
Content-Type: text/plain; charset=windows-1252

Hi James

I can do this if necessary. But also, there is Adele the Friendly
OpenPGP Email Robot:
adele-en@gnupp.de

Best wishes,

Yousef

On 02/09/15 20:35, James Womack wrote:
> Hello,
>
> I just migrated to a new laptop, and shifted my PGP (sub)keys to the new
> machine. I would like to verify that I have set up everything okay and
> that I can send signed and encrypted mail. Would anybody be interested
> in a quick back-and-forth with me to test this out?
>
> Thanks,
> James
>
>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>




------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 616, Issue 9
***************************************

Wednesday, 02 September 2015

Bristol Digest, Vol 616, Issue 8

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. Re: Security of LUG (MFPA)
2. Re: Security of LUG (Allen Coates)
3. Re: Security of LUG (Amias Channer)


----------------------------------------------------------------------

Message: 1
Date: Wed, 2 Sep 2015 00:13:40 +0100
From: MFPA <2014-667rhzu3dc-lists-groups@riseup.net>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <55E63124.4010101@riseup.net>
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

Tue, 01 Sep 2015 20:19:53 +0100, in Message-ID
<55E5FA59.6090201@cidercounty.org.uk>, Allen wrote:-

> My gut-feeling is to employ simple encryption to both the user's
> password AND all his/her personal data, and then to safeguard the
> encryption key as best you can.

What personal data are we talking about, apart from email address?



- --
MFPA <Mailto:2014-667rhzu3dc-lists-groups@riseup.net>



------------------------------

Message: 2
Date: Wed, 02 Sep 2015 01:34:17 +0100
From: Allen Coates <lug-7@cidercounty.org.uk>
To: bristol@mailman.lug.org.uk
Subject: Re: [bristol] Security of LUG
Message-ID: <55E64409.8060002@cidercounty.org.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed



On 02/09/15 00:13, MFPA wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi
>
> Tue, 01 Sep 2015 20:19:53 +0100, in Message-ID
> <55E5FA59.6090201@cidercounty.org.uk>, Allen wrote:-
>
>> My gut-feeling is to employ simple encryption to both the user's
>> password AND all his/her personal data, and then to safeguard the
>> encryption key as best you can.
> What personal data are we talking about, apart from email address?
Anything the administrators care to store about me.

Don't forget it's not just my data being stored. If someone compromises
the server, they will have a complete list of all the subscribers.
Depending on how things are organised, perhaps of all the subscribers to
all the LUGs in the country.

In quantities like that, even "just" a name / email pair will become
valuable.

It's a pipe-dream, I know, but I would like to think that *ALL* personal
data - however trivial - is protected.


>
>
>
> - --
> MFPA <Mailto:2014-667rhzu3dc-lists-groups@riseup.net>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>
>




------------------------------

Message: 3
Date: Wed, 2 Sep 2015 12:26:51 +0100
From: Amias Channer <me@amias.net>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CAMgU7XUFM9t6zNyWO1JtCoLJTjOM08La=ff=j9HZ2hvH-VC5RA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello luggers,

You could get a list of all active members by signing up and then
downloading the archives.

I would argue that whilst the security could be improved, the benefits are
not worth it, because the data is not sensitive or dangerous; it's meant to
be public. The costs of implementing more security would be more expensive
hosting for the extra load computing passwords and more admin time dealing
with broken accounts, as well as the time to make the changes.

I'm pretty sure this is all run by volunteers, so that load may well break
the deal.

The solution is simple: just don't use an important password for your LUG
account, and if you are that bothered just disable password reminders for
your account.

Cheers
Amias

On 2 September 2015 at 01:34, Allen Coates <lug-7@cidercounty.org.uk> wrote:

>
>
> On 02/09/15 00:13, MFPA wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Hi
>>
>> Tue, 01 Sep 2015 20:19:53 +0100, in Message-ID
>> <55E5FA59.6090201@cidercounty.org.uk>, Allen wrote:-
>>
>> My gut-feeling is to employ simple encryption to both the user's
>>> password AND all his/her personal data, and then to safeguard the
>>> encryption key as best you can.
>>>
>> What personal data are we talking about, apart from email address?
>>
> Anything the administrators care to store about me.
>
> Don't forget it's not just my data being stored. If someone compromises
> the server, they will have a complete list of all the subscribers.
> Depending on how things are organised, perhaps of all the subscribers to
> all the LUGs in the country.
>
> In quantities like that, even "just" a name / email pair will become
> valuable.
>
> It's a pipe-dream, I know, but I would like to think that *ALL* personal
> data - however trivial - is protected.
>
>
>
>
>>
>>
>> - -- MFPA <Mailto:2014-667rhzu3dc-lists-groups@riseup.net>
>>
>> _______________________________________________
>> Bristol mailing list
>> Bristol@mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>
>>
>>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>

------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 616, Issue 8
***************************************

Tuesday, 01 September 2015

Bristol Digest, Vol 616, Issue 7

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. Re: Security of LUG (Allen Coates)
2. Re: Security of LUG (Ian Plain)
3. Re: Security of LUG (Alberto Lietor Santos)


----------------------------------------------------------------------

Message: 1
Date: Tue, 01 Sep 2015 20:19:53 +0100
From: Allen Coates <lug-7@cidercounty.org.uk>
To: bristol@mailman.lug.org.uk
Subject: Re: [bristol] Security of LUG
Message-ID: <55E5FA59.6090201@cidercounty.org.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I concur with the notion that storing passwords in the clear smacks of
sloppy workmanship - but then a RADIUS authentication server stores
passwords that way. So the MailMan package is in good company...

Storing encrypted passwords *where the encryption key is available to
the program* is not all that much more secure, and it will add a
layer of complication.

There is then a big jump to one-way hashes of the password, which makes
them irrecoverable - and the monthly "reminder" emails impossible to create.

My gut-feeling is to employ simple encryption to both the user's
password AND all his/her personal data, and then to safeguard the
encryption key as best you can. (Say put it in a file, available to the
mother process but NOT to the user interface).

As for the monthly reminder emails, perhaps there is a case for using
PGP encryption - always supposing the user has A PGP key.

There is no such thing as Total Security - only a "least worst" solution.

Hope this helps.

Allen C





------------------------------

Message: 2
Date: Tue, 1 Sep 2015 22:13:40 +0100
From: Ian Plain <ian@cyber-cottage.co.uk>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CAPdamw_+Z1wnuJCSNdszbT=Hx_OMcejxmXPnUL23oCAgBScm1Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Why do you assume that just because the password is sent as plain text
it's stored as plain text??

On 1 September 2015 at 15:55, Alberto Lietor Santos <alietors@gmail.com>
wrote:

> The problem is not just the reminder.
> The problem is if the reminder sent you your password in plain text is
> because they have this password anywhere in the server in plain text, so,
> if someone "hack" the server it has access to all the passwords.
>
> Store passwords in plain text is clearly a security antipattern a big
> no-no.
>
> 2015-09-01 15:50 GMT+01:00 Ian Plain <ian@cyber-cottage.co.uk>:
>
>> Or just log in and turn off the password reminder option. !!
>>
>> On 1 September 2015 at 15:05, Will Avery <wilf@linuxmail.org> wrote:
>>
>>>
>>> You are not the first to see a problem with this: e.g.
>>> http://www.jwz.org/doc/mailman.html
>>> *Sent:* Tuesday, September 01, 2015 at 12:43 PM
>>> *From:* "Andrzej Jarzębowski" <jarzebowski.andrzej@gmail.com>
>>> *To:* "Bristol and Bath Linux User Group" <bristol@mailman.lug.org.uk>
>>> *Subject:* [bristol] Security of LUG
>>> Linux User Group mailing list is place for professionals to exchange
>>> their knowledge about usage and security of Linux systems. It's safe to
>>> assume that place like that has been build by professionals with experience
>>> in systems security.
>>>
>>> If that is the case why LUG is storing passwords of all their users in
>>> clear text and why those passwords are sent to us every month in clear text
>>> as an email?
>>>
>>> Can this by changed? It's highly insecure especially for people that may
>>> use same password for other services. I understand that each password
>>> should be different but there is al lot of people that don't follow that
>>> rule. I would be happy to help fix that issue.
>>> _______________________________________________ Bristol mailing list
>>> Bristol@mailman.lug.org.uk
>>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>>
>>> _______________________________________________
>>> Bristol mailing list
>>> Bristol@mailman.lug.org.uk
>>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>>
>>
>>
>>
>>
>> _______________________________________________
>> Bristol mailing list
>> Bristol@mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>
>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>



--
Thanks
Ian Plain
http://www.cyber-cottage.co.uk
Twitter @cyberco
Skype ba17sw
Ph: 01225580025
Txt: 01225580025

*To raise a support request please go
to http://cyber-cottage.co.uk/osticket/
<http://cyber-cottage.co.uk/osticket/> and open a new ticket*



The information transmitted is intended only for the entity or person to
whom it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you receive
this in error, please contact the sender and delete the material from any
computer or media on which it resides. Any information statements or
opinions contained in this message (including any attachments) are given by
the author. They are not given on behalf of cyber-cottage.co.uk. This
email is for information purposes only and does not create legal relations
unless confirmed in a letter or facsimile. cyber-cottage.co.uk does not
accept any liability for information not relating to its official business.
cyber-cottage.co.uk takes steps to minimise viruses and other errors but
cannot guarantee that this email is error free. cyber-cottage.co.uk
monitors email traffic for lawful purposes.

------------------------------

Message: 3
Date: Tue, 1 Sep 2015 22:45:05 +0100
From: Alberto Lietor Santos <alietors@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CACXZLW5LtCujXU0TKX_xy6S2Lngzh9ZEokxK8BOZQ9Zq-FxCrg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I don't mind how it is stored, but if there is a way to convert what is
stored back into my password, the security is the same: none.
Good password storage is the kind from which you cannot get the original
password back from what is stored. This is the reason you never get your
password recovered from anywhere, just a temporary password.
On 1 Sep 2015 22:14, "Ian Plain" <ian@cyber-cottage.co.uk> wrote:

> Why do you assume that just because the password is sent as plain text
> that its stored as plain text ??
>
> On 1 September 2015 at 15:55, Alberto Lietor Santos <alietors@gmail.com>
> wrote:
>
>> The problem is not just the reminder.
>> The problem is if the reminder sent you your password in plain text is
>> because they have this password anywhere in the server in plain text, so,
>> if someone "hack" the server it has access to all the passwords.
>>
>> Store passwords in plain text is clearly a security antipattern a big
>> no-no.
>>
>> 2015-09-01 15:50 GMT+01:00 Ian Plain <ian@cyber-cottage.co.uk>:
>>
>>> Or just log in and turn off the password reminder option. !!
>>>
>>> On 1 September 2015 at 15:05, Will Avery <wilf@linuxmail.org> wrote:
>>>
>>>>
>>>> You are not the first to see a problem with this: e.g.
>>>> http://www.jwz.org/doc/mailman.html
>>>> *Sent:* Tuesday, September 01, 2015 at 12:43 PM
>>>> *From:* "Andrzej Jarzębowski" <jarzebowski.andrzej@gmail.com>
>>>> *To:* "Bristol and Bath Linux User Group" <bristol@mailman.lug.org.uk>
>>>> *Subject:* [bristol] Security of LUG
>>>> Linux User Group mailing list is place for professionals to exchange
>>>> their knowledge about usage and security of Linux systems. It's safe to
>>>> assume that place like that has been build by professionals with experience
>>>> in systems security.
>>>>
>>>> If that is the case why LUG is storing passwords of all their users in
>>>> clear text and why those passwords are sent to us every month in clear text
>>>> as an email?
>>>>
>>>> Can this by changed? It's highly insecure especially for people that
>>>> may use same password for other services. I understand that each password
>>>> should be different but there is al lot of people that don't follow that
>>>> rule. I would be happy to help fix that issue.
>>>> _______________________________________________ Bristol mailing list
>>>> Bristol@mailman.lug.org.uk
>>>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>>>
>>>> _______________________________________________
>>>> Bristol mailing list
>>>> Bristol@mailman.lug.org.uk
>>>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>>>
>>>
>>>
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.lug.org.uk/mailman/private/bristol/attachments/20150901/fdc2b3d8/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 616, Issue 7
***************************************

Bristol Digest, Vol 616, Issue 6

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. Re: Security of LUG (peter@hemmings.eclipse.co.uk)
2. Re: Security of LUG (Max Brooks)


----------------------------------------------------------------------

Message: 1
Date: Tue, 01 Sep 2015 19:20:25 +0300
From: peter@hemmings.eclipse.co.uk
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <1441124425.194749710@f28.my.com>
Content-Type: text/plain; charset="utf-8"


This subject has obviously more activity (12 in 5 hours) and only one proposal but many opinions.
If someone wishes to sort out a more secure setup AND will be an active Member for at least a couple of years, then step forward and make yourself known and put forward a proposal!
We can then move forward but Dave Smith the list administrator should have an input before anything is decided.
Just my 4p's worth as periodically we have a burst of activity but nothing develops, but this might be different!!

--
Peter H
Sent from myMail app for Android

Tuesday, 01 September 2015, 04:41pm +01:00 from Alberto Lietor Santos <alietors@gmail.com>:

>How does this change anything?
>
>2015-09-01 16:37 GMT+01:00 Max Brooks <psykx.out@gmail.com>:
>>You do realize that this list is public, right? All the information is available without any sort of password.
>>
>>Sent from my iPhone, please excuse any typos.
>>
>>On 01 Sep 2015, at 15:55, Alberto Lietor Santos <alietors@gmail.com> wrote:
>>
>>>The problem is not just the reminder.
>>>The problem is that if the reminder sends you your password in plain text, it is because they have this password somewhere on the server in plain text, so if someone "hacks" the server they have access to all the passwords.
>>>
>>>Storing passwords in plain text is clearly a security antipattern, a big no-no.
>>>
>>>2015-09-01 15:50 GMT+01:00 Ian Plain <ian@cyber-cottage.co.uk>:
>>>>Or just log in and turn off the password reminder option!!
>>>>
>>>>On 1 September 2015 at 15:05, Will Avery <wilf@linuxmail.org> wrote:
>>>>>
>>>>>You are not the first to see a problem with this: e.g. http://www.jwz.org/doc/mailman.html
>>>>>Sent: Tuesday, September 01, 2015 at 12:43 PM
>>>>>From: "Andrzej Jarzębowski" <jarzebowski.andrzej@gmail.com>
>>>>>To: "Bristol and Bath Linux User Group" <bristol@mailman.lug.org.uk>
>>>>>Subject: [bristol] Security of LUG
>>>>>The Linux User Group mailing list is a place for professionals to exchange their knowledge about usage and security of Linux systems. It's safe to assume that a place like that has been built by professionals with experience in systems security.
>>>>>
>>>>>If that is the case, why is LUG storing the passwords of all their users in clear text, and why are those passwords sent to us every month in clear text as an email?
>>>>>
>>>>>Can this be changed? It's highly insecure, especially for people that may use the same password for other services. I understand that each password should be different, but there are a lot of people that don't follow that rule. I would be happy to help fix that issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.lug.org.uk/mailman/private/bristol/attachments/20150901/b03e0fe7/attachment-0001.html>

------------------------------

Message: 2
Date: Tue, 1 Sep 2015 17:53:43 +0100
From: Max Brooks <psykx.out@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <16105E91-6A79-4184-9A0B-8CFDD20A7D9B@gmail.com>
Content-Type: text/plain; charset="utf-8"

Well, security analysis is usually a risk-based activity. Given that the likelihood of a password being stolen from an email is low, and that it would only give you access to public information, it seems like talking about security anti-patterns is OTT.

Thanks, Max B

Sent from my iPhone, please excuse any typos.

> On 01 Sep 2015, at 16:41, Alberto Lietor Santos <alietors@gmail.com> wrote:
>
> How this change anything?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.lug.org.uk/mailman/private/bristol/attachments/20150901/14476dcc/attachment.html>
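The thread above turns on one technical fact: a service can only mail you your password every month if it keeps the password itself, and whatever it keeps is what a server compromise exposes. The following is an added example written for this digest, not Mailman's code or the list's configuration; the user names, passwords and record layout are constructed sample data. It puts a reversible store (the kind a reminder needs) next to a verify-only store of salted PBKDF2-HMAC-SHA256 records, shows a one-off migration between them, and shows what a reader of each table learns.

```python
"""Added example (not Mailman's code): reversible password store versus
verify-only salted hash store. All names and passwords are constructed."""
import hashlib
import hmac
import os

# Constructed sample of a reminder-capable store: the secret itself is kept,
# so anyone who can read this table has every member's password.
REVERSIBLE_STORE = {
    "alice@example.org": "hunter2",
    "bob@example.org": "correct horse battery staple",
}


def remind_password(store: dict, user: str) -> str:
    """A 'mail me my password' reminder only works when the store is reversible.
    Hashed records hold no recoverable secret, so the reminder cannot exist."""
    value = store[user]
    if not isinstance(value, str):
        raise ValueError("password is not recoverable from a hashed record")
    return value


def make_hash_record(password: str, iterations: int = 600_000) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 record. The password is never stored;
    the per-user random salt stops one precomputed table serving every user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def migrate_store(reversible: dict, iterations: int = 600_000) -> dict:
    """One-off conversion of a plaintext table into hashed records.
    After this runs, the plaintext table should be wiped."""
    return {user: make_hash_record(pw, iterations) for user, pw in reversible.items()}


def exposed_on_compromise(store: dict) -> dict:
    """What someone who reads the whole table learns per account:
    the password itself for a reversible store, salt and hash for a hashed one."""
    exposed = {}
    for user, value in store.items():
        if isinstance(value, str):
            exposed[user] = {"password": value}
        else:
            exposed[user] = {"salt": value["salt"], "hash": value["hash"]}
    return exposed


if __name__ == "__main__":
    hashed = migrate_store(REVERSIBLE_STORE, iterations=50_000)
    print("reminder from reversible store:", remind_password(REVERSIBLE_STORE, "alice@example.org"))
    print("login with correct password:", verify_password(hashed["alice@example.org"], "hunter2"))
    print("login with wrong password:", verify_password(hashed["alice@example.org"], "hunter3"))
    print("fields exposed by a dump of the hashed table:", list(exposed_on_compromise(hashed)["alice@example.org"]))
```

Two points worth keeping in view when weighing Max's risk argument against Alberto's: the hashed table still lets a thief guess weak or reused passwords offline, and the iteration count is what makes each guess expensive, so 600,000 is a sensible floor for SHA-256 rather than the 50,000 used in the demo run. The monthly reminder disappears by design once the store is hashed, which is the same outcome Ian's per-user "turn off the reminder" setting gives for one member, applied to the whole list.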

------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 616, Issue 6
***************************************