Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk
You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."
Today's Topics:
1. Re: Security of LUG (Marc Gray)
2. Re: Security of LUG (Martin Wheeler)
3. Re: Security of LUG (Andrzej Jarzębowski)
4. Re: Security of LUG (Alberto Lietor Santos)
5. Re: Security of LUG (Neil Fraser)
----------------------------------------------------------------------
Message: 1
Date: Tue, 1 Sep 2015 13:05:57 +0100
From: Marc Gray <marc.gray@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CAPorv7WZfRL0s7yXh8auVU7uVhdT9Yo6vPN7fW+086nJQjX15g@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
On 1 September 2015 at 12:43, Andrzej Jarzębowski <
jarzebowski.andrzej@gmail.com> wrote:
> Linux User Group mailing list is place for professionals to exchange their
> knowledge about usage and security of Linux systems. It's safe to assume
> that place like that has been built by professionals with experience in
> systems security.
>
> If that is the case why LUG is storing passwords of all their users in
> clear text and why those passwords are sent to us every month in clear text
> as an email?
>
> Can this be changed? It's highly insecure especially for people that may
> use same password for other services. I understand that each password
> should be different but there is a lot of people that don't follow that
> rule. I would be happy to help fix that issue.
>
I can certainly forward your post to the admins for their feedback, as you
raise a valid point. I don't use mailman
myself, so don't know if that's a configurable option.
I would like to comment that as you advocate better security, perhaps not
using the same password elsewhere would also be a valid point.
Regards,
Marc
------------------------------
Message: 2
Date: Tue, 1 Sep 2015 13:07:24 +0100
From: "Martin Wheeler" <mwheeler@martinwheeler.co.uk>
To: "Bristol and Bath Linux User Group" <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<7cd73a22f53e71e12821ace26b4a3683.squirrel@martinwheeler.net>
Content-Type: text/plain;charset=iso-8859-1
> Linux User Group mailing list is place for professionals
I'm not a professional.
Should I unsubscribe ?
> It's safe to assume
> that place like that has been built by professionals with experience in
> systems security.
Your assumptions on what is 'safe' leave me speechless.
*My* professional interests are European literature; and mediaeval French
poetry.
> If that is the case why LUG is storing passwords of all their users in
> clear text and why those passwords are sent to us every month in clear
> text as an email?
Mmm. */What/* exactly are you using your LUG account for, I wonder ?
> Can this be changed? It's highly insecure especially for people that may
> use same password for other services.
Oh, Christ.
Goodbye.
--
Martin Wheeler
------------------------------
Message: 3
Date: Tue, 1 Sep 2015 13:30:26 +0100
From: Andrzej Jarzębowski <jarzebowski.andrzej@gmail.com>
To: mwheeler@martinwheeler.co.uk, Bristol and Bath Linux User Group
<bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CAJ047Rkh2M8f5yXobEW_EtFnzCiyJVeMsfcgy0wOPbaSUj4oSQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
That's 100% correct, using the same password in multiple places is a bad
idea but we have to think about people who are new to the linux community,
who may not be as aware about password security as they should be.
If you are not professional that's awesome, and because people like you, who
are not professional sysadmins, just looking for answer for their
questions, not always having knowledge about security, LUG (and pretty much
anybody) should store passwords securely.
My point is that storing any passwords, anywhere in clear text is very bad
idea and shouldn't be done on any server, no matter how crucial the service
is.
2015-09-01 13:07 GMT+01:00 Martin Wheeler <mwheeler@martinwheeler.co.uk>:
> > Linux User Group mailing list is place for professionals
>
> I'm not a professional.
> Should I unsubscribe ?
>
> > It's safe to assume
> > that place like that has been built by professionals with experience in
> > systems security.
>
> Your assumptions on what is 'safe' leave me speechless.
> *My* professional interests are European literature; and mediaeval French
> poetry.
>
> > If that is the case why LUG is storing passwords of all their users in
> > clear text and why those passwords are sent to us every month in clear
> > text as an email?
>
> Mmm. */What/* exactly are you using your LUG account for, I wonder ?
>
> > Can this be changed? It's highly insecure especially for people that may
> > use same password for other services.
>
> Oh, Christ.
> Goodbye.
> --
> Martin Wheeler
>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>
------------------------------
Message: 4
Date: Tue, 1 Sep 2015 13:45:42 +0100
From: Alberto Lietor Santos <alietors@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Cc: mwheeler@martinwheeler.co.uk
Subject: Re: [bristol] Security of LUG
Message-ID:
<CACXZLW71MN+xNcRZ8eXbz=g-w+CNX-jBgp3+G5KyTC8TEJgAzA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
WTF
I've never taken a look at that "reminder email" but it is true, they send you
your password without any encryption! There is an option where you can
configure if you want to receive this password reminder but in any case if
somehow they can send you your password in plain text it's because your
password is not safe.
I hope they can fix this.
Martin, how you use your account is not an excuse to have poor security,
if you take a password it should be correctly treated and receiving your
password in plain text is a symptom of something that is not right.
2015-09-01 13:30 GMT+01:00 Andrzej Jarzębowski <
jarzebowski.andrzej@gmail.com>:
> That's 100% correct, using the same password in multiple places is a bad
> idea but we have to think about people who are new to the linux community,
> who may not be as aware about password security as they should be.
>
> If you are not professional that's awesome, and because people like you, who
> are not professional sysadmins, just looking for answer for their
> questions, not always having knowledge about security, LUG (and pretty much
> anybody) should store passwords securely.
>
> My point is that storing any passwords, anywhere in clear text is very bad
> idea and shouldn't be done on any server, no matter how crucial the service
> is.
>
> 2015-09-01 13:07 GMT+01:00 Martin Wheeler <mwheeler@martinwheeler.co.uk>:
>
>> > Linux User Group mailing list is place for professionals
>>
>> I'm not a professional.
>> Should I unsubscribe ?
>>
>> > It's safe to assume
>> > that place like that has been built by professionals with experience in
>> > systems security.
>>
>> Your assumptions on what is 'safe' leave me speechless.
>> *My* professional interests are European literature; and mediaeval French
>> poetry.
>>
>> > If that is the case why LUG is storing passwords of all their users in
>> > clear text and why those passwords are sent to us every month in clear
>> > text as an email?
>>
>> Mmm. */What/* exactly are you using your LUG account for, I wonder ?
>>
>> > Can this be changed? It's highly insecure especially for people that may
>> > use same password for other services.
>>
>> Oh, Christ.
>> Goodbye.
>> --
>> Martin Wheeler
>>
------------------------------
Message: 5
Date: Tue, 1 Sep 2015 14:34:15 +0100
From: Neil Fraser <nfraser@nadtechnology.co.uk>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CA+Pd-UmDCz+tno=V16rHFaBnCUBgx46XjpHb2JeuSY2u_dOVFQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi
As Mailman disseminates its information by email (including your monthly
password reminder) plain text is pretty much the only way this can be done.
If you are unhappy with this then I suggest you review this page:
http://www.gnu.org/software/mailman/security.html
HTH
Neil
On 1 September 2015 at 12:43, Andrzej Jarzębowski <
jarzebowski.andrzej@gmail.com> wrote:
> Linux User Group mailing list is place for professionals to exchange their
> knowledge about usage and security of Linux systems. It's safe to assume
> that place like that has been built by professionals with experience in
> systems security.
>
> If that is the case why LUG is storing passwords of all their users in
> clear text and why those passwords are sent to us every month in clear text
> as an email?
>
> Can this be changed? It's highly insecure especially for people that may
> use same password for other services. I understand that each password
> should be different but there is a lot of people that don't follow that
> rule. I would be happy to help fix that issue.
------------------------------
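An added example, not part of any message in this digest and not Mailman's code: a sketch of the alternative the thread argues for, where the server keeps only a salted scrypt digest (so no reminder can ever be produced) and what goes out by email is a short-lived, single-use reset token. The `MemberStore` class, its method names and the cost parameters are hypothetical.

```python
import hashlib, hmac, secrets, time

# Constructed parameters for illustration; tune the cost to your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
RESET_TTL = 15 * 60  # seconds a reset token stays valid

class MemberStore:
    """Hypothetical membership store that never keeps a recoverable password."""

    def __init__(self):
        self._pw = {}      # address -> (salt, scrypt digest)
        self._reset = {}   # address -> (sha256 of token, expiry timestamp)

    def set_password(self, addr, password):
        salt = secrets.token_bytes(16)
        self._pw[addr] = (salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT))

    def verify(self, addr, password):
        # Unknown addresses still cost one scrypt run, then fail the comparison.
        salt, digest = self._pw.get(addr, (b"\0" * 16, b""))
        candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        return hmac.compare_digest(candidate, digest)

    def remind(self, addr):
        # A password reminder is impossible by design: nothing stored can be
        # turned back into the password, so there is nothing to email.
        raise NotImplementedError("password is not recoverable; use start_reset()")

    def start_reset(self, addr, now=None):
        """Return a one-time token to email instead of the password."""
        if addr not in self._pw:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is kept, so a leaked store cannot replay it.
        self._reset[addr] = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL)
        return token

    def finish_reset(self, addr, token, new_password, now=None):
        now = time.time() if now is None else now
        stored, expiry = self._reset.pop(addr, (b"", 0))  # single use
        ok = hmac.compare_digest(hashlib.sha256(token.encode()).digest(), stored)
        if not ok or now > expiry:
            return False
        self.set_password(addr, new_password)
        return True
```

An intercepted reset email exposes a token that expires and works once, rather than a password the member may have reused elsewhere.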
End of Bristol Digest, Vol 616, Issue 3
***************************************