Tuesday, 01 September 2015

Bristol Digest, Vol 616, Issue 4

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. Re: Security of LUG (Rayner)
2. Re: Security of LUG (Will Avery)
3. Re: Security of LUG (Ian Plain)
4. Re: Security of LUG (Emlyn Jones)
5. Re: Security of LUG (Alberto Lietor Santos)


----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Sep 2015 14:51:22 +0100 (BST)
From: Rayner <rayner+lug@anarres-worlds.org>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <alpine.DEB.2.10.1509011434490.1216@teal.anarres.org>
Content-Type: text/plain; charset="iso-8859-2"; Format="flowed"



On Tue, 1 Sep 2015, Andrzej Jarzębowski wrote:

> If that is the case, why is the LUG storing the passwords of all its users in clear
> text, and why are those passwords sent to us every month in clear text as an
> email?

This is a misfeature of GNU Mailman 2.1, which was designed in a less
security-conscious time. In Mailman 3, passwords are encrypted and
there are no reminder e-mails.


> Can this be changed? It's highly insecure, especially for people who may use the
> same password for other services. I understand that each password should be
> different, but there are a lot of people who don't follow that rule. I would
> be happy to help fix that issue.

The mailing list is provided by lug.org.uk. We would either need to
move to a new mailing list platform, or convince the admins
(http://lug.org.uk/admins) of lug.org.uk to upgrade to Mailman 3.

Until one of those things happens, you can make your password slightly
more secure by turning off the reminder e-mails:
http://wiki.list.org/DOC/How%20do%20I%20turn%20off%20passwords%20completely%3F

Best regards,
Rayner

------------------------------

Message: 2
Date: Tue, 1 Sep 2015 16:05:30 +0200
From: "Will Avery" <wilf@linuxmail.org>
To: bristol@mailman.lug.org.uk
Subject: Re: [bristol] Security of LUG
Message-ID:
<trinity-01f37509-7191-4549-93da-9977e2002924-1441116330140@3capp-mailcom-lxa07>

Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: <https://mailman.lug.org.uk/mailman/private/bristol/attachments/20150901/dd35d7df/attachment-0001.html>

------------------------------

Message: 3
Date: Tue, 1 Sep 2015 15:50:00 +0100
From: Ian Plain <ian@cyber-cottage.co.uk>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CAPdamw8oeB+PVaTGQSzbSCCpDgdiv3U+UBP3bOR0sUA8qTk=HQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Or just log in and turn off the password reminder option!

On 1 September 2015 at 15:05, Will Avery <wilf@linuxmail.org> wrote:

>
> You are not the first to see a problem with this: e.g.
> http://www.jwz.org/doc/mailman.html
> *Sent:* Tuesday, September 01, 2015 at 12:43 PM
> *From:* "Andrzej Jarzębowski" <jarzebowski.andrzej@gmail.com>
> *To:* "Bristol and Bath Linux User Group" <bristol@mailman.lug.org.uk>
> *Subject:* [bristol] Security of LUG
> The Linux User Group mailing list is a place for professionals to exchange their
> knowledge about the usage and security of Linux systems. It's safe to assume
> that a place like that has been built by professionals with experience in
> systems security.
>
> If that is the case, why is the LUG storing the passwords of all its users in
> clear text, and why are those passwords sent to us every month in clear text
> as an email?
>
> Can this be changed? It's highly insecure, especially for people who may
> use the same password for other services. I understand that each password
> should be different, but there are a lot of people who don't follow that
> rule. I would be happy to help fix that issue.
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>



--
Thanks
Ian Plain
http://www.cyber-cottage.co.uk
Twitter @cyberco
Skype ba17sw
Ph: 01225580025
Txt: 01225580025

*To raise a support request please go to http://cyber-cottage.co.uk/osticket/
and open a new ticket*



The information transmitted is intended only for the entity or person to
whom it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you receive
this in error, please contact the sender and delete the material from any
computer or media on which it resides. Any information statements or
opinions contained in this message (including any attachments) are given by
the author. They are not given on behalf of cyber-cottage.co.uk. This
email is for information purposes only and does not create legal relations
unless confirmed in a letter or facsimile. cyber-cottage.co.uk does not
accept any liability for information not relating to its official business.
cyber-cottage.co.uk takes steps to minimise viruses and other errors but
cannot guarantee that this email is error free. cyber-cottage.co.uk
monitors email traffic for lawful purposes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.lug.org.uk/mailman/private/bristol/attachments/20150901/cef2ab8f/attachment-0001.html>

------------------------------

Message: 4
Date: Tue, 01 Sep 2015 14:55:24 +0000
From: Emlyn Jones <lug@brizzle.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CAKX26Hd+Y6HdzGUqAexRQgBD-g5AKyyMHvPwPVAkZ-vpA4-3hg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

The password is entirely optional. The instructions on sign up could not be
any clearer:

" You may enter a privacy password below. This provides only mild security,
but should prevent others from messing with your subscription. Do not use a
valuable password as it will occasionally be emailed back to you in
cleartext."

https://mailman.lug.org.uk/mailman/listinfo/bristol/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.lug.org.uk/mailman/private/bristol/attachments/20150901/5bb45127/attachment-0001.html>

------------------------------

Message: 5
Date: Tue, 1 Sep 2015 15:55:47 +0100
From: Alberto Lietor Santos <alietors@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CACXZLW73GtbM=hgWzbdm4bSY=ETunac3hWHk12-d3LX9JJ6qvw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

The problem is not just the reminder.
The problem is that if the reminder sends you your password in plain text, it is
because they have this password somewhere on the server in plain text, so
if someone "hacks" the server they have access to all the passwords.

Storing passwords in plain text is clearly a security antipattern, a big no-no.

2015-09-01 15:50 GMT+01:00 Ian Plain <ian@cyber-cottage.co.uk>:

> Or just log in and turn off the password reminder option. !!
>
> On 1 September 2015 at 15:05, Will Avery <wilf@linuxmail.org> wrote:
>
>>
>> You are not the first to see a problem with this: e.g.
>> http://www.jwz.org/doc/mailman.html
>> *Sent:* Tuesday, September 01, 2015 at 12:43 PM
>> *From:* "Andrzej Jarzębowski" <jarzebowski.andrzej@gmail.com>
>> *To:* "Bristol and Bath Linux User Group" <bristol@mailman.lug.org.uk>
>> *Subject:* [bristol] Security of LUG
>> The Linux User Group mailing list is a place for professionals to exchange
>> their knowledge about the usage and security of Linux systems. It's safe to
>> assume that a place like that has been built by professionals with experience
>> in systems security.
>>
>> If that is the case, why is the LUG storing the passwords of all its users in
>> clear text, and why are those passwords sent to us every month in clear text
>> as an email?
>>
>> Can this be changed? It's highly insecure, especially for people who may
>> use the same password for other services. I understand that each password
>> should be different, but there are a lot of people who don't follow that
>> rule. I would be happy to help fix that issue.
>> _______________________________________________
>> Bristol mailing list
>> Bristol@mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>
>
>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.lug.org.uk/mailman/private/bristol/attachments/20150901/0f5f658d/attachment.html>
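The point Alberto makes above, that a reminder which can mail your password back implies the server holds it in cleartext, is easiest to see side by side in code. The following is an added example written for this digest; it is not code from the thread, from lug.org.uk or from Mailman itself. It contrasts a Mailman-2.1-style cleartext store with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library, chosen here for illustration; Mailman 3's actual password scheme is not reproduced), then simulates the "someone hacks the server" case: a stolen copy of each store is handed to an attacker with a small wordlist. The addresses, passwords and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample sign-ups (illustrative only, not real list data): address -> password
SAMPLE_SIGNUPS = {
    "alice@example.org": "Tr0ub4dor&3-Xk9",  # not in any small wordlist
    "bob@example.org": "hunter2",            # weak, and reused on other services
}

# Constructed wordlist an attacker might run against a stolen copy of the store
SMALL_WORDLIST = ["password", "123456", "hunter2", "linux", "bristol"]


class PlaintextStore:
    """Mailman-2.1-style store: the password is kept as typed, so a monthly
    reminder can send it back, and a copy of the store yields every password."""

    def __init__(self):
        self._db = {}

    def enrol(self, address, password):
        self._db[address] = password

    def check(self, address, password):
        return hmac.compare_digest(self._db.get(address, ""), password)

    def reminder_body(self, address):
        # Only possible because the cleartext is available server-side.
        return f"Your password for {address} is: {self._db[address]}"

    def dump(self):
        # What an attacker gets with a copy of the data.
        return dict(self._db)


class HashedStore:
    """Salted, slow hash. The server can verify a password but cannot send it
    back; a copy of the store reveals only salts and hashes."""

    ITERATIONS = 100_000  # deliberately slow; tune upward on real hardware

    def __init__(self):
        self._db = {}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def enrol(self, address, password):
        salt = os.urandom(16)  # fresh per-user salt defeats precomputed tables
        self._db[address] = (salt, self._derive(password, salt))

    def check(self, address, password):
        rec = self._db.get(address)
        if rec is None:
            # Burn a derivation anyway so an unknown address is not obvious from timing.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(password, salt))

    def reminder_body(self, address):
        raise NotImplementedError("cleartext is not stored; only a reset link can be sent")

    def dump(self):
        return {a: (s.hex(), h.hex()) for a, (s, h) in self._db.items()}


def build(store_cls):
    store = store_cls()
    for address, password in SAMPLE_SIGNUPS.items():
        store.enrol(address, password)
    return store


def offline_guess(hashed_dump, wordlist, iterations=HashedStore.ITERATIONS):
    """Attacker holding a stolen copy of the hashed store tries each wordlist
    entry per account. Only passwords present in the list come back, and every
    try costs a full PBKDF2 derivation, which is what limits the attacker."""
    recovered = {}
    for address, (salt_hex, hash_hex) in hashed_dump.items():
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        for guess in wordlist:
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
            if hmac.compare_digest(stored, candidate):
                recovered[address] = guess
                break
    return recovered


if __name__ == "__main__":
    plain, hashed = build(PlaintextStore), build(HashedStore)
    print("cleartext dump leaks:", plain.dump())
    print("hashed dump, wordlist attack recovers:", offline_guess(hashed.dump(), SMALL_WORDLIST))
```

Two things the run makes concrete: the cleartext store hands over both passwords the moment its data is copied, while the hashed store gives up only the weak, wordlist-guessable one, and nothing at all about the other; and `HashedStore.reminder_body` cannot exist, which is exactly why a system that sends reminders must be keeping cleartext. Hashing does not rescue a reused password like "hunter2", so the advice in the sign-up text (do not use a valuable password here) still applies even on a hashed system.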

------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 616, Issue 4
***************************************
