Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk
You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."
Today's Topics:
1. Re: Security of LUG (peter@hemmings.eclipse.co.uk)
2. Re: Security of LUG (Max Brooks)
----------------------------------------------------------------------
Message: 1
Date: Tue, 01 Sep 2015 19:20:25 +0300
From: peter@hemmings.eclipse.co.uk
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <1441124425.194749710@f28.my.com>
Content-Type: text/plain; charset="utf-8"
This subject has obviously more activity (12 in 5 hours) and only one proposal but many opinions.
If someone wishes to sort out a more secure setup AND will be an active Member for at least a couple of years, then step forward and make yourself known and put forward a proposal!
We can then move forward but Dave Smith the list administrator should have an input before anything is decided.
Just my 4p's worth as periodically we have a burst of activity but nothing develops, but this might be different!!
--
Peter H
Sent from myMail app for Android
Tuesday, 01 September 2015, 04:41pm +01:00 from Alberto Lietor Santos <alietors@gmail.com>:
>How does this change anything?
>
>2015-09-01 16:37 GMT+01:00 Max Brooks <psykx.out@gmail.com>:
>>You do realize that this list is public, right? All the information is available without any sort of password.
>>
>>Sent from my iPhone, please excuse any typos.
>>
>>On 01 Sep 2015, at 15:55, Alberto Lietor Santos <alietors@gmail.com> wrote:
>>
>>>The problem is not just the reminder.
>>>The problem is that if the reminder sends you your password in plain text, it is because they have this password somewhere on the server in plain text, so if someone "hacks" the server they have access to all the passwords.
>>>
>>>Storing passwords in plain text is clearly a security antipattern, a big no-no.
>>>
>>>2015-09-01 15:50 GMT+01:00 Ian Plain <ian@cyber-cottage.co.uk>:
>>>>Or just log in and turn off the password reminder option. !!
>>>>
>>>>On 1 September 2015 at 15:05, Will Avery <wilf@linuxmail.org> wrote:
>>>>>
>>>>>You are not the first to see a problem with this: e.g. http://www.jwz.org/doc/mailman.html
>>>>>Sent: Tuesday, September 01, 2015 at 12:43 PM
>>>>>From: "Andrzej Jarzębowski" <jarzebowski.andrzej@gmail.com>
>>>>>To: "Bristol and Bath Linux User Group" <bristol@mailman.lug.org.uk>
>>>>>Subject: [bristol] Security of LUG
>>>>>The Linux User Group mailing list is a place for professionals to exchange their knowledge about usage and security of Linux systems. It's safe to assume that a place like that has been built by professionals with experience in systems security.
>>>>>
>>>>>If that is the case, why is LUG storing passwords of all their users in clear text, and why are those passwords sent to us every month in clear text as an email?
>>>>>
>>>>>Can this be changed? It's highly insecure, especially for people that may use the same password for other services. I understand that each password should be different, but there are a lot of people that don't follow that rule. I would be happy to help fix that issue.
>>>>>_______________________________________________
>>>>>Bristol mailing list
>>>>>Bristol@mailman.lug.org.uk
>>>>>https://mailman.lug.org.uk/mailman/listinfo/bristol
>>>>
>>>>--
>>>>Thanks
>>>>Ian Plain
>>>>http://www.cyber-cottage.co.uk
>>>>Twitter @cyberco
>>>>Skype ba17sw
>>>>Ph: 01225580025
>>>>Txt: 01225580025
>>>>
>>>>To raise a support request please go to http://cyber-cottage.co.uk/osticket/ and open a new ticket
>>>>
>>>>The information transmitted is intended only for the entity or person to whom it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you receive this in error, please contact the sender and delete the material from any computer or media on which it resides. Any information statements or opinions contained in this message (including any attachments) are given by the author. They are not given on behalf of cyber-cottage.co.uk. This email is for information purposes only and does not create legal relations unless confirmed in a letter or facsimile. cyber-cottage.co.uk does not accept any liability for information not relating to its official business. cyber-cottage.co.uk takes steps to minimise viruses and other errors but cannot guarantee that this email is error free. cyber-cottage.co.uk monitors email traffic for lawful purposes.
------------------------------
Message: 2
Date: Tue, 1 Sep 2015 17:53:43 +0100
From: Max Brooks <psykx.out@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <16105E91-6A79-4184-9A0B-8CFDD20A7D9B@gmail.com>
Content-Type: text/plain; charset="utf-8"
Well security analysis is usually a risk based activity. Given that the likelihood of a password being stolen from an email is low, and that it would only give you access to public information, it seems like talking about security anti patterns is OTT.
Thanks, Max B
Sent from my iPhone, please excuse any typos.
------------------------------
Subject: Digest Footer
_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol
------------------------------
End of Bristol Digest, Vol 616, Issue 6
***************************************
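Added example, not part of the digest and not Mailman's own code: the thread's point that a server able to mail you your password must be holding it in recoverable form, shown beside a salted-hash store where no reminder is possible and a one-time reset token takes its place. All function names, addresses and passwords below are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample subscribers; addresses and passwords are made up.
SUBSCRIBERS = {"alice@example.org": "correct horse", "bob@example.org": "hunter2"}

def _kdf(password, salt):
    # scrypt is deliberately slow and memory-hard, which limits offline guessing.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def plaintext_store(subs):
    """What a monthly reminder implies: the server keeps the password itself."""
    return dict(subs)

def hashed_store(subs):
    """Keep only a per-user random salt and the scrypt digest."""
    store = {}
    for addr, password in subs.items():
        salt = secrets.token_bytes(16)
        store[addr] = (salt, _kdf(password, salt))
    return store

def verify(store, addr, attempt):
    """Log-in check against the hashed store, compared in constant time."""
    salt, digest = store[addr]
    return hmac.compare_digest(digest, _kdf(attempt, salt))

def leaked_passwords(store_dump):
    """Passwords readable as-is from a copy of the store (the breach case)."""
    return [value for value in store_dump.values() if isinstance(value, str)]

def issue_reset_token(pending, addr):
    """Replaces the reminder: mail a random token, keep only its hash."""
    token = secrets.token_urlsafe(32)
    pending[addr] = hashlib.sha256(token.encode()).hexdigest()
    return token

def redeem_reset_token(pending, addr, token):
    """Single use: the stored hash is removed on the first attempt."""
    expected = pending.pop(addr, None)
    offered = hashlib.sha256(token.encode()).hexdigest()
    return expected is not None and hmac.compare_digest(expected, offered)
```

A production reset flow would also give each token an expiry time; that is left out here to keep the comparison short.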