Tuesday, 01 September 2015

Bristol Digest, Vol 616, Issue 7

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. Re: Security of LUG (Allen Coates)
2. Re: Security of LUG (Ian Plain)
3. Re: Security of LUG (Alberto Lietor Santos)


----------------------------------------------------------------------

Message: 1
Date: Tue, 01 Sep 2015 20:19:53 +0100
From: Allen Coates <lug-7@cidercounty.org.uk>
To: bristol@mailman.lug.org.uk
Subject: Re: [bristol] Security of LUG
Message-ID: <55E5FA59.6090201@cidercounty.org.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I concur with the notion that storing passwords in the clear smacks of
sloppy workmanship - but then a RADIUS authentication server stores
passwords that way. So the MailMan package is in good company...

Storing encrypted passwords *where the encryption key is available to
the program* is not all that much more secure, and it will add a
layer of complication.

There is then a big jump to one-way hashes of the password, which makes
them irrecoverable - and the monthly "reminder" emails impossible to create.

My gut-feeling is to employ simple encryption to both the user's
password AND all his/her personal data, and then to safeguard the
encryption key as best you can. (Say put it in a file, available to the
mother process but NOT to the user interface).

As for the monthly reminder emails, perhaps there is a case for using
PGP encryption - always supposing the user has a PGP key.

There is no such thing as Total Security - only a "least worst" solution.

Hope this helps.

Allen C
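The three storage options Allen lays out (plain text, reversible encryption with the key readable by the program, and a one-way hash) put side by side, as an added Python example that is not part of the mailing-list thread and is not Mailman's own code. The sample accounts, the key and the toy HMAC-based stream cipher are constructed for the demonstration; the hashing side uses PBKDF2-HMAC-SHA256 from the standard library. The point it makes concrete is the one in the message above: whatever routine can build the monthly reminder mail is the same routine an intruder with the key file runs over the whole member table, whereas the hashed store can only answer "is this the right password", never "what is the password".

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample accounts for the demonstration (not real list members).
USERS = {"alice": "correct horse", "bob": "hunter2"}

# ---- Option 1: reversible encryption, key readable by the program ---------
# Toy keystream cipher: HMAC-SHA256 in counter mode over a per-record nonce.
# It is unauthenticated and exists only to make the recoverability point;
# a real deployment would use an AEAD such as AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def new_key() -> bytes:
    # In Allen's scheme this lives in a file the "mother process" can read.
    return secrets.token_bytes(32)


def encrypt_password(key: bytes, password: str) -> bytes:
    nonce = os.urandom(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct


def decrypt_password(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:16], blob[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode()


def build_encrypted_store(key: bytes) -> dict:
    return {user: encrypt_password(key, pw) for user, pw in USERS.items()}


def dump_encrypted_store(key: bytes, store: dict) -> dict:
    """What anyone who can read both the store and the key file obtains:
    every member's password in the clear. It is also exactly the routine a
    monthly reminder mail needs, which is why the two cannot be separated."""
    return {user: decrypt_password(key, blob) for user, blob in store.items()}


# ---- Option 2: one-way salted hash (PBKDF2-HMAC-SHA256) --------------------
def hash_password(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so a timing difference does not leak prefixes.
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_hashed_store() -> dict:
    return {user: hash_password(pw) for user, pw in USERS.items()}


def demo() -> dict:
    """Run both stores over the sample accounts and report what each allows."""
    key = new_key()
    enc_store = build_encrypted_store(key)
    hashed_store = build_hashed_store()
    return {
        # Reversible store: full recovery for whoever holds the key.
        "recovered": dump_encrypted_store(key, enc_store),
        # Hashed store: verification works, recovery does not exist.
        "alice_login_ok": verify_password("correct horse", hashed_store["alice"]),
        "alice_wrong_pw": verify_password("hunter2", hashed_store["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the reversible store decrypted in full next to two verification results for the hashed store. Note that `hash_password` produces a different string every time for the same input because of the random salt, so a leaked table cannot be cracked for all members at once with one precomputed list.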





------------------------------

Message: 2
Date: Tue, 1 Sep 2015 22:13:40 +0100
From: Ian Plain <ian@cyber-cottage.co.uk>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CAPdamw_+Z1wnuJCSNdszbT=Hx_OMcejxmXPnUL23oCAgBScm1Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Why do you assume that, just because the password is sent as plain text,
it's stored as plain text??

On 1 September 2015 at 15:55, Alberto Lietor Santos <alietors@gmail.com>
wrote:

> The problem is not just the reminder.
> The problem is that if the reminder sends you your password in plain text,
> it is because they have this password somewhere on the server in plain text,
> so, if someone "hacks" the server they have access to all the passwords.
>
> Storing passwords in plain text is clearly a security antipattern, a big
> no-no.
>
> 2015-09-01 15:50 GMT+01:00 Ian Plain <ian@cyber-cottage.co.uk>:
>
>> Or just log in and turn off the password reminder option!!
>>
>> On 1 September 2015 at 15:05, Will Avery <wilf@linuxmail.org> wrote:
>>
>>>
>>> You are not the first to see a problem with this: e.g.
>>> http://www.jwz.org/doc/mailman.html
>>> *Sent:* Tuesday, September 01, 2015 at 12:43 PM
>>> *From:* "Andrzej Jarzębowski" <jarzebowski.andrzej@gmail.com>
>>> *To:* "Bristol and Bath Linux User Group" <bristol@mailman.lug.org.uk>
>>> *Subject:* [bristol] Security of LUG
>>> The Linux User Group mailing list is a place for professionals to exchange
>>> their knowledge about the usage and security of Linux systems. It's safe to
>>> assume that a place like that has been built by professionals with experience
>>> in systems security.
>>>
>>> If that is the case, why is the LUG storing the passwords of all their users
>>> in clear text, and why are those passwords sent to us every month in clear
>>> text in an email?
>>>
>>> Can this be changed? It's highly insecure, especially for people who may
>>> use the same password for other services. I understand that each password
>>> should be different, but there are a lot of people who don't follow that
>>> rule. I would be happy to help fix that issue.
>>> _______________________________________________
>>> Bristol mailing list
>>> Bristol@mailman.lug.org.uk
>>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>>
>>
>>
>>
>> --
>> Thanks
>> Ian Plain
>> http://www.cyber-cottage.co.uk
>> Twitter @cyberco
>> Skype ba17sw
>> Ph: 01225580025
>> Txt: 01225580025
>>
>> *To raise a support request please go to
>> http://cyber-cottage.co.uk/osticket/ and open a new ticket*
>>
>>
>>
>> The information transmitted is intended only for the entity or person to
>> whom it is addressed and may contain confidential and/or privileged
>> material. Any review, retransmission, dissemination or other use of, or
>> taking of any action in reliance upon, this information by persons or
>> entities other than the intended recipient is prohibited. If you receive
>> this in error, please contact the sender and delete the material from any
>> computer or media on which it resides. Any information statements or
>> opinions contained in this message (including any attachments) are given by
>> the author. They are not given on behalf of cyber-cottage.co.uk. This
>> email is for information purposes only and does not create legal relations
>> unless confirmed in a letter or facsimile. cyber-cottage.co.uk does not
>> accept any liability for information not relating to its official business.
>> cyber-cottage.co.uk takes steps to minimise viruses and other errors
>> but cannot guarantee that this email is error free. cyber-cottage.co.uk
>> monitors email traffic for lawful purposes.
>>
>> _______________________________________________
>> Bristol mailing list
>> Bristol@mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>
>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>



--
Thanks
Ian Plain
http://www.cyber-cottage.co.uk
Twitter @cyberco
Skype ba17sw
Ph: 01225580025
Txt: 01225580025

*To raise a support request please go to
http://cyber-cottage.co.uk/osticket/ and open a new ticket*



The information transmitted is intended only for the entity or person to
whom it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you receive
this in error, please contact the sender and delete the material from any
computer or media on which it resides. Any information statements or
opinions contained in this message (including any attachments) are given by
the author. They are not given on behalf of cyber-cottage.co.uk. This
email is for information purposes only and does not create legal relations
unless confirmed in a letter or facsimile. cyber-cottage.co.uk does not
accept any liability for information not relating to its official business.
cyber-cottage.co.uk takes steps to minimise viruses and other errors but
cannot guarantee that this email is error free. cyber-cottage.co.uk
monitors email traffic for lawful purposes.

------------------------------

Message: 3
Date: Tue, 1 Sep 2015 22:45:05 +0100
From: Alberto Lietor Santos <alietors@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CACXZLW5LtCujXU0TKX_xy6S2Lngzh9ZEokxK8BOZQ9Zq-FxCrg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I don't mind how it is stored, but if there is a way to convert what is
stored back into my password, the security is the same: none.
Good password storage is the kind from which you cannot get the original
password back from what is stored. This is the reason you never get your
password recovered from anywhere, just a temporary password.
On 1 Sep 2015 22:14, "Ian Plain" <ian@cyber-cottage.co.uk> wrote:

> Why do you assume that, just because the password is sent as plain text,
> it's stored as plain text??
>
> On 1 September 2015 at 15:55, Alberto Lietor Santos <alietors@gmail.com>
> wrote:
>
>> The problem is not just the reminder.
>> The problem is that if the reminder sends you your password in plain text,
>> it is because they have this password somewhere on the server in plain text,
>> so, if someone "hacks" the server they have access to all the passwords.
>>
>> Storing passwords in plain text is clearly a security antipattern, a big
>> no-no.
>>
>> 2015-09-01 15:50 GMT+01:00 Ian Plain <ian@cyber-cottage.co.uk>:
>>
>>> Or just log in and turn off the password reminder option!!
>>>
>>> On 1 September 2015 at 15:05, Will Avery <wilf@linuxmail.org> wrote:
>>>
>>>>
>>>> You are not the first to see a problem with this: e.g.
>>>> http://www.jwz.org/doc/mailman.html
>>>> *Sent:* Tuesday, September 01, 2015 at 12:43 PM
>>>> *From:* "Andrzej Jarzębowski" <jarzebowski.andrzej@gmail.com>
>>>> *To:* "Bristol and Bath Linux User Group" <bristol@mailman.lug.org.uk>
>>>> *Subject:* [bristol] Security of LUG
>>>> The Linux User Group mailing list is a place for professionals to exchange
>>>> their knowledge about the usage and security of Linux systems. It's safe to
>>>> assume that a place like that has been built by professionals with experience
>>>> in systems security.
>>>>
>>>> If that is the case, why is the LUG storing the passwords of all their users
>>>> in clear text, and why are those passwords sent to us every month in clear
>>>> text in an email?
>>>>
>>>> Can this be changed? It's highly insecure, especially for people who may
>>>> use the same password for other services. I understand that each password
>>>> should be different, but there are a lot of people who don't follow that
>>>> rule. I would be happy to help fix that issue.
>>>> _______________________________________________
>>>> Bristol mailing list
>>>> Bristol@mailman.lug.org.uk
>>>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks
>>> Ian Plain
>>> http://www.cyber-cottage.co.uk
>>> Twitter @cyberco
>>> Skype ba17sw
>>> Ph: 01225580025
>>> Txt: 01225580025
>>>
>>> *To raise a support request please go to
>>> http://cyber-cottage.co.uk/osticket/ and open a new ticket*
>>>
>>>
>>>
>>> _______________________________________________
>>> Bristol mailing list
>>> Bristol@mailman.lug.org.uk
>>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>>
>>
>>
>> _______________________________________________
>> Bristol mailing list
>> Bristol@mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>
>
>
>
> --
> Thanks
> Ian Plain
> http://www.cyber-cottage.co.uk
> Twitter @cyberco
> Skype ba17sw
> Ph: 01225580025
> Txt: 01225580025
>
> *To raise a support request please go to
> http://cyber-cottage.co.uk/osticket/ and open a new ticket*
>
>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>

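The alternative Alberto describes, a temporary credential issued without ever recovering the stored password, as an added Python example that is not part of the thread and is not Mailman's code. The token store, its 15-minute lifetime, the injectable clock and the placeholder reset URL are assumptions made for the demonstration. Only the SHA-256 digest of each token is kept server-side, so a copy of the database does not hand an intruder usable reset links either, and every token is single-use and expiring.

```python
import hashlib
import secrets
import time

# Assumed lifetime for a reset token; a real site would pick its own.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    # Tokens carry 256 bits of entropy, so a plain hash is enough to protect
    # the stored copy; the salt and slow KDF needed for human-chosen
    # passwords are not needed here.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokens:
    """Issue and redeem single-use, expiring password-reset tokens.

    Only the digest of each token is kept. The clear token is handed back
    once, to be mailed to the member, and is never stored."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, used to test expiry
        self._pending = {}       # digest -> (username, expiry timestamp)

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the username the token was issued for, or None.

        The entry is removed on the first attempt whether it succeeds or has
        expired, so a token can never be replayed. The dict lookup is not
        constant-time, which is acceptable only because tokens are random
        and unguessable rather than user-chosen."""
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        username, expiry = entry
        if self._now() > expiry:
            return None
        return username

    def pending_count(self) -> int:
        return len(self._pending)


def reset_mail_body(username: str, token: str) -> str:
    """The only thing that goes out in clear text: a short-lived link, not
    the password. The host name is a placeholder for the example."""
    return (
        f"Hello {username},\n\n"
        "Someone asked to reset your list password. To choose a new one, open\n"
        f"https://example.invalid/reset?token={token}\n"
        f"within {TOKEN_TTL_SECONDS // 60} minutes. "
        "If this was not you, ignore this mail.\n"
    )
```

Redeeming a token leads to a "set a new password" form, after which the new value is hashed and stored as in the earlier example; at no point does the server need to know, or be able to reconstruct, the old one.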
------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 616, Issue 7
***************************************
