Wednesday, 02 September 2015

Bristol Digest, Vol 616, Issue 8

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. Re: Security of LUG (MFPA)
2. Re: Security of LUG (Allen Coates)
3. Re: Security of LUG (Amias Channer)


----------------------------------------------------------------------

Message: 1
Date: Wed, 2 Sep 2015 00:13:40 +0100
From: MFPA <2014-667rhzu3dc-lists-groups@riseup.net>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <55E63124.4010101@riseup.net>
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

Tue, 01 Sep 2015 20:19:53 +0100, in Message-ID
<55E5FA59.6090201@cidercounty.org.uk>, Allen wrote:-

> My gut-feeling is to employ simple encryption to both the user's
> password AND all his/her personal data, and then to safeguard the
> encryption key as best you can.

What personal data are we talking about, apart from email address?



- --
MFPA <Mailto:2014-667rhzu3dc-lists-groups@riseup.net>
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



------------------------------

Message: 2
Date: Wed, 02 Sep 2015 01:34:17 +0100
From: Allen Coates <lug-7@cidercounty.org.uk>
To: bristol@mailman.lug.org.uk
Subject: Re: [bristol] Security of LUG
Message-ID: <55E64409.8060002@cidercounty.org.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed



On 02/09/15 00:13, MFPA wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi
>
> Tue, 01 Sep 2015 20:19:53 +0100, in Message-ID
> <55E5FA59.6090201@cidercounty.org.uk>, Allen wrote:-
>
>> My gut-feeling is to employ simple encryption to both the user's
>> password AND all his/her personal data, and then to safeguard the
>> encryption key as best you can.
> What personal data are we talking about, apart from email address?
Anything the administrators care to store about me.

Don't forget it's not just my data being stored. If someone compromises
the server, they will have a complete list of all the subscribers.
Depending on how things are organised, perhaps of all the subscribers to
all the LUGs in the country.

In quantities like that, even "just" a name / email pair will become
valuable.

It's a pipe-dream, I know, but I would like to think that *ALL* personal
data - however trivial - is protected.


>
>
>
> - --
> MFPA <Mailto:2014-667rhzu3dc-lists-groups@riseup.net>
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>
>




------------------------------

Message: 3
Date: Wed, 2 Sep 2015 12:26:51 +0100
From: Amias Channer <me@amias.net>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID:
<CAMgU7XUFM9t6zNyWO1JtCoLJTjOM08La=ff=j9HZ2hvH-VC5RA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello luggers,

You could get a list of all active members by signing up and then
downloading the archives.

I would argue that whilst the security could be improved, the benefits are
not worth it because the data is not sensitive or dangerous; it's meant to
be public. The costs of implementing more security would be more expensive
hosting for the extra load computing passwords and more admin time dealing
with broken accounts, as well as the time to make the changes.

I'm pretty sure this is all run by volunteers so that load may well break
the deal.

The solution is simple, just don't use an important password for your lug
account and if you are that bothered just disable password reminders for
your account.

Cheers
Amias

On 2 September 2015 at 01:34, Allen Coates <lug-7@cidercounty.org.uk> wrote:

>
>
> On 02/09/15 00:13, MFPA wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Hi
>>
>> Tue, 01 Sep 2015 20:19:53 +0100, in Message-ID
>> <55E5FA59.6090201@cidercounty.org.uk>, Allen wrote:-
>>
>>> My gut-feeling is to employ simple encryption to both the user's
>>> password AND all his/her personal data, and then to safeguard the
>>> encryption key as best you can.
>>
>> What personal data are we talking about, apart from email address?
>>
> Anything the administrators care to store about me.
>
> Don't forget it's not just my data being stored. If someone compromises
> the server, they will have a complete list of all the subscribers.
> Depending on how things are organised, perhaps of all the subscribers to
> all the LUGs in the country.
>
> In quantities like that, even "just" a name / email pair will become
> valuable.
>
> It's a pipe-dream, I know, but I would like to think that *ALL* personal
> data - however trivial - is protected.
>
>
>
>
>>
>>
>> - -- MFPA <Mailto:2014-667rhzu3dc-lists-groups@riseup.net>
>> -----BEGIN PGP SIGNATURE-----
>>
>> -----END PGP SIGNATURE-----

------------------------------

Subject: Digest Footer

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

------------------------------

End of Bristol Digest, Vol 616, Issue 8
***************************************
