Re: [OSM-talk] Mailing list security

2017-11-25 Thread Colin Smale
On 2017-11-25 17:59, Frederik Ramm wrote:

> Hi,
> 
> On 11/25/2017 11:12 AM, Colin Smale wrote: 
> 
>> I just got an email from the mailing list system that my
>> account/membership had been disabled due to "excessive bounces". I have
>> no idea why, but that is not the point I want to make here. My point is
>> that the email I received contained my password to that account, in
>> plain text!
> 
> Why don't we simply nuke all mailman passwords, they're not needed
> anyway. (All the lists I signed up for, I can't remember, either I
> didn't set a password, or Mailman assigned a random one, so it never
> occurred to me that there was anything to protect.)

Might not be a bad idea... System-generated passwords are at least
limited to that one system, and indeed, the worst that can happen is
likely to be that someone cancels your mailing list subscription. The
problem is that people, being human, might use their "usual" password
for multiple sites (despite warnings against this). If mailman is hacked
into revealing the passwords, some of them might be user-entered and may
provide access to other sites as well.

I expect OSM has some kind of "duty of care". If one is allowed to
choose one's own password, the operators need to take reasonable care to
prevent disclosure, and I don't expect a one-time warning would be
sufficient... but IANAL
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


Re: [OSM-talk] Mailing list security

2017-11-25 Thread Tom Hughes

On 25/11/17 16:45, Colin Smale wrote:

> On 2017-11-25 17:31, Tom Hughes wrote:
>
>> On 25/11/17 15:37, Colin Smale wrote:
>>
>>> On 25 November 2017 16:04:45 CET, "Éric Gillet" wrote:
>>>
>>>> Another point: This password is not secure, but what's the worst that
>>>> could happen with it? As long as one doesn't reuse it on other
>>>> applications (as warned during registration), the only action an
>>>> attacker could do would be to unsubscribe you. Not really catastrophic.
>>>
>>> ...until it is hacked and thousands of passwords are stolen. If even one
>>> of those leads to something serious, I am not sure that saying "I told
>>> you so 10 years ago when you signed up" will be enough to absolve the
>>> operators of liability.
>>>
>>> I will open a ticket as suggested.
>>
>> There's really not much point - we will upgrade as and when the
>> packages in Ubuntu are upgraded. We're not going to be installing from
>> source.
>
> In that case I won't bother. I can't help thinking: what a sorry state
> of affairs.
>
> When you say "we", who are you referring to exactly Tom?

The system administrators that are responsible for running it.

I would also add that most sites are sticking with mailman 2 for now
which is likely why the distros haven't upgraded.

The only site I know of that uses mailman 3 is Fedora and from my
experience of it I would say it's still a bit rough around the edges for
now.

Everybody knows the whole password thing with mailman 2 is not ideal and
is basically a major pain but there are no easy solutions to it.


Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


Re: [OSM-talk] Mailing list security

2017-11-25 Thread Frederik Ramm
Hi,

On 11/25/2017 11:12 AM, Colin Smale wrote:
> I just got an email from the mailing list system that my
> account/membership had been disabled due to "excessive bounces". I have
> no idea why, but that is not the point I want to make here. My point is
> that the email I received contained my password to that account, in
> plain text!

Why don't we simply nuke all mailman passwords, they're not needed
anyway. (All the lists I signed up for, I can't remember, either I
didn't set a password, or Mailman assigned a random one, so it never
occurred to me that there was anything to protect.)

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


Re: [OSM-talk] Mailing list security

2017-11-25 Thread Colin Smale
On 2017-11-25 17:31, Tom Hughes wrote:

> On 25/11/17 15:37, Colin Smale wrote:
>
>> On 25 November 2017 16:04:45 CET, "Éric Gillet" wrote:
>>
>>> Another point: This password is not secure, but what's the worst that
>>> could happen with it? As long as one doesn't reuse it on other
>>> applications (as warned during registration), the only action an
>>> attacker could do would be to unsubscribe you. Not really catastrophic.
>>
>> ...until it is hacked and thousands of passwords are stolen. If even one
>> of those leads to something serious, I am not sure that saying "I told
>> you so 10 years ago when you signed up" will be enough to absolve the
>> operators of liability.
>>
>> I will open a ticket as suggested.
>
> There's really not much point - we will upgrade as and when the packages
> in Ubuntu are upgraded. We're not going to be installing from source.

In that case I won't bother. I can't help thinking: what a sorry state
of affairs.

When you say "we", who are you referring to exactly Tom?
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


Re: [OSM-talk] Mailing list security

2017-11-25 Thread Tom Hughes

On 25/11/17 15:37, Colin Smale wrote:

> On 25 November 2017 16:04:45 CET, "Éric Gillet" wrote:
>
>> Another point: This password is not secure, but what's the worst that
>> could happen with it? As long as one doesn't reuse it on other
>> applications (as warned during registration), the only action an
>> attacker could do would be to unsubscribe you. Not really catastrophic.
>
> ...until it is hacked and thousands of passwords are stolen. If even one
> of those leads to something serious, I am not sure that saying "I told
> you so 10 years ago when you signed up" will be enough to absolve the
> operators of liability.
>
> I will open a ticket as suggested.

There's really not much point - we will upgrade as and when the packages
in Ubuntu are upgraded. We're not going to be installing from source.

Upgrading to mailman 3 is a massive job anyway - it's basically a
completely different piece of software. Or rather it's now about five
separate pieces of software that you have to install and connect up.


Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


Re: [OSM-talk] Mailing list security

2017-11-25 Thread Colin Smale


On 25 November 2017 16:04:45 CET, "Éric Gillet" wrote:

> Another point: This password is not secure, but what's the worst that
> could happen with it? As long as one doesn't reuse it on other
> applications (as warned during registration), the only action an
> attacker could do would be to unsubscribe you. Not really catastrophic.

...until it is hacked and thousands of passwords are stolen. If even one of
those leads to something serious, I am not sure that saying "I told you so 10
years ago when you signed up" will be enough to absolve the operators of
liability.

I will open a ticket as suggested.

//colin

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


Re: [OSM-talk] Mailing list security

2017-11-25 Thread Éric Gillet
Hmm, it seems it was released in April 2015, but anyway it's been some time
since the release.
It's not mentioned in the Operations issue tracker, maybe you could open
an issue there to suggest upgrading to mailman 3.
But it seems to be a rewrite of mailman, so it may not be trivial to
migrate to this version.

Another point: This password is not secure, but what's the worst that could
happen with it? As long as one doesn't reuse it on other applications (as
warned during registration), the only action an attacker could do would be
to unsubscribe you. Not really catastrophic.

2017-11-25 12:55 GMT+01:00 Colin Smale :

> On 2017-11-25 11:53, Éric Gillet wrote:
>
> This is non-ideal, but you were warned during your account creation that
> this password is to be considered non-secure :
>
> > You may enter a privacy password below. This provides only mild
> > security, but should prevent others from messing with your subscription. Do
> > not use a valuable password as it will occasionally be emailed back to you
> > in cleartext.
>
>
> Thanks Éric, I admit that "I was warned" but I still find it scandalous in
> this day and age... It seems this shortcoming in mailman was fixed in V3,
> released in 2014. I read here that V3 no longer stores
> unencrypted/decryptable passwords:
>
> https://mail.python.org/pipermail/mailman-users/2014-July/077411.html
>
> Are we still running V2.1?
>
> //colin
>
> ___
> talk mailing list
> talk@openstreetmap.org
> https://lists.openstreetmap.org/listinfo/talk
>
>
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


Re: [OSM-talk] Mailing list security

2017-11-25 Thread Colin Smale
On 2017-11-25 11:53, Éric Gillet wrote: 

> This is non-ideal, but you were warned during your account creation that this 
> password is to be considered non-secure : 
> 
>> You may enter a privacy password below. This provides only mild security, 
>> but should prevent others from messing with your subscription. Do not use a 
>> valuable password as it will occasionally be emailed back to you in 
>> cleartext.

Thanks Éric, I admit that "I was warned" but I still find it scandalous
in this day and age... It seems this shortcoming in mailman was fixed in
V3, released in 2014. I read here that V3 no longer stores
unencrypted/decryptable passwords: 

https://mail.python.org/pipermail/mailman-users/2014-July/077411.html 

Are we still running V2.1? 

//colin
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


Re: [OSM-talk] Mailing list security

2017-11-25 Thread Richard
On Sat, Nov 25, 2017 at 11:12:19AM +0100, Colin Smale wrote:
> I just got an email from the mailing list system that my
> account/membership had been disabled due to "excessive bounces". I have
> no idea why, but that is not the point I want to make here. My point is
> that the email I received contained my password to that account, in
> plain text! 

you mean the useless password to modify your list membership and
options? I never set one, it will generate one for me and email
it to me anyway. It is not supposed to be secure at all.

Problem would be if someone sets the password and uses a "valuable"
one, perhaps mistakenly thinking he should enter his OSM password
there.

> WTF#1: Why is it remembering the cleartext password and not a
> non-reversible hash? 
> 
> WTF#2: Why is it sending my password around in the email? 

IMHO the password is useless for 97% of users and should cease to
exist. Where some authentication to the list server is needed send 
a link or code via email or more secure methods.

Richard

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk
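The two changes the thread asks for, as an added example that is my own code and not Mailman's (WTF#1: keep only a salted, non-reversible hash; WTF#2 and Richard's proposal: never mail the password back, mail a single-use, time-limited token instead). The class and function names, and the PBKDF2 iteration count, are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune per deployment)


def hash_password(password: str) -> str:
    """Store 'salt$digest' (hex); the cleartext cannot be recovered from it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against the stored record."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class OptionsAccess:
    """Emailed single-use token that replaces mailing the password back."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (subscriber email, expiry time)

    def issue_token(self, email: str, now: float) -> str:
        """Create the token that goes into the 'manage your subscription' link.
        Only its hash is kept server-side, so a leaked table is not replayable."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (email, now + self.ttl)
        return token

    def redeem(self, token: str, now: float):
        """Return the subscriber email if the token is valid, else None.
        pop() makes the token single-use; the expiry check bounds its lifetime."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None:
            return None
        email, expiry = entry
        return email if now <= expiry else None
```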


Re: [OSM-talk] Mailing list security

2017-11-25 Thread Éric Gillet
2017-11-25 11:12 GMT+01:00 Colin Smale :

> My point is that the email I received contained my password to that
> account, in plain text!
>
> WTF#1: Why is it remembering the cleartext password and not a
> non-reversible hash?
>
> WTF#2: Why is it sending my password around in the email?
>
> My feeling is that this needs fixing, and quick.
>
This is non-ideal, but you were warned during your account creation that
this password is to be considered non-secure :

> You may enter a privacy password below. This provides only mild security,
> but should prevent others from messing with your subscription. Do not use a
> valuable password as it will occasionally be emailed back to you in
> cleartext.

https://lists.openstreetmap.org/listinfo/talk

I don't think that this mailing-list software (mailman) can work with hashed
passwords.
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


[OSM-talk] Mailing list security

2017-11-25 Thread Colin Smale
I just got an email from the mailing list system that my
account/membership had been disabled due to "excessive bounces". I have
no idea why, but that is not the point I want to make here. My point is
that the email I received contained my password to that account, in
plain text! 

WTF#1: Why is it remembering the cleartext password and not a
non-reversible hash? 

WTF#2: Why is it sending my password around in the email? 

My feeling is that this needs fixing, and quick. 

//colin
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk