Re: [Cryptography] Why is emailing me my password?

2013-10-03 Thread Bill Frantz
On 10/2/13 at 7:16 AM, g...@kinostudios.com (Greg) wrote: I'm interested in cases where Mailman passwords have been abused. Show me one instance where a nuclear reactor was brought down by an earthquake! Just one! Then I'll consider spending the $$ on it! And while you're at it, show me

Re: [Cryptography] Why is emailing me my password?

2013-10-03 Thread Benjamin Kreuter
On Wed, 2 Oct 2013 10:16:42 -0400 Greg g...@kinostudios.com wrote: I'm interested in cases where Mailman passwords have been abused. Show me one instance where a nuclear reactor was brought down by an earthquake! Just one! Then I'll consider spending the $$ on it! Assume for a moment that

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Russ Nelson
Greg writes: This falls somewhere in the land of beyond-the-absurd. So, my password, iPoopInYourHat, is being sent to me in the clear by your servers. Repeat after me: crypto without a threat model is like cookies without milk. If you are proposing that something needs stronger encryption

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Markus Wanner
On 10/01/2013 11:36 PM, R. Hirschfeld wrote: Your objections are understandable but aren't really an issue with mailman because if you don't enter a password then mailman will choose one for you (which I always let it do) and there's no need to remember it because if you ever need it (a rare

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Markus Wanner
On 10/02/2013 12:11 AM, Joshua Marpet wrote: Low security environment, minimal ability to inflict damage, clear instructions from the beginning. Agreed. There certainly are bigger problems on earth. And I really don't mind if you move on and take care of any of those, first. :-) If the

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Markus Wanner
On 10/02/2013 12:03 AM, Greg wrote: Running a mailing list is not hard work. There are only so many things one can fuck up. This is probably one of the biggest mistakes that can be made in running a mailing list, and on a list that's about software security. It's just ridiculous. While I

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Greg
I'm interested in cases where Mailman passwords have been abused. Show me one instance where a nuclear reactor was brought down by an earthquake! Just one! Then I'll consider spending the $$ on it! -- Please do not email me anything that you are not comfortable also sharing with the NSA. On

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Greg
While I agree in principle, I don't quite like the tone here. I agree, I apologize for the excessively negative tone. I think RL (and unrelated) agitation affected my writing and word choice. I've taken steps to prevent that from happening again (via magic of self-censoring software). But I

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Markus Wanner
On 10/02/2013 04:32 PM, Greg wrote: I agree, I apologize for the excessively negative tone. I think RL (and unrelated) agitation affected my writing and word choice. I've taken steps to prevent that from happening again (via magic of self-censoring software). Cool. :-) I don't see why a

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Greg
Hm.. that's a nice idea, but I don't think it can work reliably. What if the send path changes in between? AFAIK there are legitimate reasons for that, like load balancers or weird greylisting setups. You're right, I think I misunderstood you when you talked about a one time password. I

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Lodewijk andré de la porte
2013/10/2 Russ Nelson nel...@crynwr.com If you are proposing that something needs stronger encryption than ROT-26, please explain the threat model that justifies your choice of encryption and key distribution algorithms. ROT-26 is fantastic for certain purposes. Like when encrypting for kids

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Nick
On Tue, Oct 01, 2013 at 10:28:48AM -0400, Greg wrote: So, my password, iPoopInYourHat, is being sent to me in the clear by your servers. All mailman lists do this by default. It does tell you on the sign up page that it will do so, and that you shouldn't use a 'valuable' (e.g. used elsewhere)

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Eitan Adler
On Tue, Oct 1, 2013 at 10:28 AM, Greg g...@kinostudios.com wrote: This falls somewhere in the land of beyond-the-absurd. Just got this message from your robot: ... So, my password, iPoopInYourHat, is being sent to me in the clear by your servers. Of all the places on the internet, this

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Lodewijk andré de la porte
It's reasonable as it's not a security sensitive environment. Please for the love of god let some environments stay low-sec. 2013/10/1 Nick cryptography-l...@njw.me.uk On Tue, Oct 01, 2013 at 10:28:48AM -0400, Greg wrote: So, my password, iPoopInYourHat, is being sent to me in the clear by

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Kent Borg
On 10/01/2013 10:28 AM, Greg wrote: This falls somewhere in the land of beyond-the-absurd. I noticed the password would be mailed in the clear when I signed up, but even if I had not, I would not have been bothered to later discover it. What is the harm? The sensitivity of this password is

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Benjamin Kreuter
On Tue, 1 Oct 2013 10:28:48 -0400 Greg g...@kinostudios.com wrote: So, my password, iPoopInYourHat, is being sent to me in the clear by your servers. Two things to keep in mind: 1. The damage one can do to you with knowledge of this password is beyond minimal. You might have your list

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Greg
There is nothing difficult about the right course of action here: Don't send the password. Disable this silly default. The attitude expressed in these replies is a disgrace to the profession of software security, and a disgrace to the list. It doesn't matter whether or not I should be using a

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Markus Wanner
On 10/01/2013 06:56 PM, Benjamin Kreuter wrote: 2. The password is sent just in case you forgot it and want to unsubscribe. Without the password, any troll might unsubscribe you from the list by simply forging headers. Were this to be encrypted, you would wind up with the classic

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Kelly John Rose
I think that's absurd to say that it gives a false sense of security. It only gives a sense of security if you didn't read the text when you entered the password in the first place. It keeps people from doing mass unsubscribes trivially. If someone was targeting you, yes, they would be able to

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Markus Wanner
On 10/01/2013 10:26 PM, Kelly John Rose wrote: I think that's absurd to say that it gives a false sense of security. It only gives a sense of security if you didn't read the text when you entered the password in the first place. Well, that applies to at least 90% of people for 90% of the cases.

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Bill Frantz
On 10/1/13 at 1:43 PM, mar...@bluegap.ch (Markus Wanner) wrote: Let's compare apples to apples: even if you manage to actually read the instructions, you actually have to do so, have to come up with a throw-away-password, and remember it. For no additional safety compared to one-time tokens.

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Greg
Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST. Huh? 1. I don't know what top post means, and I see nothing here about it:

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Joshua Marpet
Low security environment, minimal ability to inflict damage, clear instructions from the beginning. If the system and processes are not to your liking, that's understandable. Everyone is different. There are other choices. If you'd like to investigate them, determine an appropriate one, and

Re: [Cryptography] Why is emailing me my password?

2013-10-01 Thread Greg
Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST. Actually, my previous reply to this comment of yours did not adequately point out the magnitude of its idiocy. The reason I