Re: [Cryptography] Why is emailing me my password?
On 10/2/13 at 7:16 AM, g...@kinostudios.com (Greg) wrote:

>> I'm interested in cases where Mailman passwords have been abused.
>
> Show me one instance where a nuclear reactor was brought down by an earthquake! Just one! Then I'll consider spending the $$ on it!

And while you're at it, show me the cost of the abuse.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | When it comes to the world     | Periwinkle
(408)356-8506      | around us, is there any choice | 16345 Englewood Ave
www.pwpconsult.com | but to explore? - Lisa Randall | Los Gatos, CA 95032

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Why is emailing me my password?
On Wed, 2 Oct 2013 10:16:42 -0400 Greg <g...@kinostudios.com> wrote:

>> I'm interested in cases where Mailman passwords have been abused.
>
> Show me one instance where a nuclear reactor was brought down by an earthquake! Just one! Then I'll consider spending the $$ on it!

Assume for a moment that there are no other systems involved, and compare the failure of a nuclear power plant to a leaked mailman password. On its own, a failure at a nuclear power plant can render tens of thousands of square miles uninhabitable. On its own, a leaked mailman password causes a few minutes of annoyance.

Really, the issue here is not mailman. Mailman passwords address a very minor security issue and mailing them in plaintext has no effect on said security. The real issue is that passwords are being used in places where security really does matter, and that someone might have used the same password for mailman as they did for one of those systems. If you ask me, the problem is not mailman sending out the passwords, nor the fact that people often use the same password everywhere; the problem is that passwords are being used to secure important things.

-- Ben

--
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu
KK4FJZ

--
"If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." - George Orwell
Re: [Cryptography] Why is emailing me my password?
Greg writes:

> This falls somewhere in the land of beyond-the-absurd.
>
> So, my password, iPoopInYourHat, is being sent to me in the clear by your servers.

Repeat after me: crypto without a threat model is like cookies without milk. If you are proposing that something needs stronger encryption than ROT-26, please explain the threat model that justifies your choice of encryption and key distribution algorithms.

--
--my blog is at http://blog.russnelson.com
Crynwr supports open source software
521 Pleasant Valley Rd. | +1 315-600-8815
Potsdam, NY 13676-3213  | Sheepdog
Re: [Cryptography] Why is emailing me my password?
On 10/01/2013 11:36 PM, R. Hirschfeld wrote:

> Your objections are understandable but aren't really an issue with mailman because if you don't enter a password then mailman will choose one for you (which I always let it do) and there's no need to remember it because if you ever need it (a rare occasion!) and don't happen to have a monthly password reminder to hand, clicking the link at the bottom of each list message will take you to a page where you can have it mailed to you.

Mailman choosing a random password for you is certainly better, yes. And closer to the email-based OTP solution. It's still a permanent password, though. By definition, a single interception suffices for an attacker to be able to (ab)use it until you modify it. As opposed to the mail-based OTP scheme. And the monthly reminder essentially makes an interception even more likely.

Granted, the worst an attacker can do with an intercepted password (permanent or OTP) is just a tad annoying - given it's not used elsewhere.

> The real danger is that those who don't read the instructions might enter a password that they use elsewhere and want to keep secure.

Agreed. It's opposed to good practice and common sense of password handling.

Regards
Markus Wanner
Re: [Cryptography] Why is emailing me my password?
On 10/02/2013 12:11 AM, Joshua Marpet wrote:

> Low security environment, minimal ability to inflict damage, clear instructions from the beginning.

Agreed. There certainly are bigger problems on earth. And I really don't mind if you move on and take care of any of those, first. :-)

> If the system and processes are not to your liking, that's understandable. Everyone is different.

Please read my arguments, I'm not opposed to it based on personal preference. Quite the opposite, I actually like web front-ends better than email commands. But in this case, I think a mail-based OTP solution is better from a security perspective.

> There are other choices. If you'd like to investigate them, determine an appropriate one, and advocate a move to it, that would be welcomed, I presume?

I did investigate. And I'm currently using smartlist. Whether or not you or anybody else moves is entirely up to you or them. If you use mailman, your users better be aware it doesn't follow best practice regarding password handling, though.

And yes, smartlist certainly has its issues as well. If you know of any, please let me know as well.

> No offense meant, in any way. Please forgive me if offense is given.

No offense taken. And if it were, you're hereby forgiven. ;-)

Regards
Markus Wanner
Re: [Cryptography] Why is emailing me my password?
On 10/02/2013 12:03 AM, Greg wrote:

> Running a mailing list is not hard work. There are only so many things one can fuck up. This is probably one of the biggest mistakes that can be made in running a mailing list, and on a list that's about software security. It's just ridiculous.

While I agree in principle, I don't quite like the tone here. But I liked your password, though. ;-)

And no: there certainly are bigger mistakes an admin of a mailing list can do. Think: members list, spam, etc.

> A mailing list shouldn't have any passwords to begin with. There is no need for passwords, and it shouldn't be possible for anyone to unsubscribe anyone else.
>
> User: Unsubscribe [EMAIL] -> Server
> Server: Are you sure? -> [EMAIL]
> User@[EMAIL]: YES! -> Server.
>
> No passwords, and no fake unsubscribes.

For that to be as secure as you make it sound, you still need a password or token. Hopefully a one-time, randomly generated one, but it's still a password. And it still crosses the wires unencrypted and can thus be intercepted by a MITM.

The gain of that approach really is that there's no danger of a user inadvertently revealing a valuable password. The limited life time of the OTP may also make it a tad harder for an attacker, but given the (absence of) value for an attacker, that's close to irrelevant.

Regards
Markus Wanner
Re: [Cryptography] Why is emailing me my password?
> I'm interested in cases where Mailman passwords have been abused.

Show me one instance where a nuclear reactor was brought down by an earthquake! Just one! Then I'll consider spending the $$ on it!

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 1, 2013, at 6:38 PM, Bill Frantz <fra...@pwpconsult.com> wrote:

> [...]
Re: [Cryptography] Why is emailing me my password?
> While I agree in principle, I don't quite like the tone here.

I agree, I apologize for the excessively negative tone. I think RL (and unrelated) agitation affected my writing and word choice. I've taken steps to prevent that from happening again (via magic of self-censoring software).

> But I liked your password, though. ;-)

Thanks! ^_^

> For that to be as secure as you make it sound, you still need a password or token. Hopefully a one-time, randomly generated one, but it's still a password. And it still crosses the wires unencrypted and can thus be intercepted by a MITM.
>
> The gain of that approach really is that there's no danger of a user inadvertently revealing a valuable password. The limited life time of the OTP may also make it a tad harder for an attacker, but given the (absence of) value for an attacker, that's close to irrelevant.

I don't see why a one-time-password is necessary. Just check the headers to verify that the send-path was the same as it was on the original request.

Somebody used the phrase "repeat after me" previously. I'll give it a shot too:

Repeat after me: Sending *any* user password (no matter how unimportant /you/ think it is) in the clear is extremely poor practice and should never be done. And, if a password is completely unnecessary, it should not be used.

On a side-note (Re: Russ's email and others), I can't believe people are talking about "encryption and key distribution algorithms" in reference to this topic.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 2, 2013, at 3:58 AM, Markus Wanner <mar...@bluegap.ch> wrote:

> [...]
Re: [Cryptography] Why is emailing me my password?
On 10/02/2013 04:32 PM, Greg wrote:

> I agree, I apologize for the excessively negative tone. I think RL (and unrelated) agitation affected my writing and word choice. I've taken steps to prevent that from happening again (via magic of self-censoring software).

Cool. :-)

> I don't see why a one-time-password is necessary. Just check the headers to verify that the send-path was the same as it was on the original request.

Hm.. that's a nice idea, but I don't think it can work reliably. What if the send path changes in between? AFAIK there are legitimate reasons for that, like load balancers or weird greylisting setups.

Plus: why should that part of the header be more trustworthy than any other part? Granted, at least the last IP is added by a trusted server. But doesn't that boil down to IP-based authentication?

I'm not saying it's impossible, I just don't think it's as good as a one-time token. Do you know of a mailing list software implementing such a thing?

Regards
Markus Wanner
Re: [Cryptography] Why is emailing me my password?
> Hm.. that's a nice idea, but I don't think it can work reliably. What if the send path changes in between? AFAIK there are legitimate reasons for that, like load balancers or weird greylisting setups.

You're right, I think I misunderstood you when you talked about a "one time password". I thought you were referring to something users would have to come up with.

If by "one time password" you mean a server-generated token, then yes, that would be far better. That's standard practice for most mailing lists. The token is usually a unique challenge link sent back to the user, and they can either click on it or reply to the message while quoting the link in the body. Sometimes it's also a unique number in the subject line.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 2, 2013, at 10:40 AM, Markus Wanner <mar...@bluegap.ch> wrote:

> [...]
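The email-only unsubscribe exchange argued over in this thread (a request from anyone, a challenge sent to the subscribed address, a reply that quotes a server-generated one-time token) written out as an added example; this is not Mailman's or smartlist's code, and the class name, the message wording and the `confirm-<token>` line format are constructed for illustration. It takes the security points raised above at face value: no user-chosen password exists, so none can be reused elsewhere or mailed back in cleartext; sender headers are never consulted, so a forged "YES!" does nothing; the token is single-use and expires, so one intercepted copy is not a permanent credential; and the server stores only a hash of the token, so its database never holds the secret in plaintext.

```python
import hashlib
import re
import secrets
import time

# A confirmation line looks like "confirm-<32 url-safe chars>"; secrets.token_urlsafe(24)
# yields exactly 32 such characters (24 random bytes, base64url, no padding).
TOKEN_RE = re.compile(r"confirm-([A-Za-z0-9_-]{32})")


class UnsubscribeChallenge:
    """Hypothetical list server: the only credential is the ability to read mail at the address."""

    def __init__(self, list_address, ttl_seconds=3600, clock=time.time):
        self.list_address = list_address
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self.subscribers = set()
        self.pending = {}             # sha256(token) -> (email, expires_at)
        self.outbox = []              # (to, subject, body): mail the server would send

    def subscribe(self, email):
        self.subscribers.add(email.lower())

    def request_unsubscribe(self, claimed_email):
        """Steps 1 and 2: anyone can ask. The server answers only to the subscribed
        address itself and ignores whatever From:/Received: headers the request carried."""
        email = claimed_email.lower()
        if email not in self.subscribers:
            return False                                      # nothing is sent for unknown addresses
        token = secrets.token_urlsafe(24)                     # 192 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()   # only the hash is kept server-side
        self.pending[digest] = (email, self.clock() + self.ttl)
        body = (
            f"Someone asked to unsubscribe {email} from {self.list_address}.\n"
            f"If that was you, reply to this message and keep the line below intact:\n"
            f"confirm-{token}\n"
            f"Otherwise ignore this mail; the token expires in {self.ttl} seconds.\n"
        )
        self.outbox.append((email, "Please confirm your unsubscribe request", body))
        return True

    def confirm(self, reply_body):
        """Step 3: a reply quoting the token proves the sender could read the challenge.
        Returns the unsubscribed address, or None when the token is missing, unknown,
        already used, or expired."""
        match = TOKEN_RE.search(reply_body)
        if match is None:
            return None
        digest = hashlib.sha256(match.group(1).encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # pop() makes the token single-use
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        self.subscribers.discard(email)
        return email


if __name__ == "__main__":
    # Constructed walk-through of the exchange; all addresses are made up.
    server = UnsubscribeChallenge("list@example.org", ttl_seconds=600)
    server.subscribe("alice@example.org")
    server.request_unsubscribe("alice@example.org")
    to, subject, body = server.outbox[-1]
    # The user replies with the challenge quoted, as most mail clients do.
    reply = "Yes, unsubscribe me.\n\n> " + body.replace("\n", "\n> ")
    print("forged YES! without the token:", server.confirm("YES!"))
    print("genuine reply:", server.confirm(reply))
    print("replayed reply:", server.confirm(reply))
```

The lookup is a plain dictionary access on the hash rather than a constant-time comparison against each stored token, which is sound here because the token is 192 random bits and the hash is what the server stores; a database dump therefore reveals no usable tokens, which is the property the "password will be kept in plaintext" complaint above is about.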
Re: [Cryptography] Why is emailing me my password?
2013/10/2 Russ Nelson <nel...@crynwr.com>

> If you are proposing that something needs stronger encryption than ROT-26, please explain the threat model that justifies your choice of encryption and key distribution algorithms.

ROT-26 is fantastic for certain purposes. Like when encrypting for kids that just learned how to read.

For anything else than no encryption you should have a good understanding of why you're employing the cryptography, and why in this way.
Re: [Cryptography] Why is emailing me my password?
On Tue, Oct 01, 2013 at 10:28:48AM -0400, Greg wrote:

> So, my password, iPoopInYourHat, is being sent to me in the clear by your servers.

All mailman lists do this by default. It does tell you on the sign up page that it will do so, and that you shouldn't use a 'valuable' (e.g. used elsewhere) password - see http://www.metzdowd.com/mailman/listinfo/cryptography

It is an annoying default, but so long as you don't use a password attached to anything else you care about, I don't think it should be too much of a worry.
Re: [Cryptography] Why is emailing me my password?
On Tue, Oct 1, 2013 at 10:28 AM, Greg <g...@kinostudios.com> wrote:

> This falls somewhere in the land of beyond-the-absurd. Just got this message from your robot:
>
> ...
>
> So, my password, iPoopInYourHat, is being sent to me in the clear by your servers. Of all the places on the internet, this would be on the last places I would expect this to happen.

From http://www.metzdowd.com/mailman/listinfo/cryptography

===
You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. Do not use a valuable password as it will occasionally be emailed back to you in cleartext.
===

You can also turn off password reminders, but the password will be kept in plaintext.

--
Eitan Adler
Re: [Cryptography] Why is emailing me my password?
It's reasonable as it's not a security sensitive environment. Please for the love of god let some environments stay low-sec.

2013/10/1 Nick <cryptography-l...@njw.me.uk>

> [...]
Re: [Cryptography] Why is emailing me my password?
On 10/01/2013 10:28 AM, Greg wrote:

> This falls somewhere in the land of beyond-the-absurd.

I noticed the password would be mailed in the clear when I signed up, but even if I had not, I would not have been bothered to later discover it. What is the harm? The sensitivity of this password is extremely limited.

That is, unless you are someone who recycles one password in other places. You wouldn't do that, though, would you?

-kb
Re: [Cryptography] Why is emailing me my password?
On Tue, 1 Oct 2013 10:28:48 -0400 Greg <g...@kinostudios.com> wrote:

> So, my password, iPoopInYourHat, is being sent to me in the clear by your servers.

Two things to keep in mind:

1. The damage one can do to you with knowledge of this password is beyond minimal. You might have your list subscriptions changed; so what?

2. The password is sent just in case you forgot it and want to unsubscribe. Without the password, any troll might unsubscribe you from the list by simply forging headers. Were this to be encrypted, you would wind up with the classic problem of lost private keys, leaving people who forgot their password unable to unsubscribe (at least in any automated fashion).

-- Ben

--
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu
KK4FJZ

--
"If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." - George Orwell
Re: [Cryptography] Why is emailing me my password?
There is nothing difficult about the right course of action here: Don't send the password. Disable this silly default.

The attitude expressed in these replies is a disgrace to the profession of software security, and a disgrace to the list.

It doesn't matter whether or not I should be using a unique password. I might not be, and even if I am, a nerd next to me shouldn't be able to change my subscription settings because of the listserv's idiotic setting.

It is NOT the user's responsibility to compensate for the incompetence of sys admins or software developers. They are the ones who are failing their jobs.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 1, 2013, at 12:03 PM, Lodewijk andré de la porte <l...@odewijk.nl> wrote:

> [...]
Re: [Cryptography] Why is emailing me my password?
On 10/01/2013 06:56 PM, Benjamin Kreuter wrote:

> 2. The password is sent just in case you forgot it and want to unsubscribe. Without the password, any troll might unsubscribe you from the list by simply forging headers. Were this to be encrypted, you would wind up with the classic problem of lost private keys, leaving people who forgot their password unable to unsubscribe (at least in any automated fashion).

Agreed, that's a good point against PKI in this case. However, why use a password at all? I'd also argue it gives a false sense of security.

For that very reason I prefer mailing list software that works via email (rather than web interface) and authenticates by the ability to receive mails under the given email. Forging headers doesn't quite suffice there, either.

Regards
Markus Wanner
Re: [Cryptography] Why is emailing me my password?
I think that's absurd to say that it gives a false sense of security. It only gives a sense of security if you didn't read the text when you entered the password in the first place.

It keeps people from doing mass unsubscribes trivially. If someone was targeting you, yes, they would be able to delete your subscription, but that would likely be true with little effort to begin with if you are of the type that doesn't read that your password is stored insecurely and sent in plain text when you enter it.

On 01/10/2013 2:17 PM, Markus Wanner wrote:

> [...]

--
Kelly John Rose
Mississauga, ON
Phone: +1 647 638-4104
Twitter: @kjrose

Document contents are confidential between original recipients and sender.
Re: [Cryptography] Why is emailing me my password?
On 10/01/2013 10:26 PM, Kelly John Rose wrote:

> I think that's absurd to say that it gives a false sense of security. It only gives a sense of security if you didn't read the text when you entered the password in the first place.

Well, that applies to at least 90% of people for 90% of the cases. Yes, often enough including myself.

> It keeps people from doing mass unsubscribes trivially.

As I pointed out, there are other ways to achieve that, without the need for a password. Or actually rather with one-time passwords, instead.

> If someone was targeting you, yes, they would be able to delete your subscription,

Sure. That's the case either way.

> but that would likely be true with little effort to begin with if you are of the type that doesn't read that your password is stored insecurely and sent in plain text when you enter it.

Let's compare apples to apples: even if you manage to actually read the instructions, you actually have to do so, have to come up with a throw-away-password, and remember it. For no additional safety compared to one-time tokens.

The positive point I see for the web front-end is that people are more used to it. And have a hard time reading instructions on emails and hitting reply to send back a confirmation token. But your hypothesis is that people do read instructions, so...

Regards
Markus Wanner
Re: [Cryptography] Why is emailing me my password?
On 10/1/13 at 1:43 PM, mar...@bluegap.ch (Markus Wanner) wrote:

> Let's compare apples to apples: even if you manage to actually read the instructions, you actually have to do so, have to come up with a throw-away-password, and remember it. For no additional safety compared to one-time tokens.

Let Mailman assign you a password. Then you don't have to worry about someone collecting all your mailing list passwords and reverse engineering your password generation algorithm. You'll find out what the password is in a month. Save that email so you can make changes. Get on with life.

Let's not increase the level of user work in cases where there isn't, in fact, a security problem.

I'm interested in cases where Mailman passwords have been abused.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | If the site is supported by | Periwinkle
(408)356-8506      | ads, you are the product.   | 16345 Englewood Ave
www.pwpconsult.com |                             | Los Gatos, CA 95032
Re: [Cryptography] Why is emailing me my password?
> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.

Huh?

1. I don't know what "top post" means, and I see nothing here about it: http://www.metzdowd.com/mailman/listinfo/cryptography
2. The password was sent to me as part of a poorly configured mailing list bot, not any sort of punishment.
3. Even if it was sent to me as punishment, that is retarded.

> If you don't like the way this list is run, you are welcome to unsubscribe.

Yeah, I know. I might do that, as seeing the response to my request has convinced me there's little worth reading here anyway.

> The person running this list knows his job very well, and I'd suggest you be a bit more respectful of him.

What did I say that you feel was disrespectful? That he's failing at his job? That's not disrespectful, that's my opinion based on the fact that he is choosing to mail people their list passwords in the clear.

Running a mailing list is not hard work. There are only so many things one can fuck up. This is probably one of the biggest mistakes that can be made in running a mailing list, and on a list that's about software security. It's just ridiculous.

A mailing list shouldn't have any passwords to begin with. There is no need for passwords, and it shouldn't be possible for anyone to unsubscribe anyone else.

User: Unsubscribe [EMAIL] -> Server
Server: Are you sure? -> [EMAIL]
User@[EMAIL]: YES! -> Server.

No passwords, and no fake unsubscribes.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 1, 2013, at 4:56 PM, John Ioannidis <j...@tla.org> wrote:

> On Tue, Oct 1, 2013 at 12:56 PM, Greg <g...@kinostudios.com> wrote:
>
>> [...]
>
> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.
>
> If you don't like the way this list is run, you are welcome to unsubscribe. The password for unsubscribing has been already emailed to you.
>
> The person running this list knows his job very well, and I'd suggest you be a bit more respectful of him.
>
> /ji
Re: [Cryptography] Why is emailing me my password?
Low security environment, minimal ability to inflict damage, clear instructions from the beginning.

If the system and processes are not to your liking, that's understandable. Everyone is different.

There are other choices. If you'd like to investigate them, determine an appropriate one, and advocate a move to it, that would be welcomed, I presume? The move may not be made, but the effort would be respected. And if you succeed in advocating a move to a new, better system, you would have an impressive new entry on your CV. After all, herding cats is nothing on moving an entire mailing list of geeks and cryptographers to a new system. :)

No offense meant, in any way. Please forgive me if offense is given.

Joshua Marpet
Re: [Cryptography] Why is emailing me my password?
> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.

Actually, my previous reply to this comment of yours did not adequately point out the magnitude of its idiocy. The reason I posted to the list in the first place was because the password was sent to me in the clear. This thread has been my sole contribution to the list so far.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 1, 2013, at 6:03 PM, Greg <g...@kinostudios.com> wrote:

> [...]