Re: [Mailman-Users] How to turn off plain text passwords?
Jeffrey Walton writes:

> The best I can tell, the Mailman threat model is naive or unrealistic.

It's neither. It merely corresponds to a very low level of security, and you are told that when you subscribe.

> There are at least three threats which should be modeled.

"Should". Why? And why just these?

> First is unknown attackers who are breaking into systems and
> harvesting {user name, email, password} tuples. As a user, I got
> nailed when GNU's Savannah was hacked.
>
> I reused a password (bad dog!),

Indeed, and AFAIK if you can get access to a database of as few as 100 MD5-encrypted passwords, a modern PC can probably crack at least one with a dictionary attack within a few hours. Given the quality of most of my own passwords, given an attacker with a $5000 machine I doubt that "salted SHA256" would make that stretch by more than a couple hours. Encryption only helps a little bit; most likely the people who reuse passwords also have relatively weak ones, and the password may not be the most valuable part of such a tuple in any case.

> The second threat is the system administrator. I understand a sysadmin
> must be trusted, but why is he or she trusted so much that they are
> entitled to plain text passwords?

Because they can get them anyway with Wireshark or an appropriate Mailman Handler? (Avoiding this attack is left as an exercise for the reader, as well as identifying the security issues introduced or not handled at all by the more obvious "solutions".)

> The third threat is government. Any government can compel a list
> administrator to give up his or her {user name/email/password} list
> *if* the list operated within its jurisdiction.

And more secure password lists help here just how? Cf. http://www.jwz.org/gruntle/rbarip.html.

> These are not theoretical threats. They happen in practice, and happen
> too frequently.

And the real solution is obvious. Don't use passwords at all, although that doesn't help with security of the user name and email lists.
The fact is, Google and Savannah don't care about security of their users enough to provide more security than the users do themselves. RMS has been quite open about it on several occasions when push came to shove: it was more important that GNU systems use free software than that they be secure. And for Google, security is just a matter of financial calculus: if they screw up in public, it will cost them so many users and indirectly so much ad revenue, etc. If they *did* care more than the users do, they'd use a public key solution and prohibit passwords.

> So to answer the security level question: store a salted hash of the
> password using SHA-224/256 or Whirlpool. The use of SHA-2 or Whirlpool
> stems from NIST [1,2] and ECRYPT [3] recommendations on algorithm
> strengths. With a salted hash (using an appropriate hash function),
> list managers don't need to do any research or configurations, and I
> don't have to worry about hackers, system administrators, or most
> government attacks.

Speaking of "naive". The passwords are protected (but not fully protected against system admins), but the lists aren't. Do you realize just what kind of trouble some poor lady could be in if you let the addresses on your "battered wives" list leak? "Dead" is well within the realm of possibility! Now, that may not be *your* problem, but it does put "paid" to this claim:

> Finally, it makes more sense to fix the problem in one place (Mailman
> source code, by the Mailman developers) rather than 10,000 places
> (each Mailman installation, by every Mailman list manager).

That would be true if there were a "the problem". There isn't. There are 10,000 problems, each a little different.
-- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
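The dictionary-attack point Stephen makes above (hashing, salted or not, does little for a user whose password is weak) and the salted SHA-256 store Jeff proposes further down the page, worked through as an added Python example that is not part of this thread or of Mailman itself. The accounts and the wordlist are constructed, the PBKDF2 iteration count is an assumed work factor, and PBKDF2 is included as the slow KDF a practitioner would choose over a bare salted hash; the thread itself only mentions SHA-2 and Whirlpool.

```python
# Added example (not from the thread or from Mailman): how three storage
# choices behave against a dictionary attack, and why a salt helps the
# population of users but not the individual with a weak password.
import hashlib
import hmac
import os

# Constructed sample data, not real credentials: the {email, password}
# tuples a Mailman 2 list keeps in the clear.
SAMPLE_USERS = {
    "alice@example.org": "password1",
    "bob@example.org": "letmein",
    "carol@example.org": "Tr0ub4dor&3",
    "dave@example.org": "correct horse battery staple",
}

# Constructed attacker wordlist. A real one has millions of entries, which
# is why weak passwords fall in hours even when the store is hashed.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "mailman"]

SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def md5_unsalted(password, salt=b""):
    """Naive store: one unsalted MD5 per password (the salt is ignored)."""
    return hashlib.md5(password.encode()).digest()


def salted_sha256(password, salt):
    """The scheme proposed in the thread: SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_sha256(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted and deliberately slow: PBKDF2-HMAC-SHA256 stretches each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_records(users, hash_fn, salt_bytes=SALT_BYTES):
    """Stored form {email: (salt, digest)}, with a fresh random salt per user."""
    records = {}
    for email, password in users.items():
        salt = os.urandom(salt_bytes) if salt_bytes else b""
        records[email] = (salt, hash_fn(password, salt))
    return records


def verify(records, email, candidate, hash_fn):
    """Recompute and compare in constant time so the check itself leaks nothing."""
    salt, digest = records[email]
    return hmac.compare_digest(digest, hash_fn(candidate, salt))


def crack_unsalted(records, wordlist, hash_fn=md5_unsalted):
    """No salt: hash the wordlist once and look every user up in that table.
    Cost is len(wordlist) hashes however many users were harvested."""
    table = {hash_fn(word, b""): word for word in wordlist}
    cracked = {email: table[digest]
               for email, (_, digest) in records.items() if digest in table}
    return cracked, len(wordlist)


def crack_salted(records, wordlist, hash_fn):
    """Per-user salt: no shared table, so every user costs a wordlist pass.
    Returns what was cracked and how many hashes the attacker computed."""
    cracked, hashes_computed = {}, 0
    for email, (salt, digest) in records.items():
        for word in wordlist:
            hashes_computed += 1
            if hash_fn(word, salt) == digest:
                cracked[email] = word
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    plain = make_records(SAMPLE_USERS, md5_unsalted, salt_bytes=0)
    print("unsalted MD5:", crack_unsalted(plain, WORDLIST))
    salted = make_records(SAMPLE_USERS, salted_sha256)
    print("salted SHA-256:", crack_salted(salted, WORDLIST, salted_sha256))
    slow = make_records(SAMPLE_USERS, pbkdf2_sha256)
    print("PBKDF2 verify alice:",
          verify(slow, "alice@example.org", "password1", pbkdf2_sha256))
```

Running it shows the shape of the argument: the unsalted store gives up both weak passwords for six hash computations total, the salted store gives up the same two passwords but makes the attacker pay per user, and only the slow KDF raises the per-guess cost enough to matter. None of the three does anything for the membership list itself, which is the point about the "battered wives" list above.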
Re: [Mailman-Users] How to turn off plain text passwords?
On 11/2/2011 6:15 AM, Jeffrey Walton wrote:
> On Wed, Nov 2, 2011 at 7:40 AM, Larry Stone wrote:
>> Jeffrey Walton writes:
>> [Snip]
>> . I was very naive.
>> Mailman works with Mail. SMTP mail is very insecure with headers, etc.
>> easily spoofed (by design - just as I can easily spoof the sender on a piece
>> of paper mail I drop in a mailbox). What good does high security on Mailman
>> do if it's trivial to step around the gate?
>>
> Agreed. I have no expectation that my messages to the list will be
> private, or my email will be private. An attacker gains nothing from
> reading my messages posted to a public mailing list.
>
> But the password database used by Mailman is not a public database.
> Users have a reasonable expectation of security surrounding it. An
> attacker gains a list of {user name, email, password} when the system
> is compromised.

I agree users have a reasonable expectation of security surrounding their password. However, when the user is informed about the level of security being used, the user's reasonable expectation shouldn't exceed what they were told. I have a reasonable expectation of security when I am told I can use a locker to put my equipment in. But when I am told the locker has no locks on it, my reasonable expectation of security for that locker is much, much lower than if it had a lock.

>>> Confer: list managers did not fix Mailman 2 (nor did they use other
>>> software which was secure). Why would you expect them to research
>>> and securely configure Mailman 3?
>> List managers have nothing to do with this. Us "list managers" did not write
>> the software. We're just higher level users of Mailman than the reader of a
>> mailing list that uses Mailman. But we're still just users.
> Both are at fault. First are the developers for using an insecure
> system, and second are the folks who use it in production. In this
> case "crowd security" failed - more eyeballs were not better and did
> not lead to improvements.
>> If Mailman does not meet your needs due to it failing to meet the security
>> requirements you personally have, don't use it.
> Unrealistic. I have no control over what software a particular mailing
> list uses. It's kind of like saying, "if you don't like the smog, don't
> breathe the air".

It isn't necessarily unrealistic, a bit abrupt maybe. You can also make changes to the source to increase the security requirement. I have had to make some minor modifications to Mailman for it to do what is required where I work. And, as some on this list can probably attest, I am not a Python coder. So, if Mailman doesn't meet your needs, you can use it as is and suffer, make any changes you feel necessary, or not use it.

> Jeff

Thanks,
Chris
Re: [Mailman-Users] How to turn off plain text passwords?
On Wed, Nov 2, 2011 at 7:40 AM, Larry Stone wrote:
> Jeffrey Walton writes:
>
>> The best I can tell, Mailman 2 did the wrong thing.
>
> The best I can tell, your expectations for Mailman's security and the
> software authors' expectations are completely different.

Agreed. I was very naive.

> Mailman works with Mail. SMTP mail is very insecure with headers, etc. easily
> spoofed (by design - just as I can easily spoof the sender on a piece of
> paper mail I drop in a mailbox). What good does high security on Mailman do
> if it's trivial to step around the gate?
>

Agreed. I have no expectation that my messages to the list will be private, or my email will be private. An attacker gains nothing from reading my messages posted to a public mailing list.

But the password database used by Mailman is not a public database. Users have a reasonable expectation of security surrounding it. An attacker gains a list of {user name, email, password} when the system is compromised.

>> Confer: list managers did not fix Mailman 2 (nor did they use other
>> software which was secure). Why would you expect them to research
>> and securely configure Mailman 3?
> List managers have nothing to do with this. Us "list managers" did not write
> the software. We're just higher level users of Mailman than the reader of a
> mailing list that uses Mailman. But we're still just users.

Both are at fault. First are the developers for using an insecure system, and second are the folks who use it in production. In this case "crowd security" failed - more eyeballs were not better and did not lead to improvements.

> If Mailman does not meet your needs due to it failing to meet the security
> requirements you personally have, don't use it.

Unrealistic. I have no control over what software a particular mailing list uses. It's kind of like saying, "if you don't like the smog, don't breathe the air".
Jeff
Re: [Mailman-Users] How to turn off plain text passwords?
On Wed, Nov 2, 2011 at 6:00 AM, Stephen J. Turnbull wrote:
> Jeffrey Walton writes:
>
> > The best I can tell, Mailman 2 did the wrong thing.
>
> Against what threats with what level of security do you have in mind?

I found it interesting you brought a threat model into the discussion. The best I can tell, the Mailman threat model is naive or unrealistic. There are at least three threats which should be modeled.

First is unknown attackers who are breaking into systems and harvesting {user name, email, password} tuples. As a user, I got nailed when GNU's Savannah was hacked. I reused a password (bad dog!), and the bad guys broke into an unrelated gmail account. That is, the attackers got {Jeffrey Walton, noloader/gmail.com, } from Savannah and used it to successfully compromise jeffrey.w.walton/gmail.com due to password reuse. They could not get noloader/gmail access, or banking access since the passwords are different.

The second threat is the system administrator. I understand a sysadmin must be trusted, but why is he or she trusted so much that they are entitled to plain text passwords?

The third threat is government. Any government can compel a list administrator to give up his or her {user name/email/password} list *if* the list operated within its jurisdiction. The government - as an adversary - can surreptitiously do the same things an attacker can do. In the US, the PATRIOT Act assures these things (full database access and the ability to act surreptitiously without oversight).

These are not theoretical threats. They happen in practice, and happen too frequently.

> > Confer: list managers did not fix Mailman 2 (nor did they use other
> > software which was secure). Why would you expect them to research
> > and securely configure Mailman 3?
>
> I don't expect them to do so, until they get embarrassed (or worse)
> for not doing so. What else is new?
>
> Security inherently requires research and configuration. Asking for
> "secure out of the box" is meaningless; it's what happens after it
> comes out of the box that matters.

Storing a salted hash is an accepted best practice. It should not require research nor configuration by the list manager.

Another example: MD5 was compromised in the mid-1990s, and its security has only gotten worse over time. MD5 is not even close to its theoretical security level of 2^64. If a program uses a hash for security related functions, MD5 should not be used (some hand waving).

So to answer the security level question: store a salted hash of the password using SHA-224/256 or Whirlpool. The use of SHA-2 or Whirlpool stems from NIST [1,2] and ECRYPT [3] recommendations on algorithm strengths. With a salted hash (using an appropriate hash function), list managers don't need to do any research or configurations, and I don't have to worry about hackers, system administrators, or most government attacks.

Finally, it makes more sense to fix the problem in one place (Mailman source code, by the Mailman developers) rather than 10,000 places (each Mailman installation, by every Mailman list manager).

Jeff

[1] http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
[2] http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
[3] www.ecrypt.eu.org/documents/D.SPA.7.pdf
Re: [Mailman-Users] How to turn off plain text passwords?
On Tue, Nov 1, 2011 at 9:25 PM, Stephen J. Turnbull wrote:
> Jeffrey Walton writes:
>
> > I wish these list managers would get a f**king clue and do things
> > securely.
>
> By which you mean what? What we've learned over the last 30 years is
> that when application developers try to do security, they generally
> miss something. AFAICS Mailman 2 did the right thing for its time:
> provide minimal security against idle mischief and admit that there
> was no security against hell-bent miscreants.

The best I can tell, Mailman 2 did the wrong thing. "Password Security: A Case History", www.cs.bell-labs.com/who/dmr/passwd.ps. Written in 1978.

> Mailman 3 is taking
> advantage of a decade of progress in security and network application
> design, and providing the hooks needed to allow admins to configure
> system security services. (This can be done with Mailman 2 as well,
> but not as smoothly.)

If Mailman 3 only provides hooks - as opposed to securely storing the secret - then Mailman 3 has problems out of the box. In this case, it would be no better than Mailman 2.

Confer: list managers did not fix Mailman 2 (nor did they use other software which was secure). Why would you expect them to research and securely configure Mailman 3?

Jeff
Re: [Mailman-Users] How to turn off plain text passwords?
Jeffrey Walton writes:

> The best I can tell, Mailman 2 did the wrong thing.

The best I can tell, your expectations for Mailman's security and the software authors' expectations are completely different. As has already been explained, it is a low level of security designed to prevent (maybe I should just say discourage) mischief. It is not intended to be as secure as what secures your bank accounts. If your Mailman password is compromised, what is the most damage that can be done? Very little.

Mailman works with Mail. SMTP mail is very insecure with headers, etc. easily spoofed (by design - just as I can easily spoof the sender on a piece of paper mail I drop in a mailbox). What good does high security on Mailman do if it's trivial to step around the gate?

A good comparison would be the lock on most home bathrooms. It is designed to prevent someone from accidentally walking in on you. It is not designed to prevent someone who is determined to get in that bathroom even though it is locked. You normally do not use the same types of locks on a bathroom as you use on your front door. Heck, a bank does not secure their lobby as tightly as they secure their vault. Are they wrong for doing that?

> Confer: list managers did not fix Mailman 2 (nor did they use other
> software which was secure). Why would you expect them to research
> and securely configure Mailman 3?

List managers have nothing to do with this. Us "list managers" did not write the software. We're just higher level users of Mailman than the reader of a mailing list that uses Mailman. But we're still just users.

If Mailman does not meet your needs due to it failing to meet the security requirements you personally have, don't use it. If you're just a reader of a list run through Mailman, then use a password you don't care about (by default, Mailman generates random passwords. I don't even bother to save them as I know I can recover it easily in the unlikely event I actually ever need it).
-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/
Re: [Mailman-Users] How to turn off plain text passwords?
Jeffrey Walton writes:

> The best I can tell, Mailman 2 did the wrong thing.

Against what threats with what level of security do you have in mind?

> Confer: list managers did not fix Mailman 2 (nor did they use other
> software which was secure). Why would you expect them to research
> and securely configure Mailman 3?

I don't expect them to do so, until they get embarrassed (or worse) for not doing so. What else is new?

Security inherently requires research and configuration. Asking for "secure out of the box" is meaningless; it's what happens after it comes out of the box that matters.
Re: [Mailman-Users] How to turn off plain text passwords?
Jeffrey Walton writes:

> I wish these list managers would get a f**king clue and do things
> securely.

By which you mean what? What we've learned over the last 30 years is that when application developers try to do security, they generally miss something. AFAICS Mailman 2 did the right thing for its time: provide minimal security against idle mischief and admit that there was no security against hell-bent miscreants. Mailman 3 is taking advantage of a decade of progress in security and network application design, and providing the hooks needed to allow admins to configure system security services. (This can be done with Mailman 2 as well, but not as smoothly.)
Re: [Mailman-Users] How to turn off plain text passwords?
Jeffrey Walton wrote:
>OK. I'm not the sysadmin, so I can't control the software.
>
>I can control my account settings. But I take it there is nothing I
>can do as a user.

As a list member, you can turn off password reminders for any list of which you are a member. As a list admin, you can turn off reminders for the entire list. This does not affect how passwords are stored, but at least you can suppress emailing them.

[...]

>I wish these list managers would get a f**king clue and do things securely.

The storing and optional mailing of passwords in plain text is a long standing issue that the Mailman developers are well aware of. This will finally change in Mailman 3.

-- 
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan
Re: [Mailman-Users] How to turn off plain text passwords?
Hi Adam,

On Tue, Nov 1, 2011 at 12:13 PM, Adam McGreggor wrote:
> On Tue, Nov 01, 2011 at 07:52:08AM -0400, Jeffrey Walton wrote:
>> It's the first of the month, and I'm receiving my passwords from Mailman
>> servers.
>
> Happy Mailman Day!
>
> (I disable Mailman-day crontab entries.)

:)

>> I don't want my passwords stored in the plain text, and I don't want
>> them stored with reversible encryption.
>
> Install Mailman 3.

OK. I'm not the sysadmin, so I can't control the software.

I can control my account settings. But I take it there is nothing I can do as a user.

> Mark may have a more useful suggestion of what to patch, and there
> could well be something in the archives about this.
>
>> How do I turn off this security hole (feature?).
>
> The standard listinfo text warns:
>
>     You may enter a privacy password below. This provides only mild
>     security, but should prevent others from messing with your
>     subscription. Do not use a valuable password as it will
>     occasionally be emailed back to you in cleartext.
>
> You could, perhaps, edit the listinfo blurb, to give that greater
> prominence?

Well, between plain text passwords and non-authenticated users tampering, it's really a no win situation for the user.

I wish these list managers would get a f**king clue and do things securely.

Jeff
Re: [Mailman-Users] How to turn off plain text passwords?
On Tue, Nov 01, 2011 at 07:52:08AM -0400, Jeffrey Walton wrote:
> It's the first of the month, and I'm receiving my passwords from Mailman
> servers.

Happy Mailman Day!

(I disable Mailman-day crontab entries.)

> I don't want my passwords stored in the plain text, and I don't want
> them stored with reversible encryption.

Install Mailman 3.

Mark may have a more useful suggestion of what to patch, and there could well be something in the archives about this.

> How do I turn off this security hole (feature?).

The standard listinfo text warns:

    You may enter a privacy password below. This provides only mild
    security, but should prevent others from messing with your
    subscription. Do not use a valuable password as it will
    occasionally be emailed back to you in cleartext.

You could, perhaps, edit the listinfo blurb, to give that greater prominence?

-- 
"Celebrity can be malign in that it becomes a form of idolatry, and
people live their lives vicariously through the rich and famous rather
than attending to their own lives."
    -- John Sentamu
[Mailman-Users] How to turn off plain text passwords?
Hi All,

It's the first of the month, and I'm receiving my passwords from Mailman servers. I don't want my passwords stored in the plain text, and I don't want them stored with reversible encryption.

How do I turn off this security hole (feature?).

http://wiki.list.org/display/DOC/2+Help+for+mailing+list+members and http://wiki.list.org/display/DOC/3+List+administrator+tasks do not appear to address the topic.

Jeff