On Wed, 2 Oct 2013 10:16:42 -0400
Greg wrote:
> > I'm interested in cases where Mailman passwords have been abused.
>
> "Show me one instance where a nuclear reactor was brought down by an
> earthquake! Just one! Then I'll consider spending the $$ on it!"
Assume for a moment that there are no o
On 10/2/13 at 7:16 AM, g...@kinostudios.com (Greg) wrote:
I'm interested in cases where Mailman passwords have been abused.
"Show me one instance where a nuclear reactor was brought down
by an earthquake! Just one! Then I'll consider spending the $$
on it!"
And while you're at it, show me
2013/10/2 Russ Nelson
> If you are proposing that something needs stronger encryption than
> ROT-26, please explain the threat model that justifies your choice of
> encryption and key distribution algorithms.
>
ROT-26 is fantastic for certain purposes. Like when encrypting for kids
that just lea
> Hm.. that's a nice idea, but I don't think it can work reliably. What if
> the send path changes in between? AFAIK there are legitimate reasons for
> that, like load balancers or weird greylisting setups.
You're right, I think I misunderstood you when you talked about a "one time
password". I t
On 10/02/2013 04:32 PM, Greg wrote:
> I agree, I apologize for the excessively negative tone. I think RL (and
> unrelated) agitation affected my writing and word choice. I've taken
> steps to prevent that from happening again (via magic of self-censoring
> software).
Cool. :-)
> I don't see why a
> While I agree in principle, I don't quite like the tone here.
I agree, I apologize for the excessively negative tone. I think RL (and
unrelated) agitation affected my writing and word choice. I've taken steps to
prevent that from happening again (via magic of self-censoring software).
> But I
> I'm interested in cases where Mailman passwords have been abused.
"Show me one instance where a nuclear reactor was brought down by an
earthquake! Just one! Then I'll consider spending the $$ on it!"
--
Please do not email me anything that you are not comfortable also sharing with
the NSA.
O
On 10/02/2013 12:03 AM, Greg wrote:
> Running a mailing list is not hard work. There are only so many things
> one can fuck up. This is probably one of the biggest mistakes that can
> be made in running a mailing list, and on a list that's about software
> security. It's just ridiculous.
While I a
On 10/02/2013 12:11 AM, Joshua Marpet wrote:
> Low security environment, minimal ability to inflict damage, clear
> instructions from the beginning.
Agreed.
There certainly are bigger problems on earth. And I really don't mind if
you move on and take care of any of those, first. :-)
> If the sy
On 10/01/2013 11:36 PM, R. Hirschfeld wrote:
> Your objections are understandable but aren't really an issue with
> mailman because if you don't enter a password then mailman will choose
> one for you (which I always let it do) and there's no need to remember
> it because if you ever need it (a rar
Greg writes:
> This falls somewhere in the land of beyond-the-absurd.
> So, my password, iPoopInYourHat, is being sent to me in the clear by your
> servers.
Repeat after me: "crypto without a threat model is like cookies without
milk."
If you are proposing that something needs stronger encryp
>> Actually, it's only *your* password that's being emailed in the clear. It's
>> punishment for failing to observe the first rule of this list, which is DO
>> NOT TOP POST.
>
Actually, my previous reply to this comment of yours did not adequately point
out the magnitude of its idiocy.
The re
Low security environment, minimal ability to inflict damage, clear
instructions from the beginning.
If the system and processes are not to your liking, that's understandable.
Everyone is different.
There are other choices. If you'd like to investigate them, determine an
appropriate one, and adv
> Actually, it's only *your* password that's being emailed in the clear. It's
> punishment for failing to observe the first rule of this list, which is DO
> NOT TOP POST.
Huh?
1. I don't know what "top post" means, and I see nothing here about it:
http://www.metzdowd.com/mailman/listinfo/crypt
On 10/1/13 at 1:43 PM, mar...@bluegap.ch (Markus Wanner) wrote:
Let's compare apples to apples: even if you manage to actually read the
instructions, you actually have to do so, have to come up with a
throw-away-password, and remember it. For no additional safety compared
to one-time tokens.
L
On 10/01/2013 10:26 PM, Kelly John Rose wrote:
> I think that's absurd to say that it gives a false sense of security. It
> only gives a sense of security if you didn't read the text when you
> entered the password in the first place.
Well, that applies to at least 90% of people for 90% of the cases.
I think that's absurd to say that it gives a false sense of security. It
only gives a sense of security if you didn't read the text when you
entered the password in the first place. It keeps people from doing mass
unsubscribes trivially.
If someone was targeting you, yes, they would be able to del
On 10/01/2013 06:56 PM, Benjamin Kreuter wrote:
> 2. The password is sent just in case you forgot it and want to
> unsubscribe. Without the password, any troll might unsubscribe you
> from the list by simply forging headers. Were this to be encrypted,
> you would wind up with the classic
There is nothing difficult about the right course of action here: Don't send
the password. Disable this silly default.
The attitude expressed in these replies is a disgrace to the profession of
software security, and a disgrace to the list.
It doesn't matter whether or not I "should" be using a
On Tue, 1 Oct 2013 10:28:48 -0400
Greg wrote:
> So, my password, iPoopInYourHat, is being sent to me in the clear by
> your servers.
Two things to keep in mind:
1. The damage one can do to you with knowledge of this password is
beyond minimal. You might have your list subscriptions changed;
On 10/01/2013 10:28 AM, Greg wrote:
This falls somewhere in the land of beyond-the-absurd.
I noticed the password would be mailed in the clear when I signed up,
but even if I had not, I would not have been bothered to later discover
it. What is the harm? The sensitivity of this password is
It's reasonable as it's not a security sensitive environment. Please for
the love of god let some environments stay low-sec.
2013/10/1 Nick
> On Tue, Oct 01, 2013 at 10:28:48AM -0400, Greg wrote:
> > So, my password, iPoopInYourHat, is being sent to me in the clear by
> your servers.
>
> All ma
On Tue, Oct 01, 2013 at 10:28:48AM -0400, Greg wrote:
> So, my password, iPoopInYourHat, is being sent to me in the clear by your
> servers.
All mailman lists do this by default. It does tell you on the sign
up page that it will do so, and that you shouldn't use a 'valuable'
(e.g. used elsewhere)
On Tue, Oct 1, 2013 at 10:28 AM, Greg wrote:
> This falls somewhere in the land of beyond-the-absurd.
>
> Just got this message from your robot:
...
> So, my password, iPoopInYourHat, is being sent to me in the clear by your
> servers.
>
> Of all the places on the internet, this would be on the l