Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-02 Thread Stephen J. Turnbull
Jeffrey Walton writes:

  The best I can tell, Mailman 2 did the wrong thing.

Against what threats with what level of security do you have in mind?

  Confer: list managers did not fix Mailman 2 (nor did they use other
  software which was secure). Why would you expect them to research
  and securely configure Mailman 3?

I don't expect them to do so, until they get embarrassed (or worse)
for not doing so.  What else is new?

Security inherently requires research and configuration.  Asking for
secure out of the box is meaningless; it's what happens after it
comes out of the box that matters.

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-02 Thread Larry Stone
Jeffrey Walton writes:

 The best I can tell, Mailman 2 did the wrong thing.

The best I can tell, your expectations for Mailman's security and the software 
authors' expectations are completely different. As has already been explained, 
it is a low level of security designed to prevent (maybe I should just say 
discourage) mischief. It is not intended to be as secure as what secures your 
bank accounts. If your Mailman password is compromised, what is the most damage 
that can be done? Very little.

Mailman works with Mail. SMTP mail is very insecure with headers, etc. easily 
spoofed (by design - just as I can easily spoof the sender on a piece of paper 
mail I drop in a mailbox). What good does high security on Mailman do if it's 
trivial to step around the gate?

A good comparison would be the lock on most home bathrooms. It is designed to 
prevent someone from accidentally walking in on you. It is not designed to 
prevent someone who is determined to get in that bathroom even though it is 
locked. You normally do not use the same types of locks on a bathroom as you 
use on your front door.

Heck, a bank does not secure their lobby as tightly as they secure their vault. 
Are they wrong for doing that?

 Confer: list managers did not fix Mailman 2 (nor did they use other
 software which was secure). Why would you expect them to research
 and securely configure Mailman 3?

List managers have nothing to do with this. Us list managers did not write 
the software. We're just higher level users of Mailman than the reader of a 
mailing list that uses Mailman. But we're still just users.

If Mailman does not meet your needs due to it failing to meet the security 
requirements you personally have, don't use it. If you're just a reader of a 
list run through Mailman, then use a password you don't care about (by default, 
Mailman generates random passwords. I don't even bother to save them as I know 
I can recover it easily in the unlikely event I actually ever need it).

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/





Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-02 Thread Jeffrey Walton
On Tue, Nov 1, 2011 at 9:25 PM, Stephen J. Turnbull step...@xemacs.org wrote:
 Jeffrey Walton writes:

   I wish these list managers would get a f**king clue and do things
   securely.

 By which you mean what?  What we've learned over the last 30 years is
 that when application developers try to do security, they generally
 miss something.  AFAICS Mailman 2 did the right thing for its time:
 provide minimal security against idle mischief and admit that there
 was no security against hell-bent miscreants.
The best I can tell, Mailman 2 did the wrong thing. Password
Security: A Case History, www.cs.bell-labs.com/who/dmr/passwd.ps.
Written in 1978.

 Mailman 3 is taking
 advantage of a decade of progress in security and network application
 design, and providing the hooks needed to allow admins to configure
 system security services.  (This can be done with Mailman 2 as well,
 but not as smoothly.)
If Mailman 3 only provides hooks - as opposed to securely storing the
secret - then Mailman 3 has problems out of the box. In this case, it
would be no better than Mailman 2. Confer: list managers did not fix
Mailman 2 (nor did they use other software which was secure). Why
would you expect them to research and securely configure Mailman 3?

Jeff


Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-02 Thread Jeffrey Walton
On Wed, Nov 2, 2011 at 6:00 AM, Stephen J. Turnbull step...@xemacs.org wrote:
 Jeffrey Walton writes:

   The best I can tell, Mailman 2 did the wrong thing.

 Against what threats with what level of security do you have in mind?
I found it interesting you brought a threat model into the discussion.
The best I can tell, the Mailman threat model is naive or unrealistic.

There are at least three threats which should be modeled. First is
unknown attackers who are breaking into systems and harvesting {user
name, email, password} tuples. As a user, I got nailed when GNU's
Savannah was hacked.

I reused a password (bad dog!), and the bad guys broke into an
unrelated gmail account. That is, the attackers got {Jeffrey Walton,
noloader/gmail.com, } from Savannah and used it to successfully
compromise jeffrey.w.walton/gmail.com due to password reuse. They
could not get noloader/gmail access, or banking access since the
passwords are different.

The second threat is the system administrator. I understand a sysadmin
must be trusted, but why is he or she trusted so much that they are
entitled to plain text passwords?

The third threat is government. Any government can compel a list
administrator to give up his or her {user name/email/password} list
*if* the list operated within its jurisdiction. The government - as an
adversary - can surreptitiously do the same things an attacker can do.
In the US, the PATRIOT Act assures these things (full database access
and the ability to act surreptitiously without oversight).

These are not theoretical threats. They happen in practice, and happen
too frequently.

   Confer: list managers did not fix Mailman 2 (nor did they use other
   software which was secure). Why would you expect them to research
   and securely configure Mailman 3?

 I don't expect them to do so, until they get embarrassed (or worse)
 for not doing so.  What else is new?

 Security inherently requires research and configuration.  Asking for
 secure out of the box is meaningless; it's what happens after it
 comes out of the box that matters.
Storing a salted hash is an accepted best practice. It should not
require research nor configuration by the list manager.

Another example: MD5 was compromised in the mid-1990s, and its
security has only gotten worse over time. MD5 is not even close to its
theoretical security level of 2^64. If a program uses a hash for
security related functions, MD5 should not be used (some hand
waving).

So to answer the security level question: store a salted hash of the
password using SHA-224/256 or Whirlpool. The use of SHA-2 or Whirlpool
stems from NIST [1,2] and ECRYPT [3] recommendations on algorithm
strengths. With a salted hash (using an appropriate hash function),
list managers don't need to do any research or configurations, and I
don't have to worry about hackers, system administrators, or most
government attacks.

Finally, it makes more sense to fix the problem in one place (Mailman
source code, by the Mailman developers) rather than 10,000 places
(each Mailman installation, by every Mailman list manager).

Jeff

[1] 
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
[2] http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
[3] www.ecrypt.eu.org/documents/D.SPA.7.pdf


Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-02 Thread Jeffrey Walton
On Wed, Nov 2, 2011 at 7:40 AM, Larry Stone lston...@stonejongleux.com wrote:
 Jeffrey Walton writes:

 The best I can tell, Mailman 2 did the wrong thing.

 The best I can tell, your expectations for Mailman's security and the 
 software authors' expectations are completely different.
Agreed. I was very naive.

 Mailman works with Mail. SMTP mail is very insecure with headers, etc. easily 
 spoofed (by design - just as I can easily spoof the sender on a piece of 
 paper mail I drop in a mailbox). What good does high security on Mailman do 
 if it's trivial to step around the gate?

Agreed. I have no expectation that my messages to the list will be
private, or my email will be private. An attacker gains nothing from
reading my messages posted to a public mailing list.

But the password database used by Mailman is not a public database.
Users have a reasonable expectation of security surrounding it. An
attacker gains a list of {user name, email, password} when the system
is compromised.

 Confer: list managers did not fix Mailman 2 (nor did they use other
 software which was secure). Why would you expect them to research
 and securely configure Mailman 3?
 List managers have nothing to do with this. Us list managers did not write 
 the software. We're just higher level users of Mailman than the reader of a 
 mailing list that uses Mailman. But we're still just users.
Both are at fault. First are the developers for using an insecure
system, and second are the folks who use it in production. In this
case crowd security failed - more eyeballs were not better and did
not lead to improvements.

 If Mailman does not meet your needs due to it failing to meet the security 
 requirements you personally have, don't use it.
Unrealistic. I have no control over what software a particular mailing
list uses. It's kind of like saying, if you don't like the smog, don't
breathe the air.

Jeff


Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-02 Thread C Nulk
On 11/2/2011 6:15 AM, Jeffrey Walton wrote:
 On Wed, Nov 2, 2011 at 7:40 AM, Larry Stone lston...@stonejongleux.com 
 wrote:
 Jeffrey Walton writes:

[Snip]
 . I was very naive.
 Mailman works with Mail. SMTP mail is very insecure with headers, etc. 
 easily spoofed (by design - just as I can easily spoof the sender on a piece 
 of paper mail I drop in a mailbox). What good does high security on Mailman 
 do if it's trivial to step around the gate?

 Agreed. I have no expectation that my messages to the list will be
 private, or my email will be private. An attacker gains nothing from
 reading my messages posted to a public mailing list.

 But the password database used by Mailman is not a public database.
 Users have a reasonable expectation of security surrounding it. An
 attacker gains a list of {user name, email, password} when the system
 is compromised.

I agree users have a reasonable expectation of security surrounding
their password.  However, when the user is informed about the level of
security being used, the user's reasonable expectation shouldn't exceed
what they were told.  I have a reasonable expectation of security when I
am told I can use a locker to put my equipment in.  But when I am told
the locker has no locks on it, my reasonable expectation of security for
that locker is much, much lower than if it had a lock.


 Confer: list managers did not fix Mailman 2 (nor did they use other
 software which was secure). Why would you expect them to research
 and securely configure Mailman 3?
 List managers have nothing to do with this. Us list managers did not write 
 the software. We're just higher level users of Mailman than the reader of a 
 mailing list that uses Mailman. But we're still just users.
 Both are at fault. First are the developers for using an insecure
 system, and second are the folks who use it in production. In this
 case crowd security failed - more eyeballs were not better and did
 not lead to improvements.

 If Mailman does not meet your needs due to it failing to meet the security 
 requirements you personally have, don't use it.
 Unrealistic. I have no control over what software a particular mailing
 list uses. It's kind of like saying, if you don't like the smog, don't
 breathe the air.

It isn't necessarily unrealistic, a bit abrupt maybe.  You can also make
changes to the source to increase the security requirement.  I have had
to make some minor modifications to Mailman for it to do what is
required where I work.  And, as some on this list can probably attest, I
am not a Python coder.  So, if Mailman doesn't meet your needs, you can
use it as is and suffer, make any changes you feel necessary, or not use
it.


 Jeff

Thanks,
Chris



Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-02 Thread Stephen J. Turnbull
Jeffrey Walton writes:

  The best I can tell, the Mailman threat model is naive or unrealistic.

It's neither.  It merely corresponds to a very low level of security,
and you are told that when you subscribe.

  There are at least three threats which should be modeled.

Should.  Why?  And why just these?

  First is unknown attackers who are breaking into systems and
  harvesting {user name, email, password} tuples. As a user, I got
  nailed when GNU's Savannah was hacked.
  
  I reused a password (bad dog!),

Indeed, and AFAIK if you can get access to a database of as few as 100
MD5-encrypted passwords, a modern PC can probably crack at least one
with a dictionary attack within a few hours.  Given the quality of
most of my own passwords, given an attacker with a $5000 machine I
doubt that salted SHA256 would make that stretch by more than a
couple hours.  Encryption only helps a little bit, most likely the
people who reuse passwords also have relatively weak ones, and the
password may not be the most valuable part of such a tuple in any case.

  The second threat is the system administrator. I understand a sysadmin
  must be trusted, but why is he or she trusted so much that they are
  entitled to plain text passwords?

Because they can get them anyway with wireshark or an appropriate
Mailman Handler?  (Avoiding this attack is left as an exercise for the
reader, as well as identifying the security issues introduced or not
handled at all by the more obvious solutions.)

  The third threat is government. Any government can compel a list
  administrator to give up his or her {user name/email/password} list
  *if* the list operated within its jurisdiction.

And more secure password lists help here just how?
Cf. http://www.jwz.org/gruntle/rbarip.html.

  These are not theoretical threats. They happen in practice, and happen
  too frequently.

And the real solution is obvious.  Don't use passwords at all,
although that doesn't help with security of the user name and email
lists.

The fact is, Google and Savannah don't care about security of their
users enough to provide more security than the users do themselves.

RMS has been quite open about it on several occasions when push came
to shove: it was more important that GNU systems use free software
than that they be secure.  And for Google, security is just a matter
of financial calculus: if they screw up in public, it will cost them
so many users and indirectly so much ad revenue, etc.

If they *did* care more than the users do, they'd use a public key
solution and prohibit passwords.

  So to answer the security level question: store a salted hash of the
  password using SHA-224/256 or Whirlpool. The use of SHA-2 or Whirlpool
  stems from NIST [1,2] and ECRYPT [3] recommendations on algorithm
  strengths. With a salted hash (using an appropriate hash function),
  list managers don't need to do any research or configurations, and I
  don't have to worry about hackers, system administrators, or most
  government attacks.

Speaking of naive.  The passwords are protected (but not fully
protected against system admins), but the lists aren't.  Do you
realize just what kind of trouble some poor lady could be in if you
let the addresses on your battered wives list leak?  Dead is well
within the realm of possibility!

Now, that may not be *your* problem, but it does put paid to this claim:

  Finally, it makes more sense to fix the problem in one place (Mailman
  source code, by the Mailman developers) rather than 10,000 places
  (each Mailman installation, by every Mailman list manager).

That would be true if there were a the problem.  There isn't.  There
are 10,000 problems, each a little different.  There are problems,
each a little different, 10,000 of them.  There are 10,000 problems,
each differing a little. 


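Added example, not code from any poster or from Mailman: a sketch of the salted SHA-256 storage Jeffrey Walton proposes in this thread, next to a stretched PBKDF2 variant that goes one step further by raising the per-guess cost that Stephen Turnbull's dictionary-attack reply is about. The record format, function names, iteration count and sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a hypothetical member table as a plaintext-storing
# system would hold it (address -> password). Not Mailman's real storage format.
PLAINTEXT_DB = {
    "alice@example.org": "correct horse battery",
    "bob@example.org": "correct horse battery",  # same password as alice
}

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to the host
MAX_ITERATIONS = 10_000_000   # refuse absurd values found in a stored record


def _digest(scheme, password, salt, iterations):
    pw = password.encode("utf-8")
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    if scheme == "ssha256":
        # Single salted SHA-256, the scheme proposed in the thread.
        return hashlib.sha256(salt + pw).digest()
    if scheme == "pbkdf2-sha256":
        # Stretched variant: every guess costs `iterations` HMAC-SHA-256 rounds.
        return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    raise ValueError("unknown scheme: " + scheme)


def make_record(password, scheme="pbkdf2-sha256"):
    """Return 'scheme$iterations$salt_hex$digest_hex' with a fresh random salt."""
    salt = os.urandom(16)
    iterations = PBKDF2_ITERATIONS if scheme == "pbkdf2-sha256" else 1
    digest = _digest(scheme, password, salt, iterations)
    return "$".join([scheme, str(iterations), salt.hex(), digest.hex()])


def verify(password, record):
    """Check a login attempt; malformed or unknown records never verify."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        expected = bytes.fromhex(digest_hex)
        actual = _digest(scheme, password, bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def migrate(plaintext_db, scheme="pbkdf2-sha256"):
    """One-off conversion: replace each stored password with a salted record."""
    return {addr: make_record(pw, scheme) for addr, pw in plaintext_db.items()}


if __name__ == "__main__":
    db = migrate(PLAINTEXT_DB)
    for addr, rec in db.items():
        # Identical passwords yield different records because salts differ.
        print(addr, rec[:48] + "...")
    print(verify("correct horse battery", db["alice@example.org"]))
    print(verify("wrong guess", db["alice@example.org"]))
```

Once only these records are stored, the server can no longer mail a password back, so a monthly reminder would have to become a reset mechanism instead.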


Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-01 Thread Adam McGreggor
On Tue, Nov 01, 2011 at 07:52:08AM -0400, Jeffrey Walton wrote:
 It's the first of the month, and I'm receiving my passwords from Mailman 
 servers.

Happy Mailman Day!

(I disable Mailman-day crontab entries.)

 I don't want my passwords stored in the plain text, and I don't want
 them stored with reversible encryption.

Install Mailman 3.

Mark may have a more useful suggestion of what to patch, and there
could well be something in the archives about this.

 How do I turn off this  security hole (feature?).

The standard listinfo text warns:

You may enter a privacy password below. This provides only mild
security, but should prevent others from messing with your
subscription. Do not use a valuable password as it will
occasionally be emailed back to you in cleartext.

You could, perhaps, edit the listinfo blurb, to give that greater
prominence?

-- 
Celebrity can be malign in that it becomes a form of idolatry, and
 people live their lives vicariously through the rich and famous rather
 than attending to their own lives.
-- John Sentamu


Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-01 Thread Jeffrey Walton
Hi Adam,

On Tue, Nov 1, 2011 at 12:13 PM, Adam McGreggor
adam-mail...@amyl.org.uk wrote:
 On Tue, Nov 01, 2011 at 07:52:08AM -0400, Jeffrey Walton wrote:
 It's the first of the month, and I'm receiving my passwords from Mailman 
 servers.

 Happy Mailman Day!

 (I disable Mailman-day crontab entries.)
:)

 I don't want my passwords stored in the plain text, and I don't want
 them stored with reversible encryption.

 Install Mailman 3.
OK. I'm not the sysadmin, so I can't control the software.

I can control my account settings. But I take it there is nothing I
can do as a user.

 Mark may have a more useful suggestion of what to patch, and there
 could well be something in the archives about this.

 How do I turn off this  security hole (feature?).

 The standard listinfo text warns:

    You may enter a privacy password below. This provides only mild
    security, but should prevent others from messing with your
    subscription. Do not use a valuable password as it will
    occasionally be emailed back to you in cleartext.

 You could, perhaps, edit the listinfo blurb, to give that greater
 prominence?
Well, between plain text passwords and non-authenticated users
tampering, it's really a no win situation for the user.

I wish these list managers would get a f**king clue and do things securely.

Jeff


Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-01 Thread Mark Sapiro
Jeffrey Walton wrote:

OK. I'm not the sysadmin, so I can't control the software.

I can control my account settings. But I take it there is nothing I
can do as a user.


As a list member, you can turn off password reminders for any list of
which you are a member. As a list admin, you can turn off reminders
for the entire list. This does not affect how passwords are stored,
but at least you can suppress emailing them.

[...]
I wish these list managers would get a f**king clue and do things securely.


The storing and optional mailing of passwords in plain text is a long
standing issue that the Mailman developers are well aware of. This
will finally change in Mailman 3.

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] How to turn off plain text passwords?

2011-11-01 Thread Stephen J. Turnbull
Jeffrey Walton writes:

  I wish these list managers would get a f**king clue and do things
  securely.

By which you mean what?  What we've learned over the last 30 years is
that when application developers try to do security, they generally
miss something.  AFAICS Mailman 2 did the right thing for its time:
provide minimal security against idle mischief and admit that there
was no security against hell-bent miscreants.  Mailman 3 is taking
advantage of a decade of progress in security and network application
design, and providing the hooks needed to allow admins to configure
system security services.  (This can be done with Mailman 2 as well,
but not as smoothly.)
