No subject


Sat May 26 22:55:42 UTC 2012


much out of date than the latter.

However, it matters not that this is "just a mailing list." It's a piece of
software, and software should be designed securely from the get-go;
obviously the developers thought that this was an issue worth remedying in
2007. Yes, I appreciate that the only thing a malicious user could do with
this is alter my mailman settings; however, my point is more about what this
implies about mailman's entire approach to security. If something as simple
as not storing every user's password as plaintext in a database cannot be
adhered to, I'm not so sure that I could comfortably trust the rest of the
application's codebase. That, and the fact the box that this list runs on is
running software that is 6 years out of date. I wonder what vulns exist in
the other services on the box, and what kernel version it is.

On Mon, Aug 6, 2012 at 11:13 AM, Kevin Smith <
kevin.smith at thesoftwaresociety.org.uk> wrote:

> Seemingly this "feature" has been removed as of 2007
> http://wiki.list.org/display/DEV/2007/01/13/Passwords+done+right however
> I'm still getting the reminders as well. So either the plaintext part
> hasn't been removed or the instance running this list is massively out
> of date. Both are not good.
>
> However, from a security point of view, I'm not too concerned about the
> plaintext nature of password storage.
>
> 1. It's just a mailing list. Nothing of any real consequence. I doubt
> Finux et al would care to change your mailing preferences, his time is
> much more valuable (I assume)
> 2. Unless you deliberately make a password when subscribing, mailman
> generates one for you so password reuse is almost guaranteed not to happen
>
> --
> Kevin Smith
> For and on behalf of:
> The Software Society Limited
> 3 Ralston Business Centre,
> Newtyle,
> Blairgowrie
> Perthshire
> PH12 8TL
> SCOTLAND
>
> A Company Limited by Guarantee
> Registered in Scotland, Company Number SC413286
>
> _______________________________________________
> dundee GNU/Linux Users Group mailing list
> dundee at mailman.lug.org.uk  http://dundeelug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/dundee
> Chat on IRC, #tlug on irc.lug.org.uk
>



-- 

Nick Walker
President : The Linux Society
UAD Ethical Hacker
