No subject


Sat May 26 22:55:42 UTC 2012


very much out of date than the latter.<div><br></div><div>However, it matters not that this is &quot;just a mailing list.&quot; It&#39;s a piece of software, and software should be designed securely from the get-go; obviously the developers thought that this was an issue worth remedying in 2007. Yes, I appreciate that the only thing a malicious user could do with this is alter my mailman settings; however, my point is more about what this implies about mailman&#39;s entire approach to security. If something as simple as not storing every user&#39;s password as plaintext in a database cannot be adhered to, I&#39;m not so sure that I could comfortably trust the rest of the application&#39;s codebase. That, and the fact that the box that this list runs on is running software that is 6 years out of date. I wonder what vulns exist in the other services on the box, and what kernel version it is.<br>
<br><div class="gmail_quote">On Mon, Aug 6, 2012 at 11:13 AM, Kevin Smith <span dir="ltr">&lt;<a href="mailto:kevin.smith at thesoftwaresociety.org.uk" target="_blank">kevin.smith at thesoftwaresociety.org.uk</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Seemingly this &quot;feature&quot; has been removed as of 2007<br>
<a href="http://wiki.list.org/display/DEV/2007/01/13/Passwords+done+right" target="_blank">http://wiki.list.org/display/DEV/2007/01/13/Passwords+done+right</a>; however,<br>
I&#39;m still getting the reminders as well. So either the plaintext part<br>
hasn&#39;t been removed or the instance running this list is massively out<br>
of date. Both are not good.<br>
<br>
However, from a security point of view, I&#39;m not too concerned about the<br>
plaintext nature of password storage.<br>
<br>
1. It&#39;s just a mailing list. Nothing of any real consequence. I doubt<br>
Finux et al would care to change your mailing preferences; his time is<br>
much more valuable (I assume).<br>
2. Unless you deliberately make a password when subscribing, mailman<br>
generates one for you, so password reuse is almost guaranteed not to happen.<br>
<br>
--<br>
Kevin Smith<br>
For and on behalf of:<br>
The Software Society Limited<br>
3 Ralston Business Centre,<br>
Newtyle,<br>
Blairgowrie<br>
Perthshire<br>
PH12 8TL<br>
SCOTLAND<br>
<br>
A Company Limited by Guarantee<br>
Registered in Scotland, Company Number SC413286<br>
<br>
_______________________________________________<br>
dundee GNU/Linux Users Group mailing list<br>
<a href="mailto:dundee at mailman.lug.org.uk">dundee at mailman.lug.org.uk</a> &nbsp;<a href="http://dundeelug.org.uk" target="_blank">http://dundeelug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/dundee" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/dundee</a><br>
Chat on IRC, #tlug on <a href="http://irc.lug.org.uk" target="_blank">irc.lug.org.uk</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><br>Nick Walker<br>President : The Linux Society<br>UAD Ethical Hacker<br>
</div>
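The thread's point about Mailman mailing subscribers their passwords comes down to one property: a system that can send you your password stores it in a reversible form. As an added example (not Mailman's code, and not from either poster), here is what the alternative looks like in Python: salted PBKDF2 records that can only be verified, never read back, together with a short-lived, single-use reset token that takes the place of the monthly reminder. The SubscriberStore class, the iteration count and the token lifetime are constructed for this example; only hashlib, hmac and secrets from the standard library are used.

```python
"""Added example: one-way password storage plus a reset-token flow in place
of a 'mail me my password' reminder. Not Mailman's code."""
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

ITERATIONS = 200_000       # PBKDF2 work factor (constructed value; tune per deployment)
SALT_BYTES = 16
TOKEN_TTL_SECONDS = 3600   # reset links expire after an hour (constructed value)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Produce a one-way record 'pbkdf2_sha256$<iterations>$<salt>$<digest>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


class SubscriberStore:
    """In-memory stand-in for a list's subscriber table (constructed for this example)."""

    def __init__(self) -> None:
        self._records = {}        # email -> password record; no plaintext anywhere
        self._reset_tokens = {}   # sha256(token) -> (email, expiry timestamp)
        # A throwaway record so a login for an unknown address costs the same work.
        self._filler = hash_password(secrets.token_urlsafe(16))

    def subscribe(self, email: str, password: Optional[str] = None) -> str:
        # Like Mailman, generate a random password when the subscriber supplies none.
        if password is None:
            password = secrets.token_urlsafe(12)
        self._records[email] = hash_password(password)
        return password  # shown to the subscriber once; it is never stored

    def login(self, email: str, password: str) -> bool:
        record = self._records.get(email, self._filler)
        ok = verify_password(password, record)        # always runs the full KDF
        return ok and email in self._records

    def issue_reset_token(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Replacement for the reminder mail: the token, not the password, goes to the user."""
        if email not in self._records:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a digest of the token, so a leaked table does not expose live tokens.
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._reset_tokens[key] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
        """Single use: the token entry is removed whether or not it is still valid."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._reset_tokens.pop(key, None)
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self._records[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = SubscriberStore()
    generated = store.subscribe("subscriber@example.org")   # constructed address
    print("login with generated password:", store.login("subscriber@example.org", generated))
    print("stored record:", store._records["subscriber@example.org"])
    token = store.issue_reset_token("subscriber@example.org")
    print("reset accepted:", store.redeem_reset_token(token, "new-passphrase"))
    print("old password still works:", store.login("subscriber@example.org", generated))
```

The stored record is all the server keeps, so there is nothing a reminder job could mail out; the only recovery path is the reset token, which is bound to an expiry and deleted on first use.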



