Mailman "passwords" (was Re: [TriLUG] MASSIVE SECURITY BREACH)

Tanner Lovelace lovelace at wayfarer.org
Mon Mar 1 16:27:46 EST 2004


Stanley A. Schultz said the following on 3/1/04 4:09 PM:

> WHAT ARE YOU PEOPLE THINKING? WHERE DO YOU KEEP YOUR BRAINS ANYWAY?
> 
> 
>>... If you have questions, problems, comments, etc, send them to
>>mailman-owner at trilug.org.  Thanks!
>>
>>Passwords for schultz at ucalgary.ca:
>>
>>List                                     Password // URL
>>----                                     --------
>>trilug at trilug.org                        XXXXXXX
>>http://www.trilug.org/mailman/options/trilug/schultz%40ucalgary.ca
> 
> 
> I have grave doubts about the sanity of any list owners/administrators who
> periodically, predictably broadcast, or allow to be broadcast, their
> members' passwords for any reason!
> 
> Who in Hell needs Microsoft's security holes when we have lists that do
> this?
> 
> 
> 
>  Peace, health, wisdom and wealth.
>  Live long and prosper.
> 
> 
>  Stan Schultz
>  Marguerite Schultz
>   4411 Edmonton Trail. NE
>   Calgary, Alberta T2E 3V7
>   CANADA
> 
>   Phone (days): (403) 220-8570 (Leave message.)
>   Phone (eves): (403) 230-1911 (Leave message.)
>   Phone (cell): (403) 667-6697 (Forget it! It's never on!)
>   FAX (24 hrs): (403) 270-8928
>   E-mail: schultz at ucalgary.ca
>   Web: http://www.ucalgary.ca/~schultz/
> 
> "We are *NOT* tourists! We've been here for just hours and hours!"
> 
> *****************************************************************
> 
> GREAT NEWS! You should visit http://www.ucalgary.ca/~schultz/motorhome.html.
> 
> *****************************************************************
> 
> 

Note, btw, what the subscribe web page
(http://www.trilug.org/mailman/listinfo/trilug)
says about the password entry:

   "You may enter a privacy password below. This provides only mild security,
   but should prevent others from messing with your subscription.  Do not use a
   valuable password as it will occasionally be emailed back to you in
   cleartext.

   If you choose not to enter a password, one will be automatically generated
   for you, and it will be sent to you once you've confirmed your subscription.
   You can always request a mail-back of your password when you edit your
   personal options.  Once a month, your password will be emailed to you as a
   reminder."

So, as it says "DO NOT USE A VALUABLE PASSWORD" (hmm... perhaps I should change
that to be all caps?).  In fact, don't think of it as a password at all.  Think
of it as a subscription setting cookie.  You have to have the cookie to change
your information.

Note also that I believe you can set up your notifications so it doesn't send
you this monthly reminder, but that way you also won't be reminded that you're
subscribed to our list (not that you need to with the traffic we have :-).

Cheers,
Tanner
-- 
Tanner Lovelace       | Don't move! Or I'll fill ya full of... little
lovelace at wayfarer.org | yellow bolts of light! - Commander John Crichton


