[sf-lug] Yes, Mailman stores and sends the passwords in the clear: Re: Anyone here had any contact with LinuxChix.org?

Rick Moen rick at linuxmafia.com
Sun Jun 9 14:32:32 PDT 2019


Quoting Ehud Kaldor (ehud.kaldor at gmail.com):

> So, what you're saying, Rick, is let's ignore the fact that it is a bad
> idea to have clear-text passwords (to which every security person agrees)
> because, for this specific case, no one (yet? No one you ever had this
> discussion with?) 

That of course is not what I said.

I don't honestly think that what I said was all that difficult to
understand, but I think we've been seeing a persistent unwillingness to
_think_, and instead just repeat platitudes over and over, while utterly
ignoring the point about no credible threat model existing in the matter
under discussion, as can be seen if one bothers to look at details.

Since I'm not a GNU Mailman developer, I feel absolutely no obligation
to argue to justify their architecture.  If you feel a desire to have
that argument, you know where to find them.


> To your point earlier - I'm sure those dwarves at Moria had that
> discussion, and someone said "I cannot remember a single time, and I cannot
> rationalize in any way, that a Balrog will come at us if we dig here". Is
> that what you are saying now?

I'm saying that further reinforcing the dwarf Narvi's door facing
towards Eregion and removing Celebrimbor's inscription 'Say "friend",
and enter' from the outer face of said door would obviously have been
pure pointless security theatre, as proven if nothing else by the fact
that the balrog didn't enter from there, but rather up from the roots of
the Misty Mountains.  http://tolkiengateway.net/wiki/Doors_of_Durin

That would qualify as clueless security theatre rather like tut-tutting
on mailing lists over how terrible it is for GNU Mailman to default to
storing a toothless 'password' token in plaintext and periodically
re-mailing it to users, and ignoring people who point out that it cannot be
credibly used for harm, even in the unlikely event of being intercepted.

I didn't think I would need to cluebat you with the parallel, but, there,
you required the cluebatting, I've typed it out for you.  Don't say I
never did you a favour.

Now, seriously, if you have an argument with the GNU Mailman developers,
go bother them and stop trying to argue with me.