[sf-lug] Yes, Mailman stores and sends the passwords in the clear: Re: Anyone here had any contact with LinuxChix.org?

Bobbie Sellers bliss-sf4ever at dslextreme.com
Sun Jun 9 16:13:15 PDT 2019
On 6/9/19 2:32 PM, Rick Moen wrote:
> Quoting Ehud Kaldor (ehud.kaldor at gmail.com):
>
>> So, what you're saying, Rick, is let's ignore the fact that it is a bad
>> idea to have clear-text passwords (to which every security person agrees)
>> because, for this specific case, no one (yet? No one you ever had this
>> discussion with?)
> That of course is not what I said.
>
> I don't honestly think that what I said was all that difficult to
> understand, but I think we've been seeing a persistent unwillingness to
> _think_, and instead just repeat platitudes over and over, while utterly
> ignoring the point about no credible threat model existing in the matter
> under discussion, as can be seen if one bothers to look at details.
>
> Since I'm not a GNU Mailman developer, I feel absolutely no obligation
> to argue to justify their architecture.  If you feel a desire to have
> that argument, you know where to find them.

     Of course I know nothing about the operation of Mailman and I used
a throw-away password when I was asked to do so.
>
>> To your point earlier - I'm sure those dwarves at Moria had that
>> discussion, and someone said "I cannot remember a single time, and I cannot
>> rationalize in any way, that a Balrog will come at us if we dig here". Is
>> that what you are saying now?
> I'm saying that further reinforcing the dwarf Narvi's door facing
> towards Eregion and removing Celebrimbor's inscription 'Say "friend",
> and enter' from the outer face of said door would obviously have been
> pure pointless security theatre, as proven if nothing else by the fact
> that the balrog didn't enter from there, but rather up from the roots of
> the Misty Mountains.  http://tolkiengateway.net/wiki/Doors_of_Durin

         The Balrog had been hiding at the root of the mountain since he
hid from the Gods at Morgoth's final overthrow and expulsion from the
Universe.  Now the Dwarfs had probably never seen a Balrog when
they decided to delve to the roots of the mountain, and the Dwarfs with
the Quest likely had no idea why the mountain had been abandoned to
the Orcs.   Some people of course think that the stuff published after
the LOTR trilogy is unreadable but I really enjoyed those older stories.
>
> That would qualify as clueless security theatre rather like tut-tutting
> on mailing lists over how terrible it is for GNU Mailman to default to
> storing a toothless 'password' token in plaintext and periodically
> re-mailing it to users, and ignoring people who point out that it cannot be
> credibly used for harm, even in the unlikely event of being intercepted.
>
> I didn't think I would need to cluebat you with the parallel, but, there,
> you required the cluebatting, I've typed it out for you.  Don't say I
> never did you a favour.
>
> Now, seriously, if you have an argument with the GNU Mailman developers,
> go bother them and stop trying to argue with me.
>

     Bobbie Sellers