[sf-lug] Yes, Mailman stores and sends the passwords in the clear

Rick Moen rick at linuxmafia.com
Sun Jun 9 17:13:15 PDT 2019


Quoting Akkana Peck (akkana at shallowsky.com):

> I'll never make it as the Moriarty of mailing list spoofing. :-)

Don't feel bad about that; security requires twisty thinking, and you're
a lot better at this than most coders are.

My former landlord and friend who ran the then-famous The CoffeeNet
(Linux-based) Internet cafe at 744 Harrison nr. 3rd Street -- where we
both lived above the cafe -- used to invoke my help whenever he wrote
utilities in C, in order to find all possible ways to break them by
doing command-line startups of the utilities one wasn't supposed to do.
He'd fix a coding bug, tell me to try again, I'd find a mischievous way
to make it fail, he'd snarl & grin at the same time, and he'd stomp off
to fix _that_ coding bug, too.  Reiterate until even my twisty sysadmin
mind could find a way to break it.

As to spoofing, honestly, the real opportunities for spoofing don't lie
in mailing list managers like Mailman and Sympa, but rather in SMTP as a
standard.  Sending forgeries of someone else's e-mail address is still a
thing (though SPF and DKIM/DMARC are reducing it a lot), and there is
also always the evergreen method:  Send mail from a throwaway real
address but attach the forgery target's realname field to the forgery.  
This often works because far, _far_ too many people never stop to notice
the unexpectedly new sending address and stop to think 'Is this forged?'

That really can't be fixed, because that's less a problem with SMTP than
it is with the recipients themselves.
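A small check for the "evergreen" display-name forgery described above, added here as an example and not part of the original post or of Mailman. It assumes a constructed address book of trusted contacts (`KNOWN_CONTACTS`) and flags a From: header whose realname belongs to a known contact while the actual address does not; SPF/DKIM/DMARC pass such mail because the throwaway address is real.

```python
import email.utils
import re

# Constructed sample address book (hypothetical data): the display names a
# recipient trusts, mapped to the addresses those people actually send from.
KNOWN_CONTACTS = {
    "akkana peck": {"akkana@shallowsky.com"},
    "rick moen": {"rick@linuxmafia.com"},
}

# Loose pattern for an address hidden inside the display-name field.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalize_name(name):
    # Collapse case, quotes and whitespace so 'Rick  MOEN' matches 'Rick Moen'.
    return " ".join(name.lower().replace('"', "").split())


def check_from_header(from_header, contacts=KNOWN_CONTACTS):
    """Return a list of findings for one From: header value.

    The authentication layers (SPF, DKIM, DMARC) vouch only for the address
    part, so this check looks at the realname field the post warns about.
    """
    findings = []
    name, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    if not addr:
        return ["unparseable From header"]
    key = normalize_name(name)
    # Known contact's name paired with an address that contact never uses.
    if key in contacts and addr not in contacts[key]:
        findings.append("display name of known contact with unexpected address")
    # Display name that itself looks like an address different from the real one.
    for embedded in EMBEDDED_ADDR.findall(name):
        if embedded.lower() != addr:
            findings.append("display name embeds a different address")
            break
    return findings


if __name__ == "__main__":
    for hdr in ('Akkana Peck <akkana@shallowsky.com>',
                '"Akkana Peck" <throwaway123@example.net>'):
        print(hdr, "->", check_from_header(hdr) or ["ok"])
```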