|
Firewall Wizards
mailing list archives
Sourceforge sending out passwords in the clear.
From: "Anton J Aylward, CISSP" <aja () si on ca>
Date: 02 Aug 2002 07:16:49 -0400
I understand this list is managed by "mailman". I just received
a mail message from Sourceforge, the open source development site.
Their list is managed by mailman as well. Being heads-up about security,
the people here have got this one right ;-)
This is a password reminder sent via Mailman (http://www.list.org/),
mailing list software used by SourceForge, every month.
Further down was my login ID and password in the clear.
I consider this to be an irresponsible breach of basic good
security practice. They should know better than to send such
things in the clear over an unsecured store-and-forward medium.
You don't have to be a developer to "join" sourceforge.
Being periodic, this is predictable. The consequent risks of that
are pretty obvious.
I'm told this is the default action for mailman,. If so, its a
bad default; Marcus isn't the only one who rails against such stupidity,
but as the saying goes, "even the Gods ...".
But I've also been on the sourceforge list for nearly a year and this
is the first time I've received this message, so "obviously" something
has changed. What happened? Some newbie sysadmin thinking he's being
smart and helpful?
Or perhaps I read the Risks Digest too often.
/anton
--
Hardware has grown following Moore's Law,
software seems to be stuck with Gresham's Law.
-Jim Horning, Inside Risks
133 CACM 44, 7, July 2001
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
 By Date 
By Thread
Current thread:
- Sourceforge sending out passwords in the clear. Anton J Aylward, CISSP (Aug 02)
|
Intro
