[fw-wiz] Sourceforge sending out passwords in the clear.

From: Anton J Aylward, CISSP (aja@si.on.ca)
Date: 08/02/02 

From: "Anton J Aylward, CISSP" <aja@si.on.ca>
To: firewall-wizards@honor.icsalabs.com
Date: Fri Aug  2 09:56:16 2002

I understand this list is managed by "mailman". I just received
a mail message from Sourceforge, the open source development site.
Their list is managed by mailman as well. Being heads-up about security,
the people here have got this one right ;-)

> This is a password reminder sent via Mailman (http://www.list.org/),
> mailing list software used by SourceForge, every month.

Further down was my login ID and password in the clear.
I consider this to be an irresponsible breach of basic good
security practice. They should know better than to send such
things in the clear over an unsecured store-and-forward medium.

You don't have to be a developer to "join" sourceforge.

Being periodic, this is predictable. The consequent risks of that
are pretty obvious.

I'm told this is the default action for mailman,. If so, its a
bad default; Marcus isn't the only one who rails against such stupidity,
but as the saying goes, "even the Gods ...".

But I've also been on the sourceforge list for nearly a year and this
is the first time I've received this message, so "obviously" something
has changed. What happened? Some newbie sysadmin thinking he's being
smart and helpful?

Or perhaps I read the Risks Digest too often.

/anton 

--
Hardware has grown following Moore's Law, 
software seems to be stuck with Gresham's Law.
  -Jim Horning, Inside Risks 
         133 CACM 44, 7, July 2001
Loading