Re: [fw-wiz] Sourceforge sending out passwords in the clear.

From: Paul Robertson
To: "Anton J Aylward, CISSP"
Date: Fri Aug  2 10:36:01 2002

On 2 Aug 2002, Anton J Aylward, CISSP wrote:

> I understand this list is managed by "mailman". I just received
> a mail message from Sourceforge, the open source development site.
> Their list is managed by mailman as well. Being heads-up about security,
> the people here have got this one right ;-)
> > This is a password reminder sent via Mailman (,
> > mailing list software used by SourceForge, every month.
> Further down was my login ID and password in the clear.
> I consider this to be an irresponsible breach of basic good
> security practice. They should know better than to send such
> things in the clear over an unsecured store-and-forward medium.

I don't know what sourceforge does with its credentials- mailman's premise
is that the password should be unique (that is not used for "real" things)
and used only for list operations on your list settings.

Since "I forgot my password" is still about the most expensive IT cost,
and most lists aren't making any money- support in the form of "mail me my
password" is the norm if you don't want to get killed doing support.

> I'm told this is the default action for mailman. If so, it's a

If you have my mailman password, you can unsubscribe me from the list
(should be obvious when I stop receiving messages,) set me to digest, set
me to nomail, and maybe a handful of other things[1].

Granted, you could MITM my mailing list traffic and if I wasn't checking
headers, you'd probably get me- but overall, that's not a huge risk (it
sends list manager passwords too- a much higher risk, though that only
happens at list creation and is easy to mitigate by not making the list live or
populating it until after the password is changed.)

> But I've also been on the sourceforge list for nearly a year and this
> is the first time I've received this message, so "obviously" something
> has changed. What happened? Some newbie sysadmin thinking he's being
> smart and helpful?

Probably they moved to a new mailman installation that's set to do the
monthly reminder thing (that's the default.)

> Or perhaps I read the Risks Digest too often.

The alternative is a mail/web combination thing- and that would make
everything more difficult/complex- or a manual thing which would *suck*.

You'd be surprised at the administrative stuff I deal with now, and this
list holds a very high ratio of clueons.

[1] That's the theoretical generic me- the actual me is subscribed from
multiple accounts and reads headers.
Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
Director of Risk Assessment
TruSecure Corporation
