Mailing List Archive

it's mailman time again
and i just have to wonder about sending passwords over the net in
cleartext in 2023. really?

randy
Re: it's mailman time again
On 9/1/23 12:16 PM, Randy Bush wrote:
> and i just have to wonder about sending passwords over the net in
> cleartext in 2023. really?

There's a reason that I have configured all the Mailman mailing lists to
not send me monthly password reminders.

I do wish that such was the default. Sadly it wasn't the last time I
looked.



--
Grant. . . .
unix || die
Re: it's mailman time again
What cleartext ? Opportunistic encryption and/or DANE FTW.

Rubens

On Fri, Sep 1, 2023 at 2:19 PM Randy Bush <randy@psg.com> wrote:
>
> and i just have to wonder about sending passwords over the net in
> cleartext in 2023. really?
>
> randy
Re: it's mailman time again
On Fri, 2023-09-01 at 10:16 -0700, Randy Bush wrote:
> and i just have to wonder about sending passwords over the net in
> cleartext in 2023. really?
>
> randy

For those that wish to do something about it...


$ ~/mailman/debian/patches$ cat 21-mask-mailpasswds.patch
=== modified file 'cron/mailpasswds'
--- cron/mailpasswds 2018-06-04 19:52:31.850899000 +0000
+++ cron/mailpasswds 2018-04-24 11:14:10.770128000 +0000
@@ -141,7 +141,9 @@
     for host in byhost.keys():
         # Site owner is `mailman@dom.ain'
         userinfo = {}
+        virtlist = {}
         for mlist in byhost[host]:
+            virtlist = mlist
             listaddr = mlist.GetListEmail()
             for member in mlist.getMembers():
                 # The user may have disabled reminders for this list
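Review bot: `virtlist = {}` is initialized as a dict and then reassigned to a `MailList` object (`virtlist = mlist`), and whichever list happens to be iterated last for the host is the one later used as the sending list, which is an arbitrary choice that the code does not state. Suggest `virtlist = None` plus a comment saying the reminder goes out via the last list processed for this virtual host; as written, a host with no lists would pass the empty dict straight to `msg.send()`.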
@@ -184,7 +186,7 @@
                     fmt = '%s\n %-10s\n%s\n'
                 else:
                     fmt = '%-40s %-10s\n%s\n'
-                table.append(fmt % (listaddr, password, optionsurl))
+                table.append(fmt % (listaddr, "********", optionsurl))
             # Figure out which language to use
             langcnt = 0
             poplang = None
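Review bot: replacing `password` with `"********"` masks the column but leaves the table `header` (appended in the next hunk) still labelling it as the password, so recipients get a column of asterisks with no hint that the options URL in the same row is how to reach their settings; either drop the column and its header together or reword the header. The `password` value unpacked on this loop is now unused here and the surrounding code still fetches it, which a follow-up cleanup should remove.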
@@ -218,7 +220,7 @@
             # Add the table to the end so it doesn't get wrapped/filled
             text += (header + '\n' + NL.join(table))
             msg = Message.UserNotification(
-                addr, siteowner,
+                addr, sitebounce,
                 _('%(host)s mailing list memberships reminder'),
                 text.encode(enc, 'replace'), poplang)
             # Note that text must be encoded into 'enc' because unicode
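Review bot: changing the From address of the reminder from `siteowner` to `sitebounce` is unrelated to masking passwords and is not explained; the envelope sender is already `sitebounce` through `errorsto` in the last hunk, so this only changes where human replies land (a bounce-processing address instead of the site owner). If that is intended, say so in the patch header; otherwise keep `addr, siteowner,` here.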
@@ -228,11 +230,7 @@
             msg['X-No-Archive'] = 'yes'
             del msg['auto-submitted']
             msg['Auto-Submitted'] = 'auto-generated'
-            # We want to make this look like it's coming from the siteowner's
-            # list, but we also want to be sure that the apparent host name is
-            # the current virtual host. Look in CookHeaders.py for why this
-            # trick works. Blarg.
-            msg.send(sitelist, **{'errorsto': sitebounce,
+            msg.send(virtlist, **{'errorsto': sitebounce,
                                   '_nolist' : 1,
                                   'verp' : mm_cfg.VERP_PASSWORD_REMINDERS,
                                   })
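Review bot: the four deleted comment lines were the only explanation of why the message was sent via `sitelist` (so the apparent host name is the current virtual host, per CookHeaders.py); `msg.send(virtlist, ...)` should carry a one-line comment stating that `virtlist` is the last real list of this host and that its host name is what now sets the apparent domain. Also check whether `sitelist` is left unused after this change.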



Re: it's mailman time again
On Fri, Sep 01, 2023 at 10:16:05AM -0700, Randy Bush wrote:
> and i just have to wonder about sending passwords over the net in
> cleartext in 2023. really?

This is a non-issue.

Given that pretty much every SMTP connection is encrypted and that
the worst thing that an attacker in possession of one of your Mailman
passwords can do is unsubscribe you (in which case you and the list
manager will be notified, and you can solve the problem quite rapidly),
no, this isn't a problem that anyone needs to worry about.

I've run (and am running) a lot of mailing lists with Mailman including
some large-ish ones for what's now approaching 20 years. The scenario
above has never happened. Nobody's even tried, which isn't surprising
given that such an attack is increasingly difficult and yields little,
if any, benefit to the attacker. Moreover, any hypothetical attacker
possessing the resources and expertise required to pull this off could
certainly find far more effective things to do.

---rsk
Re: it's mailman time again
I donno Rich...a couple of decades ago I lost my Slashdot account because someone was able to access it.
I used the password in two places...Slashdot and all the blasted mailman instances I was signed up with.

To this day, I still use the same password on all my mailman subscriptions because I consider mailman insecure for emailing out passwords. I just obviously don't use the password anywhere else. So you're right that all anyone can do is unsubscribe me from something...which isn't a big deal, but it makes me wonder just how many people have terrible mailman passwords and maybe use them elsewhere...and wouldn't report a compromise because...well...it'd make me look stupid.

Ignoring all of that—it's just a horrible practice to not encrypt passwords and to email them out. You don't really even need a mailman password. You just put in your email address and hit 'unsubscribe'...and it'll send you a link to click as authorization...so why not drop passwords altogether and just rely on click-to-authorize? Or just encrypt the passwords and have a "forgot password" click-to-reset like every other app on the planet?

-A

On Sat Sep 2, 2023, 07:57 AM GMT, Rich Kulawiec <rsk@gsp.org> wrote:
> On Fri, Sep 01, 2023 at 10:16:05AM -0700, Randy Bush wrote:
>> and i just have to wonder about sending passwords over the net in
>> cleartext in 2023. really?
>
> This is a non-issue.
>
> Given that pretty much every SMTP connection is encrypted and that
> the worst thing that an attacker in possession of one of your Mailman
> passwords can do is unsubscribe you (in which case you and the list
> manager will be notified, and you can solve the problem quite rapidly),
> no, this isn't a problem that anyone needs to worry about.
>
> I've run (and am running) a lot of mailing lists with Mailman including
> some large-ish ones for what's now approaching 20 years. The scenario
> above has never happened. Nobody's even tried, which isn't surprising
> given that such an attack is increasingly difficult and yields little,
> if any, benefit to the attacker. Moreover, any hypothetical attacker
> possessing the resources and expertise required to pull this off could
> certainly find far more effective things to do.
>
> ---rsk
>
Re: it's mailman time again
It appears that Rich Kulawiec <rsk@gsp.org> said:
>On Fri, Sep 01, 2023 at 10:16:05AM -0700, Randy Bush wrote:
>> and i just have to wonder about sending passwords over the net in
>> cleartext in 2023. really?
>
>This is a non-issue.

It's like changing your password, it sort of made sense in the 1980s
when networks meant coax Ethernets and bored students could sniff
passwords, and now it's cargo cult security. These days the only
sniffable shared media left is passwordless wifi and even there as you
note, mail all goes through TLS tunnels.
Re: it's mailman time again
It appears that Aaron de Bruyn via NANOG <aaron@heyaaron.com> said:
>I donno Rich...a couple of decades ago I lost my Slashdot account because someone was able to access it.
>I used the password in two places...Slashdot and all the blasted mailman instances I was signed up with.

I can believe that your Slashdot account got hacked, but why do you
think that's because someone read a monthly mailing list reminder,
figured out how to connect that list to your Slashdot account, and
broke in? That's quite a stretch.

More likely some Slashdot subcontractor sold it*, or you logged in
from a device that was compromised somehow. Or maybe it was just brute
forced.

R's,
John

* - I use tagged email on all my subscriptions and it's amazing how
passwords leak from places like the Wall Street Journal and the
Economist who really should know better. On the other hand, the NY
Times and WaPo don't leak, so pick your subcontractors carefully.
Re: it's mailman time again
On Sat, 2023-09-02 at 13:10 -0400, John Levine wrote:
>
> It's like changing your password, it sort of made sense in the 1980s
> when networks meant coax Ethernets and bored students could sniff
> passwords, and now it's cargo cult security. These days the only
> sniffable shared media left is passwordless wifi and even there as you
> note, mail all goes through TLS tunnels.
>

Mail in transit is mostly TLS transport these days, BUT mail in storage
and idle state isn't always secured. I'm sure that most any of us could
find a public s3 bucket with an mbox file on it if we cared to look.

-Jim P.
Re: it's mailman time again
> Mail in transit is mostly TLS transport these days,

yep. mostly. opsec folk are not fond of 'mostly.'

> BUT mail in storage and idle state isn't always secured. I'm sure
> that most any of us could find a public s3 bucket with an mbox file on
> it if we cared to look.

sigh

randy
Re: it's mailman time again
Pouring kerosine on fire? *flame me back if warranted*

Voice networks have no POTS left in them? *mostly?* ….

________________________________
From: NANOG <nanog-bounces+richard=pedantictheory.com@nanog.org> on behalf of Randy Bush <randy@psg.com>
Sent: Saturday, September 2, 2023 4:30:07 PM
To: Jim Popovitch via NANOG <nanog@nanog.org>
Subject: Re: it's mailman time again

> Mail in transit is mostly TLS transport these days,

yep. mostly. opsec folk are not fond of 'mostly.'

> BUT mail in storage and idle state isn't always secured. I'm sure
> that most any of us could find a public s3 bucket with an mbox file on
> it if we cared to look.

sigh

randy
Re: it's mailman time again
You didn't lose your /. account because of a mailing list config.
You lost it due to the bad practices or knowledge at the time.
\o/
-- J. Hellenthal
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Sep 2, 2023, at 17:08, Richard Porter <richard@pedantictheory.com> wrote:

Pouring kerosine on fire? *flame me back if warranted*
Voice networks have no POTS left in them? *mostly?* ….
From: NANOG <nanog-bounces+richard=pedantictheory.com@nanog.org> on behalf of Randy Bush <randy@psg.com>
Sent: Saturday, September 2, 2023 4:30:07 PM
To: Jim Popovitch via NANOG <nanog@nanog.org>
Subject: Re: it's mailman time again
> Mail in transit is mostly TLS transport these days,

yep. mostly. opsec folk are not fond of 'mostly.'

> BUT mail in storage and idle state isn't always secured. I'm sure
> that most any of us could find a public s3 bucket with an mbox file on
> it if we cared to look.

sigh

randy