[147411] in cryptography@c2.net mail archive

Re: [Cryptography] Why is emailing me my password?

daemon@ATHENA.MIT.EDU (Greg)
Tue Oct 1 13:36:13 2013

X-Original-To: cryptography@metzdowd.com
From: Greg <greg@kinostudios.com>
In-Reply-To: <CAHWD2rJSUn3TY6K+J4VKwYHBxuFVc=Kq4kXzGgRfn9V1y58new@mail.gmail.com>
Date: Tue, 1 Oct 2013 12:56:04 -0400
To: Lodewijk andré de la porte <l@odewijk.nl>
Cc: Nick <cryptography-list@njw.me.uk>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


There is nothing difficult about the right course of action here: Don't send the password. Disable this silly default.

The attitude expressed in these replies is a disgrace to the profession of software security, and a disgrace to the list.

It doesn't matter whether or not I "should" be using a unique password. I might not be, and even if I am, a nerd next to me shouldn't be able to change my subscription settings because of the listserv's idiotic setting.

It is NOT the user's responsibility to compensate for the incompetence of sys admins or software developers. They are the ones who are failing their jobs.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 1, 2013, at 12:03 PM, Lodewijk andré de la porte <l@odewijk.nl> wrote:

> It's reasonable as it's not a security sensitive environment. Please for the love of god let some environments stay low-sec.
>
>
> 2013/10/1 Nick <cryptography-list@njw.me.uk>
> On Tue, Oct 01, 2013 at 10:28:48AM -0400, Greg wrote:
> > So, my password, iPoopInYourHat, is being sent to me in the clear by your servers.
>
> All mailman lists do this by default. It does tell you on the sign
> up page that it will do so, and that you shouldn't use a 'valuable'
> (e.g. used elsewhere) password - see
> http://www.metzdowd.com/mailman/listinfo/cryptography
>=20
> It is an annoying default, but so long as you don't use a password
> attached to anything else you care about, I don't think it should be
> too much of a worry.
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography