[147430] in cryptography@c2.net mail archive


Re: [Cryptography] Why is emailing me my password?

daemon@ATHENA.MIT.EDU (Greg)
Tue Oct 1 22:40:12 2013

X-Original-To: cryptography@metzdowd.com
From: Greg <greg@kinostudios.com>
In-Reply-To: <CABrqyHzFfwsRnrV-jR0dEnO_v4i63NbPnasDLcEmFVeeii4BSA@mail.gmail.com>
Date: Tue, 1 Oct 2013 18:03:39 -0400
To: John Ioannidis <ji@tla.org>
Cc: Nick <cryptography-list@njw.me.uk>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>,
	Lodewijk andré de la porte <l@odewijk.nl>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com



> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.

Huh?

1. I don't know what "top post" means, and I see nothing here about it: http://www.metzdowd.com/mailman/listinfo/cryptography

2. The password was sent to me as part of a poorly configured mailing list bot, not any sort of "punishment".

3. Even if it was sent to me as "punishment", that is retarded.

> If you don't like the way this list is run, you are welcome to unsubscribe.

Yeah, I know. I might do that, as seeing the response to my request has convinced me there's little worth reading here anyway.

> The person running this list knows his job very well, and I'd suggest you be a bit more respectful of him.

What did I say that you feel was disrespectful? That he's failing at his job? That's not disrespectful, that's my opinion based on the fact that he is choosing to mail people their list passwords in the clear.

Running a mailing list is not hard work. There are only so many things one can fuck up. This is probably one of the biggest mistakes that can be made in running a mailing list, and on a list that's about software security. It's just ridiculous.

A mailing list shouldn't have any passwords to begin with. There is no need for passwords, and it shouldn't be possible for anyone to unsubscribe anyone else.

User: Unsubscribe [EMAIL] -> Server
Server: Are you sure? -> [EMAIL]
User@[EMAIL]: YES! -> Server.

No passwords, and no fake unsubscribes.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 1, 2013, at 4:56 PM, John Ioannidis <ji@tla.org> wrote:

> On Tue, Oct 1, 2013 at 12:56 PM, Greg <greg@kinostudios.com> wrote:
> > There is nothing difficult about the right course of action here: Don't send the password. Disable this silly default.
> >
> > The attitude expressed in these replies is a disgrace to the profession of software security, and a disgrace to the list.
> >
> > It doesn't matter whether or not I "should" be using a unique password. I might not be, and even if I am, a nerd next to me shouldn't be able to change my subscription settings because of the listserv's idiotic setting.
> >
> > It is NOT the user's responsibility to compensate for the incompetence of sys admins or software developers. They are the ones who are failing their jobs.
>
> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.
>
> If you don't like the way this list is run, you are welcome to unsubscribe. The password for unsubscribing has been already emailed to you. The person running this list knows his job very well, and I'd suggest you be a bit more respectful of him.
>
> /ji


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
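
The three-step confirmation exchange sketched in the message above, as an added example that is not part of the original post or of any mailing-list software. The HMAC-signed expiring token, the function names, the three-day window and the sample addresses are all assumptions made for illustration; the message itself only specifies the request, "Are you sure?", "YES!" round trip.

```python
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # per-server secret, never sent to anyone
TOKEN_TTL = 3 * 24 * 3600              # assumed confirmation window, in seconds
subscribers = {"alice@example.org", "bob@example.org"}  # constructed sample data


def _mac(address, expires):
    # Bind the token to one action, one address and one expiry time.
    msg = f"unsubscribe|{address.lower()}|{expires}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def request_unsubscribe(address, now=None):
    """Steps 1-2: anyone may ask; the returned token is mailed only to
    `address` inside the "Are you sure?" message, never shown to the requester."""
    issued = time.time() if now is None else now
    expires = int(issued + TOKEN_TTL)
    return f"{expires}.{_mac(address, expires)}"


def confirm_unsubscribe(address, token, now=None):
    """Step 3: act only when the reply carries a valid, unexpired token,
    which proves the replier can read mail delivered to `address`."""
    now = time.time() if now is None else now
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False                      # malformed token
    if now > expires:
        return False                      # confirmation window has closed
    expected = _mac(address, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                      # forged, or issued for another address
    subscribers.discard(address.lower())
    return True
```

The server stores no per-user secret, so there is nothing to mail out as a reminder; the only credential is a short-lived token that is useless for any other address or action.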