[147435] in cryptography@c2.net mail archive


Re: [Cryptography] Why is emailing me my password?

daemon@ATHENA.MIT.EDU (Greg)
Tue Oct 1 23:07:22 2013

X-Original-To: cryptography@metzdowd.com
From: Greg <greg@kinostudios.com>
In-Reply-To: <F63B5870-F5E6-4787-9141-878E759D01D7@kinostudios.com>
Date: Tue, 1 Oct 2013 18:16:26 -0400
To: John Ioannidis <ji@tla.org>
Cc: Nick <cryptography-list@njw.me.uk>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>,
	Lodewijk andré de la porte <l@odewijk.nl>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


>> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.

Actually, my previous reply to this comment of yours did not adequately point out the magnitude of its idiocy.

The reason I posted to the list in the first place was because the password was sent to me in the clear. This thread has been my sole contribution to the list so far.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 1, 2013, at 6:03 PM, Greg <greg@kinostudios.com> wrote:

>> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.
>
> Huh?
>
> 1. I don't know what "top post" means, and I see nothing here about it: http://www.metzdowd.com/mailman/listinfo/cryptography
>
> 2. The password was sent to me as part of a poorly configured mailing list bot, not any sort of "punishment".
>
> 3. Even if it was sent to me as "punishment", that is retarded.
>
>> If you don't like the way this list is run, you are welcome to unsubscribe.
>
> Yeah, I know. I might do that, as seeing the response to my request has convinced me there's little worth reading here anyway.
>
>> The person running this list knows his job very well, and I'd suggest you be a bit more respectful of him.
>
> What did I say that you feel was disrespectful? That he's failing at his job? That's not disrespectful, that's my opinion based on the fact that he is choosing to mail people their list passwords in the clear.
>
> Running a mailing list is not hard work. There are only so many things one can fuck up. This is probably one of the biggest mistakes that can be made in running a mailing list, and on a list that's about software security. It's just ridiculous.
>
> A mailing list shouldn't have any passwords to begin with. There is no need for passwords, and it shouldn't be possible for anyone to unsubscribe anyone else.
>
> User: Unsubscribe [EMAIL] -> Server
> Server: Are you sure? -> [EMAIL]
> User@[EMAIL]: YES! -> Server.
>
> No passwords, and no fake unsubscribes.
>
> - Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
>
> On Oct 1, 2013, at 4:56 PM, John Ioannidis <ji@tla.org> wrote:
>
>> On Tue, Oct 1, 2013 at 12:56 PM, Greg <greg@kinostudios.com> wrote:
>>> There is nothing difficult about the right course of action here: Don't send the password. Disable this silly default.
>>>
>>> The attitude expressed in these replies is a disgrace to the profession of software security, and a disgrace to the list.
>>>
>>> It doesn't matter whether or not I "should" be using a unique password. I might not be, and even if I am, a nerd next to me shouldn't be able to change my subscription settings because of the listserv's idiotic setting.
>>>
>>> It is NOT the user's responsibility to compensate for the incompetence of sys admins or software developers. They are the ones who are failing their jobs.
>>
>> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.
>>
>> If you don't like the way this list is run, you are welcome to unsubscribe. The password for unsubscribing has been already emailed to you. The person running this list knows his job very well, and I'd suggest you be a bit more respectful of him.
>>
>> /ji
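
The three-message unsubscribe exchange sketched in the quoted message above, as an added example that is not part of the original thread and not the list software's code. It binds the "Are you sure?" challenge to the address with an expiring HMAC token, so no stored password is needed; all function names, the key, the time window and the addresses are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-list secret, constructed for this example
TOKEN_TTL = 3 * 24 * 3600             # assumed confirmation window in seconds


def _mac(address, expires):
    # The MAC covers the action, the address and the expiry, so a token
    # minted for one subscriber is useless for any other address.
    msg = f"unsubscribe|{address.lower()}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_unsubscribe(address, now=None):
    """'User: Unsubscribe [EMAIL] -> Server' and 'Server: Are you sure? -> [EMAIL]'.

    Anyone may send the request, but the challenge is mailed only to `address`.
    """
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    token = f"{expires}.{_mac(address, expires)}"
    return {"to": address,
            "subject": f"confirm unsubscribe {token}",
            "body": "Are you sure? Reply to this message to confirm."}


def confirm_unsubscribe(subscribers, address, token, now=None):
    """'User@[EMAIL]: YES! -> Server': act only on a fresh token for this address."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False                  # malformed token
    if expires < now:
        return False                  # challenge has expired
    if not hmac.compare_digest(mac.encode(), _mac(address, expires).encode()):
        return False                  # forged, or minted for another address
    subscribers.discard(address.lower())  # idempotent, so a replay changes nothing
    return True
```

The token still crosses the network in the clear, but unlike a mailed password it is single-purpose, short-lived and not something the subscriber may have reused elsewhere.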


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography