[ML-General] Anyone else having trouble changing their Mailman settings?

WebDawg webdawg at gmail.com
Mon May 9 10:15:24 CDT 2016


I hope this is not too off topic; I just felt I needed to respond to this.

On Sun, May 8, 2016 at 11:00 PM, Hunter Fuller <hfuller at pixilic.com> wrote:
> Arthur,
>
> I'll write to you under separate cover wrt your first issue, since I
> am unable to reproduce it (the button lists my mailing list
> subscriptions). For future reference, you can find the netadmin
> contact information here:
> https://256.makerslocal.org/wiki/Network#Delegates_and_Contact_Information
>
> With regards to the privacy concerns, email is sent over the Internet
> in plain text, so it doesn't bother me much that the page contents are
> not sent using TLS. The password thing does bother me a bit, I'll
> admit, but all an attacker could do is change your settings and read
> the archives - not send mail as you. In the meantime, I will add a
> correct TLS certificate to the roadmap. It will be possible now that
> Let's Encrypt exists; before, it was cost prohibitive.
>

Not meant to offend, but it is always funny to read when someone
brushes off X level of security.  You state "this is all they could do
with the password", but statements like this never think about the next
exploit.

You are not the only one, and like I said none of this is directed at you.

The CA system is broken and Let's Encrypt is a way to combat that.  I
am so glad we finally did something about it.

SSL needs to be everywhere so APTs have more to decrypt if they want
to try and decrypt it all.  All traffic should be encrypted; even
Google believes that, as https sites now have higher ranking than
non-https ones.  They are now encrypting the transport layers of email.

I hope full email encryption becomes a standard.  PGP was released in
1991...and hardly anyone sends encrypted email because why?

> The password being stored in plain text isn't a serious vulnerability
> in this case (in my opinion). An attacker could use a stolen password
> database to access the archives . . . but they also could have just
> stolen the archives while they were stealing your password.
> Nevertheless, it is not possible to "update" to Mailman 3. There is no
> upgrade path between Mailman 2 and 3 at this time.
>
> I hope this assuages some of your concerns.

A lot of people use different passwords for all of their accounts, but
most people are too lazy to do something like this.

I access the Mailman list through some exploit; then I have X amount
of email / pw combos.

Passwords do not get stored in plain text for this reason, too.

I then leverage those combos to hopefully access the email account itself, etc.

The only reason I am commenting is because talk like "security does
not matter" or "X level of encryption is good enough" has never given
good results and generally should be discouraged.  I spent years
reading about people arguing about how no one needs X level of high
encryption because of bla statement.

Statements against raising any security should be discouraged because
it was exactly this talk that has provided so many SSL and TLS
exploits over the last few years.  Leaving bad code in because other
countries need it.  Purposely keeping encryption levels low because
'no one' has X amount of resources to crack X encryption.

Except that 'no one' has the exploits, enough supercomputers to
simulate AI, and power to control the conversation.

The conversation should be to secure all the things!

I hope this does not seem like a rant or philosophic insanity.

>
> --
> Hunter Fuller
> root
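The credential-reuse point above (a plaintext password table leaks the same password people use elsewhere) is exactly what salted, slow password hashing is meant to limit. The following is an added example and is not code from the thread, from Mailman, or from either poster: it shows a constructed member table stored first in plain text and then as salted PBKDF2-HMAC-SHA256 records, plus a constant-time verifier. The record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the sample accounts are assumptions made for this illustration, not anything Mailman actually uses.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: a plaintext member table of the kind the thread
# is worried about. Nothing here is a real account or password.
PLAINTEXT_MEMBERS: Dict[str, str] = {
    "alice@example.org": "correct horse battery staple",
    "bob@example.org": "hunter2",
    "carol@example.org": "hunter2",  # same password as bob
}

# Assumed work factor; OWASP's current guidance for PBKDF2-HMAC-SHA256
# is on this order. Raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and derived key.

    A fresh random salt is generated unless one is supplied (the explicit
    salt parameter exists only so tests can be deterministic).
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and cost, compare in constant time."""
    algorithm, iterations, salt_hex, expected_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False  # unknown record format: refuse rather than guess
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(derived, bytes.fromhex(expected_hex))


def migrate_table(plaintext: Dict[str, str]) -> Dict[str, str]:
    """Convert a plaintext member table into one that stores only hash records."""
    return {email: hash_password(pw) for email, pw in plaintext.items()}


def leaked_password_pairs(table: Dict[str, str]) -> int:
    """Count entries an attacker holding a copy of this table could reuse directly.

    For the plaintext table every row is a usable email/password pair; for the
    hashed table no row contains a password, so the count is zero.
    """
    return sum(1 for v in table.values() if not v.startswith("pbkdf2_sha256$"))


if __name__ == "__main__":
    hashed = migrate_table(PLAINTEXT_MEMBERS)
    print("reusable pairs in plaintext table:", leaked_password_pairs(PLAINTEXT_MEMBERS))
    print("reusable pairs in hashed table:   ", leaked_password_pairs(hashed))
    # bob and carol share a password, but the random salt makes their records differ,
    # so a stolen table does not even reveal that fact.
    print("bob == carol record:", hashed["bob@example.org"] == hashed["carol@example.org"])
    print("bob login ok:", verify_password("hunter2", hashed["bob@example.org"]))
    print("bob wrong pw:", verify_password("hunter3", hashed["bob@example.org"]))
```

Note what the hashed table does and does not buy you: a thief still gets the archives and the list membership, as the quoted reply says, but no longer gets a ready-made list of email/password pairs to try against the members' actual mail accounts, which is the escalation this post is describing.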


