[Cryptography] Why is emailing me my password?

Greg greg at kinostudios.com
Tue Oct 1 18:03:39 EDT 2013


> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.

Huh?

1. I don't know what "top post" means, and I see nothing here about it: http://www.metzdowd.com/mailman/listinfo/cryptography

2. The password was sent to me as part of a poorly configured mailing list bot, not any sort of "punishment".

3. Even if it was sent to me as "punishment", that is retarded.

> If you don't like the way this list is run, you are welcome to unsubscribe.

Yeah, I know. I might do that, as seeing the response to my request has convinced me there's little worth reading here anyway.

> The person running this list knows his job very well, and I'd suggest you be a bit more respectful of him.

What did I say that you feel was disrespectful? That he's failing at his job? That's not disrespectful, that's my opinion based on the fact that he is choosing to mail people their list passwords in the clear.

Running a mailing list is not hard work. There are only so many things one can fuck up. This is probably one of the biggest mistakes that can be made in running a mailing list, and on a list that's about software security. It's just ridiculous.

A mailing list shouldn't have any passwords to begin with. There is no need for passwords, and it shouldn't be possible for anyone to unsubscribe anyone else.

User: Unsubscribe [EMAIL] -> Server
Server: Are you sure? -> [EMAIL]
User@[EMAIL]: YES! -> Server.

No passwords, and no fake unsubscribes.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 1, 2013, at 4:56 PM, John Ioannidis <ji at tla.org> wrote:

> On Tue, Oct 1, 2013 at 12:56 PM, Greg <greg at kinostudios.com> wrote:
> > There is nothing difficult about the right course of action here: Don't send the password. Disable this silly default.
> > 
> > The attitude expressed in these replies is a disgrace to the profession of software security, and a disgrace to the list.
> > 
> > It doesn't matter whether or not I "should" be using a unique password. I might not be, and even if I am, a nerd next to me shouldn't be able to change my subscription settings because of the listserv's idiotic setting.
> > 
> > It is NOT the user's responsibility to compensate for the incompetence of sys admins or software developers. They are the ones who are failing their jobs.
> 
> 
> Actually, it's only *your* password that's being emailed in the clear. It's punishment for failing to observe the first rule of this list, which is DO NOT TOP POST.
> 
> If you don't like the way this list is run, you are welcome to unsubscribe. The password for unsubscribing has been already emailed to you. The person running this list knows his job very well, and I'd suggest you be a bit more respectful of him.
> 
> /ji
> 
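The three-message exchange Greg sketches above (request from anyone, challenge mailed only to the subscribed address, confirmation carrying the challenge back) as an added example; this is not code from the original post, from the metzdowd list, or from any list-management software. `Outbox`, `ListManager`, `alice@example.org`, the 24-hour lifetime and the token format are assumptions made for the illustration, and `Outbox` stands in for an SMTP relay so the code runs offline.

```python
"""Password-less unsubscribe confirmed by a mailed one-time token.

Added example (not list software from the original page). The Outbox class
is a constructed stand-in for an SMTP relay so the exchange runs offline.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Outbox:
    """Constructed stand-in for an SMTP relay: records (recipient, body)."""
    sent: list = field(default_factory=list)

    def send(self, to, body):
        self.sent.append((to, body))


class ListManager:
    TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation token, seconds

    def __init__(self, outbox, now=time.time):
        self.outbox = outbox
        self.now = now  # injectable clock so expiry can be exercised
        self.subscribers = set()
        # address -> (sha256(token), expiry). Only the hash is stored, so a
        # dump of server state does not hand out usable tokens.
        self.pending = {}

    def subscribe(self, email):
        self.subscribers.add(email.lower())

    def request_unsubscribe(self, email):
        """Message 1: anyone may ask. The requester learns nothing; the
        challenge goes only to the subscribed mailbox, and an unknown
        address produces no visible difference (no enumeration)."""
        email = email.lower()
        if email not in self.subscribers:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email] = (digest, self.now() + self.TOKEN_TTL)
        # Message 2: "Are you sure?" carrying the only copy of the token.
        self.outbox.send(email, f"Reply with this token to unsubscribe: {token}")
        return None

    def confirm_unsubscribe(self, sender, token):
        """Message 3: the reply must carry the token that was mailed to the
        subscribed address. The sender address is only a lookup key (From:
        is spoofable); possession of the token is the proof."""
        sender = sender.lower()
        entry = self.pending.get(sender)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            del self.pending[sender]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):  # constant-time compare
            return False
        del self.pending[sender]  # single use: a replayed token fails
        self.subscribers.discard(sender)
        return True


def demo():
    """Walk the exchange: a third party asks, only the subscriber can finish."""
    clock = [1_000_000.0]
    outbox = Outbox()
    lm = ListManager(outbox, now=lambda: clock[0])
    lm.subscribe("alice@example.org")  # constructed sample subscriber

    # A nerd next to Alice asks the server to unsubscribe her.
    lm.request_unsubscribe("alice@example.org")
    # The only copy of the token lands in Alice's mailbox.
    _to, body = outbox.sent[-1]
    token = body.rsplit(" ", 1)[1]

    results = {}
    # Without mailbox access the token cannot be guessed.
    results["guess"] = lm.confirm_unsubscribe("alice@example.org", "not-the-token")
    # Alice herself replies "YES" with the token.
    results["confirm"] = lm.confirm_unsubscribe("alice@example.org", token)
    # A replayed token no longer works.
    results["replay"] = lm.confirm_unsubscribe("alice@example.org", token)
    results["still_subscribed"] = "alice@example.org" in lm.subscribers
    return results
```

Nothing here requires a stored password, and nothing is ever mailed in the clear that is useful beyond one unsubscribe of one address within the token's lifetime. The same pattern covers subscribe and settings changes: the server never asks the user to prove who they are with a secret it picked for them; it proves control of the mailbox by sending a fresh, hashed-at-rest, expiring, single-use token there.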

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131001/3753c220/attachment.pgp>

