Great Circle Associates List-Managers
(February 2003)
 


Subject: Re: Majordomo hole my rear end!
From: Nick Simicich <njs @ scifi . squawk . com>
Date: Sat, 08 Feb 2003 01:07:09 -0500
To: list-managers <list-managers @ greatcircle . com>
In-reply-to: <p05111b96ba69d4ad7507 @ [10 . 0 . 1 . 2]>
References: <5 . 1 . 0 . 14 . 2 . 20030207144827 . 23da88a0 @ 199 . 74 . 151 . 1>

At 11:33 AM 2003-02-07 -1000, Vince Sabio wrote:

> ** Sometime around 15:06 -0500 02/07/2003, Nick Simicich sent everyone:
>
>> You know, I have another alert: You might have meant for no one to sign up for this list, but the default is to let people sign up! The most restrictive defaults should be picked in all cases, of course, so the default should be to not let people sign up! And to not let people use the list at all! And to restrict all English words from being in a posting, because if people are allowed to use language in mailing list postings, they could accidentally give away secrets!

> Nick,
>
> I agree with your overall assessment that the "security alert" is B.S. However, default settings should be reasonable.

And, they made the false claim that the vendor had agreed and released patches for Mj1, when the patches were actually created by the reporter. As to whether or not Mj2 agreed, I think that they did, only to shut the reporter up. I would argue that was a bad tactic.

Again, Majordomo has not been updated for quite a while - the last update was done when there was an actual vulnerability in the package, which was some time ago. People have released patches, but that is not germane to the code base. Anyone applying source patches is also likely to read the doc. The patch released by the reporter will not be incorporated into any code bases, as I believe that the license on the code prohibits releasing modified versions.

> For example, setting defaults so that no one can sign up for a new list is arguably not particularly useful in most cases [1]; OTOH, defaulting which_access to closed/list/private/something-anything other than "open" is probably smarter than defaulting it to open.

I agree. However, my point is that the real alert is "read the manual". And my point is that I agree, you should read the manual, and that the defaults may not be appropriate no matter what they are set to.

> Other comments still apply, including RTFM/RTFDOC when setting up a server of any sort. And as we all know, sysadmins have nothing but time on their hands... ;-)

And if they do not have the time, and they still try to do the job, guess what: They are likely to configure systems incorrectly and leave all sorts of holes and they will be a lot more damaging than the release of subscriber lists.

--
SPAM: Trademark for spiced, chopped ham manufactured by Hormel.
spam: Unsolicited, Bulk E-mail, where e-mail can be interpreted generally to mean electronic messages designed to be read by an individual, and it can include Usenet, SMS, AIM, etc. But if it is not all three of Unsolicited, Bulk, and E-mail, it simply is not spam. Misusing the term plays into the hands of the spammers, since it causes confusion, and spammers thrive on confusion. Spam is not speech, it is an action, like theft, or vandalism. If you were not confused, would you patronize a spammer?
Nick Simicich - njs @ scifi . squawk . com - http://scifi.squawk.com/njs.html
Stop by and light up the world!
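As an added example (not code from this thread, from either poster, or from the Majordomo distribution), the following script audits the kind of setting Vince names above: it parses a Majordomo 1-style list config and flags who_access and which_access values that let any sender pull membership information, which is the subscriber-list disclosure the "alert" was about, and it also reports a key that is simply unset, since the effective value is then whatever the installed package defaults to. The key names follow the Majordomo 1 config file; the value vocabulary (open/list/closed), the meaning of each value and the "key << TOKEN" multi-line syntax are assumptions to check against the docs of the version you run, and the three sample configs are constructed.

```python
"""Audit a Majordomo 1-style list config for membership-disclosure settings.

Added example, not code from the list-managers thread or from Majordomo.
Key names (who_access, which_access) follow the Majordomo 1 config file;
the value vocabulary (open/list/closed), its meaning and the '<<' multi-line
syntax are assumptions: check them against the docs of the version you run.
"""
import re

# Settings that control who may learn list membership.  Assumed semantics:
# 'open' answers any sender; 'list' answers subscribers only; 'closed'
# answers the list owner only.
DISCLOSURE_KEYS = {
    "who_access": "'who' returns the full subscriber list to any sender",
    "which_access": "'which' tells any sender which lists an address is on",
}
RISKY_VALUES = {"open"}

# Constructed sample configs (not from any real list).
WEAK_CONFIG = """\
# which_access [open,closed,list]
which_access  = open
# who_access   [open,closed,list]
who_access    = open
subscribe_policy = open
message_footer << END
--
To unsubscribe, mail majordomo@example.org with 'unsubscribe demo'.
END
"""

HARDENED_CONFIG = """\
which_access  = closed
who_access    = closed
subscribe_policy = open+confirm
"""

# Leaves which_access unset, so the package default (whatever it is) applies.
PARTIAL_CONFIG = """\
who_access = list
"""


def parse_config(text):
    """Parse 'key = value' and 'key << TOKEN ... TOKEN' lines into a dict.
    Blank lines and '#' comments are skipped; unrecognised lines are ignored."""
    cfg = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*(=|<<)\s*(.*)$", line)
        if not m:
            continue
        key, op, value = m.group(1), m.group(2), m.group(3).strip()
        if op == "<<":
            # Multi-line value: collect raw lines up to the terminator token.
            term, body = value, []
            while i < len(lines) and lines[i].strip() != term:
                body.append(lines[i])
                i += 1
            i += 1  # skip the terminator itself
            value = "\n".join(body)
        cfg[key] = value
    return cfg


def audit(cfg):
    """Return (key, value, reason) findings.  An absent key is reported too:
    its effective value is then the installed package's default, which is
    exactly the 'read the manual' point made in the thread."""
    findings = []
    for key, reason in DISCLOSURE_KEYS.items():
        value = cfg.get(key)
        if value is None:
            findings.append((key, None, "unset; package default applies, check the docs"))
        elif value.lower() in RISKY_VALUES:
            findings.append((key, value, reason))
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config file's text, then audit it."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("partial", PARTIAL_CONFIG)):
        print(f"{name}: {audit_text(text) or 'no findings'}")
```

Run it against a directory of list configs and the "unset" findings are usually the interesting ones: a value that was never written down is a value somebody is trusting the package default for, and that default is whatever the version on that box ships with.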

