From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ben Finney
Subject: Re: Gmane readers - please subscribe
Date: Tue, 27 Apr 2010 20:02:50 +1000
Message-ID: <87ljc9jjqt.fsf@benfinney.id.au>
References: <87wrvtkawl.fsf@benfinney.id.au> <87k4rtod4o.fsf@eku238261.eku.edu>
List-Id: "General discussions about Org-mode."
To: emacs-orgmode@gnu.org

Tyler Smith writes:

> Ben Finney writes:
>
> > A large part of my reason for reading via Gmane is to avoid yet
> > another set of authentication credentials. Especially one that I
> > never use; that's a security nightmare waiting to happen. So I'm not
> > interested in increasing my security exposure by making a Mailman
> > account on yet another site.
>
> Yikes! What nightmare awaits those of us who've foolishly gone ahead
> and subscribed? What's my exposure, beyond some nefarious cracker
> impersonating me on emacs-orgmode?

The assumption here is that logging into the mailing list account is
something done infrequently to never for any given user. That's
certainly the case for just about any list I've subscribed to.

For an infrequently-to-never used passphrase, one of two things is the
case: either it's unique, or it is identical to the passphrase that
accesses some other set of services for the user.

Since it's an infrequently-to-never accessed service, it's an
unreasonable burden to expect the user to maintain unique passphrases
for every such service. If for this list, why not for every such list?
So what usually ends up happening is they're identical for a given
person across many different services.

But the more that's the case, the greater the exposure: any one of those
services could manage their security poorly, or simply be unlucky enough
to attract a bored and/or motivated cracker; and a compromise on any one
of them removes any expectation of security on any of the rest of the
services where the user has the same passphrase.

The sensible policy, therefore, is to cull the proliferation of such
passphrase-requiring infrequently-to-never-accessed accounts. Which, in
turn, means saying a polite “no thank you” to most requests to set up
new accounts.

-- 
 \        “The greatest tragedy in mankind's entire history may be the |
  `\       hijacking of morality by religion.” —Arthur C. Clarke, 1991 |
_o__)                                                                  |
Ben Finney