
Re: Insidious Spam/swen/Garbage



On Sun, 26 Oct 2003 at 21:29 GMT, Wayne Topa penned:
> Monique Y. Herman(spam@bounceswoosh.org) is reported to have said:
>> 
>> Of course, your password will then be in plain-text in a file.  If
>> you are the only person with root access, this probably isn't a big
>> deal until your box gets hacked, but this sort of thing always gives
>> me the willies.
> 
> You run mutt as root?  That would give me the willies!  I assumed that
> no one would try that!

Did I imply that?

I meant to say, anyone with root access could view your password.  If
you are the only person with root access, this probably doesn't matter.

I don't run mutt as root, but how would that be any more dangerous than
running, say, cat or vi as root?

> 
> I, of course, meant the instructions as a suggestion for the user's
> .muttrc.  If you run mutt as root I have no advice other than, don't.
> 
> So what do you do about your /etc/ppp/pap-secrets file?  It has the
> same permissions as your root .muttrc? Get hacked and it's just as
> bad.

Well, I don't use dialup, so it's not a problem.  I assume pap-secrets
has your dialup password or something in it?  If so, and if you use a
unique password for dialup, then I would think the worst that could
happen is that they could use the dialup access that is legitimately
yours.  If your ISP bundles email and web hosting, that would be a
problem, too.  Having someone steal my bandwidth doesn't frighten me
nearly as much as having someone read or destroy my mail.

It's the age-old problem of security vs. convenience.  I remember using
a vpn client for work that insisted on putting its configuration file
(including password) in /etc, and furthermore installed it
world-readable by default.  Fortunately, it still ran after you
restricted its permissions ... Now, sure, I did restrict its
permissions, and iirc we actually had access to the source, so I could
have modified it to read the configuration from elsewhere ... but still,
the default configuration was just bad, bad, bad.

It would probably be more secure (assuming some kind of encryption) to
enter your password every time you want to check mail, but most of us
are willing to sacrifice some security to avoid having to type our
passwords all the time.  Even so, it's better to make a conscious choice
*after understanding the implications* than to just blindly sally forth.


-- 
monique
Unless you need to share ultra-sensitive super-spy stuff with me, please
don't email me directly.  I will most likely see your post before I read
your mail, anyway.
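The thread above turns on one practical point: a config file that holds a plaintext password (a user's .muttrc, /etc/ppp/pap-secrets, the VPN client's file in /etc) is only as safe as its permission bits, and the default bits are not always sane. The script below is an added example written for this page, not something any poster in the thread supplied. It audits a list of such files and reports any that group or other users can read, using only POSIX tools (ls, cut) so it behaves the same on Linux and the BSDs. The default file list (the user's .muttrc and /etc/ppp/pap-secrets) is taken from the thread; any other path you pass is your own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit files that hold
# plaintext credentials and flag any readable by group or others.
# Portable: relies on the 10-character mode string printed by ls -ld,
# e.g. "-rw-------", rather than GNU-only stat/find flags.

# Print the mode string for a file (type bit plus rwx for user/group/other).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Exit status: 0 = only the owner has any access, 1 = group or other has
# some permission bit set (read, write or execute), 2 = file missing.
is_owner_only() {
    [ -e "$1" ] || return 2
    m=$(mode_string "$1")
    g=$(printf '%s' "$m" | cut -c5-7)   # group rwx
    o=$(printf '%s' "$m" | cut -c8-10)  # other rwx
    [ "$g" = "---" ] && [ "$o" = "---" ]
}

# Audit every path given. Prints one line per file and returns 1 if any
# credential file is exposed, 0 otherwise. Missing files are reported but
# do not count as a failure (not every box has pap-secrets).
audit_credential_files() {
    rc=0
    for f in "$@"; do
        is_owner_only "$f"
        status=$?
        case $status in
            0) printf 'OK      %s %s\n' "$(mode_string "$f")" "$f" ;;
            2) printf 'MISSING %s\n' "$f" ;;
            *) printf 'EXPOSED %s %s  (fix: chmod 600 %s)\n' \
                   "$(mode_string "$f")" "$f" "$f"
               rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: audit the paths on the command line, or the two files
# discussed in the thread when none are given.
if [ $# -gt 0 ]; then
    audit_credential_files "$@"
else
    audit_credential_files "$HOME/.muttrc" /etc/ppp/pap-secrets
fi
```

Run it as the user whose files you care about (or as root for /etc paths); the exit status makes it usable from cron so a package upgrade that quietly resets a mode to 644 gets noticed. It checks only the file's own bits, so a world-readable parent directory or a backup copy lying next to the file still needs a separate look.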


