Hello list admins,
due to http://blog.wikimedia.org/2015/11/12/mailman-security-incident/
we have reset all list admin passwords. You should have already received a new pass in the mail earlier.
I just wanted to add that we also changed all _moderator_ passwords, but as opposed to admin passwords we could not just mail the owner address.
We don't expect that many lists actually use a separate moderator role where people moderate who are _not_ also the list admin, but if this is the case for one of your lists, please change it to something new and let your moderators know the new password.
Best regards,
Thanks for the info.
Do we know if nonpublic information was accessed such as hidden email subscribers and the email contents of private lists?
Will subscriber passwords be reset?
Thanks, Pine
On Nov 12, 2015 9:08 PM, "Daniel Zahn" dzahn@wikimedia.org wrote:
-- Daniel Zahn dzahn@wikimedia.org Operations Engineer
Listadmins mailing list Listadmins@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/listadmins
On Thu, Nov 12, 2015 at 9:16 PM, Pine W wiki.pine@gmail.com wrote:
Do we know if nonpublic information was accessed such as hidden email subscribers and the email contents of private lists?
We don't know that but should assume it's possible because it was an account with legitimate shell access to the server.
Will subscriber passwords be reset?
Yes.
Hi all,
emails sent to "list admins" are also received by "list moderators", who are not supposed to have access to the "list admin" password, and do not have access to the email addresses of everyone on the list. By sending the admin password by mail, you have given access to everyone's email address to the list moderators. Just thought I should let you know.
All the best, Mike (Taketa)
Date: Thu, 12 Nov 2015 21:08:00 -0800
From: dzahn@wikimedia.org
To: listadmins@lists.wikimedia.org
Subject: [List admins] reset list and moderator passwords
On Thu, Nov 12, 2015 at 11:02 PM, Mike Nicolaije taketawiki@hotmail.com wrote:
emails sent to "list admins" are also received by "list moderators", who are not supposed to have access to the "list admin"
We exclusively mailed the list _owner_ address of each list and only that.
Thank you for your vigilance on this. Is this security breach related to the one on enwiki last week that led to administrator accounts being compromised?
Cheers, Craig
2015-11-13 15:08 GMT+10:00 Daniel Zahn dzahn@wikimedia.org:
Hey Craig,
As far as we know, no, we have not seen any connection between the two.
Sent from my iPhone
James Alexander Manager, Trust & Safety Wikimedia Foundation +1 415-839-6885 x6716
On Nov 12, 2015, at 23:52, Craig Franklin craig.franklin@wikimedia.org.au wrote:
Were only the admin passwords compromised, or also the passwords of the list members (who can set a password to view the membership etc)?
Lodewijk
On Fri, Nov 13, 2015 at 9:05 AM, James Alexander jalexander@wikimedia.org wrote:
I have already forgotten my password before ....
On 13 Nov 2015 17:23, "Lodewijk" lodewijk@effeietsanders.org wrote:
On Fri, Nov 13, 2015 at 1:23 AM, Lodewijk lodewijk@effeietsanders.org wrote:
Were only the admin passwords compromised, or also the passwords of the list members (who can set a password to view the membership etc)?
Lodewijk
All passwords were reset, including list member passwords. Because list member passwords can go through a "retrieve password" + they get periodic reminders automatically, mass emails about those resets were not sent out, however. (I believe we may be adding a note in the auto reminder about how they were reset... but not entirely sure, I will leave that for ops)
James Alexander Manager Trust & Safety Wikimedia Foundation (415) 839-6885 x6716 @jamesofur
https://lastpass.com/f?171486 <-- a good password tool to remember all those long passwords
Yes, remembering short passwords is easier. But nowadays you might have like 400 passwords, and they should all be different (or you do not manage them by yourself (alone)).
LastPass is one of the tools out there that can handle that for you, among others. I have been using LastPass for several years now, it's free, I believe it's safe (safer than 123passw everywhere) and it never let me down.
Edo
2015-11-13 11:16 GMT+01:00 James Alexander jalexander@wikimedia.org:
+1 for LastPass. Write it down and stick it on your desk if you need to—the likelihood that your passwords will be compromised by someone physically breaking into your home is minuscule (and if so, you have much larger things to worry about). More conveniently, use password management software like LastPass, KeePassword, or 1Password. The days of using one password for everything should be far, far in the past.
– Molly (GorillaWarfare)
On Fri, Nov 13, 2015 at 7:06 AM, Edo de Roo edoderoo@gmail.com wrote:
The days of using one password for everything should be far, far in the past.
That's precisely what you do when using "default" LastPass. One master password to rule them all. For LastPass in particular there's a variety of supported multi-factor authentication, from Google Authenticator to Yubikey. See https://helpdesk.lastpass.com/multifactor-authentication-options/
Christoph
2015-11-13 13:12 GMT+01:00 GorillaWarfare gorillawarfarewikipedia@gmail.com:
Good catch, Christoph. The two-factor options for LastPass are both useful and necessary for good security.
Brian/NF
On Fri, Nov 13, 2015 at 4:40 AM, Christoph Braun christoph.braun.de@gmail.com wrote:
LastPass's salted master password* plus 2FA is far preferable to using a single password on every site you visit.
*https://lastpass.com/support.php?cmd=showfaq&id=1116
– Molly (GorillaWarfare)
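The two properties being argued over above, a salted master password and a second factor, are easy to show in code. The following is an added example for this thread, not code from LastPass or from any poster: the key-derivation scheme is a generic one written for the illustration and is not any vendor's actual implementation, and the user name, master password and TOTP seed are constructed values (the seed is the RFC 6238 test-vector key, so the one-time codes can be checked against the RFC).

```python
"""Salted master-password derivation plus a TOTP second factor.

Added illustration for this thread, not code from LastPass or from any poster:
the key-derivation scheme below is a generic one written for the example and is
not any vendor's actual implementation. Username, master password and TOTP seed
are constructed values.
"""
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 100_000   # assumption for the example; real products tune this
KEY_LEN = 32                  # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Client-side: the key that encrypts the vault. The per-user salt means two
    users with the same master password get different keys, so one precomputed
    cracking table cannot serve both; the iteration count slows each guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def derive_login_verifier(vault_key: bytes, master_password: str) -> bytes:
    """Client-side: what gets sent to, and stored by, the server. It is a one-way
    function of the vault key, so a dump of the server database yields verifiers
    that can neither decrypt a vault nor be turned back into the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, KEY_LEN)


def server_accepts_password(stored_verifier: bytes, presented_verifier: bytes) -> bool:
    """Server-side first factor: constant-time comparison against the stored verifier."""
    return hmac.compare_digest(stored_verifier, presented_verifier)


# --- second factor: RFC 4226 HOTP / RFC 6238 TOTP, the scheme authenticator apps use ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the number of 30-second steps elapsed."""
    return hotp(secret, at_time // step, digits)


def server_accepts_totp(secret: bytes, code: str, at_time: int,
                        step: int = 30, window: int = 1) -> bool:
    """Accept the current step and one on either side to absorb clock drift,
    comparing in constant time so timing does not leak which digit failed."""
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def enrol_and_login(master_password: str, attempt_password: str, attempt_code: str,
                    at_time: int) -> bool:
    """End-to-end: enrol a constructed user, then try a login with both factors."""
    salt = b"alice@example.org"          # constructed per-user salt; a random value
                                         # stored with the account is the usual choice
    totp_seed = b"12345678901234567890"   # constructed: the RFC 6238 test-vector seed
    # enrolment: only the verifier and the TOTP seed ever reach the server
    stored_verifier = derive_login_verifier(derive_vault_key(master_password, salt),
                                            master_password)
    # login: the client recomputes the verifier from what the user typed
    presented = derive_login_verifier(derive_vault_key(attempt_password, salt),
                                      attempt_password)
    return (server_accepts_password(stored_verifier, presented)
            and server_accepts_totp(totp_seed, attempt_code, at_time))


if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59))                         # RFC 6238 vector
    print(enrol_and_login("correct horse", "correct horse", "287082", 59))
```

The split between vault key and login verifier is the point of the "salted master password" argument: the server can authenticate the user without ever holding anything that decrypts the vault, and the salt plus iteration count make offline guessing against a leaked verifier slow and per-user. The TOTP check is the second factor that the thread says a master-password-only setup lacks.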
No one else using Roboform?
Doug
On Fri, Nov 13, 2015 at 12:52 PM, GorillaWarfare gorillawarfarewikipedia@gmail.com wrote:
+1 on LastPass.
1Password for Mac has seen some problems lately
http://appleinsider.com/articles/15/10/20/1password-to-change-file-formats-a...
-Andrew Lih Associate professor of journalism, American University Email: andrew@andrewlih.com WEB: http://www.andrewlih.com BOOK: The Wikipedia Revolution: http://www.wikipediarevolution.com PROJECT: Wiki Makes Video http://en.wikipedia.org/wiki/Wikipedia:WikiProject_Wiki_Makes_Video
On Fri, Nov 13, 2015 at 7:52 AM, GorillaWarfare gorillawarfarewikipedia@gmail.com wrote:
Surprised about this discussion. While in general this is a good discussion, we are talking about mailman, where you don't really have a good AAA model: you have one admin password per list and one moderator password, which needs to be shared amongst admins/moderators, so it will never be changed because it is difficult to coordinate, and passwords are just sent in plain text. That is a level of security that is the same level as the post-it note on the bottom of your keyboard.
Effort with mailman should go into a proper authentication method, so that for one mailman instance I have one account where I simply manage my lists, either just as a reader or as a moderator/admin, where only I indeed need the password, and then as a bonus with single sign-on support so that I could configure it to log in with my Google account, or in our case with our Wikimedia password.
Regards,
Andre Koopal
On Fri, Nov 13, 2015 at 1:58 PM, Andrew Lih andrew@andrewlih.com wrote:
2015-11-13 14:09 GMT+01:00 Andre Koopal andre@molens.org:
Can't agree more. The security model of mailman bugs me so much…
Hi Andre,
On 13-11-2015 at 14:09, Andre Koopal wrote:
This has been bugging me too. Filed https://phabricator.wikimedia.org/T118641 to keep track.
Maarten
On Fri, Nov 13, 2015 at 4:06 AM, Edo de Roo edoderoo@gmail.com wrote:
https://lastpass.com/f?171486 <-- a good password tool to remember all those long passwords
Software recommendations are generally more convincing when not done via a "get a free month of premium access when someone subscribes through it" link :)
On Fri, Nov 13, 2015 at 8:15 AM, Gergo Tisza gtisza@wikimedia.org wrote:
Though to be fair, you as the new subscriber also get a free month.
Mentioning it in the interest of transparency would have been best, I agree.
I have paid for "premium" access on LastPass for 2-3 years already. Not because you need premium access, because you don't .. more because LastPass is worth the $12 per year. So if you are more easily convinced by just using LastPass without my referral, or someone else's, I don't care too much ... It would save me $1 maybe
2015-11-13 14:41 GMT+01:00 Andrew Lih andrew@andrewlih.com:
Call me old fashioned, but the way I save passwords is to put them into a document, print it, and put that sheet of paper in my safe and delete the doc on the computer. Probably one of the most secure ways to deal with passwords. (And on a side note, this is damn cheap!) - I've also an encrypted USB drive with those passwords if I ever need them somewhere...
Paul
On 13.11.2015 at 15:02, Edo de Roo wrote:
2015-11-13 16:37 GMT+01:00 Paul S. barras@email.de:
Call me pedantic, but unless you saved your file on an encrypted filesystem or used shred() instead of unlink() to delete the document, it's still available for recovery on your computer (e.g. on Linux, a simple grep directly on the block device could suffice). Also shred() only works if your filesystem and the underlying device both use in-place overwriting (which is less and less true nowadays).
:-p
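The unlink-versus-shred point made in the reply above, and its copy-on-write caveat, can be shown without touching a real disk. The following is an added example for this thread, not code from any poster: it models a tiny block device in memory, "deletes" a file both ways, and then scans the raw blocks the way a grep over the block device would. The file name, the secret and the device layout are constructed for the illustration.

```python
"""Why deleting a file does not remove its contents, and when overwriting does not either.

Added illustration for this thread, not code from any poster. It models a tiny
block device in memory so the effect can be shown without root or a real disk.
The file name and the 'secret' are constructed values.
"""
BLOCK_SIZE = 64
SECRET = b"wiki-list-admin:hunter2"   # constructed; short enough to sit in one block


class ToyDisk:
    """A flat array of fixed-size blocks plus a directory mapping names to block lists.
    copy_on_write=True models a filesystem or device that never rewrites a block in
    place (CoW filesystems, flash translation layers): every write goes to a fresh block.
    """

    def __init__(self, n_blocks: int = 64, copy_on_write: bool = False):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(n_blocks)]
        self.free = list(range(n_blocks))   # free list; a freed block keeps its old bytes
        self.files = {}                      # name -> [block numbers]
        self.cow = copy_on_write

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
                  for i in range(0, len(data), BLOCK_SIZE)]
        old = self.files.get(name, [])
        if self.cow or not old:
            # new blocks every time; the old ones are merely released, contents intact
            blocks = [self.free.pop(0) for _ in chunks]
            self.free.extend(old)
        else:
            # in-place: the same blocks are rewritten (extras allocated if the file grew)
            blocks = old[:len(chunks)] + [self.free.pop(0)
                                          for _ in range(len(chunks) - len(old))]
            self.free.extend(old[len(chunks):])
        for b, chunk in zip(blocks, chunks):
            self.blocks[b] = chunk
        self.files[name] = blocks

    def unlink(self, name: str) -> None:
        """What rm does: drop the directory entry, mark the blocks free, touch no data."""
        self.free.extend(self.files.pop(name))

    def shred(self, name: str) -> None:
        """Overwrite the file with fixed patterns, then unlink, in the spirit of shred(1).
        This only removes the secret if the writes really land on the same blocks."""
        size = len(self.files[name]) * BLOCK_SIZE
        for pattern in (b"\x55", b"\xaa", b"\x00"):
            self.write(name, pattern * size)
        self.unlink(name)

    def raw_grep(self, needle: bytes) -> bool:
        """The forensic view: scan every block, ignoring the directory entirely,
        which is what grepping the block device does."""
        return any(needle in blk for blk in self.blocks)


def residue_after(method: str, copy_on_write: bool) -> bool:
    """Write the secret, remove it by `method` ('unlink' or 'shred'), then report
    whether a raw scan of the device can still find it."""
    disk = ToyDisk(copy_on_write=copy_on_write)
    disk.write("passwords.txt", SECRET)
    if method == "unlink":
        disk.unlink("passwords.txt")
    elif method == "shred":
        disk.shred("passwords.txt")
    else:
        raise ValueError(method)
    return disk.raw_grep(SECRET)


if __name__ == "__main__":
    for method in ("unlink", "shred"):
        for cow in (False, True):
            print(f"{method:6} cow={cow!s:5} secret recoverable: {residue_after(method, cow)}")
```

Of the four combinations, only shred on an in-place device leaves nothing behind; unlink never removes data, and shred on a copy-on-write device just writes its patterns to new blocks while the original block keeps the secret. That is why the reply recommends an encrypted filesystem over relying on deletion: with encryption the stale blocks hold ciphertext whose key can be discarded, regardless of how the device allocates writes.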
Yeah, should probably have made clear in the initial email or blog post that subscriber passwords were also changed. Thanks for the clarification though.
KTC
On 13/11/2015 10:16, James Alexander wrote:
I might have missed it in all the emails but can you check whether arbcom-en-b was changed. I definitely got emails as an admin for arbcom-l and arbcom-en-c.
*---Chris McKenna (Thryduulf)* thryduulf.wiki@gmail.com
Unless otherwise noted, opinions expressed in this email are solely my own and do not necessarily represent the views of the Arbitration Committee as a whole.
On 13 November 2015 at 14:08, Katie Chan ktc@ktchan.info wrote:
Admin-B was changed. Funny, I thought I was just a moderator dealing with email, looks like I'm an Admin.
On Fri, Nov 13, 2015 at 2:12 PM, Chris McKenna thryduulf.wiki@gmail.com wrote:
I might have missed it in all the emails but can you check whether arbcom-en-b was changed. I definitely got emails as an admin for arbcom-l and arbcom-en-c.
*---Chris McKenna (Thryduulf)* thryduulf.wiki@gmail.com
Unless otherwise noted, opinions expressed in this email are solely my own and do not necessarily represent the views of the Arbitration Committee as a whole.
On 13 November 2015 at 14:08, Katie Chan ktc@ktchan.info wrote:
The problem now is I can't login to the panel and I am only admin of wikivoyage-zh, there are no moderators...
On 13 Nov 2015 22:08, "Katie Chan" ktc@ktchan.info wrote:
Gabriel, if you are admin then you have full control:
There are two ownership roles associated with each mailing list. The list administrators are the people who have ultimate control over all parameters of this mailing list. They are able to change any list configuration variable available through these administration web pages.
The list moderators have more limited permissions; they are not able to change any list configuration variable, but they are allowed to tend to pending administration requests, including approving or rejecting held subscription requests, and disposing of held postings. Of course, the list administrators can also tend to pending requests.
On Fri, Nov 13, 2015 at 2:17 PM, Gabriel Chi Hong Lee <chihonglee777@gmail.com> wrote:
On 13 November 2015 at 05:16, James Alexander jalexander@wikimedia.org wrote:
All passwords were reset, including list member passwords. Because list member passwords can go through a "retrieve password" + they get periodic reminders automatically mass emails about those resets were not sent out however. (I believe we may be adding a note in the auto reminder about how they were reset... but not entirely sure, I will leave that for ops)
Hold on. As a list administrator for 3 lists, I received emails to change the listadmin password for all three, and have done so and shared the new password with the rest of the list admins.
However, as a list subscriber, I have yet to receive an email telling me that there is a forced password change for any WMF-based list to which I subscribe. Some questions are in order about this element, which is not mentioned in the blog, and will affect tens of thousands of users.
- Do subscribers have to change their password for each WMF-based mailman mailing list separately, or can they use the "one password for all lists" function that currently exists to change all of the passwords at once? (Keep in mind that most of the mailing lists are at least semi-public, so this is not really a big deal.)
- If not, what happens to those subscriptions? Are they discontinued if the user does not update his or her password, or do they just continue?
I think that there are a lot of valid points being made about the inherent problem of having listadmin passwords that are not user-specific. At the same time, we should keep in mind that the core issue here is that a few listadmins appear to have used the same password for listadmin duties as they were using for other accounts. All the password protection systems in the world are not going to change what happened here, if people are going to use obviously insecure, shared passwords as personal passwords as well.
Risker/Anne
On 13 November 2015 at 17:06, Risker risker.wp@gmail.com wrote:
At the same time, we should keep in mind that the core issue here is that a few listadmins appear to have used the same password for listadmin duties as they were using for other accounts. All the password protection systems in the world are not going to change what happened here, if people are going to use obviously insecure, shared passwords as personal passwords as well.
As I understand it, *subscribers* used their regular passwords for mailman, and mailman stores passwords *unhashed* on the server (!).
On Friday, November 13, 2015 at 11:39 AM, Merlijn van Deen wrote:
As I understand it, *subscribers* used their regular passwords for mailman, and mailman stores passwords *unhashed* on the server (!).
And not only that, the passwords are routinely emailed—in plain text, without me prompting it. Email is not secure. I use a throwaway password for Mailman for that reason. Frankly, it’s embarrassing we still use this software.
Regards, James Hare
Hi -- am posting this on mobile and thus must be terse, but Mailman 3 https://lwn.net/Articles/638090/ hashes passwords before storing them and does not by default send passwords monthly (it cannot) to users. I believe WMF Ops is aware of this and will upgrade as soon as is practical, although of course I don't know for sure.
On Fri Nov 13 11:42:05 2015 GMT-0500, James Hare wrote:
Sumana Harihareswara
On Fri, 2015-11-13 at 16:51 +0000, Sumana Harihareswara wrote:
Sumana! Hey!
Yes, plan is to upgrade: https://phabricator.wikimedia.org/T52864
Cheers, andre
While my list is not affected, the problem that I have is that I forgot my list admin password and there's no way to recover it (the recovery mechanism only works for subscribers)
Andrew
"Fill the world with children who care and things start looking up."
Date: Fri, 13 Nov 2015 11:42:05 -0500 From: james.hare@wikidc.org To: listadmins@lists.wikimedia.org Subject: Re: [List admins] reset list and moderator passwords
On Fri, Nov 13, 2015 at 2:51 PM, Andrew Leung andrewcleung@hotmail.com wrote:
While my list is not affected, the problem that I have is that I forgot my list admin password and there's no way to recover it (the recovery mechanism only works for subscriber)
Yes, for user passwords there is a self-service "forgot password" feature that anyone can use who is missing their user (subscriber) password.
For list admin passwords there is no such form but you should have recently received an email with it that we generated with a script when we had to reset all list admin passwords.
Sending passwords to other Admins is done on the en.wiki ArbCom lists via Skype or SMS on the basis that email isn't secure enough. Doug
On Sat, Nov 14, 2015 at 1:30 AM, Daniel Zahn dzahn@wikimedia.org wrote:
Hello, I 'm an admin of mailing list "wikipedia-as". I received your email with a new password but was unable to log in with it. Kindly look into the matter.
On Sat, Nov 14, 2015 at 7:00 AM, Daniel Zahn dzahn@wikimedia.org wrote:
On Sat, Nov 14, 2015 at 10:33 AM, Gitartha Bordoloi <gitartha.bordoloi@gmail.com> wrote:
I 'm an admin of mailing list "wikipedia-as". I received your email with a new password but was unable to log in with it. Kindly look into the matter.
I reset the password for wikipedia-as one more time. You should have received mail at wikipedia-as-owner@lists.wikimedia.org which forwards to all three admin addresses listed as "Wikipedia-AS https://lists.wikimedia.org/mailman/listinfo/wikipedia-as list run by psneog at gmail.com, gitartha.bordoloi at gmail.com, wikichaipau at gmail.com wikipedia-as-owner@lists.wikimedia.org"
Please let me know off list or via a ticket if any other issues or lists need support to keep the volume of this large announcement list down.
Best regards,
Daniel
On 14/11/15 19:33, Gitartha Bordoloi wrote:
Hello, I 'm an admin of mailing list "wikipedia-as". I received your email with a new password but was unable to log in with it. Kindly look into the matter.
wikipedia-as was one of the lists whose password was reset *twice*. So you need to make sure to use the password from the _second_ email.
That will be the one with subject «Your new wikipedia-as list password», saying «The site administrator at lists.wikimedia.org has changed the password for your mailing list…», not the one titled «Password reset for list wikpedia-as»
Best regards
Daniel, can you please reset wikivoyage-zh for me please?
On 15 Nov 2015 03:40, "Platonides" platonides@gmail.com wrote:
On Sun, 2015-11-15 at 07:00 +0800, Gabriel Chi Hong Lee wrote:
Daniel, can you please reset wikivoyage-zh for me please?
Please let Daniel know off list or via a ticket to keep the volume of this large announcement list down.
Thanks, andre
On 13/11/15 17:39, Merlijn van Deen wrote:
As I understand it, *subscribers* used their regular passwords for mailman, and mailman stores passwords *unhashed* on the server (!).
Yes. mailman stores the subscribers' passwords unhashed. The list admin passwords are hashed, however.
It is clearly explained on the subscription page: «You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. *Do not use a valuable password* as it will occasionally be emailed back to you in cleartext»
So although list passwords were not at so much risk, it's much easier to change these, as the list admins are a better user base than sending a message like that to every wmf list subscriber.
I would cross-check the old subscribers passwords with their Wikimedia account, and if they matched (as it did for these staff), send them an email, too.
I would have expected better for someone with a staff account, though. ☹
Best regards
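The cross-check Platonides proposes above (testing each exposed cleartext subscriber password against the hashed password of the same person's wiki account, and notifying only those who reused it), worked through as an added Python example; this is not Wikimedia's or Mailman's code, and the hash layout, the iteration count and every address and password below are constructed for illustration, not taken from any real store.

```python
"""Credential-reuse check after a cleartext password exposure.

Mailman 2 kept subscriber passwords unhashed, so each of them is a known
cleartext candidate. The account store is hashed, so the only comparison
possible is "verify the candidate against the stored hash". Whoever matches
reused their list password for their account and should be told to change it.
All data in this file is constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor, not MediaWiki's real setting


def make_account_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password the way the (assumed) account store does.

    The layout "pbkdf2:<iterations>:<salt hex>:<hash hex>" is an assumption
    made for this example, not the real MediaWiki storage format.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2:{PBKDF2_ITERATIONS}:{salt.hex()}:{digest.hex()}"


def verify_account_hash(candidate: str, stored: str) -> bool:
    """Return True if `candidate` is the password behind `stored`."""
    scheme, iterations, salt_hex, hash_hex = stored.split(":")
    if scheme != "pbkdf2":
        raise ValueError(f"unsupported hash scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def find_reused_passwords(
    mailman_cleartext: Dict[str, str], account_hashes: Dict[str, str]
) -> List[str]:
    """Addresses whose exposed Mailman password also unlocks their account.

    Addresses without a linked account are skipped: there is nothing to compare.
    """
    reused = []
    for email, cleartext in mailman_cleartext.items():
        stored = account_hashes.get(email)
        if stored is not None and verify_account_hash(cleartext, stored):
            reused.append(email)
    return sorted(reused)


# Constructed sample data: what Mailman 2 held in cleartext ...
MAILMAN_SUBSCRIBERS = {
    "alice@example.org": "correct horse battery staple",  # reused for her account
    "bob@example.org": "list-only-pw-4711",               # distinct from his account
    "carol@example.org": "throwaway",                     # no linked account at all
}
# ... and the hashed account store it is compared against.
ACCOUNT_HASHES = {
    "alice@example.org": make_account_hash("correct horse battery staple"),
    "bob@example.org": make_account_hash("something-entirely-different"),
}

if __name__ == "__main__":
    for address in find_reused_passwords(MAILMAN_SUBSCRIBERS, ACCOUNT_HASHES):
        print(f"notify {address}: list password matches account password")
```

Only alice is reported: bob's list password does not verify against his account hash, and carol has no account to compare against.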
Hi,
On Nov 13, 2015 11:06, "Risker" risker.wp@gmail.com wrote:
However, as a list subscriber, I have yet to receive an email telling me that there is a forced password change for any WMF-based list to which I subscribe. Some questions are in order about this element, which is not mentioned in the blog, and will affect tens of thousands of users.
for your typical list with no sensitive content I imagine many people would just leave the automatically set (random) passwd. many won't even keep a record of it and will just reset it when they need to use it.
note, however, that James' point about monthly reminders doesn't hold because our lists typically have that disabled. (I get reminders for 2 lists each month. I subscribe to many more than that.)
it's trivial to reset subscriber passwd (and is self-service) and also to set a new passwd once you have logged in; when you set a new one after logged in to the web interface there's a checkbox for making the change on all your lists or only that one.
Do subscribers have to change their password for each WMF-based mailman mailing list separately, or can they use the "one password for all lists" function that currently exists to change all of the passwords at once? (Keep in mind that most of the mailing lists are at least semi-public, so this is not really a big deal.)
I'm not sure exactly what you mean. See above. Passwords have been changed but the software behaves the same as before AFAIK.
If not, what happens to those subscriptions? are they discontinued if the user does not update his or her password, or do they just continue?
users don't need to do anything if they don't want to change anything.
I think that there are a lot of valid points being made about the inherent problem of having listadmin passwords that are not user-specific.
That's not a Wikimedia specific problem. Nothing about that authentication system is locally customized (except maybe a couple lists with an extra layer of auth on top of mailman)
There's an upstream and a large user base. I would say patches welcome but maybe they prefer people upgrade to mailman 3. (and maybe that fixes the auth model)
At the same time, we should keep in mind that the core issue here is that a few listadmins appear to have used the same password for listadmin duties as they were using for other accounts.
+1
-Jeremy
Thanks for doing this.
Generally speaking, I doubt that most lists ever get around to changing their admin passwords. Would there be an appetite to mass change passwords once a year?
Fae
On 13 November 2015 at 05:08, Daniel Zahn dzahn@wikimedia.org wrote:
For a "How to store and collect your passwords" discussion PLEASE consider moving that to a separate thread. Or (at least) change the email summary line. I am not interested in that topic but I cannot unsubscribe from this thread, because there might still be messages that actually ARE related to handling the outcome of the actual security breach.
Thank you for your understanding. And my inbox also waves and would like to say thanks to y'all! :)
Cheerio, andre