[openssl-users] Fwd: CONGRATULATION____REF#87670
Johann v. Preußen
jvp at forthepolls.org
Mon Apr 4 22:21:23 UTC 2016
if this list was for tex-mex cooking recipes or ES vacation rentals, i would
agree that expectations for privacy might be very low and individual subscribers
are responsible to be as circumspect as they personally feel they must be.
however, this is a list of people in the forefront of addressing global
security issues and -- i would think -- subscribers would certainly want their
personal info (U.S. Title XIII PII) to be as secure as the issues they are
grappling with rather than having it published in the clear. the security issue
re the subscriber email addr spreads beyond the actual person as well. suppose
we have henrietta schmidt who is the email security officer for xyz corp who is
addressed as h.schmidt at xyz.com. since most large firms and almost all gov
agencies have rigid mailbox addressing schemes, it is quite possible to
extrapolate from this one email addr to a much wider range. like xyz's CIO joe
blow who is most likely to be found at j.blow at xyz.com or some close variant.
the payoffs for the successful breaching of systems of large firms and
governments are huge and it does not require much imagination to deduce that the
pantheon of perpetrators is large, their diligence is intense, and their numbers
are not confined to a bunch of "script kiddies". quite plainly, i do not believe
that openssl should be making their job easier.
Johann v. Preußen
On 2016.Apr.04 14:49, Jeffrey Walton wrote:
> On Mon, Apr 4, 2016 at 5:32 PM, Johann v. Preußen <jvp at forthepolls.org> wrote:
>> right now our conversation is bi-directional since the listserv is off-line.
>> i also looked at the headers and they do seem to originate within google
>> itself (bogon receipts). so, are you telling me that the mere fact that an
>> email is addressed to the list will get it published without verifying that
>> the sender is a subscriber?
>> everything else i mention relates to the needless exposure of the
>> subscriber's real name and email addr and the permitting of private anchors.
>> obviously, i believe that these practices greatly increase security risks
>> for the subscriber and will subject them to a potential flood of noxious
> Yes, I agree Johann. The thing I would point out is there's usually no
> expectation of privacy with a mailing list, so users should not be
> surprised if their email address shows up in a traditional email
> header or an X-header somewhere.
> What piqued my interest was that sudden spurt of spam. Something was
> not right, but I could not finger it.