LSTOWN-L Archives

LISTSERV List Owners' Forum

Ben Parker <[log in to unmask]>
Sun, 4 Apr 2004 22:22:33 -0600
On Sun, 4 Apr 2004 20:02:10 -0400, David Arthur <[log in to unmask]>
wrote:

>What concerns me is that there may be a way to bypass the subscription
>requirement, so that those we have decided to remove, and there are very
>few, can not find an alternate way onto the list.

Strictly speaking that is not 'hacking' of LISTSERV(R).  What it is, is a bad
person successfully using a false identity.  It is not LISTSERV's job to
verify identity in general.  If an email address is correctly subscribed to a
list, then LISTSERV will verify that posts come from that address.   For
browsing private archives via WWW, LISTSERV will verify an email address and
user password.  But if the address is known and the password is easily
guessed, LISTSERV can be satisfied even though it is a false person.  This is
true of any situation, such as where people post their password on a
Postit(R) note on their monitor.  There are limits to the level of security
that LISTSERV (or any other program) can impose before all access for all
users becomes impossible.  Note however, that LISTSERV log files will record
the IP address used to perform an access and this can be used later to verify
whether or not it was the 'proper' person or an imposter.

In such cases LISTSERV is functioning correctly to the limit of its ability,
and has not been 'hacked'.  Rather, the identity of the person has been
compromised, which is a different thing, outside of LISTSERV.  This then is
not a failure of LISTSERV itself, but rather the entire system of identity.

I have had a list where a user tried many times to re-subscribe under various
assumed/false identities.  I was able in every case to catch them and prevent
re-subscription, but it took a LOT of work.  A List Owner, faced with such an
obstinate person attempting to break back into a list, must be prepared to be
at least equally or even more diligent in keeping them out.  This can be very
time consuming and difficult, and may require much technical knowledge to
thwart a serious crasher.

It is the job of the human List Owner to verify identity of another human, a
prospective subscriber.  LISTSERV should not be expected to do this.
