At 5:15 AM +0100 1/28/06, Jochen Kaechelin wrote:

>The only thing I want to tell the people on the list is that there might be
>some subscribers who use a mail system with a vulnerability.

That's a laudable intent. Here's how I think it would have been better handled:

* Get in touch with the administrators of the vulnerable host and help them to fix the problem in private, before anyone malicious has a chance to take advantage of the problem.
* Mail, off-list, all of the addresses you can find in the archives from the affected host, warning them of the problem. You could also try mailing the css-d administrator address to ask that we pass a message along to all affected accounts in the subscriber database.

The problem now is that, given the way you posted about this, you've potentially exposed a server vulnerability to the whole world, because all list messages are publicly archived. Maybe that won't make any difference, but maybe it will.

Ordinarily, I'd have sent this reply off-list, but I decided it was better to respond publicly and establish guidelines for the future. I don't want to be a roadblock to improving security, but I also don't want to see security warnings on the list. It's just the wrong venue, and there are (as I said above) other ways to handle such situations.

--
Eric A. Meyer (http://meyerweb.com/eric/), List Chaperone
"CSS is much too interesting and elegant to be not taken seriously."
  -- Martina Kosloff (http://mako4css.com/)
______________________________________________________________________
css-discuss [EMAIL PROTECTED]
http://www.css-discuss.org/mailman/listinfo/css-d
List wiki/FAQ -- http://css-discuss.incutio.com/
Supported by evolt.org -- http://www.evolt.org/help_support_evolt/