On Tue, Apr 29, 2014 at 12:50 AM, Matthew Senate <mattsenate(a)gmail.com> wrote:
> create your own account on the dev.sudoroom.org site using:
> user: sudoer
> pass: superuserdoroom

I appreciate all your hard work on this, but I would advocate for a
more security-conscious approach to this. My two concerns are:
1) We should not share WordPress admin account passwords on a public
mailing list. Admin accounts are able to modify files on the server
and execute arbitrary code. This creates a very easy way for anybody
on the internet to pwn our entire web server and attack our users.
2) We should not serve the dev site on http or encourage users to
create accounts in cleartext. I can move it seamlessly to
https://sudoroom.org/dev/ with your consent.
I think we owe our users better than this, especially since we've
taught some of them to use Tor at our cryptoparties. They have trusted
us with email addresses and passwords in (among other things) the
blog, wiki, and mailman. This puts them and us at risk. It also
nullifies a lot of past time and effort that's gone into keeping our
server secure.
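
The HTTPS move described in concern 2, shown as a configuration example added here (not from the thread or from the sudoroom server): it assumes the site sits behind nginx, and the certificate and document-root paths are placeholders. The first block is the weak setting the reply objects to; the second and third are the corrected form, where plain HTTP only redirects and the dev site is served under https://sudoroom.org/dev/.

```nginx
# Added example, not the thread's own config. Assumes nginx fronts the site;
# certificate and root paths are placeholders.

# WEAK: dev site answered directly over plain HTTP, so account creation
# and logins cross the network in cleartext.
server {
    listen 80;
    server_name dev.sudoroom.org;
    root /var/www/dev;                      # placeholder path
}

# CORRECTED, part 1: every plain-HTTP request for either name is redirected.
# dev.sudoroom.org lands under /dev/ on the main host.
server {
    listen 80;
    server_name sudoroom.org;
    return 301 https://sudoroom.org$request_uri;
}
server {
    listen 80;
    server_name dev.sudoroom.org;
    return 301 https://sudoroom.org/dev$request_uri;
}

# CORRECTED, part 2: the only server block that serves content is TLS-only,
# and it tells browsers to keep using HTTPS for a year (HSTS).
server {
    listen 443 ssl;
    server_name sudoroom.org;
    ssl_certificate     /etc/ssl/certs/sudoroom.org.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/sudoroom.org.key;   # placeholder
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /dev/ {
        root /var/www;                      # placeholder; serves /var/www/dev/
        index index.php;
    }
}
```

On the WordPress side, setting `define('FORCE_SSL_ADMIN', true);` in wp-config.php makes wp-login.php and the admin area refuse plain HTTP even if someone later adds a non-redirecting port-80 block by mistake. A quick check after the change is `curl -sI http://dev.sudoroom.org/` returning a 301 with an https:// Location header rather than a 200.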