On Oct 6, 1:05 am, "Timothy Clemans" <[EMAIL PROTECTED]> wrote:
> Ok then here is how to collect all the email addresses for users of 
> sagenb.com:
>
> g = load('/home/server2/nb1/sage_notebook/nb.sobj')
> j = g.users()
> for i in j.keys():
>     print g.users()[i]._User__email
>

The above doesn't even come close to an exploit, much less a major
one, in my book. And subscribing to any google group nets you plenty
of email addresses to spam, so this seems to be an unlikely target.

Setting up a public Sage notebook is fundamentally about trust and
having a secure change rootable Sage installation lets you just wipe
it clean and restart from a clean state in case there are problems. I
would never run a public notebook because I do not trust users, much
less the general public.

> On 10/5/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > On Fri, 5 Oct 2007, Timothy Clemans wrote:
>
> > > Until there is a solid exploit for the Sage notebook I don't think
> > > this is a big deal.
>
> > This is the worst software practice to EVER come out of Redmond.

That isn't Redmond only by the way. Just have a look at Oracle
quarterly patches and you should either die laughing or run for the
hills to hide. I know a guy who gets paid to restart an Oracle server
on a very old version of Solaris every 42 days because of some
overflow issues in the software.

> > You should know better than that.  With that attitude, you don't get
> > started on a fix until an exploit has been *discovered* in the wild -- that
> > discovery happens 6 months to a year after release.  Then, it'll be another
> > month before a fix is published, and another year to two before the install
> > base (security n00bs like me) get around to upgrading to the secure edition.
>
> > By that time, you've cross-infected your entire internal network, and 
> > you've assisted spammers and botnets in the infection of hundreds or 
> > thousands of other boxen.  Read the articles I posted.  NONE of the linux 
> > admins knew that they'd been pwned, months after the fact.  That's *scary*.

Yep, the whole "I am not a target" and "Who would think of that"
attitude toward security will get you in trouble. In order to care and
learn about security many people just need to get their virtual pants
pulled down a couple times before they get it.

Cheers,

Michael


--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/
-~----------~----~----~----~------~----~------~--~---