On Dec 20, 2007 6:24 PM, Robert Miller <[EMAIL PROTECTED]> wrote:
>
> As pointed out by Michael Abshoff, it seems like an information leak
> to list all the usernames on a notebook when you fail to use a valid
> one to log in. Thoughts?

This exact question comes up about every other week. Are you talking
about a public notebook like sagenb.org or sagenb.com? If so, then
note that *anybody* can make a new account, and once they log in
with that account, it is trivial for them -- in several different ways -- to get
a list of all user names. If you're talking about a server that you personally
run but with no user accounts, then there is just one name, i.e., "admin".
In both cases, security by obscuring the existing usernames is no security
at all.

So maybe you are talking about semi-private servers that have a fixed list
of accounts and users, like a normal UNIX system say, where potential
users cannot sign up for a new account -- only an admin can create accounts.
In this case getting a list of users would be a security issue. But
you probably don't mean this since it isn't implemented in sage (yet!).

 -- William

--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/
-~----------~----~----~----~------~----~------~--~---
