On Dec 20, 2007 10:57 PM, William Stein <[EMAIL PROTECTED]> wrote: > On Dec 20, 2007 6:24 PM, Robert Miller <[EMAIL PROTECTED]> wrote: > > > > As pointed out by Michael Abshoff, it seems like an information leak > > to list all the usernames on a notebook when you fail to use a valid > > one to log in. Thoughts? > > This exact question comes up about every other week. Are you talking > about a public notebook like sagenb.org or sagenb.com? If so, then > note that *anybody* can make a new account, and once they login > with that account, it is trivial for them -- in several different ways -- to > get > a list of all user names. If you're talking about a server that you > personally > run but with no user accounts, then there is just one name, i.e., "admin". > In both cases, security by obscuring the existing usernames is no security > at all. > > So maybe you are talking about semi-private servers that have a fixed list > of accounts and users, like a normal UNIX system say, where potential > users cannot sign up for a new account -- only an admin can create accounts. > In this case getting a list of users would be a security issue. But > you probably > don't mean this since it isn't implemented in sage (yet!).
I should have finished by adding that there is no point at all in not listing usernames in the scenarios in the first paragraph above -- that would just be security by obscurity. There is a point in not listing user names in paragraph two above. When Sage actually supports what is described in paragraph two, then when the notebook is in that mode it shouldn't list usernames. William --~--~---------~--~----~------------~-------~--~----~ To post to this group, send email to sage-devel@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/sage-devel URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/ -~----------~----~----~----~------~----~------~--~---
