On Dec 20, 2007 11:33 PM, <[EMAIL PROTECTED]> wrote:
>
> That was my initial reaction, too. In a closed system, it makes sense --
> for the public notebook, it doesn't immediately seem like such a bad thing,
> but it lends to a scary attack.
>
> Robert makes an account on the public notebook.
> Robert sees William's account on the failure page, so creates an account --
> then from the notebook, Robert launches a zero-latency brute-force attack to
> discover William's password.
> Now, Robert logs into William's account. From there, he inserts malicious
> javascript into William's most-recently edited worksheet.
> Next time William opens his favorite worksheet, Robert pwns his machine, logs
> in, and edits the grade chart for William's Math 581 class, scoring himself a
> well-deserved 4.1...
>
Some remarks:

Above, Robert has an account on the public notebook already, so there are many ways he could find my login name -- there is no need to view the failure page. Anyway, my login name is very easy to guess -- it is always either was, wstein, or william_stein.

You're assuming my password is easy to brute-force crack. Since it was actually just generated randomly, this assumption is perhaps not valid.

With wikis, user names are also very easy to see, since edits to the changelog are annotated by user names. Likewise with mailing lists, the trac server, etc.

It would be a really good idea to put an n-second pause in after a failed login attempt and/or to even put a simple math problem in... :-) This would provide better security against the attack described above than hiding user names. So, good idea!

-- William

To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/
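The n-second pause William suggests, written out as an added example (this is not the Sage notebook's own login code): a per-account throttle whose delay doubles after each failed attempt, so the "zero-latency" brute-force loop in the quoted scenario stalls, and whose failure response is identical for unknown and existing usernames, so the failure page cannot be used to enumerate accounts. The user table, the sample password, the `LoginThrottle` class and the injected `now` clock are all constructed for this example.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Slow salted hash; iteration count is a sample value for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample account store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"wstein": (_SALT, _hash("correct horse battery staple", _SALT))}
# Dummy record so unknown users cost the same hashing time as real ones
_DUMMY = (b"\0" * 16, b"\0" * 32)

class LoginThrottle:
    """Per-account failure counter that imposes a growing pause after each
    failed login. The caller passes the current time (`now`, seconds) so the
    behaviour can be checked without sleeping; a web handler would pass
    time.monotonic() and sleep/refuse for the returned delay."""

    def __init__(self, base_delay=1.0, max_delay=60.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = {}  # username -> (consecutive failures, not-before time)

    def _delay_for(self, count):
        # n-second pause that doubles with each consecutive failure, capped
        return min(self.base_delay * 2 ** (count - 1), self.max_delay)

    def attempt(self, username, password, now):
        count, not_before = self.failures.get(username, (0, 0.0))
        if now < not_before:
            # Still inside the pause: refuse without even checking the password
            return "throttled", not_before - now
        record = USERS.get(username)
        salt, stored = record if record is not None else _DUMMY
        candidate = _hash(password, salt)  # always computed, real or not
        ok = record is not None and hmac.compare_digest(candidate, stored)
        if ok:
            self.failures.pop(username, None)  # success clears the counter
            return "ok", 0.0
        count += 1
        delay = self._delay_for(count)
        self.failures[username] = (count, now + delay)
        # Same status and delay whether or not the account exists
        return "failed", delay
```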