On Dec 21, 2007 9:33 AM, William Stein <[EMAIL PROTECTED]> wrote:
>
> On Dec 20, 2007 11:33 PM,  <[EMAIL PROTECTED]> wrote:
> >
> > That was my initial reaction, too.  In a closed system, it makes sense --
> > for the public notebook, it doesn't immediately seem like such a bad thing, 
> > but it lends to a scary attack.
> >
> > Robert makes an account on the public notebook.
> > Robert sees William's account on the failure page, so creates an account -- 
> > then from the notebook, Robert launches a zero-latency brute-force attack 
> > to discover William's password.
> > Now, Robert logs into William's account.  From there, he inserts malicious 
> > javascript into William's most-recently edited worksheet.
> > Next time William opens his favorite worksheet, Robert pwns his machine, 
> > logs in, and edits the grade chart for William's Math 581 class, scoring 
> > himself a well-deserved 4.1...
> >
> >
>
> Some remarks:
> Above Robert has an account on the public notebook already, so there are
> many ways he can find my login name -- there is no need to view the failure page.
> Anyway, my login name is very easy to guess -- it is always either was, wstein, or
> william_stein.  You're assuming my password is easy to brute-force crack.  Since it
> was actually just generated randomly, this assumption is perhaps not valid.
>
> With wikis, user names are also very easy to see, since edits to the changelog are
> annotated by user names.  Likewise with mailing lists, the trac server, etc.
>
> It would be a really good idea to put an n-second pause in after a failed login
> attempt and/or to even put a simple math problem in...  :-)  This would provide

Yes, like factoring some huge integer, that can only be done through Sage.

Ondrej

--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/
-~----------~----~----~----~------~----~------~--~---
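The pause after a failed login that William suggests, as an added example that is not code from the Sage notebook or from anyone in this thread; the credential store, the user name, the injectable clock and the doubling delay schedule are constructed for illustration. It shows why a per-account backoff removes the "zero-latency" part of the attack: a client sending one guess per second gets only a handful actually checked.

```python
import hmac
import time

# Constructed sample credential store, not real accounts.
USERS = {"wstein": "correct horse battery staple"}

def check_password(user, password):
    stored = USERS.get(user)
    # Constant-time comparison so the check itself leaks nothing about the guess.
    return stored is not None and hmac.compare_digest(stored, password)

class LoginThrottle:
    """Per-account backoff: each consecutive failure doubles the lockout window."""
    def __init__(self, check, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self._check = check
        self._base = base_delay
        self._max = max_delay
        self._clock = clock      # injectable so tests need no real sleeping
        self._state = {}         # user -> (consecutive failures, unlock time)

    def attempt(self, user, password):
        now = self._clock()
        failures, unlock_at = self._state.get(user, (0, 0.0))
        if now < unlock_at:
            return "locked"      # refused before the password is even examined
        if self._check(user, password):
            self._state.pop(user, None)
            return "ok"
        failures += 1
        delay = min(self._base * 2 ** (failures - 1), self._max)
        self._state[user] = (failures, now + delay)
        return "denied"

def guesses_evaluated(n_guesses, step=1.0, user="wstein"):
    """How many of n_guesses wrong passwords, sent one every `step` seconds,
    actually reach the password check.  Unthrottled, all of them would."""
    now = [0.0]
    throttle = LoginThrottle(check_password, clock=lambda: now[0])
    evaluated = 0
    for i in range(n_guesses):
        if throttle.attempt(user, f"wrong-guess-{i}") != "locked":
            evaluated += 1
        now[0] += step
    return evaluated

if __name__ == "__main__":
    print(guesses_evaluated(1000), "of 1000 one-per-second guesses were checked")
```

Note that while an account is locked even the correct password is refused, so the response gives the guesser no signal about which attempt was right.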