On Dec 21, 2007 9:33 AM, William Stein <[EMAIL PROTECTED]> wrote:
>
> On Dec 20, 2007 11:33 PM, <[EMAIL PROTECTED]> wrote:
> >
> > That was my initial reaction, too. In a closed system, it makes sense --
> > for the public notebook, it doesn't immediately seem like such a bad thing,
> > but it lends to a scary attack.
> >
> > Robert makes an account on the public notebook.
> > Robert sees William's account on the failure page, so creates an account --
> > then from the notebook, Robert launches a zero-latency brute-force attack
> > to discover William's password.
> > Now, Robert logs into William's account. From there, he inserts malicious
> > JavaScript into William's most-recently edited worksheet.
> > Next time William opens his favorite worksheet, Robert pwns his machine,
> > logs in, and edits the grade chart for William's Math 581 class, scoring
> > himself a well-deserved 4.1...
> >
>
> Some remarks:
> Above Robert has an account on the public notebook already, so there are
> many ways he can find my login name -- there is no need to view the failure page.
> Anyway, my login name is very easy to guess -- it is always either
> was, wstein, or william_stein. You're assuming my password is easy to
> brute-force crack. Since it was actually just generated randomly, this
> assumption is perhaps not valid.
>
> With wikis, user names are also very easy to see, since edits to the
> changelog are annotated by user names. Likewise with mailing lists, the
> trac server, etc.
>
> It would be a really good idea to put an n-second pause in after a failed
> login attempt and/or to even put a simple math problem in... :-) This would
> provide
Yes, like factoring some huge integer, that can only be done through Sage.

Ondrej

--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/
-~----------~----~----~----~------~----~------~--~---
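The n-second pause after a failed login that William suggests, as an added example that is not code from this thread or from the Sage notebook: a per-account exponential backoff that is checked before the password is verified, so a brute-force loop run from another notebook account can no longer try guesses at zero latency. The user store, the PBKDF2 parameters, the `LoginThrottle` class, the `brute_force` simulation and the `FakeClock` are all assumptions made for the illustration; the sample user and password are constructed.

```python
"""Added example: throttle failed logins so brute force cannot run at zero latency.

Not code from the Sage notebook. The user store, delays and helper names are
assumptions made for this illustration.
"""
import hashlib
import hmac
import os
import time

# Iteration count kept low so the example runs quickly; use far more in practice.
PBKDF2_ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed sample user store: username -> (salt, digest).
_SALT = os.urandom(16)
USERS = {"wstein": (_SALT, hash_password("correct horse battery staple", _SALT))}


class FakeClock:
    """Injectable clock so the backoff can be exercised without real sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Per-account exponential backoff: after the k-th consecutive failure the
    account is locked for BASE_DELAY * 2**(k-1) seconds, capped at MAX_DELAY."""

    BASE_DELAY = 1.0
    MAX_DELAY = 300.0

    def __init__(self, clock=time.monotonic) -> None:
        self._clock = clock
        self._state = {}  # username -> (consecutive failures, locked_until)

    def retry_after(self, username: str) -> float:
        """Seconds until this account may attempt a login again (0 if unlocked)."""
        _failures, locked_until = self._state.get(username, (0, 0.0))
        return max(0.0, locked_until - self._clock())

    def record_failure(self, username: str) -> float:
        """Register a failed attempt and return the lock duration applied."""
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        delay = min(self.BASE_DELAY * 2 ** (failures - 1), self.MAX_DELAY)
        self._state[username] = (failures, self._clock() + delay)
        return delay

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)


def attempt_login(username: str, password: str, throttle: LoginThrottle):
    """Return (ok, seconds_until_next_attempt_allowed).

    The lock is checked before the password, so a locked account does not get
    its password verified at all; unknown usernames are hashed and throttled
    exactly like real ones so timing does not reveal whether a name exists.
    """
    wait = throttle.retry_after(username)
    if wait > 0:
        return False, wait
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # burn the same CPU as a real check
        return False, throttle.record_failure(username)
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        throttle.record_success(username)
        return True, 0.0
    return False, throttle.record_failure(username)


def brute_force(username: str, candidates, throttle: LoginThrottle, clock: FakeClock):
    """Simulate an attacker who tries each candidate in turn, waiting out every lock.
    Returns (password_found_or_None, total_simulated_seconds_spent_waiting)."""
    waited = 0.0
    for guess in candidates:
        ok, wait = attempt_login(username, guess, throttle)
        if ok:
            return guess, waited
        waited += wait
        clock.advance(wait)
    return None, waited


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    guesses = [f"guess{i}" for i in range(10)] + ["correct horse battery staple"]
    found, waited = brute_force("wstein", guesses, throttle, clock)
    print(f"found={found!r} after {waited:.0f} simulated seconds of waiting for 10 failures")
```

With ten wrong guesses before the right one, the attacker is forced to wait 1 + 2 + ... + 256 + 300 = 811 simulated seconds, where a zero-latency loop would have needed only the hashing time. Throttling by username rather than by source address is deliberate here, since the attack in the thread comes from inside the same notebook server; in practice both keys are worth tracking, and the delay should not be so aggressive that an attacker can lock a victim out of their own account indefinitely.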