Ondrej Certik wrote:
> On Dec 21, 2007 9:33 AM, William Stein <[EMAIL PROTECTED]> wrote:
>> On Dec 20, 2007 11:33 PM, <[EMAIL PROTECTED]> wrote:
>>> That was my initial reaction, too. In a closed system, it makes sense --
>>> for the public notebook, it doesn't immediately seem like such a bad thing,
>>> but it lends itself to a scary attack.
>>>
>>> Robert makes an account on the public notebook.
>>> Robert sees William's account on the failure page, so creates an account --
>>> then from the notebook, Robert launches a zero-latency brute-force attack
>>> to discover William's password.
>>> Now, Robert logs into William's account. From there, he inserts malicious
>>> javascript into William's most-recently edited worksheet.
>>> Next time William opens his favorite worksheet, Robert pwns his machine,
>>> logs in, and edits the grade chart for William's Math 581 class, scoring
>>> himself a well-deserved 4.1...
>>>
>>>
>> Some remarks:
>> Above Robert has an account on the public notebook already, so there are
>> many ways he can find my login name -- there is no need to view the failure page.
>> Anyway, my login name is very easy to guess -- it is always either
>> was, wstein, or william_stein. You're assuming my password is easy to
>> brute-force crack. Since it was actually just generated randomly, this
>> assumption is perhaps not valid.
>>
>> With wikis, user names are also very easy to see, since edits in the
>> changelog are annotated by user names. Likewise with mailing lists, the
>> trac server, etc.
>>
>> It would be a really good idea to put an n-second pause in after a failed
>> login attempt and/or to even put a simple math problem in... :-) This would
>> provide
>
> Yes, like factoring some huge integer, that can only be done through Sage.
Of course, they'll have to type the integer and the factors in by hand...

Jason

--
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/
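The n-second pause after a failed login that William suggests above, as an added example (not part of the thread and not Sage notebook code). The delay is enforced server-side and doubles with each consecutive failure on the same account, so a "zero-latency" brute-force loop is slowed regardless of how fast the attacker can submit guesses. The names (LoginThrottle, check_login, simulate_bruteforce), the PBKDF2 password storage and the one-user table are assumptions made for this example:

```python
"""Added example: throttle failed logins per account with a growing delay.

Not Sage notebook code.  LoginThrottle, check_login, simulate_bruteforce and
the USERS table are assumptions made for this illustration.
"""
import hashlib
import hmac
import os
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a slow hash so each guess costs the server something too.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user table: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"wstein": (_SALT, _hash_password("correct horse battery staple", _SALT))}


class LoginThrottle:
    """Per-account delay after failed logins.

    base_delay is the "n" in William's n-second pause: the wait after the
    first failure.  After k consecutive failures the wait is
    base_delay * 2**(k-1), capped at max_delay.  A successful login clears
    the counter.  The clock is injectable so the logic can be exercised
    without actually sleeping.
    """

    def __init__(self, base_delay=2.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._failures = {}  # username -> (consecutive failures, time of last failure)

    def required_wait(self, username: str) -> float:
        """Seconds the caller must still wait before the next attempt is accepted."""
        if username not in self._failures:
            return 0.0
        count, last = self._failures[username]
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        return max(0.0, last + delay - self.clock())

    def record_failure(self, username: str) -> None:
        count, _ = self._failures.get(username, (0, 0.0))
        self._failures[username] = (count + 1, self.clock())

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


def check_login(throttle: LoginThrottle, username: str, password: str) -> str:
    """Return "ok", "bad_credentials" or "throttled".

    The throttle is consulted before the password is checked, and an unknown
    user gets the same answer (and roughly the same timing) as a wrong
    password, so the login path does not reveal which account names exist.
    """
    if throttle.required_wait(username) > 0:
        return "throttled"
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # burn the same time as a real check
        throttle.record_failure(username)
        return "bad_credentials"
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad_credentials"


def simulate_bruteforce(guesses, username="wstein", base_delay=2.0):
    """Feed a guess list to check_login with a clock that never advances and
    return how many guesses the server actually evaluated."""
    throttle = LoginThrottle(base_delay=base_delay, clock=lambda: 0.0)
    evaluated = 0
    for guess in guesses:
        result = check_login(throttle, username, guess)
        if result != "throttled":
            evaluated += 1
        if result == "ok":
            break
    return evaluated


if __name__ == "__main__":
    print("guesses evaluated:", simulate_bruteforce(["hunter2", "sage", "was"]))
```

The delay is keyed on the target account, not the attacker's session, which is the point: Robert opening many connections does not buy him more guesses against wstein. Keying only on source address would not help here, since he is already inside the notebook.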