On Dec 20, 2007, at 21:58 , William Stein wrote:
> On Dec 20, 2007 10:57 PM, William Stein <[EMAIL PROTECTED]> wrote:
>> On Dec 20, 2007 6:24 PM, Robert Miller <[EMAIL PROTECTED]> wrote:
>>>
>>> As pointed out by Michael Abshoff, it seems like an information leak
>>> to list all the usernames on a notebook when you fail to use a valid
>>> one to log in. Thoughts?
>>
>> This exact question comes up about every other week. Are you talking
>> about a public notebook like sagenb.org or sagenb.com? If so, then
>> note that *anybody* can make a new account, and once they login
>> with that account, it is trivial for them -- in several different
>> ways -- to get a list of all user names. If you're talking about a server
>> that you personally run but with no user accounts, then there is just
>> one name, i.e., "admin". In both cases, security by obscuring the existing
>> usernames is no security at all.
>>
>> So maybe you are talking about semi-private servers that have a fixed list
>> of accounts and users, like a normal UNIX system say, where potential
>> users cannot sign up for a new account -- only an admin can create accounts.
>> In this case getting a list of users would be a security issue. But you
>> probably don't mean this since it isn't implemented in sage (yet!).
>
> I should have finished by adding that there is no point at all in
> not listing usernames in the scenarios in the first paragraph above
> -- that would just be security by obscurity.

I think that obscurity is a fine component of a good security program. What obscurity gets you is minimization of malicious mischief ("attractive nuisances" maybe :-}). It's certainly a bad idea to make obscurity a core feature, but anything one can do to cut down on the pests is a plus.

Justin

--
Justin C. Walker, Curmudgeon-At-Large
Institute for the Absorption of Federal Funds
--------
If you're not confused,
You're not paying attention
--------
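The leak Robert Miller describes (a failed login that lists every account) beside the uniform-response handler a semi-private server, the case William Stein says would actually matter, would use instead. This is an added illustration, not code from the Sage notebook; the user store, names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store: username -> (salt, PBKDF2 hash). Names and
# passwords are made up for this example; iteration count kept low to run fast.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(salt, password)

USERS = {
    "admin": _make_user("correct horse"),
    "alice": _make_user("battery staple"),
}
# Dummy credential so an unknown username still costs one hash computation,
# keeping the timing of the two code paths alike.
_DUMMY = _make_user("not-a-real-password")

def login_leaky(username: str, password: str):
    """Behaviour the thread objects to: a bad username reveals the user list."""
    if username not in USERS:
        return False, "Unknown user. Valid users: " + ", ".join(sorted(USERS))
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash(salt, password)):
        return False, "Wrong password"
    return True, "ok"

def login_uniform(username: str, password: str):
    """Hardened form: one message and one hash, whether or not the user exists."""
    salt, stored = USERS.get(username, _DUMMY)
    # Constant-time digest comparison; the membership check stops a guess of
    # the dummy password from logging in as a non-existent user.
    ok = hmac.compare_digest(stored, _hash(salt, password)) and username in USERS
    return ok, ("ok" if ok else "Invalid username or password")
```

The remaining enumeration channels on a public notebook (self-registration, anything visible after login) are outside what a login message can fix, which is Stein's point.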