On Jun 27, 6:32 pm, "J. McConnell" <jdo...@gmail.com> wrote: > On Jun 27, 2009, at 12:28 PM, Four of Seventeen <fsevent...@gmail.com> > wrote: > > Regardless, it's a security problem that someone other than Rich was > > able to bring clojure.org down for tens of minutes last night at the > > push of a button. > > No, it's not, whatsoever.
Yes, it is. It's Rich's site. If someone else is able to substitute arbitrary replacement content for the pages he wrote, that's a huge security vulnerability, no matter who can do it and why. It goes beyond being able to take down someone else's site without cause; whoever it is can put words in Rich's mouth too. What if he'd changed the pages not to an obviously bogus message but to a subtly-altered version of the Clojure pages, perhaps full of errors or snide asides aimed at Common Lisp or at Java or something? Clearly, whoever did this had the capability. We're not talking a simple case of the ISP goes down, the page simply becomes unreachable for a while, which would be unpleasant but not very avoidable or worse than a denial of service if done intentionally. Here we're talking keeping the server up but changing what it serves for various URLs. That's a whole different kettle of fish entirely. For starters, the server was still capable of serving HTML over the net, and so there was no reason for it not to continue serving the CORRECT HTML. Unlike if it was actually, genuinely down. Furthermore, there's this quiet-substitution thing. Whoever did this could replace the Clojure site with a mockery of itself, as described. Or add a 1x1 iframe that tries to hack browsers and install malware. With Rich's reputation, and Clojure's, on the line instead of the reputation of the actual responsible party. If the HTML content displayed at clojure.org is NOT in fact 100% controlled by Rich, and for some reason he can't fix that, then he should change the site's name to make this clear. That will help protect his own reputation in the event of something like the above happening. As things stand, since it just says it's clojure.org, Rich is implicitly assuming full responsibility for everything that appears under that domain name. While apparently, at least for the time being, NOT having full control over what appears there. And that's a dangerous position to be in. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en -~----------~----~----~----~------~----~------~--~---
