If Rich wants to keep his stuff there because it meets his needs and
he is fully aware of what they do and how they do it then all of this
is irrelevant.

In any case "security risk" is really an overblown term for even the
worst case scenario of what could happen to documentation pages. If
you are "scared" of what might happen, you are free to use a language
with more "secure" documentation pages. Sheesh.

Hank

On Sat, Jun 27, 2009 at 7:55 PM, Four of Seventeen<fsevent...@gmail.com> wrote:
>
> On Jun 27, 6:32 pm, "J. McConnell" <jdo...@gmail.com> wrote:
>> On Jun 27, 2009, at 12:28 PM, Four of Seventeen <fsevent...@gmail.com>
>> wrote:
>> > Regardless, it's a security problem that someone other than Rich was
>> > able to bring clojure.org down for tens of minutes last night at the
>> > push of a button.
>>
>> No, it's not, whatsoever.
>
> Yes, it is. It's Rich's site. If someone else is able to substitute
> arbitrary replacement content for the pages he wrote, that's a huge
> security vulnerability, no matter who can do it and why. It goes
> beyond being able to take down someone else's site without cause;
> whoever it is can put words in Rich's mouth too. What if he'd changed
> the pages not to an obviously bogus message but to a subtly-altered
> version of the Clojure pages, perhaps full of errors or snide asides
> aimed at Common Lisp or at Java or something? Clearly, whoever did
> this had the capability.
>
> We're not talking a simple case of the ISP goes down, the page simply
> becomes unreachable for a while, which would be unpleasant but not
> very avoidable or worse than a denial of service if done
> intentionally. Here we're talking keeping the server up but changing
> what it serves for various URLs. That's a whole different kettle of
> fish entirely.
>
> For starters, the server was still capable of serving HTML over the
> net, and so there was no reason for it not to continue serving the
> CORRECT HTML. Unlike if it was actually, genuinely down.
>
> Furthermore, there's this quiet-substitution thing. Whoever did this
> could replace the Clojure site with a mockery of itself, as described.
> Or add a 1x1 iframe that tries to hack browsers and install malware.
> With Rich's reputation, and Clojure's, on the line instead of the
> reputation of the actual responsible party.
>
> If the HTML content displayed at clojure.org is NOT in fact 100%
> controlled by Rich, and for some reason he can't fix that, then he
> should change the site's name to make this clear. That will help
> protect his own reputation in the event of something like the above
> happening. As things stand, since it just says it's clojure.org, Rich
> is implicitly assuming full responsibility for everything that appears
> under that domain name. While apparently, at least for the time being,
> NOT having full control over what appears there. And that's a
> dangerous position to be in.
-- 
blog: whydoeseverythingsuck.com
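The substitution scenario argued over above (server stays up, but serves a subtly altered copy or a hidden 1x1 iframe) is something a site owner can check for mechanically. The following is an added example, not code from the thread or from the Clojure project: it compares the HTML a server actually returns against the owner's published baseline, flagging any byte-level change, any external script the baseline never loaded, and any iframe sized to be invisible. Both HTML documents and the evil.example hostname are constructed samples.

```python
"""Detect quiet content substitution on a site you control.

Added example, not code from the original thread. Compares served HTML with
the owner's baseline and reports (1) any content change, (2) new external
script sources, (3) hidden or 1x1 iframes. Sample documents are constructed.
"""
import hashlib
from html.parser import HTMLParser

# Constructed baseline: the HTML the owner actually published.
BASELINE_HTML = """<html><head><title>Clojure</title>
<script src="/js/site.js"></script></head>
<body><h1>Clojure</h1>
<p>Clojure is a dynamic programming language that targets the JVM.</p>
</body></html>"""

# Constructed tampered copy: one snide edit, one foreign script, one 1x1 iframe.
TAMPERED_HTML = """<html><head><title>Clojure</title>
<script src="/js/site.js"></script>
<script src="http://evil.example/loader.js"></script></head>
<body><h1>Clojure</h1>
<p>Clojure is a dynamic programming language that targets the JVM, unlike Java.</p>
<iframe src="http://evil.example/x" width="1" height="1" style="border:0"></iframe>
</body></html>"""


def content_hash(html: str) -> str:
    """SHA-256 of the served document; any byte change (even a wording tweak) flips it."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


class _Collector(HTMLParser):
    """Gather external script sources and iframes that are sized or styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.script_srcs = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when written without a value
        if tag == "script" and a.get("src"):
            self.script_srcs.add(a["src"])
        if tag == "iframe":
            w = (a.get("width") or "").strip()
            h = (a.get("height") or "").strip()
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = w in {"0", "1"} or h in {"0", "1"}
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.hidden_iframes.append(a.get("src") or "")


def _collect(html: str) -> _Collector:
    c = _Collector()
    c.feed(html)
    return c


def check_page(baseline_html: str, served_html: str) -> list:
    """Return findings in a fixed order; an empty list means served == baseline."""
    findings = []
    if content_hash(baseline_html) != content_hash(served_html):
        findings.append("content hash mismatch: served HTML differs from baseline")
    base, served = _collect(baseline_html), _collect(served_html)
    for src in sorted(served.script_srcs - base.script_srcs):
        findings.append(f"new external script not in baseline: {src}")
    for src in served.hidden_iframes:
        findings.append(f"hidden/1x1 iframe pointing at {src}")
    return findings


if __name__ == "__main__":
    for finding in check_page(BASELINE_HTML, TAMPERED_HTML):
        print(finding)
    print("unchanged page:", check_page(BASELINE_HTML, BASELINE_HTML))
```

The hash comparison catches the "subtly-altered version" case that a human skimming the site would miss; the script and iframe checks name what was injected so the alert is actionable. The baseline has to be refreshed whenever the owner intentionally publishes, otherwise every legitimate update looks like tampering.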