Subject: Re: Some suggestions
Newsgroups: lugnet.admin.suggestions
Date: Wed, 30 Mar 2005 18:44:50 GMT
Viewed: 5281 times

Dan Boger wrote:
> On Wed, Mar 30, 2005 at 05:22:53PM +0000, Frank Filz wrote:
>> Ability to edit a post that is being authenticated. I often realize I
>> should have added something to a post just after I hit send. Since we
>> have to go through this extra step, why not add some functionality.
>
> From a strictly paranoid point of view, that would be a bad idea.
> Right now, if I just randomly try auth strings until I hit one that's
> pending, all I get is the ability to approve/deny what the original
> author wrote (since the chance of me hitting a message I faked is
> much smaller than hitting any random message).  But if we allow
> editing the post, I can now change those author's words to be
> whatever I want.  So unless we make edited posts shoot out another
> auth email (or require you to be logged in), this feature would
> introduce a potential security risk.  Of course, the risk might be
> deemed acceptable - I just thought I'd point it out for consideration.

What's the probability of hitting an auth string? It would be reasonable to
only allow editing if logged on, or to re-authenticate the post.

Hmm, you'd definitely have to be logged on to see all the pending authentications,
otherwise all you have to do is submit enough fake posts to have a good
chance of hitting one of them. Hmm, perhaps there should be a limit to the
number of unauthenticated posts at one time (like 100) to prevent trying to
crack the system by posting 1000s of fake posts and then hunting for them.
But it all comes down to what the probabilities are. If they're low enough,
it should be possible to catch the hunter (since the system will see a LOT
of invalid authentication strings).

Frank
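The three mitigations raised in this exchange (require a login to edit, re-issue the auth string after an edit, cap the number of pending posts and watch for floods of invalid auth strings) can be sketched as a small model. The following is an added example, not LUGNET's code and not from either poster; the 128-bit auth strings, the alert threshold of 20 invalid attempts per source, and the class and method names are all assumptions chosen for illustration. The cap of 100 pending posts is the figure Frank mentions.

```python
"""Toy model of an e-mail-confirmed posting queue (constructed example).

Assumptions (not from the original thread): 128-bit random auth strings,
a cap on simultaneously pending posts, and a per-source counter of
invalid confirmation attempts that raises an alert once it hits a threshold.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOKEN_BITS = 128        # entropy of each auth string (assumption)
MAX_PENDING = 100       # cap on unauthenticated posts, the figure from the thread
ALERT_THRESHOLD = 20    # invalid attempts per source before alerting (assumption)


def hit_probability(pending: int, token_bits: int = TOKEN_BITS) -> float:
    """Chance that one random guess matches *any* of `pending` outstanding auth strings."""
    return pending / (2 ** token_bits)


def expected_guesses(pending: int, token_bits: int = TOKEN_BITS) -> float:
    """Expected number of random guesses before the first hit (geometric distribution)."""
    return 1.0 / hit_probability(pending, token_bits)


@dataclass
class PendingPost:
    author: str   # account the post was submitted under
    body: str


@dataclass
class AuthQueue:
    pending: Dict[str, PendingPost] = field(default_factory=dict)   # token -> post
    invalid_attempts: Dict[str, int] = field(default_factory=dict)  # source -> count
    alerts: List[str] = field(default_factory=list)                 # sources flagged

    def submit(self, author: str, body: str) -> Optional[str]:
        """Queue a post and return its auth string, or None if the cap is reached."""
        if len(self.pending) >= MAX_PENDING:
            return None
        token = secrets.token_urlsafe(TOKEN_BITS // 8)
        self.pending[token] = PendingPost(author, body)
        return token

    def _find(self, token: str) -> Optional[str]:
        """Constant-time comparison against every stored token."""
        for stored in self.pending:
            if hmac.compare_digest(stored, token):
                return stored
        return None

    def _record_invalid(self, source: str) -> None:
        """Count a bad auth string; a flood from one source is the 'hunter' signature."""
        self.invalid_attempts[source] = self.invalid_attempts.get(source, 0) + 1
        if (self.invalid_attempts[source] >= ALERT_THRESHOLD
                and source not in self.alerts):
            self.alerts.append(source)

    def confirm(self, token: str, source: str) -> Optional[PendingPost]:
        """Approve the post behind `token`; unknown tokens are counted against `source`."""
        stored = self._find(token)
        if stored is None:
            self._record_invalid(source)
            return None
        return self.pending.pop(stored)

    def edit(self, token: str, logged_in_as: str, new_body: str,
             source: str) -> Optional[str]:
        """Edit a pending post: requires a login matching the author AND a fresh auth string.

        The old token is revoked so a guessed token can never be used to
        rewrite someone else's words; the edit must be re-authenticated.
        """
        stored = self._find(token)
        if stored is None:
            self._record_invalid(source)
            return None
        post = self.pending[stored]
        if post.author != logged_in_as:
            return None
        del self.pending[stored]
        return self.submit(post.author, new_body)


if __name__ == "__main__":
    q = AuthQueue()
    t = q.submit("frank", "first draft")
    print("one guess against 100 pending posts hits with p =", hit_probability(100))
    print("expected guesses to first hit:", expected_guesses(100))
    t2 = q.edit(t, "frank", "revised draft", source="frank")
    print("old token still valid?", q.confirm(t, "frank") is not None)
    print("edited post approved:", q.confirm(t2, "frank"))
```

With 128-bit strings the expected number of guesses is about 3.4e36 even with 100 posts pending, so the cap matters less for brute force than for keeping the invalid-attempt counter meaningful: every miss is logged against its source, and the `alerts` list is where a moderator would look for the hunter.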



©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR