http://sagenb.org


William Stein

Jun 27, 2012, 12:24:02 PM
to sage-devel, sage-notebook
Hello sage-devel/sage-notebook.

I'm aware that http://sagenb.org is down, so there is no need for
anybody to email me about this.

It may be down for some time, due to abusive users. It (or
something similar) will definitely be available by the end of the
summer.

William

--
William Stein
Professor of Mathematics
University of Washington
http://wstein.org

Robert Bradshaw

Jun 27, 2012, 1:46:32 PM
to sage-n...@googlegroups.com
Just as a thought, is it possible to continue to allow use by existing
users (minus the abusers of course) in the meantime, even if we reject
new accounts (subject to a manual whitelisting procedure). Cutting off
existing users due to a small set of malicious people is really
unfortunate.

William Stein

Jun 27, 2012, 1:50:04 PM
to sage-n...@googlegroups.com
On Wed, Jun 27, 2012 at 11:46 AM, Robert Bradshaw <robe...@gmail.com> wrote:
> Just as a thought, is it possible to continue to allow use by existing
> users (minus the abusers of course) in the meantime, even if we reject
> new accounts (subject to a manual whitelisting procedure). Cutting off
> existing users due to a small set of malicious people is really
> unfortunate.

I'm worried about what to do about the other 5000 published
worksheets, any of which could contain spam. Any thoughts about
that?

Robert Bradshaw

Jun 27, 2012, 2:00:34 PM
to sage-n...@googlegroups.com
On Wed, Jun 27, 2012 at 10:50 AM, William Stein <wst...@gmail.com> wrote:
> On Wed, Jun 27, 2012 at 11:46 AM, Robert Bradshaw <robe...@gmail.com> wrote:
>> Just as a thought, is it possible to continue to allow use by existing
>> users (minus the abusers of course) in the meantime, even if we reject
>> new accounts (subject to a manual whitelisting procedure). Cutting off
>> existing users due to a small set of malicious people is really
>> unfortunate.
>
> I'm worried about what to do about the other 5000 published
> worksheets, any of which could contain spam.   Any thoughts about
> that?

Is it spam content that's the problem? I think this could be solved by
whitelisting all published worksheets that have no links, or only
links to "good" sites (where good sites would be determined by
manually looking at the top 100 links, likely wikipedia or university
sites).

In the meantime, how hard is it to point sagenb.org to a plain html
page citing the problem. (You may already be trying to do this...)

William Stein

Jun 27, 2012, 2:03:47 PM
to sage-n...@googlegroups.com
On Wed, Jun 27, 2012 at 12:00 PM, Robert Bradshaw <robe...@gmail.com> wrote:
> On Wed, Jun 27, 2012 at 10:50 AM, William Stein <wst...@gmail.com> wrote:
>> On Wed, Jun 27, 2012 at 11:46 AM, Robert Bradshaw <robe...@gmail.com> wrote:
>>> Just as a thought, is it possible to continue to allow use by existing
>>> users (minus the abusers of course) in the meantime, even if we reject
>>> new accounts (subject to a manual whitelisting procedure). Cutting off
>>> existing users due to a small set of malicious people is really
>>> unfortunate.
>>
>> I'm worried about what to do about the other 5000 published
>> worksheets, any of which could contain spam.   Any thoughts about
>> that?
>
> Is it spam content that's the problem?

No, it's an intentional "malware" attack (in javascript), at least
according to the university...

> I think this could be solved by
> whitelisting all published worksheets that have no links, or only
> links to "good" sites (where good sites would be determined by
> manually looking at the top 100 links, likely wikipedia or university
> sites).

It doesn't have links. I'll send it to you offlist, since I haven't
looked at it for more than a second.

> In the meantime, how hard is it to point sagenb.org to a plain html
> page citing the problem. (You may already be trying to do this...)

I'm personally busy with a workshop right now:

http://www.ams.org/programs/research-communities/mrc-12

Jason Grout

Jun 27, 2012, 2:06:00 PM
to sage-n...@googlegroups.com
On 6/27/12 1:03 PM, William Stein wrote:
> It doesn't have links. I'll send it to you offlist, since I haven't
> looked at it for more than a second.

Please CC me and Keshav.

Thanks,

Jason

kcrisman

Jun 27, 2012, 2:06:38 PM
to sage-n...@googlegroups.com
>> Just as a thought, is it possible to continue to allow use by existing
>> users (minus the abusers of course) in the meantime, even if we reject
>> new accounts (subject to a manual whitelisting procedure). Cutting off
>> existing users due to a small set of malicious people is really
>> unfortunate.
>
> I'm worried about what to do about the other 5000 published
> worksheets, any of which could contain spam. Any thoughts about
> that?

> Is it spam content that's the problem? I think this could be solved by
> whitelisting all published worksheets that have no links, or only
> links to "good" sites (where good sites would be determined by
> manually looking at the top 100 links, likely wikipedia or university
> sites).

So, just to be clear for the community, the issue this time is not an explicit DoS attack or something, but people publishing spammy worksheets (though of course if there's enough it could really slow things down). This is only a point of clarification.

> In the meantime, how hard is it to point sagenb.org to a plain html
> page citing the problem. (You may already be trying to do this...)

Undoubtedly, but +1 if not.

William Stein

Jun 27, 2012, 2:10:20 PM
to sage-n...@googlegroups.com
On Wed, Jun 27, 2012 at 12:06 PM, kcrisman <kcri...@gmail.com> wrote:
>
>
>> >> Just as a thought, is it possible to continue to allow use by existing
>> >> users (minus the abusers of course) in the meantime, even if we reject
>> >> new accounts (subject to a manual whitelisting procedure). Cutting off
>> >> existing users due to a small set of malicious people is really
>> >> unfortunate.
>> >
>> > I'm worried about what to do about the other 5000 published
>> > worksheets, any of which could contain spam.   Any thoughts about
>> > that?
>>
>> Is it spam content that's the problem? I think this could be solved by
>> whitelisting all published worksheets that have no links, or only
>> links to "good" sites (where good sites would be determined by
>> manually looking at the top 100 links, likely wikipedia or university
>> sites).
>>
>
> So, just to be clear for the community, the issue this time is not an
> explicit DoS attack or something, but people publishing spammy worksheets
> (though of course if there's enough it could really slow things down).  This
> is only a point of clarification.

Not exactly. Somebody -- user name "anderson tyew" -- published a
worksheet that contains *malware*, meant to intentionally harm
anybody's computer that visits that published worksheet... This
caused sufficient alarm bells elsewhere that the University of
Washington has disabled internet access to mod.math.washington.edu.

-- William

>
>
>>
>> In the meantime, how hard is it to point sagenb.org to a plain html
>> page citing the problem. (You may already be trying to do this...)
>>
>
> Undoubtedly, but +1 if not.



Jason Grout

Jun 27, 2012, 3:03:10 PM
to sage-n...@googlegroups.com
On 6/27/12 11:24 AM, William Stein wrote:
> It may be down for some time, due to abusive users. It (or
> something similar) will definitely be available by the end of the
> summer.

I've completely disabled public worksheets (users can still log in, but
the listing of public worksheets won't work and any url to a specific
published worksheet won't work). I did this by just returning an error
for any /pub/* URL.

I've turned sagenb.org back on, but the UW blocking still seems to be in
effect. Can we get them to unblock things now?

Thanks,

Jason

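The kill switch Jason describes (answer every /pub/* request with an error before the notebook serves anything), written out as an added example. This is hypothetical WSGI middleware, not sagenb's own code and not the contents of the linked gist; the /pub prefix is the only thing taken from the thread, and the notebook stub and the `request` helper are constructed for the example.

```python
# Added example: a fail-closed kill switch for published worksheets as WSGI
# middleware.  Hypothetical code, not the sagenb project's own; only the /pub
# prefix comes from the thread.
PUBLIC_PREFIX = "/pub"
DISABLED_MESSAGE = b"Public worksheets are currently disabled.\n"


def is_public_path(path):
    """True for the listing (/pub) and every published worksheet beneath it.

    Matching on the whole path segment rather than a raw string prefix keeps
    unrelated routes such as /publish or /pubx reachable.  PATH_INFO is already
    percent-decoded by the WSGI server, so a request for /%70ub/... is caught too.
    """
    return path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/")


class DisablePublishedWorksheets:
    """Answer 503 for /pub/* before the request ever reaches the notebook app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_public_path(environ.get("PATH_INFO", "")):
            start_response("503 Service Unavailable", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(DISABLED_MESSAGE))),
                # Stop proxies and browsers from keeping a copy of the old /pub pages.
                ("Cache-Control", "no-store"),
            ])
            return [DISABLED_MESSAGE]
        return self.app(environ, start_response)


def notebook_stub(environ, start_response):
    """Stand-in for the real notebook application (constructed for this example)."""
    body = ("served " + environ["PATH_INFO"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def request(app, path):
    """Drive a WSGI app for one GET and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": "localhost", "SERVER_PORT": "8080",
               "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


app = DisablePublishedWorksheets(notebook_stub)

if __name__ == "__main__":
    for path in ("/pub", "/pub/123", "/publish", "/home/admin/0"):
        print(path, "->", request(app, path)[0])
```

To serve it locally, wrap the real application instead of `notebook_stub` and hand `app` to `wsgiref.simple_server.make_server`. The same rule can sit in the reverse proxy in front of the notebook, which is preferable when the application process itself cannot be trusted. Either way this only stops the published worksheets from being served; the stored worksheet that triggered the block still has to be found and removed.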
Carl Eberhart

Jun 27, 2012, 3:27:20 PM
to sage-n...@googlegroups.com
Are there any suggestions for procedures other sage notebook sites could implement to reduce the possibility of a similar attack?
Is there a mechanism for allowing accounts to only approved users?  Failing that, is it easy to turn off the publish worksheet property?
Thanks.  Carl Eberhart

Jason Grout

Jun 27, 2012, 3:33:59 PM
to sage-n...@googlegroups.com
On 6/27/12 2:27 PM, Carl Eberhart wrote:
> Are there any suggestions for procedures other sage notebook sites could
> implement to reduce the possibility of a similar attack?
> Is there a mechanism for allowing accounts to only approved users?

I do this by either disabling account creation and just creating
accounts from the admin user, or making a special challenge question
like "What is the magic word?" and then only giving the magic word to
people I trust.


> Failing that, is it easy to turn off the publish worksheet property?
> Thanks. Carl Eberhart


Here is my patch:

https://gist.github.com/3006260

Jason

William Stein

Jun 27, 2012, 3:53:59 PM
to sage-n...@googlegroups.com
I've requested that they unblock it, but it can take "arbitrarily
long" until they decide to actually do so. We just have to wait.

William

>
> Thanks,
>
> Jason

Moreira

Jun 27, 2012, 11:29:02 PM
to sage-n...@googlegroups.com

Robert Bradshaw

Jun 28, 2012, 12:47:52 AM
to sage-n...@googlegroups.com
On Wed, Jun 27, 2012 at 12:53 PM, William Stein <wst...@gmail.com> wrote:
> On Wed, Jun 27, 2012 at 1:03 PM, Jason Grout
> <jason...@creativetrax.com> wrote:
>> On 6/27/12 11:24 AM, William Stein wrote:
>>>
>>> It may be down for some time, due to abusive users.    It (or
>>> something similar) will definitely be available by the end of the
>>> summer.
>>
>>
>> I've completely disabled public worksheets (users can still log in, but the
>> listing of public worksheets won't work and any url to a specific published
>> worksheet won't work).  I did this by just returning an error for any /pub/*
>> URL.
>>
>> I've turned sagenb.org back on, but the UW blocking still seems to be in
>> effect.  Can we get them to unblock things now?
>
> I've requested that they unblock it, but it can take "arbitrarily
> long" until they decide to actually do so.   We just have to wait.

Disabling public worksheets seems like an easy enough solution (for
this and spam). Eventually, any worksheet publishing should have a
whitelisted set of tags in user-created content, specifically
excluding script (thought needs to be put into how to handle dynamic
content like interact) the same as is done with blog comments.

Can we move sagenb.org to another server? Just turning off public
worksheets period does greatly reduce the gain in attacking the server
(though people could still use it to, e.g. send spam) or just abuse
for DoS (of the server itself or elsewhere).

- Robert

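An allowlist sanitiser of the kind Robert suggests for published worksheet text, as an added example (stdlib-only, hypothetical code that is not part of sagenb). The tag and attribute lists are assumptions chosen for illustration; the point is the shape of the check: keep only known tags and attributes, drop script-bearing elements together with their content, re-escape all text, and vet URL schemes after the normalisation a browser would apply.

```python
# Added example: allowlist HTML sanitiser for untrusted worksheet content.
# Hypothetical, not sagenb code; ALLOWED_* sets are illustrative assumptions.
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre", "blockquote",
                "ul", "ol", "li", "h1", "h2", "h3", "a"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no style, no class, never on*
URL_ATTRS = {"href"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose *content* is dropped as well, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}


def clean_url(value):
    """Return the URL if its scheme is allowed, otherwise None.

    Browsers ignore tabs/newlines and leading control characters inside a URL,
    so "java<TAB>script:" has to be normalised before the scheme is inspected.
    Entity-encoded schemes (&#106;avascript:) are already decoded by HTMLParser.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme == "":
        # Relative link; reject protocol-relative //host, which inherits http(s).
        return None if cleaned.startswith("//") else cleaned
    return cleaned if scheme in SAFE_SCHEMES else None


class WorksheetSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0     # > 0 while inside a DROP_WITH_CONTENT element
        self.open_tags = []     # tags we emitted and still owe a close for

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                        # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:         # HTMLParser lower-cases tag/attr names
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name in URL_ATTRS:
                value = clean_url(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        if tag == "a":
            kept.append(' rel="nofollow noopener"')
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:         # also closes anything left open inside
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape all text

    # Comments, <!DOCTYPE ...> and <?...?> are dropped outright.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Reduce an untrusted HTML fragment to the allowlisted subset."""
    parser = WorksheetSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    print(sanitize('<p onclick="x()">hi <script>alert(1)</script>there</p>'))
```

Run it on the stored worksheet HTML at publish time and again at render time, so that content published before the filter existed is covered too. Dynamic content such as interact output, which the thread flags as the open question, would have to be rendered server-side into this same allowlisted subset rather than shipped to the viewer's browser as script.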
William Stein

Jun 28, 2012, 4:30:35 AM
to sage-n...@googlegroups.com
On Wed, Jun 27, 2012 at 10:47 PM, Robert Bradshaw <robe...@gmail.com> wrote:
> On Wed, Jun 27, 2012 at 12:53 PM, William Stein <wst...@gmail.com> wrote:
>> On Wed, Jun 27, 2012 at 1:03 PM, Jason Grout
>> <jason...@creativetrax.com> wrote:
>>> On 6/27/12 11:24 AM, William Stein wrote:
>>>>
>>>> It may be down for some time, due to abusive users.    It (or
>>>> something similar) will definitely be available by the end of the
>>>> summer.
>>>
>>>
>>> I've completely disabled public worksheets (users can still log in, but the
>>> listing of public worksheets won't work and any url to a specific published
>>> worksheet won't work).  I did this by just returning an error for any /pub/*
>>> URL.
>>>
>>> I've turned sagenb.org back on, but the UW blocking still seems to be in
>>> effect.  Can we get them to unblock things now?
>>
>> I've requested that they unblock it, but it can take "arbitrarily
>> long" until they decide to actually do so.   We just have to wait.
>
> Disabling public worksheets seems like an easy enough solution (for
> this and spam). Eventually, any worksheet publishing should have a
> whitelisted set of tags in user-created content, specifically
> excluding script (thought needs to be put into how to handle dynamic
> content like interact) the same as is done with blog comments.
>
> Can we move sagenb.org to another server?

Yes... but where?

> Just turning off public
> worksheets period does greatly reduce the gain in attacking the server
> (though people could still use it to, e.g. send spam) or just abuse
> for DoS (of the server itself or elsewhere).
>
> - Robert



Robert Bradshaw

Jun 28, 2012, 5:07:06 AM
to sage-n...@googlegroups.com
On Thu, Jun 28, 2012 at 1:30 AM, William Stein <wst...@gmail.com> wrote:
> On Wed, Jun 27, 2012 at 10:47 PM, Robert Bradshaw <robe...@gmail.com> wrote:
>> On Wed, Jun 27, 2012 at 12:53 PM, William Stein <wst...@gmail.com> wrote:
>>> On Wed, Jun 27, 2012 at 1:03 PM, Jason Grout
>>> <jason...@creativetrax.com> wrote:
>>>> On 6/27/12 11:24 AM, William Stein wrote:
>>>>>
>>>>> It may be down for some time, due to abusive users.    It (or
>>>>> something similar) will definitely be available by the end of the
>>>>> summer.
>>>>
>>>>
>>>> I've completely disabled public worksheets (users can still log in, but the
>>>> listing of public worksheets won't work and any url to a specific published
>>>> worksheet won't work).  I did this by just returning an error for any /pub/*
>>>> URL.
>>>>
>>>> I've turned sagenb.org back on, but the UW blocking still seems to be in
>>>> effect.  Can we get them to unblock things now?
>>>
>>> I've requested that they unblock it, but it can take "arbitrarily
>>> long" until they decide to actually do so.   We just have to wait.
>>
>> Disabling public worksheets seems like an easy enough solution (for
>> this and spam). Eventually, any worksheet publishing should have a
>> whitelisted set of tags in user-created content, specifically
>> excluding script (thought needs to be put into how to handle dynamic
>> content like interact) the same as is done with blog comments.
>>
>> Can we move sagenb.org to another server?
>
> Yes... but where?

It was more a question of would the university be mad if we moved
it to, say, geom.

- Robert

kcrisman

Jun 29, 2012, 9:07:23 AM
to sage-n...@googlegroups.com
Update - sagenb.org seems to be back up and working ... just that "Public worksheets are currently disabled."