From owner-freebsd-current Fri Feb 18 14: 3:29 2000
Delivered-To: freebsd-current@freebsd.org
Received: from mailgw00.execpc.com (mailgw00.execpc.com [169.207.1.78])
    by hub.freebsd.org (Postfix) with ESMTP
    id EF44137BA96; Fri, 18 Feb 2000 14:03:21 -0800 (PST)
    (envelope-from hamilton@pobox.com)
Received: from woodstock.monkey.net (minbar-2-58.mdm.mke.execpc.com [169.207.135.186])
    by mailgw00.execpc.com (8.9.1) id QAA22651;
    Fri, 18 Feb 2000 16:02:02 -0600
Received: from pobox.com (localhost [127.0.0.1])
    by woodstock.monkey.net (Postfix) with ESMTP
    id 0BD819B; Fri, 18 Feb 2000 16:01:38 -0600 (CST)
X-Mailer: exmh version 2.1.1 10/16/1999
To: Wes Peters
Cc: Lyndon Nerenberg, Mark Murray, Peter Wemm, current@freebsd.org, committers@freebsd.org
Subject: Re: Crypto progress! (And a Biiiig TODO list)
In-reply-to: Your message of "Fri, 18 Feb 2000 10:01:23 MST." <38AD7AE3.B4BEB308@softweyr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 18 Feb 2000 16:01:38 -0600
From: Jon Hamilton
Message-Id: <20000218220138.0BD819B@woodstock.monkey.net>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <38AD7AE3.B4BEB308@softweyr.com>, Wes Peters wrote:
} Lyndon Nerenberg wrote:
} >
} > >>>>> "Mark" == Mark Murray writes:
} >
} >     Mark> o A username may only be checked $number times per
} >     Mark> $timeperiod; after that, _all_ answers are silently
} >     Mark> converted to "no".
} >
} > Umm, massive DOS hole.
}
} Per username.  If you publish your userlist, you're an idiot.  The
} daemon should also immediately go into "breakin evasion mode" for
} all invalid usernames, answering the requests very slowly.

You don't have to publish a userlist in order for some of that kind of
information to leak out.  Besides, by answering very slowly for invalid
usernames you just gave the bad guys a way to deduce your user list anyway.

-- 
Jon Hamilton
hamilton@pobox.com
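
The two objections raised in this thread, as an added example that is not part of the original message or of any FreeBSD code: a toy password checker that applies the "$number per $timeperiod" rule and, optionally, the slow answer for invalid usernames, with a helper that groups probed names by the delay they receive. The class, function and user names, the constants and the 2-second delay are all constructed for illustration; the delay is returned rather than slept so the behaviour is deterministic.

```python
import hashlib
import hmac
import os

NUMBER, TIMEPERIOD = 3, 60.0   # constructed stand-ins for $number / $timeperiod
ITERATIONS = 1000              # deliberately low PBKDF2 cost so the demo is fast

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Checker:
    """Toy password-checking daemon (hypothetical, for illustration only)."""

    def __init__(self, users, slow_invalid=False):
        self.db = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self.db[name] = (salt, _kdf(password, salt))
        # Dummy record so unknown names cost the same KDF work as known ones.
        self.dummy = (os.urandom(16), os.urandom(32))
        self.slow_invalid = slow_invalid   # the "answer invalid names slowly" idea
        self.attempts = {}                 # username -> timestamps inside the window

    def check(self, user, password, now):
        """Return (answer, extra_delay_seconds) for one request at time `now`."""
        recent = [t for t in self.attempts.get(user, []) if now - t < TIMEPERIOD]
        recent.append(now)
        self.attempts[user] = recent
        known = user in self.db
        salt, stored = self.db.get(user, self.dummy)
        ok = hmac.compare_digest(_kdf(password, salt), stored)
        throttled = len(recent) > NUMBER   # past the limit, every answer is "no"
        delay = 2.0 if (self.slow_invalid and not known) else 0.0
        return (ok and known and not throttled), delay

def delay_classes(checker, names, now):
    """Audit helper: group probed names by the delay the daemon would add.

    More than one group means response time alone separates valid names
    from invalid ones, which is the leak described in the reply above.
    """
    groups = {}
    for name in names:
        _, delay = checker.check(name, "probe", now)
        groups.setdefault(delay, []).append(name)
    return groups
```

With `slow_invalid=True` the helper returns two groups, one per delay; with the uniform path it returns one. The throttle still turns a correct password into "no" once the per-username limit is exceeded, which is the denial-of-service objection quoted in the thread.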