Date: Fri, 18 Feb 2000 23:14:48 -0700
From: Wes Peters <wes@softweyr.com>
To: Jon Hamilton <hamilton@pobox.com>
Cc: Lyndon Nerenberg <lyndon@orthanc.ab.ca>, current@freebsd.org
Subject: Re: Crypto progress! (And a Biiiig TODO list)
Message-ID: <38AE34D8.F7F88DBA@softweyr.com>
References: <20000218220138.0BD819B@woodstock.monkey.net>
Jon Hamilton wrote:
>
> In message <38AD7AE3.B4BEB308@softweyr.com>, Wes Peters wrote:
> } Lyndon Nerenberg wrote:
> } >
> } > >>>>> "Mark" == Mark Murray <mark@grondar.za> writes:
> } >
> } > Mark> o A username may only be checked $number times per
> } > Mark> $timeperiod; after that, _all_ answers are silently
> } > Mark> converted to "no".
> } >
> } > Umm, massive DOS hole.
> }
> } Per username. If you publish your userlist, you're an idiot. The
> } daemon should also immediately go into "breakin evasion mode" for
> } all invalid usernames, answering the requests very slowly.
>
> You don't have to publish a userlist in order for some of that kind
> of information to leak out. Besides, by answering very slowly for
> invalid usernames you just gave the bad guys a way to deduce your
> user list anyway.

And how exactly are they supposed to tell the difference between answering
slowly due to breakin evasion vs. answering slowly because the system is a
386sx/16? You would want to answer all "mistakes" slowly, but valid logins
quickly.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
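The thread above argues over two properties of a login check: Mark's per-username attempt limit (after $number failures in $timeperiod every answer is silently "no") and Wes's rule that every mistake, wrong username or wrong password alike, should be answered equally slowly while valid logins are answered quickly, so that response time does not reveal which usernames exist. The following is an added illustration written for this archive page, not code from the thread or from FreeBSD. It assumes a PBKDF2 password store (constructed sample users), a per-username sliding-window failure counter, a decoy credential so an unknown username costs exactly the same hash work as a known one, and a single fixed delay applied to every failed answer. The clock and sleep functions are injectable so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

PBKDF2_ROUNDS = 20_000  # modest so the example runs quickly; raise in real use


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password (assumed store format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_db(plain: dict) -> dict:
    """Turn {username: password} into {username: (salt, hash)}. Constructed data only."""
    db = {}
    for name, pw in plain.items():
        salt = os.urandom(16)
        db[name] = (salt, hash_password(pw, salt))
    return db


class Authenticator:
    def __init__(self, users, max_failures=5, window_seconds=600,
                 failure_delay=2.0, now=time.monotonic, sleep=time.sleep):
        self.users = users
        self.max_failures = max_failures      # Mark's "$number"
        self.window = window_seconds          # Mark's "$timeperiod"
        self.failure_delay = failure_delay    # Wes's "answer all mistakes slowly"
        self.now = now
        self.sleep = sleep
        self.failures = defaultdict(deque)    # username -> timestamps of bad passwords
        # Decoy credential: an unknown username is hashed against this so the
        # failure path does the same amount of work whether or not the user exists.
        self.decoy_salt = os.urandom(16)
        self.decoy_hash = hash_password(os.urandom(16).hex(), self.decoy_salt)
        self.hash_calls = 0                   # instrumentation: one hash per attempt

    def _recent_failures(self, username: str) -> int:
        """Count bad-password attempts inside the sliding window, dropping stale ones."""
        q = self.failures[username]
        cutoff = self.now() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def check(self, username: str, password: str) -> bool:
        """Return True only for a correct password on an unlocked account.

        Every failure, whatever its cause, is answered after the same delay;
        successes return immediately, which is the distinction Wes asks for.
        """
        known = username in self.users
        salt, expected = self.users.get(username, (self.decoy_salt, self.decoy_hash))
        self.hash_calls += 1
        candidate = hash_password(password, salt)           # same cost for known and unknown names
        password_ok = hmac.compare_digest(candidate, expected) and known
        locked = self._recent_failures(username) >= self.max_failures
        ok = password_ok and not locked                     # locked: even the right password is "no"
        if not password_ok:
            self.failures[username].append(self.now())
        if not ok:
            self.sleep(self.failure_delay)
        return ok


if __name__ == "__main__":
    auth = Authenticator(make_user_db({"alice": "correct horse"}), max_failures=3,
                         window_seconds=60, failure_delay=0.5)
    for user, pw in [("alice", "correct horse"), ("alice", "nope"), ("nobody", "nope")]:
        t0 = time.monotonic()
        print(user, auth.check(user, pw), f"{time.monotonic() - t0:.2f}s")
```

Two points the code makes concrete. The decoy hash plus `hmac.compare_digest` keeps the work on the failure path identical for unknown and known usernames, which is what removes the username oracle Jon objected to; the fixed delay then sits on top of that uniform work. The per-username counter still carries the denial-of-service cost Lyndon raised: anyone who knows a username can lock it for `window_seconds` with `max_failures` wrong guesses, and because unknown names also get counter entries the `failures` map should be bounded (for example by capping its size or keying it by client address as well) before this is used on a real service.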