From owner-freebsd-current Fri Feb 18 22: 8:37 2000
Delivered-To: freebsd-current@freebsd.org
Received: from ind.alcatel.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id E70EB37BB88 for ; Fri, 18 Feb 2000 22:08:35 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com (mailhub [198.206.181.70]) by ind.alcatel.com (8.9.3+Sun/8.9.1 (ind.alcatel.com 3.0 [OUT])) with SMTP id WAA01499; Fri, 18 Feb 2000 22:08:01 -0800 (PST)
X-Origination-Site:
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id WAA17754; Fri, 18 Feb 2000 22:08:01 -0800
Received: from softweyr.com (homer.softweyr.com [204.68.178.39]) by omni.xylan.com (8.9.3+Sun/8.9.1 (Xylan engr [SPOOL])) with ESMTP id WAA28758; Fri, 18 Feb 2000 22:07:59 -0800 (PST)
Message-ID: <38AE34D8.F7F88DBA@softweyr.com>
Date: Fri, 18 Feb 2000 23:14:48 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Jon Hamilton
Cc: Lyndon Nerenberg , current@freebsd.org
Subject: Re: Crypto progress! (And a Biiiig TODO list)
References: <20000218220138.0BD819B@woodstock.monkey.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Jon Hamilton wrote:
>
> In message <38AD7AE3.B4BEB308@softweyr.com>, Wes Peters wrote:
> } Lyndon Nerenberg wrote:
> } >
> } > >>>>> "Mark" == Mark Murray writes:
> } >
> } >     Mark> o A username may only be checked $number times per
> } >     Mark>   $timeperiod; after that, _all_ answers are silently
> } >     Mark>   converted to "no".
> } >
> } > Umm, massive DOS hole.
> }
> } Per username.  If you publish your userlist, you're an idiot.  The
> } daemon should also immediately go into "breakin evasion mode" for
> } all invalid usernames, answering the requests very slowly.
>
> You don't have to publish a userlist in order for some of that kind
> of information to leak out.  Besides, by answering very slowly for
> invalid usernames you just gave the bad guys a way to deduce your
> user list anyway.

And how exactly are they supposed to tell the difference between answering
slowly due to breakin evasion vs. answering slowly because the system is a
386sx/16?  You would want to answer all "mistakes" slowly, but valid logins
quickly.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                     Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
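The two objections in the thread (per-username counting lets anyone lock a known user out; a slow answer only for unknown usernames tells a guesser which names exist) can both be designed around, and Wes's "all mistakes slowly, valid logins quickly" rule is the shape of the fix. The sketch below is an added example, not code from the FreeBSD tree or from anyone in this thread: it hashes the supplied password against a stand-in record when the username is unknown so both failure paths do the same work, returns one fixed delay for every failure, and keeps its failure budget per source address rather than per username. The names (AuthDaemon, make_user_db, FAILURE_DELAY, ManualClock), the user table and the low PBKDF2 iteration count are all constructed for the example.

```python
"""Added example: uniform-failure login check with per-source throttling.

Not code from the FreeBSD tree or from anyone in this thread; the names,
the user table and the cost parameters below are constructed.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Fixed PBKDF2 cost so every check does the same work whether or not the
# username exists.  Kept deliberately low so the example runs fast (assumption).
ITERATIONS = 2000
# Delay (seconds) the caller applies before replying to ANY failed attempt:
# wrong password and unknown username look identical on the wire.
FAILURE_DELAY = 2.0


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(creds: dict) -> dict:
    """Build username -> (salt, hash) from a constructed {user: password} map."""
    db = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        db[user] = (salt, derive(pw, salt))
    return db


# Stand-in record used when the username is unknown, so the unknown-user path
# hashes exactly like the known-user path instead of returning early.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive(os.urandom(16).hex(), _DUMMY_SALT)


class ManualClock:
    """Injectable clock so the throttle window can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class AuthDaemon:
    def __init__(self, db, max_failures=5, window=60.0, clock=time.monotonic):
        self.db = db
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        # Failure budget is keyed by source address, never by username: a
        # per-username counter is the lockout hole Lyndon objected to.
        self.failures = defaultdict(list)

    def check(self, source: str, username: str, password: str):
        """Return (verdict, delay); verdict is 'ok', 'fail' or 'throttled'."""
        now = self.clock()
        recent = [t for t in self.failures[source] if now - t < self.window]
        self.failures[source] = recent
        if len(recent) >= self.max_failures:
            # Over budget: refuse before consulting the user table, so a
            # throttled reply carries no information about the username.
            return "throttled", FAILURE_DELAY
        salt, expected = self.db.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        known = username in self.db
        match = hmac.compare_digest(derive(password, salt), expected)
        if known and match:
            return "ok", 0.0
        recent.append(now)
        return "fail", FAILURE_DELAY


def demo():
    """Drive the daemon through the cases argued in the thread; returns verdicts."""
    clock = ManualClock()
    daemon = AuthDaemon(make_user_db({"alice": "correct horse"}),
                        max_failures=3, window=60.0, clock=clock)
    out = [daemon.check("10.0.0.1", "alice", "correct horse")]     # ok
    out.append(daemon.check("10.0.0.1", "alice", "battery"))        # wrong password
    out.append(daemon.check("10.0.0.1", "nobody", "battery"))       # unknown user: same answer
    out.append(daemon.check("10.0.0.1", "nobody", "staple"))        # third failure
    out.append(daemon.check("10.0.0.1", "alice", "correct horse"))  # throttled even though right
    out.append(daemon.check("10.0.0.2", "alice", "correct horse"))  # other source: alice not locked
    clock.now = 61.0
    out.append(daemon.check("10.0.0.1", "alice", "correct horse"))  # window expired
    return out


if __name__ == "__main__":
    for verdict, delay in demo():
        print(verdict, delay)
```

The daemon returns the delay rather than sleeping so the caller can apply it on its own schedule; the point is that a wrong password and a nonexistent username produce the same verdict, the same delay and the same hashing cost, while a source that burns its budget is refused before the user table is consulted at all.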