Date: Fri, 18 Feb 2000 16:01:38 -0600
From: Jon Hamilton <hamilton@pobox.com>
To: Wes Peters <wes@softweyr.com>
Cc: Lyndon Nerenberg <lyndon@orthanc.ab.ca>, Mark Murray <mark@grondar.za>, Peter Wemm <peter@netplex.com.au>, current@freebsd.org, committers@freebsd.org
Subject: Re: Crypto progress! (And a Biiiig TODO list)
Message-ID: <20000218220138.0BD819B@woodstock.monkey.net>
In-Reply-To: Your message of "Fri, 18 Feb 2000 10:01:23 MST." <38AD7AE3.B4BEB308@softweyr.com>
In message <38AD7AE3.B4BEB308@softweyr.com>, Wes Peters wrote:
} Lyndon Nerenberg wrote:
} >
} > >>>>> "Mark" == Mark Murray <mark@grondar.za> writes:
} >
} > Mark> o A username may only be checked $number times per
} > Mark> $timeperiod; after that, _all_ answers are silently
} > Mark> converted to "no".
} >
} > Umm, massive DOS hole.
}
} Per username. If you publish your userlist, you're an idiot. The
} daemon should also immediately go into "breakin evasion mode" for
} all invalid usernames, answering the requests very slowly.

You don't have to publish a userlist in order for some of that kind
of information to leak out. Besides, by answering very slowly for
invalid usernames you just gave the bad guys a way to deduce your
user list anyway.

--
Jon Hamilton
hamilton@pobox.com
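The two design problems raised in this exchange (a per-username failure counter that any remote party can exhaust, and a "slow only for invalid usernames" delay whose timing reveals which names exist) can be made concrete in a small simulation. The following is an added example, not FreeBSD code or anything proposed in the thread; the user database, client addresses, delay constants and function names are constructed for illustration. Delays are returned as numbers rather than slept, so the observable behaviour of each policy can be compared offline.

```python
"""Toy model of an authentication responder.

Compares the policy quoted above (unknown usernames answered slowly,
failures counted per username) with a hardened policy whose delay does not
depend on whether the username exists and whose throttle is keyed by the
client source instead of the target account.

Added example; all data here is constructed and hypothetical.
"""
import hmac

# Constructed credential store (plaintext only for the sake of the toy model).
USERS = {"alice": b"correct horse", "bob": b"battery staple"}

FAST = 0.0   # seconds of delay, simulated rather than slept
SLOW = 2.0   # "breakin evasion" delay, simulated rather than slept

# Dummy secret compared against when the username is unknown, so the
# hardened path does the same work whether or not the account exists.
_DUMMY_SECRET = b"\0" * 16


def naive_policy(username: str, password: bytes):
    """Policy as described in the thread: unknown usernames get the slow path.

    Returns (authenticated, simulated_delay_seconds). The delay differs
    between a known and an unknown username, which is the leak Jon points at.
    """
    stored = USERS.get(username)
    if stored is None:
        return False, SLOW
    return hmac.compare_digest(stored, password), FAST


def hardened_policy(username: str, password: bytes):
    """Same outcomes, but every failed attempt gets the same delay.

    Whether the account exists is not observable from the delay: a wrong
    password for "alice" and any password for a nonexistent user both take
    SLOW. The comparison runs in both cases so the code path stays uniform.
    """
    stored = USERS.get(username)
    matched = hmac.compare_digest(stored if stored is not None else _DUMMY_SECRET, password)
    ok = stored is not None and matched
    return ok, FAST if ok else SLOW


def distinguishable(policy, known_user: str, unknown_user: str, password: bytes = b"wrong") -> bool:
    """True if an observer could tell a real account from a fake one by delay alone."""
    _, delay_known = policy(known_user, password)
    _, delay_unknown = policy(unknown_user, password)
    return delay_known != delay_unknown


class Responder:
    """Front end that adds a failure throttle in front of a policy.

    Failures are counted per client source (e.g. peer address), not per
    username, so a remote party cannot lock a legitimate user out simply by
    guessing that user's name repeatedly.
    """

    def __init__(self, policy, max_failures: int = 5):
        self.policy = policy
        self.max_failures = max_failures
        self.failures = {}  # source -> consecutive failure count

    def login(self, source: str, username: str, password: bytes):
        if self.failures.get(source, 0) >= self.max_failures:
            return False, SLOW  # this source is throttled; the account is not
        ok, delay = self.policy(username, password)
        if ok:
            self.failures.pop(source, None)
        else:
            self.failures[source] = self.failures.get(source, 0) + 1
        return ok, delay


if __name__ == "__main__":
    print("naive leaks account existence:", distinguishable(naive_policy, "alice", "mallory"))
    print("hardened leaks account existence:", distinguishable(hardened_policy, "alice", "mallory"))
    r = Responder(hardened_policy, max_failures=2)
    for _ in range(3):
        print("10.0.0.1 guessing alice:", r.login("10.0.0.1", "alice", b"guess"))
    print("alice from her own host:", r.login("10.0.0.2", "alice", b"correct horse"))
```

The point of `distinguishable` is to make the leak a testable property of the policy rather than something noticed after deployment: any difference in the delay between a known and an unknown username is information an observer does not need a published user list to obtain. Keying the throttle by source rather than by account is the simplest answer to the denial-of-service objection in the quoted text, at the cost that a distributed guesser is not slowed by it; a real daemon would combine it with a global failure budget.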