Security Problem?

msggroup-request%brl at sri-unix.UUCP
Tue Jul 5 16:57:00 AEST 1983


From:  Einar Stefferud <msggroup-request at brl>

I can see how you connect this question to MsgGroup because of the
involvement of SMTP, or mailing lists.  But, of course there are lots
of other non-mail ways to get login names on most any host.

So, I don't think this is a mail system issue after all, beyond your
accurate initial observations.

So, rather than trying to shut down the ability to extract login names
from mail servers, I think attention should be focused on other
security techniques.

Like, making the penalty higher for failing to login correctly, and
making the user start over at the beginning of the whole process when
an error occurs before completion.  One thing to do is force a delay
following any failure, like an extra 5 or 10 seconds, which slows down
the hacking rate to less than 6 tries per minute.  Then, I think that
too many failures in a row should cause a disconnect, which further
slows down serious password hackers.

Seems to me that it is too easy to put obstacles in the way to let
ourselves get sidetracked into trying to conceal names.  Whither goest
the whole idea of name-servers if we try to close the mail gap?

So, let's just chase this issue back to the other lists, unless a more
genuine mail connection can be conjured up.

Cheers - Stef
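
The delay-and-disconnect scheme described in the message above, as an added example that is not part of the original post. The class and function names, the account, the 3-failure limit and the 5-second reconnect cost are assumptions; only the 10-second delay comes from the message.

```python
import hmac
import time

class LoginGate:
    """One connection's login dialogue: delay after each failure, disconnect after too many."""

    def __init__(self, check, fail_delay=10.0, max_failures=3, sleep=time.sleep):
        self.check = check                # callable(user, password) -> bool
        self.fail_delay = fail_delay      # seconds; the message suggests 5 or 10
        self.max_failures = max_failures  # assumed limit; the message gives no number
        self.sleep = sleep                # injectable so tests need not really wait
        self.failures = 0
        self.connected = True

    def attempt(self, user, password):
        """Take a complete name+password pair; return 'ok', 'retry' or 'disconnect'."""
        if not self.connected:
            raise ConnectionError("session closed; reconnect and start over")
        if self.check(user, password):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.sleep(self.fail_delay)       # penalty is paid before the next prompt
        if self.failures >= self.max_failures:
            self.connected = False        # too many failures in a row
            return "disconnect"
        return "retry"                    # caller must resend name and password

def check_constructed(user, password):
    # Constructed account for the demo; constant-time comparison of the secret.
    return user == "user1" and hmac.compare_digest(password.encode(), b"constructed-secret")

def simulate(guesses, fail_delay=10.0, max_failures=3, reconnect_cost=5.0):
    """Run wrong guesses on a fake clock; return (elapsed seconds, connections used)."""
    clock = [0.0]
    def fake_sleep(seconds):
        clock[0] += seconds
    gate = LoginGate(check_constructed, fail_delay, max_failures, fake_sleep)
    connections = 1
    for guess in guesses:
        if not gate.connected:            # dropped: pay the assumed reconnect cost
            clock[0] += reconnect_cost
            gate = LoginGate(check_constructed, fail_delay, max_failures, fake_sleep)
            connections += 1
        gate.attempt("user1", guess)
    return clock[0], connections
```

With these settings twelve wrong guesses take 135 simulated seconds over four connections, about 5.3 tries per minute.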


