In message <[EMAIL PROTECTED]>, Wes Peters wrote:
} Lyndon Nerenberg wrote:
} > 
} > >>>>> "Mark" == Mark Murray <[EMAIL PROTECTED]> writes:
} > 
} >     Mark> o A username may only be checked $number times per
} >     Mark> $timeperiod; after that, _all_ answers are silently
} >     Mark> converted to "no".
} > 
} > Umm, massive DOS hole.
} 
} Per username.  If you publish your userlist, you're an idiot.  The
} daemon should also immediately go into "breakin evasion mode" for 
} all invalid usernames, answering the requests very slowly.

You don't have to publish a userlist in order for some of that kind
of information to leak out.  Besides, by answering very slowly for
invalid usernames you just gave the bad guys a way to deduce your
user list anyway.

-- 
   Jon Hamilton  
   [EMAIL PROTECTED]
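Added example, not code from this thread or from any of its participants: a per-username throttle that follows the rule quoted above (at most N checks per time period, then every answer becomes "no") but puts unknown usernames through exactly the same bookkeeping and comparison path, so neither the answer nor the work done reveals whether the account exists. The usernames, passwords and limits are constructed for the demonstration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque


def _digest(secret: str) -> bytes:
    # Constructed toy credential store: SHA-256 of the password. A real
    # daemon would use a slow, salted password hash instead.
    return hashlib.sha256(secret.encode()).digest()


class AuthThrottle:
    """At most `limit` checks per username per `window` seconds; past that,
    every answer is "no". Unknown usernames take the identical path, so the
    response policy does not depend on whether the account exists."""

    def __init__(self, users, limit=5, window=60.0, clock=time.monotonic):
        self._users = {u: _digest(p) for u, p in users.items()}
        self._dummy = _digest("placeholder-for-unknown-users")  # never a real login
        self.limit, self.window, self._clock = limit, window, clock
        self._attempts = defaultdict(deque)  # username -> timestamps in window

    def attempts_in_window(self, username: str) -> int:
        now = self._clock()
        q = self._attempts[username]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def check(self, username: str, password: str) -> bool:
        # Record the attempt first, for known and unknown names alike.
        self._attempts[username].append(self._clock())
        throttled = self.attempts_in_window(username) > self.limit
        # Unknown users are compared against a dummy digest so the comparison
        # work is the same either way; compare_digest avoids length/prefix leaks.
        stored = self._users.get(username)
        matched = hmac.compare_digest(stored or self._dummy, _digest(password))
        return stored is not None and matched and not throttled


class StepClock:
    """Deterministic clock so the demonstration below is reproducible."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now


def demo():
    clock = StepClock()
    auth = AuthThrottle({"alice": "correct horse"}, limit=3, window=60.0, clock=clock)
    known = [auth.check("alice", "correct horse") for _ in range(4)]   # 3 yes, then no
    unknown = [auth.check("mallory", "anything") for _ in range(4)]    # always no
    same_books = auth.attempts_in_window("alice") == auth.attempts_in_window("mallory")
    clock.now += 61.0                                                  # window expires
    return known, unknown, same_books, auth.check("alice", "correct horse")
```

The bookkeeping check shows that an unknown name accumulates the same attempt record as a real one; wall-clock timing of the two paths is what a real deployment would additionally want to measure.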