Jon Hamilton wrote:
>
> In message <[EMAIL PROTECTED]>, Wes Peters wrote:
> } Lyndon Nerenberg wrote:
> } >
> } > >>>>> "Mark" == Mark Murray <[EMAIL PROTECTED]> writes:
> } >
> } > Mark> o A username may only be checked $number times per
> } > Mark> $timeperiod; after that, _all_ answers are silently
> } > Mark> converted to "no".
> } >
> } > Umm, massive DOS hole.
> }
> } Per username. If you publish your userlist, you're an idiot. The
> } daemon should also immediately go into "breakin evasion mode" for
> } all invalid usernames, answering the requests very slowly.
>
> You don't have to publish a userlist in order for some of that kind
> of information to leak out. Besides, by answering very slowly for
> invalid usernames you just gave the bad guys a way to deduce your
> user list anyway.
And how exactly are they supposed to tell the difference between answering
slowly due to breakin evasion vs. answering slowly because the system is
a 386sx/16?
You would want to answer all "mistakes" slowly, but valid logins quickly.
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
[EMAIL PROTECTED] http://softweyr.com/