In the last episode (Feb 11), David Schultz said:
> Thus spake Julian Elischer <[EMAIL PROTECTED]>:
> > Our client wants the following 'features' and we'd LIKE to be able
> > to at least say "yes we can do that", even if we can also say "but
> > we don't think it's a good idea".
> > 
> > 2/ they want to disable a login if it fails 'n' sequential logins
> > anywhere in the system. i.e. 2 on one machine followed by another
> > on another machine.
> 
> For #2, I'd try to convince them that their threat model is way out
> of whack and get new clients if they disagree.  CapitalOne
> implemented #2 for their online credit card account management
> system, and people would launch DOS attacks as you describe by
> guessing random logins, so customer service learned to change
> people's passwords whenever they asked...

Not having #2 in your internal network is a big red X on security
audits, though.  Netware did this right, where 3 (configurable)
consecutive bad logins set an intruder lockout flag, which gets cleared
after 10 (configurable) minutes.

-- 
        Dan Nelson
        [EMAIL PROTECTED]
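The lockout policy Dan describes (a system-wide count of consecutive bad logins that sets a flag which clears itself after a fixed interval) is simple enough to sketch as a small central tracker. The following is an added example, not code from the thread or from Netware; the class name, the thresholds (3 failures, 600 seconds) and the host names are assumptions, and the clock is passed in explicitly so the expiry behaviour can be exercised without waiting. Because the flag expires on its own, the denial-of-service the quoted reply worries about is bounded to one lockout window per burst of guesses rather than needing a helpdesk call to clear.

```python
"""Centralised intruder-lockout tracker (added example, not from the thread).

Models the Netware-style policy described above: N consecutive failed
logins for an account, reported from any host, set a lockout flag that
clears itself after a fixed interval.  Names and numbers are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class _AccountState:
    failures: int = 0                      # consecutive failures since last success
    locked_until: Optional[float] = None   # epoch seconds; None when not locked
    last_host: str = ""                    # host that reported the latest failure


@dataclass
class LockoutTracker:
    threshold: int = 3                 # consecutive failures before the flag is set
    lockout_seconds: float = 600.0     # how long the flag stays set (10 minutes)
    _accounts: Dict[str, _AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while the lockout flag is set; clears the flag once it has expired."""
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout window elapsed: clear the flag and the failure counter.
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def record_failure(self, user: str, host: str, now: float) -> bool:
        """Report a failed login from `host`; returns True if the account is now locked.

        Failures are counted per account regardless of which host reports
        them, so two on one machine plus one on another trips the threshold.
        """
        st = self._state(user)
        if self.is_locked(user, now):
            return True   # already locked; extra failures do not extend the window
        st.failures += 1
        st.last_host = host
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Report a correct password; returns False if login must still be refused
        because the flag is set, otherwise resets the consecutive-failure count."""
        st = self._state(user)
        if self.is_locked(user, now):
            return False
        st.failures = 0
        return True


def scenario() -> dict:
    """Constructed walk-through of the '2 on one machine, 1 on another' case."""
    t = LockoutTracker(threshold=3, lockout_seconds=600)
    t0 = 1_000_000.0                      # arbitrary constructed start time
    r = {}
    t.record_failure("alice", "hostA", t0)
    r["after_two"] = t.record_failure("alice", "hostA", t0 + 1)     # False
    r["after_three"] = t.record_failure("alice", "hostB", t0 + 2)   # True: flag set
    r["locked_at_5min"] = t.is_locked("alice", t0 + 300)            # True
    r["success_refused_during_lock"] = t.record_success("alice", t0 + 300)  # False
    r["locked_at_11min"] = t.is_locked("alice", t0 + 662)           # False: expired
    r["success_after_expiry"] = t.record_success("alice", t0 + 663)  # True
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The tracker has to be shared (or replicated) across every machine that authenticates users for the "anywhere in the system" requirement to hold; a per-host counter would let a guesser spread attempts over hosts and never trip the flag.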

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message