On Thu, Aug 10, 2000 at 11:40:41AM -0400, Noel L Yap wrote:
> Also, how do you know who did what when users aren't "really" authenticated?
> For example, using your numbers, there's a 1 out of 10 chance
> (fairly high in my opinion), that someone can pose as someone else.
Where does this 1 in 10 chance come from? I posted relative risk
percentages. If an attack happens I think it is 90% likely to come
from an authenticated user. That doesn't mean that an attack is
going to happen.
A common risk analysis practice is to list your top 3/5/10 risks and
concentrate your efforts on reducing the top risks. That's all I was
trying to do; you shouldn't read too much into those numbers, as they
are purely speculative.
> So now what, you revoke privileges from the person who was impersonated?
Yes. Because either they are doing something nasty or someone has
compromised their password.
I do use real unix uids so I can determine which *userid* did the damage,
providing they don't break root (in which case no authentication system
can hope to help you, unless you have extensive off-site logging, etc.)
Justin