[EMAIL PROTECTED] on 2000.08.10 16:41:35
>On Thu, Aug 10, 2000 at 11:40:41AM -0400, Noel L Yap wrote:
>
>> Also, how do you know who did what when users aren't "really" authenticated?
>> For example, using your numbers, there's a 1 out of 10 chance
>> (fairly high in my opinion), that someone can pose as someone else.
>
>Where does this 1 in 10 chance come from? I posted relative risk
>percentages. If an attack happens I think it is 90% likely to come
>from an authenticated user. That doesn't mean that an attack is
>going to happen.

OK, then.  Given an attack, there's a 1 out of 10 chance that someone can pose
as someone else.  That's still pretty high.

>A common risk analysis practice is to list your top 3/5/10 risks and
>concentrate your efforts on reducing the top risks. That's all I was
>trying to do, you shouldn't read too much into those numbers, as they
>are purely speculative.

Then so is your 90% figure.  You seem to want to defend your patch by saying, "I
figure there's a 90% chance of so and so, therefore, I'll concentrate my efforts
there."  Now, when someone uses your figures to say that the patch isn't good,
you say, "Don't read too much into the numbers."  I think you're being biased in
your analysis.

>> So now what, you revoke privileges from the person who was impersonated?
>
>Yes. Because either they are doing something nasty or someone has
>compromised their password.
>
>I do use real unix uids so I can determine which *userid* did the damage,
>providing they don't break root (in which case no authentication system
>can hope to help you, unless you have extensive off-site logging, etc.)

But the real culprit gets away.  This wouldn't happen with SSH.

Noel


