[EMAIL PROTECTED] on 2000.08.10 22:13:46
>On Thu, Aug 10, 2000 at 05:45:09PM -0400, Noel L Yap wrote:
>> OK, then.  Given an attack, there's a 1 out of 10 chance that someone can pose
>> as someone else.  That's still pretty high.
>
>Yes that's true, given an attack there is a 1 in 10 chance someone will
>be posing as someone else. In that case I disable the userid and wait to
>see what explanation I get from the userid in question (since I wouldn't
>yet know if they're the attacker or the victim).
>
>So what's wrong with that?

I see.  So the conversation might go something like:
Client: Hey, why was my user id shut down?
You: Oh, your user id was used for some hacking.
Client: It wasn't me.  I was framed.
You: Oh, OK, I'll give you a new user id.

Now, considering that you're assuming you don't even know who "Client" is and
even if they are who they say they are, how are you then sure that they are
telling the truth in the above conversation?

>> >> So now what, you revoke privileges from the person who was impersonated?
>> >
>> >Yes. Because either they are doing something nasty or someone has
>> >compromised their password.
>> >
>> >I do use real unix uids so I can determine which *userid* did the damage,
>> >providing they don't break root (in which case no authentication system
>> >can hope to help you, unless you have extensive off-site logging, etc.)
>>
>> But the real culprit gets away.  This wouldn't happen with SSH.
>
>The culprit gets away no matter what. There's nothing I can do to
>them even if I find out which email address is really associated
>with the attack.

Yes, but at least you know you're shutting down the right account.  The only way
the attacker can keep attacking is to get a new email address (which, I agree,
is relatively easy).  IOW, they don't have an alternate attack path of using
someone else's authentication.

Noel
