On Fri, 15 Oct 2010 01:12:03 +0200
Ingo Schwarze <schwa...@usta.de> wrote:

> > Much of the compliance efforts may look good on paper, but have
> > no impact on actual usage or may be trivially circumvented
> 
> or even worse, will likely end up compromising security
> in case somebody aiming for "hardening" manipulates the
> system without fully understanding the consequences.
> 

Introducing denial of service springs to mind by enabling account
lockout and with no benefit. The auth system and crypto are good in
OpenBSD, as I'm sure you know. You also want to catch attempted brute
force attacks that don't steal the password file. I guess there's no
extenuating circumstances procedure especially after the banks changed
the chip and PIN system for convenience after it was deemed acceptable,
opening up local attacks. The bunch of jokers.
