Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!genrad!decvax!harpo!seismo!hao!hplabs!sri-unix!msggroup-request@brl
From: msggroup-request%brl@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Security Problem?
Message-ID: <2654@sri-arpa.UUCP>
Date: Tue, 5-Jul-83 02:57:00 EDT
Article-I.D.: sri-arpa.2654
Posted: Tue Jul 5 02:57:00 1983
Date-Received: Fri, 1-Jul-83 06:09:45 EDT
Lines: 29

From: Einar Stefferud

I can see how you connect this question to MsgGroup because of the
involvement of SMTP, or mailing lists. But, of course there are lots
of other non-mail ways to get login names on most any host. So, I
don't think this is a mail system issue after all, beyond your
accurate initial observations.

So, rather than trying to shut down the ability to extract login
names from mail servers, I think attention should be focused on other
security techniques. Like, making the penalty higher for failing to
login correctly, and making the user start over at the beginning of
the whole process when an error occurs before completion. One thing
to do is force a delay following any failure, like an extra 5 or 10
seconds, which slows down the hacking rate to less than 6 tries per
minute. Then, I think that too many failures in a row should cause a
disconnect, which further slows down serious password hackers.

Seems to me that it is too easy to put obstacles in the way to let
ourselves get sidetracked into trying to conceal names. Whither goest
the whole idea of name-servers if we try to close the mail gap?

So, let's just chase this issue back to the other lists, unless a more
genuine mail connection can be conjured up.

Cheers - Stef
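
The delay-and-disconnect scheme described in the post, as an added C example that is not part of the original message. The limit of 3 consecutive failures, the constructed account table and the fake_sleep stand-in for sleep(3) are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define FAIL_DELAY_SECS 10 /* the post suggests 5 or 10 seconds */
#define MAX_FAILS 3        /* assumed value for "too many failures in a row" */

enum outcome { LOGIN_OK, LOGIN_DISCONNECT, LOGIN_EOF };

struct attempt { const char *user, *pass; };

static unsigned slept;                             /* total delay imposed, in seconds */
static void fake_sleep(unsigned s) { slept += s; } /* stand-in for sleep(3) */

/* Constructed account table; a real login would consult the password file. */
static int check(const char *user, const char *pass)
{
    return strcmp(user, "stef") == 0 && strcmp(pass, "correct horse") == 0;
}

/* One connection. Each try is a full name+password pair, so any failure
 * sends the caller back to the start of the whole process. */
enum outcome login_session(const struct attempt *t, int n, void (*nap)(unsigned))
{
    int fails = 0, i;

    for (i = 0; i < n; i++) {
        if (check(t[i].user, t[i].pass))
            return LOGIN_OK;
        nap(FAIL_DELAY_SECS);        /* same delay for a bad name or a bad password */
        if (++fails >= MAX_FAILS)
            return LOGIN_DISCONNECT; /* caller must reconnect to keep guessing */
    }
    return LOGIN_EOF;                /* caller hung up before the limit */
}

int main(void)
{
    /* Constructed guessing run: three wrong pairs, then the right one. */
    struct attempt guesses[] = {
        {"stef", "a"}, {"root", "b"}, {"stef", "c"}, {"stef", "correct horse"}
    };
    enum outcome r = login_session(guesses, 4, fake_sleep);

    printf("outcome=%d total_delay=%us\n", (int)r, slept);
    return 0;
}
```

The fourth, correct pair is never evaluated: the connection is dropped after the third failure, and the three failures alone cost 30 seconds of enforced delay.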