Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!rutgers!cmcl2!adm!news
From: mike@BRL.MIL (Mike Muuss)
Newsgroups: comp.unix.wizards
Subject: Re: new password idea
Message-ID: <26691@adm.brl.mil>
Date: 27 Apr 91 05:12:32 GMT
Sender: news@adm.brl.mil
Lines: 23

The term for this is "denial of service". It can be a serious threat,
if your users actually have important work to do.

First, if a particular user (say, the department chairman) was getting
beaten upon by a hacker regularly (say, every other day), I think the
bother of having to get the account reactivated would upset that user.

Second, on the assumption that you support "remote" users (e.g. another
campus), you are then (with the most secure policy) faced with needing
a "secure channel" to verify their identity before reactivating the
account, and (with the simplest policy) simply going to turn that
account on again for another bout.

The action of the law enforcement community might resolve your problem,
but it could take months to work through it with them. On the several
cases I've been involved with, the time units are YEARS.

"Computer security should be strong enough to repel virtually any
attack ***from the outside***, yet unobtrusive enough that the average
user is unaware that he is being guarded by a strong defense."

Best,
- Mike Muuss