Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site inset.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!genrad!panda!talcott!harvard!seismo!mcvax!ukc!qtlon!ist!inset!dave
From: dave@inset.UUCP (Dave Lukes)
Newsgroups: net.followup
Subject: Re: Hackers at dutesta (with solution) (no solution really)
Message-ID: <531@inset.UUCP>
Date: Sat, 23-Mar-85 00:00:47 EST
Article-I.D.: inset.531
Posted: Sat Mar 23 00:00:47 1985
Date-Received: Wed, 27-Mar-85 04:10:44 EST
References: <317@dutesta.UUCP>, <364@talcott.UUCP>
Organization: The Instruction Set Ltd, London
Lines: 40

jak@talcott sez:
>
>What I think is more dangerous is allowing externally available
>computers to have passwordless accounts. This can make access really
>easy.

Agreed

>Also, a better solution might be storing an incorrect count, and
>disabling an account for 24 hours or so if 10 incorrect passwords were
>entered in a row. We've had this at times here, and I know of no
>problems other than with people who leave their first names, or other
>similar stuff, as passwords.
>

Read the AT&T Bell Laboratories Technical Journal (yawn) Oct. '84 UN*X issue,
there's a paper there on UN*X security which explains what's wrong with this:

If you do this for root, you've got problems ...

Also, more importantly, I can go up to your machine, knowing that it has
this particular misfeature, and knowing the login names of the local
administrator(s) and I type:

	login:
	Password:
	Login incorrect
	login:
	...

and so on, until it disables the logins for the administrator(s),
(or you accidentally type the right password).
Then I have 24 hours (or until the admins guess) of peaceful hacking.

And the moral of this story is:

	********** IT'S ALWAYS MORE PAINFUL THAN YOU THINK !!! **********

Yours insecurely,
	Dave.
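The point Dave makes above is a design property of the lockout policy, not of any particular system, so it can be shown with a small simulation. The Python below is an added example, not code from the original post or from any system discussed in the thread; the class names, the account name "root" and the terminal names "tty7" and "console" are constructed for the illustration. It models the proposed policy (disable the account after 10 consecutive failures for 24 hours) next to an alternative that keys the failure counter on the source terminal and applies an escalating delay, and runs the same scenario against both: ten wrong passwords for the administrator's account from one terminal, followed by the real administrator logging in with the correct password from another.

```python
"""Simulation of two ways to handle repeated failed logins (added example)."""
from typing import Dict, List

LOCKOUT_THRESHOLD = 10          # failures in a row before the account is disabled
LOCKOUT_SECONDS = 24 * 60 * 60  # "24 hours or so", as in the quoted proposal


class AccountLockoutPolicy:
    """The policy quoted in the post: count consecutive failures per account
    and disable the account once the threshold is reached.  Because the
    counter belongs to the account, anyone who knows the login name can drive
    it up; the legitimate owner is then refused even with the right password."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD,
                 lockout: float = LOCKOUT_SECONDS) -> None:
        self.threshold = threshold
        self.lockout = lockout
        self.failures: Dict[str, int] = {}        # account -> consecutive failures
        self.locked_until: Dict[str, float] = {}  # account -> time lock expires

    def attempt(self, user: str, source: str, correct: bool, now: float) -> str:
        if self.locked_until.get(user, 0.0) > now:
            return "locked"            # refused regardless of the password
        if correct:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
        return "fail"


class SourceThrottlePolicy:
    """Alternative (constructed for this example): count failures per source
    terminal/host and make that source wait with an escalating delay.  The
    account itself is never disabled, so the administrator at a different
    terminal is unaffected by someone else's failures."""

    def __init__(self, base_delay: float = 1.0, cap: float = 300.0) -> None:
        self.base_delay = base_delay
        self.cap = cap
        self.failures: Dict[str, int] = {}        # source -> consecutive failures
        self.not_before: Dict[str, float] = {}    # source -> earliest next try

    def attempt(self, user: str, source: str, correct: bool, now: float) -> str:
        if self.not_before.get(source, 0.0) > now:
            return "throttled"         # this source must wait; others are unaffected
        if correct:
            self.failures[source] = 0
            return "ok"
        n = self.failures.get(source, 0) + 1
        self.failures[source] = n
        # delay doubles with each consecutive failure, capped at `cap` seconds
        self.not_before[source] = now + min(self.cap, self.base_delay * 2 ** (n - 1))
        return "fail"


def run_scenario(policy) -> Dict[str, object]:
    """Ten wrong passwords for 'root' from 'tty7', one per second, then the
    real administrator at 'console' tries the correct password two seconds
    after the last wrong attempt.  Returns both sides' outcomes."""
    t = 0.0
    third_party: List[str] = []
    for _ in range(LOCKOUT_THRESHOLD):
        third_party.append(policy.attempt("root", "tty7", False, t))
        t += 1.0
    admin = policy.attempt("root", "console", True, t + 1.0)
    return {"third_party": third_party, "admin": admin}


if __name__ == "__main__":
    for name, policy in (("account lockout", AccountLockoutPolicy()),
                         ("per-source throttle", SourceThrottlePolicy())):
        result = run_scenario(policy)
        print(f"{name:20s} admin login -> {result['admin']!r}")
```

Under the account-lockout policy the administrator's correct login comes back `locked`; under the per-source throttle it succeeds, while the source that keeps failing is simply slowed down. Throttling by source has its own limits (a caller with many source addresses gets many counters), which is why later systems tend to combine it with logging and alerting on repeated failures rather than relying on any single rule.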