Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!decvax!genrad!panda!talcott!harvard!seismo!mcvax!enea!kuling!andersa
From: andersa@kuling.UUCP (Anders Andersson)
Newsgroups: net.crypt
Subject: Re: foiling password crackers
Message-ID: <887@kuling.UUCP>
Date: Wed, 12-Feb-86 21:16:11 EST
Article-I.D.: kuling.887
Posted: Wed Feb 12 21:16:11 1986
Date-Received: Sun, 16-Feb-86 09:07:05 EST
References: <100900001@haddock.UUCP> <588@bentley.UUCP>
Reply-To: andersa@kuling.UUCP (Anders Andersson)
Organization: Uppsala University, Sweden
Lines: 31

In article <588@bentley.UUCP> kwh@bentley.UUCP writes:
>In <100900001@haddock.UUCP> haddock!trb (Andrew Tannenbaum) writes:
>>This would let the unsuspecting loser keep trying to log into your
>>system while you had plenty of time to trace his phone line ...
>
>Trouble is, (a) no serious cracker will actually make guesses to the
>login program. (b) If he knows about this feature, the cracker can
>turn it to his advantage by locking out all the administrators.

a) Besides the "serious" crackers, there are probably a lot of non-serious ditto, rather not knowing very much at all about "how to do it". They're not seeking money or secret information; instead they ask for a special kind of excitement, "on the border of what's unallowed" (really they have plunged right into it), maybe making trouble for others, knowing that they have found some backdoor or whatever. I'll rather *bore* them to death than put a lot of fancy gizmos into operation in front of their smiling faces.

b) I don't think Tannenbaum suggested locking out the *target* of the intruder, but rather the intruder himself. Knowing about the feature, he'll probably give up guessing passwords before he started. And yes, there might be those fools finding it fun to occupy a modem. Sure, anybody who hasn't logged in within a reasonable amount of time should be hung up.
I suggest we shouldn't give any extra clues by letting people measure differences in time depending on whether the last username tried was valid or not.
-- 
Anders Andersson, Dept. of Computer Systems, Uppsala University, Sweden
Phone: +46 18 183170
UUCP: andersa@kuling.UUCP (...!{seismo,mcvax}!enea!kuling!andersa)
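The two points in the post above, that a lockout should hit the guesser and not the target account (b), and that the login program should not let a caller time whether the last username was valid, can both be shown in a small login check. The following is an added example and is not code from the original post or from any system it discusses. It assumes a PBKDF2-SHA256 password store with a constructed single-user database, a made-up per-source failure threshold and window, and uses a "dummy record" so that an unknown username costs the same hash work as a known one; the leaky variant is kept beside it only to show the timing gap it produces.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque

# Assumed parameters for this example (not from the original post).
ITERATIONS = 100_000          # PBKDF2-SHA256 work factor
MAX_FAILURES = 5              # failures per source before that source is locked
WINDOW = 300.0                # seconds over which failures are counted


def make_record(password: str):
    """Salted PBKDF2 record, standing in for a real password store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user database for the example.
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record made from a random password, so an unknown username still
# pays for a full hash and the elapsed time says nothing about validity.
_DUMMY = make_record(secrets.token_hex(16))


def check_leaky(username: str, password: str) -> bool:
    """Returns early for unknown usernames: the time difference reveals validity."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


def check_uniform(username: str, password: str) -> bool:
    """Does the full hash work on every call; unknown users hash against the dummy."""
    salt, digest = USERS.get(username, _DUMMY)
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ok = hmac.compare_digest(cand, digest)
    return ok and username in USERS      # never accept a match on the dummy record


def median_seconds(fn, username: str, password: str, runs: int = 3) -> float:
    """Median wall-clock cost of one check, as a guesser watching the line sees it."""
    samples = []
    for _ in range(runs):
        t0 = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


class SourceThrottle:
    """Locks out the guessing source, not the target account, after repeated failures."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: float = WINDOW):
        self.max_failures = max_failures
        self.window = window
        self._fails = defaultdict(deque)   # source -> timestamps of recent failures

    def _prune(self, source: str, now: float) -> None:
        q = self._fails[source]
        while q and now - q[0] > self.window:
            q.popleft()

    def locked(self, source: str, now: float) -> bool:
        self._prune(source, now)
        return len(self._fails[source]) >= self.max_failures

    def record_failure(self, source: str, now: float) -> None:
        self._prune(source, now)
        self._fails[source].append(now)


def login(throttle: SourceThrottle, source: str, username: str,
          password: str, now: float) -> str:
    """Per-source throttling in front of a uniform-cost credential check."""
    if throttle.locked(source, now):
        return "locked"
    if check_uniform(username, password):
        return "ok"
    throttle.record_failure(source, now)
    return "denied"
```

Because failures are keyed on the source (a phone line or address in the post's setting) rather than on the username, a guesser hammering the administrator's account locks out only his own line; the administrator logging in from elsewhere is unaffected. A check that the source limit is not itself a new lockout tool, such as pruning old failures by time as done here, is what keeps the feature from turning into the denial of service the quoted reply worried about.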