Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!think!ames!oliveb!intelca!mipos3!merlyn
From: merlyn@intelob.intel.com (Randal L. Schwartz @ Stonehenge)
Newsgroups: news.sysadmin
Subject: Re: Security checkup
Message-ID: <2968@mipos3.intel.com>
Date: 4 Oct 88 16:03:21 GMT
References: <167@carpet.WLK.COM> <5014@medusa.cs.purdue.edu>
Sender: news@mipos3.intel.com
Reply-To: merlyn@intelob.intel.com (Randal L. Schwartz @ Stonehenge)
Distribution: na
Organization: Stonehenge; netaccess via BiiN, Hillsboro, Oregon, USA
Lines: 26
In-reply-to: spaf@cs.purdue.edu (Gene Spafford)

In article <5014@medusa.cs.purdue.edu>, spaf@cs (Gene Spafford) writes:
|
| Here's a very rough list of things to check:
[...]
| 9) If your system logs bad login attempts to the console, or
| bad attempts to change passwords, then be sure to audit your
| logs -- frequently!
[...]
| I know how to use all but 8 & 9 to break into
| systems, and I am certainly not the only one.

Arrgggh. No. If you have a feature that "logs bad login attempts to
the console" TURN IT OFF. This is a *bad* *idea* (as Dave Barry would
put it). This has been discussed in security circles, and even on
this net, if I remember correctly.

If you don't see how this is a bad idea, send me mail. I'll reply,
mailers willing.

Yours for a more secure future,
--
Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
on contract to BiiN Technical Information Services (for now :-),
in a former Intel building in Hillsboro, Oregon, USA
or ...!tektronix!inteloa[!intelob]!merlyn
Standard disclaimer: I *am* my employer!