Re: Small Bug
On Thu, Feb 24, 2000 at 04:25:25PM -0500, dallen@capitalone.com wrote:
>
> It does make more sense though that you should give the possible
> attacker as little information about the system as you can.

In general, security through obscurity is not sufficient as a protection
strategy.

The user login name is often very exposed, for example in email addresses,
log files etc. If you already have an account, you can usually just list
/home to get all user names of a system.

If knowing any user name is valuable information for an attacker, I would
suggest reworking the password mechanism ;) Luckily, the password mechanism
we have is sufficient if you choose your password carefully.

So, in short, it's not a security problem at all, though some sites might
wish for a tighter security policy (you could easily call this paranoid,
though). (Also: Did you remove the root account and replace it with a
different one? Did you make sure that your email transport agent does not
accept mail at username@host? Did you disable finger and other services?)

Thanks,
Marcus
--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server
Marcus Brinkmann GNU http://www.gnu.org for public PGP Key
Marcus.Brinkmann@ruhr-uni-bochum.de, marcus@gnu.org PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/ brinkmd@debian.org