[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Small Bug

On Thu, Feb 24, 2000 at 04:25:25PM -0500, dallen@capitalone.com wrote:
> It does make more sense though that you should give the possible
> attacker as little information about the system as you can.

In general, security through obscurity is not sufficient as a protection

The user login name is often very exposed, for example in email addresses,
log files etc. If you already have an account, you can usually just list
/home to get all user names of a system.

If knowing any user name is a worthful information for an attacker, I would
suggest to rework the password mechanism ;) Luckily, the password mechanism
we have is sufficient if you choose your password carefully.

So, in short, it's not a security problem at all, though some sites might
wish for a tighter security policy (you could easily call this paranoid,
though). (Also: Did you remove the root account and replaced it with a
different one? Did you make sure that your email transport agent does not
accept mail at username@host? Did you disable finger and other services?)


`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server 
Marcus Brinkmann              GNU    http://www.gnu.org    for public PGP Key 
Marcus.Brinkmann@ruhr-uni-bochum.de,     marcus@gnu.org    PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/       brinkmd@debian.org

Reply to: