
Re: Small Bug



On 5 Mar 2000, Niels Möller wrote:

> "Guy's Account" <guy@interlog.com> writes:
> 
> > This is not security by obscurity.  It is long-established practice.
> 
> It might well be "long-established practice". But I still agree with
> Marcus that it (usually) is security by obscurity.
> 
> To get a little further, I'll try to define "security by obscurity".
> 
> We have some information (in this case, user names), that the security
> model considers as "public knowledge". This means that the security

This is wrong.

The "model" is that an external user does NOT have access to the full
list of user names.  They may be able to harvest a subset but there is
no way to get the full list.  In fact, as a paranoid system administrator,
I can configure the mail system to only allow First.Last@mydomain.org and I
can give the users usernames like:
	a1fred		John.Doe@mydomain.org
	b7barney	Bill.Smith@mydomain.org
All non-user accounts are locked and accessible only via 'sudo'.  I need
a root account in single user mode but I can have the system change the
password file on single-user boot and if the root disk is too hosed to
do this I can boot the system from the install media.  I don't run services
like finger.  So there is NO public information about user names.

Therefore it is a quadratic problem to attack the machine externally.
Except for a small subset of the user names you are forced to guess
username + password pairs.

If you configure the FTP service to leak user info you have reduced the
problem to two linear ones.  First find ALL the user names and then
attack the passwords for each one.

While this is theoretical, if you read Cheswick and Bellovin, you will
find that the AT&T network was protected in this way --- NO information
on user names on internet-accessible machines.  NO mail accepted except
to First.Last@domain.  I'll have to re-read C&B to see if there are
any other errors in my logic here (but I just lent it to someone).

	<snip>
> /Niels
> 
> > > The user login name is often very exposed, for example in email addresses,
> > > log files etc. If you already have an account, you can usually just list
> > > /home to get all user names of a system.
> > 
> > But the problem pointed out allows an attacker *without* an account to gain
> > information.
> 
> 

----
Guy W. Hulbert					At Work:
guy@interlog.com				guy@bioinfo.sickkids.on.ca
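As an added illustration (not part of the original thread), the two behaviours the post argues about can be audited from FTP login logs: a source that walks many distinct usernames is enumerating, and a daemon whose failure reasons differ between real and nonexistent accounts is "leaking user info". The log format and all sample lines below are constructed for this example, not taken from any real ftpd.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a generic syslog-like ftpd format (hypothetical;
# not from the original thread): one login attempt per line, with source and result.
SAMPLE_LOG = """\
Mar  5 10:01:02 host ftpd[101]: LOGIN FAILED user=alice from=203.0.113.7 reason=no-such-user
Mar  5 10:01:03 host ftpd[102]: LOGIN FAILED user=bob from=203.0.113.7 reason=no-such-user
Mar  5 10:01:04 host ftpd[103]: LOGIN FAILED user=a1fred from=203.0.113.7 reason=bad-password
Mar  5 10:01:05 host ftpd[104]: LOGIN FAILED user=carol from=203.0.113.7 reason=no-such-user
Mar  5 10:01:06 host ftpd[105]: LOGIN FAILED user=dave from=203.0.113.7 reason=no-such-user
Mar  5 10:02:00 host ftpd[106]: LOGIN FAILED user=b7barney from=198.51.100.9 reason=bad-password
Mar  5 10:02:30 host ftpd[107]: LOGIN OK user=b7barney from=198.51.100.9
"""

LINE_RE = re.compile(
    r"LOGIN (?P<result>OK|FAILED) user=(?P<user>\S+) from=(?P<src>\S+)"
    r"(?: reason=(?P<reason>\S+))?"
)

def parse_attempts(log_text):
    """Yield (src, user, result, reason) for each login line; non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result"), m.group("reason")

def find_enumerators(log_text, max_distinct_users=3):
    """Map source -> sorted usernames for sources that tried more than max_distinct_users
    different names. The signal is the count of *distinct* names, not of failures:
    a password guesser hammers one name, a username harvester walks many."""
    users_by_src = defaultdict(set)
    for src, user, _result, _reason in parse_attempts(log_text):
        users_by_src[src].add(user)
    return {src: sorted(u) for src, u in users_by_src.items()
            if len(u) > max_distinct_users}

def distinct_failure_reasons(log_text):
    """Sorted set of failure reasons the daemon reported. More than one reason means
    a remote client can tell a real account from a nonexistent one, i.e. the service
    discloses the user list that the post wants kept private."""
    return sorted({reason for _s, _u, result, reason in parse_attempts(log_text)
                   if result == "FAILED" and reason})
```

Run over a real log the thresholds and the reason strings must be adapted to the daemon in use; the point is that a daemon which answers every failed login identically leaves `distinct_failure_reasons` with a single entry.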