
Re: Small Bug



Hi, I've been lurking on this mailing list for a while (though I still haven't
managed to use the Hurd, waiting for PPP) and I thought I'd chime in to this
thread.

On Wed, Mar 15, 2000 at 09:52:48PM +0100, Marcus Brinkmann wrote:
> >  Currently, such a user could simply walk up to a
> > login> prompt on a hurd box and get the same information that any valid
> > user on the hurd box could get.
> 
> So what?
> 

So the more information a potential attacker has, the less work he has to do to
break into the system and do damage.

> How do you compromise a box with a username but no password? I challenge
> you:
> 

The same way you compromise a box with a password but no username. You don't.
The username by itself is useless, but so is a password by itself and obviously
you don't go around arguing that the password shouldn't be hidden when it's
typed in (or at least I hope you don't.) Knowing the username alone doesn't do
anything _by itself_, but it does help a potential attacker attack.

> brinkmds@mailhost.ruhr-uni-bochum.de
> brinkmd@master.debian.org
> brinkmd@va.debian.org
> finnegan@users.sourceforge.net
> marcus@gnu.org
> 
> Those are four user names on wholly different systems.
> 

I could go make 4 passwords right now, on 4 different systems with 4 different
accounts (actually I couldn't, I only have one machine) and give you the
passwords but it wouldn't help if you didn't know what machines they were or
the usernames for them. If I gave you the addresses of all 4 boxes it would
become easier, and if I gave you the addresses and a login> shell it would 
be easier yet, and if I just flat out told you what username went with what
password on what machine it would be easiest still. The point is that usernames
may not be useful by themselves, but they are a needed piece of information
by an attacker to break into the system. The less information that he has the
longer it'll take him to break in and telling him "Invalid username" just makes
it easier for him to find one piece of the information he needs, and you gain
nothing from it. The user can see that the username is typed wrong just by 
looking at the screen if they got an "Invalid username/password pair" error. The
attacker couldn't. So by changing the error message you help the attacker and
gain nothing for the user.

> Here is one for you: "root". Probably 90% of all machines have it.

Most systems don't allow you to telnet in as root. The username is only useful
if the attacker has physical access to the machine, which is a problem with
the physical security, not the machine's.

> It's one of the VERY LAST things I would care about. It's a completely false
> sense of security.
> 

It's not a sense of security, it's a little piece of security that makes it 
slightly more secure.

> To put the main argument in a single sentence: "What do you think is the
> password mechanism worth when knowing the username is likely to insecure the box?"
> 

Knowing the username won't "insecure the box". It will just make it slightly 
_less_ secure.

> Usernames are there to separate several users, like PID's separate
> processes. They don't even appear in the security model, so to speak of.
> (As opposed to key ids in public key cryptography, where authentication is
> important).
> 

But if an attacker knows a PID of a process it probably won't help him break
into your box.

-- 
Reject (reject@metaphorcity.com)
 "Children who aren't trusted become adults
  who can't be trusted" --Anonymous
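
The distinction the thread turns on, the login prompt saying "Invalid username" versus a single "Invalid username/password pair" message, is easy to show in code. The following is an added example written for this archive page, not code from the Hurd or from anyone in the thread. The user table, salts and passwords are constructed values; the leaky version answers differently depending on whether the name exists, the uniform version gives one answer for both failures and does the same hashing work on both paths so the reply's timing does not leak what its text no longer does.

```python
import hashlib
import hmac

# Constructed sample user table: username -> (salt, PBKDF2-SHA256 hash).
# A real system would keep this in /etc/shadow or a database; these are made up here.
PBKDF2_ROUNDS = 20_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_SALT_ALICE = b"constructed-salt-alice"
USERS = {
    "alice": (_SALT_ALICE, _hash_password("correct horse", _SALT_ALICE)),
}

# Dummy record hashed with the same parameters. It is used when the username is
# unknown so that the unknown-user path costs the same as a wrong-password path.
_DUMMY_SALT = b"constructed-salt-dummy"
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def leaky_login(username: str, password: str) -> str:
    """The behaviour the thread objects to: the error text reveals whether the
    username exists before the password has even been checked."""
    if username not in USERS:
        return "Invalid username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Invalid password"
    return "Login OK"


def uniform_login(username: str, password: str) -> str:
    """Same check, but one error string for both failure cases. The password
    hash is always computed (against a dummy record for unknown names) so the
    two failure paths also take about the same time."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # The membership test guards against a guess that happens to match the dummy.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return "Invalid username/password pair"
    return "Login OK"


def distinct_failure_messages(login_fn, probes):
    """Defender's check for a login routine: try a wrong password against
    several names (some real, some not) and collect the error strings that come
    back. More than one distinct string means the message itself tells the
    caller which names exist."""
    return {login_fn(user, "definitely-wrong") for user in probes}


if __name__ == "__main__":
    probes = ["alice", "bob"]
    print("leaky:  ", distinct_failure_messages(leaky_login, probes))
    print("uniform:", distinct_failure_messages(uniform_login, probes))
```

Running the module prints two distinct strings for `leaky_login` and one for `uniform_login`; the same check is a reasonable unit test to keep around any login code so the uniform message does not quietly regress.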

