[5192] in www-talk@info.cern.ch
Re: Minimal Authorization
daemon@ATHENA.MIT.EDU (Adrian John Howard)
Tue Aug 16 06:34:04 1994
Date: Tue, 16 Aug 1994 12:31:00 +0200
Errors-To: listmaster@www0.cern.ch
Reply-To: adrianh@cogs.susx.ac.uk
From: "Adrian John Howard" <adrianh@cogs.susx.ac.uk>
To: Multiple recipients of list <www-talk@www0.cern.ch>
> It's kind of like parking your junker next to the BMW. As long as you're
> sniffing passwords, you're going to sniff for root's password, not the
> password to get to someone's emailbox or something. -- Darren
This is a very bad assumption... the phrase "weakest link in the chain"
comes to mind.
Having had to clean up after them on occasion, I feel safe in saying that
crackers will try to get into any account, however pointless, for one of
three reasons:
1) Just for the hell of it.
2) Vandalism.
3) Using the account as a stepping stone to crack the rest of the system.
I'm not going to deny the utility of yellow-ribbon security in some
limited situations, but you have to be *very* careful... What often
happens is that once a "security" mechanism has been installed for one
purpose, it gets used for another, and another.... and somehow the
assumptions made by the original implementors are never examined quite
as closely as they should be...
Oh well, time to get off the horse :-)
aids (adrianh@cogs.susx.ac.uk) ObDisclaimer: Poplog used to pay my wages
Phone: +44 (0)273 678367 URL: http://www.cogs.susx.ac.uk/users/adrianh/