Re: Minimal Authorization

Adrian John Howard (adrianh@cogs.susx.ac.uk)
Tue, 16 Aug 1994 11:24:17 +0100 (BST)


> It's kind of like parking your junker next to the BMW. As long as you're
> sniffing passwords, you're going to sniff for root's password, not the
> password to get to someone's emailbox or something. -- Darren

This is a very bad assumption... the phrase "weakest link in the chain"
comes to mind.

Having had to clean up after them on occasion I feel safe in saying that
crackers will try to get into any account, however pointless, for one of
three reasons:

1) Just for the hell of it.
2) Vandalism.
3) Using the account as a stepping stone to crack the rest of the
system.

I'm not going to deny the utility of yellow-ribbon security in some
limited situations but you have to be *very* careful... What often
happens is that once a "security" mechanism has been installed for one
purpose, it gets used for another, and another.... and somehow the
assumptions made by the original implementors are never examined quite
as closely as they should be...

Oh well, time to get off the horse :-)

aids (adrianh@cogs.susx.ac.uk) ObDisclaimer: Poplog used to pay my wages
Phone: +44 (0)273 678367 URL: http://www.cogs.susx.ac.uk/users/adrianh/