From: Arne Wörner <arne_woerner@yahoo.com>
To: Roger Marquis, freebsd-security@freebsd.org
Date: Tue, 22 Nov 2005 11:12:30 -0800 (PST)
Subject: Re: Need urgent help regarding security
In-Reply-To: <20051122075050.I81101@roble.com>
Message-ID: <20051122191230.9866.qmail@web30305.mail.mud.yahoo.com>

--- Roger Marquis wrote:
> Obscurity is an important and wholly necessary part
> of the security toolkit. Take passwords for example.
> Defining a non-dictionary password is security by
> obscurity. It is, however, weak protection if you
> do not also log dictionary attacks and blackhole
> offenders before they can try many username/password
> pairs.

I can say that again... :-)

I personally do not like passwords, because:
1. I could forget it.
2. A bad guy could treat me badly in order to get the password.

So I was very happy when I found out that the ssh protocol offers this passphrase-less, password-less RSA (today it seems to be DSA) authentication, which seems to be very secure and which makes me uninteresting for authentication and for a bad guy (he or she only needs my hard disc, which he or she can get without hurting me).

Maybe that could help in this specific security problem discussion.

Furthermore, I would ask if it might be a good idea in this case to use a good-guy list instead of a bad-guy list.

Ceterum censeo: Fingerprints make everything worse (not just for thieves, who have to wear gloves nowadays), because I have heard of a case where a robber took away the ring finger of his victim, because his victim was unable to take off the ring (published on German TV by a governmental broadcasting carrier (ZDF) in "Aktenzeichen XY ... noch nicht gelöst" (which translates to "case number XY ... not solved yet")). There has been a case near Kiel, SH, F.Rep.Germ., where the robber became a killer because the victim refused to give 10 USD that belonged to his employer.

-Arne
who said the mother of all passwords loudly in public, while one of his colleagues was talking to him on the phone
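Roger's point about logging dictionary attacks and blackholing offenders before they can try many username/password pairs, combined with Arne's good-guy list, as an added example that is not part of the original thread: the log lines, the hostnames, the `ALLOWLIST` and the threshold are all constructed for illustration, and only the OpenSSH "Failed password" log format is real.

```python
import re
from collections import defaultdict

# Matches the OpenSSH "Failed password" auth-log line (syslog format).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample log (addresses come from the TEST-NET documentation ranges).
SAMPLE_LOG = """\
Nov 22 19:10:01 gw sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 4421 ssh2
Nov 22 19:10:02 gw sshd[2303]: Failed password for invalid user oracle from 203.0.113.5 port 4422 ssh2
Nov 22 19:10:03 gw sshd[2305]: Failed password for root from 203.0.113.5 port 4423 ssh2
Nov 22 19:10:05 gw sshd[2307]: Accepted publickey for arne from 198.51.100.7 port 51022 ssh2
Nov 22 19:10:09 gw sshd[2309]: Failed password for arne from 198.51.100.7 port 51023 ssh2
Nov 22 19:10:11 gw sshd[2311]: Failed password for invalid user test from 203.0.113.5 port 4424 ssh2
Nov 22 19:10:20 gw sshd[2313]: Failed password for invalid user guest from 192.0.2.9 port 3001 ssh2
"""

# Hypothetical "good-guy list": sources that are reported but never blackholed.
ALLOWLIST = {"198.51.100.7"}


def count_failures(log_text):
    """Return {source: set of usernames tried} over all failed-password lines."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            tried[m.group("src")].add(m.group("user"))
    return tried


def find_offenders(log_text, threshold=3, allowlist=ALLOWLIST):
    """Sources off the allowlist that tried at least `threshold` distinct
    usernames: the ones to blackhole before the dictionary run continues."""
    tried = count_failures(log_text)
    return sorted(src for src, users in tried.items()
                  if src not in allowlist and len(users) >= threshold)


if __name__ == "__main__":
    for src in find_offenders(SAMPLE_LOG):
        print("blackhole candidate:", src)
```

On the sample log only 203.0.113.5 crosses the threshold; the allowlisted source is skipped even when the threshold is lowered to one attempt.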