On Thu, Feb 24, 2000 at 04:25:25PM -0500, [EMAIL PROTECTED] wrote:
> It does make more sense though that you should give the possible
> attacker as little information about the system as you can.

In general, security through obscurity is not sufficient as a protection strategy. The user login name is often very exposed, for example in email addresses, log files etc. If you already have an account, you can usually just list /home to get all user names of a system.

If knowing any user name is worthwhile information for an attacker, I would suggest reworking the password mechanism ;) Luckily, the password mechanism we have is sufficient if you choose your password carefully.

So, in short, it's not a security problem at all, though some sites might wish for a tighter security policy (you could easily call this paranoid, though).

(Also: Did you remove the root account and replace it with a different one? Did you make sure that your email transport agent does not accept mail at [EMAIL PROTECTED]? Did you disable finger and other services?)

Thanks,
Marcus

--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server
Marcus Brinkmann GNU http://www.gnu.org for public PGP Key
[EMAIL PROTECTED], [EMAIL PROTECTED] PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/ [EMAIL PROTECTED]

