---------------------<snip>----------------------
Let me ask this question - although this is not directly related to
RACF - but to any access control system that locks out people upon
failed access attempts..
Isn't locking out or revoking someone because of unsuccessful access
attempts a wonderful denial of service attack opportunity?
You wait for your good friend in the next cubicle to go on a coffee
break.. log him off (if he hasn't already done so) - and attempt to
log in with bogus passwords 3 times.. and while you are at it, do the
same for some other userids of some highly ranked officers from HIS
terminal.. There is going to be some embarrassment for a LOT of people
and a lot of time lost.. (your co-worker, the locked out people, the
person responsible for security)..
I am of course not saying anyone should do that.. But isn't it a
potential problem with user name lockouts?
-------------------<unsnip>--------------------
The scenario you describe is quite possible. In shops where I've worked,
getting caught doing something like that would result in a speedy
promotion: to the street. And DON'T ASK FOR REFERENCES!
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
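
The lockout scenario raised in the thread leaves a recognizable trail: one terminal producing enough failed logons to revoke several different userids in a short span. The following is an added example, not part of the original posts, showing one way a security administrator could flag that pattern. The event layout, terminal names, userids and timestamps are constructed for illustration and are not a RACF or SMF record format; the threshold of 3 failures is taken from the question.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, terminal, userid, outcome).
SAMPLE_EVENTS = [
    ("2024-03-01T09:15:02", "TERM12", "MJONES", "FAIL"),   # ordinary typo
    ("2024-03-01T09:15:10", "TERM12", "MJONES", "FAIL"),
    ("2024-03-01T09:15:21", "TERM12", "MJONES", "OK"),
    ("2024-03-01T09:40:00", "TERM03", "ALEE", "FAIL"),     # user revokes self
    ("2024-03-01T09:40:09", "TERM03", "ALEE", "FAIL"),
    ("2024-03-01T09:40:17", "TERM03", "ALEE", "FAIL"),
    ("2024-03-01T10:02:11", "TERM07", "JSMITH", "FAIL"),   # several userids
    ("2024-03-01T10:02:19", "TERM07", "JSMITH", "FAIL"),   # revoked from one
    ("2024-03-01T10:02:27", "TERM07", "JSMITH", "FAIL"),   # terminal
    ("2024-03-01T10:03:05", "TERM07", "VPFIN", "FAIL"),
    ("2024-03-01T10:03:12", "TERM07", "VPFIN", "FAIL"),
    ("2024-03-01T10:03:20", "TERM07", "VPFIN", "FAIL"),
    ("2024-03-01T10:04:01", "TERM07", "CIOADM", "FAIL"),
    ("2024-03-01T10:04:08", "TERM07", "CIOADM", "FAIL"),
    ("2024-03-01T10:04:15", "TERM07", "CIOADM", "FAIL"),
]

def suspicious_terminals(events, window=timedelta(minutes=10),
                         revoke_after=3, min_users=2):
    """Map terminal -> sorted userids when, inside one time window, at least
    `min_users` distinct userids each reached `revoke_after` failed logons."""
    failures = defaultdict(list)
    for ts, terminal, userid, outcome in events:
        if outcome == "FAIL":
            failures[terminal].append((datetime.fromisoformat(ts), userid))

    flagged = {}
    for terminal, rows in failures.items():
        rows.sort()
        # Slide a window that starts at each failure in turn.
        for i, (start, _) in enumerate(rows):
            counts = defaultdict(int)
            for when, userid in rows[i:]:
                if when - start > window:
                    break
                counts[userid] += 1
            revoked = {u for u, n in counts.items() if n >= revoke_after}
            if len(revoked) >= min_users:
                flagged.setdefault(terminal, set()).update(revoked)
    return {t: sorted(users) for t, users in flagged.items()}

if __name__ == "__main__":
    print(suspicious_terminals(SAMPLE_EVENTS))
```

Requiring more than one revoked userid per terminal separates the scenario in the question from a single user who simply forgot a password.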