[ On Thursday, August 10, 2000 at 22:13:46 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory
>
> Yes that's true, given an attack there is a 1 in 10 chance someone will
> be posing as someone else. In that case I disable the userid and wait to
> see what explanation I get from the userid in question (since I wouldn't
> yet know if they're the attacker or the victim).
>
> So what's wrong with that?

What's wrong with that is that you still have almost zero
accountability. Under cvspserver anyone can be anyone with only a very
few tricks up their sleeves. That simply cannot possibly ever happen
with SSH.

> > But the real culprit gets away. This wouldn't happen with SSH.
>
> The culprit gets away no matter what. There's nothing I can do to
> them even if I find out which email address is really associated
> with the attack.

No, with SSH the culprit cannot "get away". You've got a finger
pointing right at them, and a mound of evidence to show what they did,
when, and how. I.e. you have a counter-threat, and possibly one that's
far more powerful than the threat they posed to you earlier.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>