On Fri, 7 Apr 2000, Gunther Birznieks wrote:

> Yeah, but this is the same with any X strikes solution on any other
> platform. It's a tradeoff. One would assume that if a DoS were being
> played, that other information would be gathered about the person doing a
> DoS.
> 
> According to that theory, one would also assume securID cards are not safe
> from DoS because they lock out after a certain number of tried attempts.
> While it is true that it may be a DoS, there are situations where there
> are quite a few people using securID cards with this config because they
> feel they would rather be locked out and know that someone was doing
> something funny than to let a hacker do whatever they want.
  
And they're not safe from DoS, so the theory is correct! :-)  I'm not
saying that it's not a tradeoff that one might want to make, I just
thought it would be worthwhile to mention that there are some drawbacks to
this approach.
 
> In addition, a lock out isn't the only logic you could implement in an X
> strikes scenario. You could also consider simply notifying a sysadmin with
> a pager so they can logon and start tracking if someone is hacking the
> system. A sort of Intrusion Detection System if you will.
  
Exactly right.  It would even be possible to put in some more advanced
logic there to setup thresholds for notifying the sysadmin, and perhaps
sending the user instructions for reactivating their account without
sysadmin intervention.  The door is wide open -- again, I just wanted to
make sure that the person asking the question understood that there are
drawbacks to the approach.
 
> I guess it depends on what this guy wants to do. The primary point of my
> message was to ask if it is possible to do what I stated as a workaround
> to the stateless HTTP problem that Vivek wrote (rather than being a
> discourse on whether it is truly the most secure solution for the
> requirements).

In that case, sure it's possible.  And fairly trivial to implement at
that.  I am not trying to start an argument of any kind, and I'm pretty
sure that my first message wasn't inflammatory, though it appears that
you may have taken it that way.

-Mark
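The escalation logic the two posters sketch (X strikes inside a window, page the sysadmin at one threshold, lock at a higher one, and let the user reactivate without sysadmin intervention) can be written down concretely. The following is an added example for this thread, not code from either poster; the class, method names, thresholds and the HMAC-based reactivation token are all assumptions chosen for illustration. The lock is per account and time-limited, and the self-service token exists precisely to blunt the lock-out DoS drawback discussed above.

```python
"""Threshold-based failed-login tracker (added example, not from the thread).

Escalation: after `notify_after` failures inside `window` seconds the caller
gets a 'notify' result so an operator can be paged; after `lock_after`
failures the account is locked for `lock_seconds`. A locked user can
self-reactivate with an HMAC token that the application would deliver out of
band (e.g. by e-mail). All names and defaults here are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from collections import deque


class StrikeTracker:
    def __init__(self, notify_after=3, lock_after=5, window=600,
                 lock_seconds=900, secret=None, clock=time.time):
        if not 0 < notify_after <= lock_after:
            raise ValueError("need 0 < notify_after <= lock_after")
        self.notify_after = notify_after
        self.lock_after = lock_after
        self.window = window
        self.lock_seconds = lock_seconds
        # Server-side secret for reactivation tokens; generated if not supplied.
        self.secret = secret or secrets.token_bytes(32)
        self.clock = clock          # injectable for testing
        self.failures = {}          # user -> deque of failure timestamps
        self.locks = {}             # user -> lock expiry timestamp

    def _recent(self, user, now):
        """Return this user's failures, with entries older than `window` dropped."""
        q = self.failures.setdefault(user, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, user):
        expiry = self.locks.get(user)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.locks[user]    # the lock expired on its own
            return False
        return True

    def record_failure(self, user):
        """Register a failed login; return 'locked', 'notify' or 'ok'."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"
        q = self._recent(user, now)
        q.append(now)
        if len(q) >= self.lock_after:
            self.locks[user] = now + self.lock_seconds
            return "locked"
        if len(q) == self.notify_after:
            return "notify"         # page the sysadmin once per burst
        return "ok"

    def record_success(self, user):
        """A correct password clears the strikes, but never bypasses a lock."""
        if self.is_locked(user):
            return False
        self.failures.pop(user, None)
        return True

    def reactivation_token(self, user):
        """Token bound to the user and this specific lock; sent out of band."""
        if not self.is_locked(user):
            return None
        msg = f"{user}:{self.locks[user]}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def reactivate(self, user, token):
        """Clear the lock if the presented token matches (constant-time compare)."""
        expected = self.reactivation_token(user)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.locks[user]
        self.failures.pop(user, None)
        return True
```

In a stateless HTTP application the two dictionaries would live in whatever shared store the session data already uses; the logic itself does not depend on it.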
