Open Source and information security mailing list archives
 
Message-ID: <404DE0F9.19134.1D29F3AB@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: E-Mail viruses

Valdis.Kletnieks@...edu wrote:

> It's not 3^36, which is multiple billions, it's only 36^3, which is 46,656.

Yes -- that was a transliteration error on my part...

> And only one has to get through to an idiot.

Which is why I suggested that it should not be used across the board, 
but further limited to specific, "trustworthy" users who really "must" 
be able to send/receive such stuff (of course, in real life there are 
immensely fewer of these than there are idiots who believe they are in 
that category and unfortunately, scarily many of these idiots have 
equally stupid (or even stupider) managers who will insist the idiots 
really are "power users"...).

> Anybody else got a mail server that blocked more than that many Netsky's
> this weekend alone?  Draw the obvious conclusion here...
> 
> And *that* was why I was dubious as to the real usefulness...

Yes, and that complaint is negated by careful implementation of this by 
those who understand it is just another layer that could be useful in 
some circumstances.  It would be unwieldy in a very large organization 
(perhaps like Boeing, DoD, etc) or one (of any size) like a university 
where there are strong demands for autonomy and user "freedom" or too 
many idiot managers.

Like all security measures, it is as good as its weakest link, and  
although there are several opportunities for these in a scheme like 
this, that does not mean it still cannot be used effectively _in the 
right environment_.


Regards,

Nick FitzGerald

