Subject: Re: tcp-wrappers, tcpd, and NetBSD
To: der Mouse <mouse@rodents.montreal.qc.ca>
From: John F. Woods <jfw@jfwhome.funhouse.com>
List: current-users
Date: 03/16/1997 11:21:14
Erik:
> I believe the utility of the ident protocol for a general Internet
> security schema is basically zero.

der Mouse:
> But you haven't said _why_ you feel this way, nor whether you're
> talking about its value to someone who queries it or someone who runs
> it.  For the former, there is no direct benefit;

And the indirect benefit is microscopic.  Let us assume that your system's
identd is inviolate and inerrant.  The probability that I will see an attack
from your system as opposed to one of the other ten million hosts on the
Internet is on the order of 1 in ten million (unless there's something about
your user base you're not telling us), so the probability that any identd
information collected will be of any value is negligible.  It is not worth
the CPU cycles and net bandwidth needed to collect it, nor the disk space
to store it; the return is just too small.

As to that assumption about your identd, if security on your system *is*
breached to give someone root access who shouldn't have it, it is already
established that identd is worse than useless (since you've asserted that
you'll believe the now-fraudulent information that an attacked site sends
you in their report).

Claiming that identd has nonzero positive value is just as silly as claiming
that if you close your eyes when typing your password, no one can guess it.
It's just as dangerous to publicly defend it, too, since the more people
who believe either of these, the wider the established hole for people who
know better.