Re: good/bad passwords question
On 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
<s5zfypli35m.fsf@gmail.com>, Schöön Martin wrote:
>Thinking aloud: Such an attack can only work if the system is open
>for remote login to start with - or?
Basically correct - but this also deals with situations where the
attacker has access to the keyboard. In MOST cases, if the attacker
can reboot the system, all bets are off ("Physical Access beats five
aces _every_time_"), but many systems default to a configuration where
entering multiple bad passwords for a specific user in a set amount of
time (or some similar circumstance) results in the system delaying
response (maybe taking 10 seconds to return that "Login incorrect"
message). But I've seen anonymous FTP servers kick into a delay mode
when the user screws up entering the username and password.
Old guy
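
The delay behaviour described in the reply above, as an added example that is not part of the original post: a per-user sliding-window counter that stalls the "Login incorrect" response once too many failures land inside a set period. The threshold of 3 failures and the 60-second window are assumptions; the 10-second delay is the figure mentioned in the post, and the class and function names are hypothetical.

```python
from collections import defaultdict, deque


class FailedLoginThrottle:
    """Decide how long to stall a failure reply, tracked per user name."""

    def __init__(self, threshold=3, window=60.0, delay=10.0):
        self.threshold = threshold  # assumed: failures allowed before delaying
        self.window = window        # assumed: the "set amount of time" (seconds)
        self.delay = delay          # the 10-second stall mentioned in the post
        self._failures = defaultdict(deque)  # user -> failure timestamps

    def record_failure(self, user, now):
        """Log one bad password; return seconds to wait before replying."""
        q = self._failures[user]
        # Drop failures that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return self.delay if len(q) >= self.threshold else 0.0

    def record_success(self, user):
        """A good login clears that user's failure history."""
        self._failures.pop(user, None)


def replay(events, throttle=None):
    """Run (timestamp, user, succeeded) events; return the delay for each."""
    throttle = throttle or FailedLoginThrottle()
    delays = []
    for ts, user, ok in events:
        if ok:
            throttle.record_success(user)
            delays.append(0.0)
        else:
            delays.append(throttle.record_failure(user, ts))
    return delays


# Constructed sample events, not taken from any real log.
SAMPLE = [
    (0.0, "alice", False),
    (5.0, "alice", False),
    (6.0, "bob", False),     # a different user is counted separately
    (9.0, "alice", False),   # third failure inside 60 s: reply is delayed
    (80.0, "alice", False),  # earlier failures have expired: no delay
    (81.0, "bob", True),
]

if __name__ == "__main__":
    for event, wait in zip(SAMPLE, replay(SAMPLE)):
        print(event, "-> delay", wait)
```

In a live service the timestamps would come from `time.monotonic()`, and the table of user names needs a size bound, since a client can submit an unlimited number of invented names.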