On Sun, Mar 25, 2001 at 03:22:13AM -0500, Peter Radcliffe wrote:
> Graywane <[EMAIL PROTECTED]> probably said:
> > Yes, it is security by obscurity and no, most people thinking about security
> > on the net do not believe it is an effective technique to secure a site. You
> > secure a site by:
>
> Security by obscurity is a bad thing to _rely_ on, but why make it any
> easier to get information which is useful ? The less a cracker knows
> about any system the more work/time it will take for them to break
> into it.
Making it easy for the _administrator_ to get information that is
useful for administration is a good thing. Think about the
administrator of a large network of machines, trying to conduct an
audit for vulnerable versions of SSH using e.g. scanssh. How is the
administrator to differentiate between the standard, vulnerable,
version of OpenSSH 2.3.0 and the fixed, non-vulnerable version
included in FreeBSD 4.2-STABLE unless it reports itself differently?
Perhaps you're unaware of how easy it is to fingerprint an OS by
simply examining the behaviour of the IP stack and the response to
various packets. If you can receive *any* packets from a host you can
fingerprint its OS and version to varying degrees. This is true
regardless of application-level fingerprinting like banner strings.
Again, fine-grained OS fingerprinting is trivial and there are many
automated tools for doing it which work reliably, so complaining about
this instance is just tilting at windmills.
Kris
PGP signature
