On Wed, Apr 23, 2008 at 3:44 AM, Theo de Raadt <[EMAIL PROTECTED]> wrote:

> In around 1988 there were some people left who still believed in
> version string 'problems', but it is 20 years later, and it was not an
> issue then and it is not an issue now, so get a grip.
>
> Instead we try to get the code right, and we stop fucking around with
> the theory that an attacker will look at our version string and then
> attack just that. Attackers don't. They throw every attack at
> everything, version string or not.
>
> That diff you are passing around is the same old uneducated bullshit
> passed around by false security practitioners.
>
Hacking Source Code to Hide Version Number of Software
=====================================

I don't believe in hiding version numbers to thwart attackers. The right way to thwart attackers is to keep the software updated by patching. If your software is not patched, it will be cracked into by the attacker, whichever version number you show him.

I write this mail because I stumbled upon http://www.amazon.com/Anti-Hacker-Tool-Second-Mike-Shema/dp/0072230207/ref=pd_bbs_sr_3?ie=UTF8&s=books&qid=1209047502&sr=8-3 and was going through it. In chapter 1, where netcat is introduced (16th page of the Indian Edition), there is a **NOTE** for System Administrators. It is as follows:

"System Administrators can go as far as hacking the source code to change these type of banners to give false information. It is a **great way** to make the hacker wonder if he can actually trust the information he is receiving."

And no warning is given about the dangerous things that can be caused, as in this case with SSH, by doing that. Perhaps it is such books and articles that still give the false feeling of security to people who think it is a great idea.

I kept the heading so that anybody searching Google for "ways to patch the source code to change the version number" might stumble upon this thread and learn how dangerous it is.

Thanks
--Siju