> My point is a subtle one and it is not surprising that many people
> misunderstand it: "Reducing the likelihood of an attack is NOT a
> security measure". The attack will come - you have to be ready when it
> does, not put it off a few days or weeks or whatever....
> 
So if reducing the likelihood of an attack is not a security measure, why
bother having a burglar alarm in the first place? Why bother with any
security? Why not put a big button on your website saying "click here to
delete this site". (Someone has actually done this, would you believe!)

Most hackers go after the soft targets. If you want to advertise that you
are a soft target, fine. I don't. Yes, if everyone hid their server version
the problem would be evenly spread. That is what I'm advocating, as part of
a security policy (but by no means the entire policy). Why make it easy for
Jo Hacker to see what you are running? OK, he can guess, but to attempt to
break into an unknown server is more work than going after the soft
targets.

Take UCE (i.e. SPAM) as an example. I would imagine that everyone on this list
has secured their mail relays against UCE. It still goes on, so why don't we
all just open our relays anyway? For the same reason, i.e. we don't want to be
a soft target.

Whether someone attacks your site is not a certainty. It would be possible,
if we knew the number of hackers worldwide and the number of servers to
attack, to calculate a statistical chance of being attacked. However, chance
and reality are separate entities (which may come as a surprise to
compulsive gamblers, but there you go). What I'm talking about is reducing
the statistical chance of being attacked. I agree that may not actually make
any difference, but I don't think it helps to assume that you can keep all
your systems perfectly up to date re: security updates all the time.

In brief I am saying:

1. Don't give away more information than you need to.
2. Keep systems as up to date as is possible.

2 is more important but there are times when 1 has to suffice "temporarily".
That's all. I'll definitely stop now. Have a good weekend everyone. 

Has anyone noticed that this list gets busier at the weekends?

John
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
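Since this is an Apache/mod_ssl list, here is an added example (not from John's post or from the mod_ssl project) of a check for point 1 above: does the Server header still advertise the version? The header samples are constructed; the ServerTokens and ServerSignature directives named in the comments are Apache's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): checks whether a set of
# HTTP response headers still advertises the server version. The header
# samples are constructed; in practice feed in the output of `curl -sI`.

# Returns 0 (true) if the Server header carries a "name/version" token,
# 1 (false) otherwise.
server_header_leaks_version() {
    printf '%s\n' "$1" \
      | grep -i '^Server:' \
      | grep -Eq '[A-Za-z_-]+/[0-9]+\.[0-9]+'
}

# Prints a one-line verdict for a header block; used when run stand-alone.
report() {
    if server_header_leaks_version "$1"; then
        echo "LEAK: $(printf '%s\n' "$1" | grep -i '^Server:')"
    else
        echo "OK:   $(printf '%s\n' "$1" | grep -i '^Server:')"
    fi
}

# Constructed sample of what Apache sends with the default "ServerTokens Full".
FULL_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.57 (Unix) OpenSSL/3.0.8
Content-Type: text/html'

# Constructed sample of the same server after setting, in httpd.conf:
#   ServerTokens Prod
#   ServerSignature Off
PROD_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

report "$FULL_HEADERS"
report "$PROD_HEADERS"
```

Hiding the version does not remove the need for point 2; it only stops the banner from doing the attacker's reconnaissance for them.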
