Owen,

Ready for the attack that comes, as in how?  Are you sitting there day after
day parsing logs, watching, waiting, for what?  What exactly are you going
to do there when you suddenly see a few packets clobber your system?  Fire
up tcpdump to see what might be in the packets?  Dang, too late, your
system has been compromised in the time it took you to fire up tcpdump.
They not only got in, they rootkitted the box, and you have a mess on your
hands, and might as well empty your pockets on the desk to pay for
cleaning up the mess and trying to trace it to a place of origin, after
the disconnection from the internet.

The real question is, and has been:

Does hiding the version and make of the services you offer hurt security
on the site?  Certainly not; you've yet to show it could.  Does it help
security?  Perhaps: it might send someone off to seek an easier place to
exploit and crack, and it might well hide your exploitable service until
you can get the newfound exploit patched.

If you choose to advertise your potential weaknesses, then fine, do so,
that is your choice, but point no moral finger at me because someone
prodded my sites and then moved on to yours because they garnered more
exploitable info at yours than they did at mine; that's an issue totally
between you and your clients that lost monies in the compromise.


Thanks,

Ron DuFresne

On Fri, 11 May 2001, Owen Boyle wrote:

> [EMAIL PROTECTED] wrote:
> 
> > I still think publicising your server version is like writing the PIN number
> > to your burglar alarm on your front door. 
> 
> Come now, John. This is just nonsense. It is more like scrubbing the
> brand-name off your burglar alarm. If someone could hack into a system
> just by knowing the version number, it would take them about 3 guesses
> on average to break into most systems:
> 
> - Hmmm, let's try 1.3.9 - nope...
> - 1.3.12?..... nope, 
> - 1.3.17? .... Aha! - now to do my fiendish hacking....
> 
> My point is a subtle one and it is not surprising that many people
> misunderstand it: "Reducing the likelihood of an attack is NOT a
> security measure". The attack will come - you have to be ready when it
> does, not put it off a few days or weeks or whatever....
> 
> Rgds,
> 
> Owen Boyle.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
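An added example, not part of this thread or of the mod_ssl project, that puts the argument on the defender's side into code: it parses an HTTP response and flags version strings in the headers that commonly disclose software make and version (Server, X-Powered-By, Via). The sample responses are constructed, not captured from any host, and the mod_ssl and OpenSSL version numbers in them are made up; the Apache directives noted in the comment (ServerTokens Prod, ServerSignature Off) are the real settings that produce the terse banner.

```python
"""Flag software version disclosure in HTTP response headers.

Added example for the banner-hiding debate above; sample data is constructed.
"""
from __future__ import annotations

import re

# Constructed verbose response: what a default Apache 1.3 build with mod_ssl
# advertised.  Version numbers for mod_ssl/OpenSSL are made up for the example.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 11 May 2001 10:00:00 GMT\r\n"
    "Server: Apache/1.3.12 (Unix) mod_ssl/2.6.4 OpenSSL/0.9.5\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed terse response: the banner Apache sends with these directives in
# httpd.conf (product name only, no version on headers or error pages):
#   ServerTokens Prod
#   ServerSignature Off
TERSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 11 May 2001 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that routinely carry product/version tokens.
DISCLOSING_HEADERS = ("server", "x-powered-by", "via")

# A product token followed by a dotted version, e.g. "Apache/1.3.12".
VERSION_RE = re.compile(r"\b[A-Za-z][\w.+-]*/\d+(?:\.\d+)+")


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header block, status line excluded.

    Order and duplicates are preserved so repeated headers are all inspected.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers = []
    for line in lines:
        if ":" not in line:
            continue  # tolerate junk lines rather than abort the audit
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def find_version_disclosures(raw_response: str) -> list[str]:
    """List every 'Header: product/version' token found in disclosing headers."""
    findings = []
    for name, value in parse_headers(raw_response):
        if name.lower() not in DISCLOSING_HEADERS:
            continue
        for match in VERSION_RE.finditer(value):
            findings.append(f"{name}: {match.group(0)}")
    return findings


if __name__ == "__main__":
    for label, response in (("verbose", VERBOSE_RESPONSE), ("terse", TERSE_RESPONSE)):
        found = find_version_disclosures(response)
        print(f"{label}: {found or 'no version disclosure'}")
```

Running the audit over the two constructed responses shows three disclosed components for the verbose banner and none for the terse one. That is the whole of what banner trimming buys: it removes a free fingerprint, which is worth doing, but the check says nothing about whether the hidden version is patched, which is the point the quoted reply is making.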

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
