Message-ID: <413A15DB.5010702@karnaugh.za.net>
Date: Sat, 04 Sep 2004 21:22:03 +0200
From: Colin Alston
To: vxp
cc: freebsd-net@freebsd.org
cc: Wesley Shields
Subject: Re: fooling nmap
In-Reply-To: <20040904132345.A38065@digital-security.org>

vxp wrote:

>On Sat, 4 Sep 2004, Wesley Shields wrote:
>
>
>>That is true, but the problem with these kinds of things is that users
>>will think that with a simple flip of a sysctl they are secure, when in
>>fact they are no more secure than before.
>>
>>
>
>that's also 100% true, however that's why documentation exists. there's
>even a security section within it..
>we would probably want to add something like 'obscurity is great if it's
>only _one of_ the components in your security setup, not _the only_
>component'. they might get the point. =)
>
>now, another question arises
>
>i could always code a parser for nmap fingerprints file, but i don't think
>that's a good idea to include something like that in the kernel.. what do
>you think? hardcode a few OS fingerprint choices, and call it a day ?
>
>in other words, what would you guys say be a _proper_ bsd-style thing to
>do, if this were to be done?
>
>

My point was if it provides no security, then there is no point to it at
all. Most attackers are going to exploit things at a service level
anyway. What is the point of changing the fingerprint? Change it to
Windows and attract more attention? Or just so that people attempt the
wrong attacks. I still don't see any use, or need to implement something
of that nature (given that more features can = more bugs).

The point of the comment "Security by obscurity is no security at all"
is that bugs and exploits should be FIXED and PATCHED not HIDDEN.

Regards.

--
Colin Alston

About the use of language:
"It is impossible to sharpen a pencil with a blunt axe. It is equally vain
to try to do it with ten blunt axes instead."
  -- E.W.Dijkstra, 18th June 1975. (Perl did not exist at the time.)