Date: Sun, 25 Mar 2001 01:23:48 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: freebsd-stable@freebsd.org
Subject: Re: sshd revealing too much stuff.
Message-ID: <20010325012348.A10975@xor.obsecurity.org>
In-Reply-To: <20010325032213.H255@pir.net>; from pir@pir.net on Sun, Mar 25, 2001 at 03:22:13AM -0500
References: <Pine.BSF.4.21.0103232116280.8531-100000@server.highperformance.net> <3ABD9014.E78871BC@duwde.com.br> <20010325015443.A29255@home.com> <20010325032213.H255@pir.net>
On Sun, Mar 25, 2001 at 03:22:13AM -0500, Peter Radcliffe wrote:
> Graywane <graywane@home.com> probably said:
> > Yes, it is security by obscurity and no, most people thinking about security
> > on the net do not believe it is an effective technique to secure a site. You
> > secure a site by:
>
> Security by obscurity is a bad thing to _rely_ on, but why make it any
> easier to get information which is useful? The less a cracker knows
> about any system the more work/time it will take for them to break
> into it.

Making it easy for the _administrator_ to get information that is useful
for administration is a good thing. Think about the administrator of a
large network of machines, trying to conduct an audit for vulnerable
versions of SSH using e.g. scanssh. How is the administrator to
differentiate between the standard, vulnerable, version of OpenSSH 2.3.0
and the fixed, non-vulnerable version included in FreeBSD 4.2-STABLE
unless it reports itself differently?

Perhaps you're unaware of how easy it is to fingerprint an OS by simply
examining the behaviour of the IP stack and the response to various
packets. If you can receive *any* packets from a host you can fingerprint
its OS and version to varying degrees. This is true regardless of
application-level fingerprinting like banner strings. Again, fine-grained
OS fingerprinting is trivial and there are many automated tools for doing
it which work reliably, so complaining about this instance is just
tilting at windmills.
Kris
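The audit Kris describes (telling a vendor-patched OpenSSH 2.3.0 apart from the upstream one by what it announces) comes down to reading the SSH version-exchange line and acting on its comment field. The following is an added example, not code from the thread, from scanssh, or from FreeBSD: a small banner classifier in Python. The banner strings, the "FreeBSD localisations 20010321" comment text, and the rule that upstream OpenSSH_2.3.0 is flagged while a banner carrying a FreeBSD vendor comment is treated as patched are all constructed for the example; the exact comment string a real FreeBSD sshd of that era sent is not given on this page. `fetch_banner` is included for use against a live host; the samples run offline.

```python
import re
import socket

# Wire format of the identification line (RFC 4253 section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# A server is allowed to send other lines before it, which a client must
# ignore, so the parser scans for the first line that starts with "SSH-".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^\s]+)(?:[ \t]+(?P<comment>.*))?$"
)
# "OpenSSH_2.5.2p2" -> product "OpenSSH", version "2.5.2", suffix "p2"
SOFTWARE_RE = re.compile(
    r"^(?P<product>[A-Za-z]+)[_-]?(?P<version>[0-9][0-9.]*)(?P<suffix>.*)$"
)

# Audit policy, constructed for this example (an assumption, not a
# vulnerability database): OpenSSH releases up to and including 2.3.0 are
# the ones the thread calls vulnerable; a 2.3.0 banner whose comment field
# names the FreeBSD build is treated as the vendor-fixed version.
VULNERABLE_UPSTREAM = {"OpenSSH": (2, 3, 0)}
VENDOR_FIX_MARKERS = {"OpenSSH": ("FreeBSD",)}

# Constructed sample banners, one per case the classifier has to handle.
SAMPLE_BANNERS = {
    "vanilla": "SSH-1.99-OpenSSH_2.3.0\r\n",
    "freebsd": "SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010321\r\n",
    "newer": "SSH-2.0-OpenSSH_2.5.2p2\r\n",
    "prelude": "Welcome to the bastion\r\nSSH-1.99-OpenSSH_2.2.0\r\n",
    "other": "SSH-1.5-1.2.31\r\n",          # non-OpenSSH, no product name
    "junk": "220 mail.example ESMTP\r\n",   # not an SSH server at all
}


def version_tuple(text):
    """'2.3.0' -> (2, 3, 0); comparable with plain tuple ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_banner(raw):
    """Return the identification line fields, or None if there is none.

    Accepts CRLF or LF endings and skips any pre-banner lines.
    """
    for line in raw.replace("\r\n", "\n").split("\n"):
        m = BANNER_RE.match(line)
        if m:
            return {
                "proto": m.group("proto"),
                "software": m.group("software"),
                "comment": m.group("comment") or "",
            }
    return None


def classify(raw):
    """Map a raw server greeting to an audit status string."""
    banner = parse_banner(raw)
    if banner is None:
        return {"status": "no-banner"}
    m = SOFTWARE_RE.match(banner["software"])
    if not m:
        return {"status": "unknown", **banner}
    product = m.group("product")
    ver = version_tuple(m.group("version"))
    result = {"product": product, "version": ver, **banner}
    worst = VULNERABLE_UPSTREAM.get(product)
    if worst is None:
        result["status"] = "unknown-product"
    elif ver > worst:
        result["status"] = "fixed-upstream"
    elif any(mark in banner["comment"]
             for mark in VENDOR_FIX_MARKERS.get(product, ())):
        result["status"] = "fixed-vendor"      # same version, patched build
    else:
        result["status"] = "vulnerable"
    return result


def fetch_banner(host, port=22, timeout=5.0):
    """Read the greeting from a live host; the server talks first, so the
    client sends nothing. Not called by the offline samples."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode("ascii", "replace")


if __name__ == "__main__":
    for name, raw in SAMPLE_BANNERS.items():
        print(f"{name:8s} {classify(raw)['status']}")
```

The point the thread makes is visible in the "vanilla" versus "freebsd" rows: the software-version field is identical, and only the comment field lets the scanner separate the two. A scanner that keys on the version alone would either miss the fixed FreeBSD hosts or flag them as false positives.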