From: Kris Kennaway <kris@obsecurity.org>
To: freebsd-stable@freebsd.org
Date: Sun, 25 Mar 2001 01:23:48 -0800
Subject: Re: sshd revealing too much stuff.
Message-ID: <20010325012348.A10975@xor.obsecurity.org>
In-Reply-To: <20010325032213.H255@pir.net>

On Sun, Mar 25, 2001 at 03:22:13AM -0500, Peter Radcliffe wrote:
> Graywane probably said:
> > Yes, it is security by obscurity and no, most people thinking about security
> > on the net do not believe it is an effective technique to secure a site. You
> > secure a site by:
>
> Security by obscurity is a bad thing to _rely_ on, but why make it any
> easier to get information which is useful? The less a cracker knows
> about any system the more work/time it will take for them to break
> into it.

Making it easy for the _administrator_ to get information that is useful
for administration is a good thing. Think about the administrator of a
large network of machines, trying to conduct an audit for vulnerable
versions of SSH using e.g. scanssh.

How is the administrator to differentiate between the standard, vulnerable,
version of OpenSSH 2.3.0 and the fixed, non-vulnerable version included in
FreeBSD 4.2-STABLE unless it reports itself differently?

Perhaps you're unaware of how easy it is to fingerprint an OS by simply
examining the behaviour of the IP stack and the response to various
packets. If you can receive *any* packets from a host you can fingerprint
its OS and version to varying degrees. This is true regardless of
application-level fingerprinting like banner strings.

Again, fine-grained OS fingerprinting is trivial and there are many
automated tools for doing it which work reliably, so complaining about
this instance is just tilting at windmills.

Kris
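The audit Kris describes, as an added example that is not part of the thread and not scanssh's own code: it parses SSH identification strings (RFC 4253 "SSH-protoversion-softwareversion SP comments") collected from hosts and sorts OpenSSH 2.3.0 banners into vulnerable, vendor-patched or fixed. The patch marker `FreeBSD-20010321` and the sample banners are constructed; check your own patched sshd for the string it really reports.

```python
"""Classify SSH identification strings collected during a fleet audit."""
import re
from typing import Optional

# Identification string format (RFC 4253, 4.2): SSH-protoversion-softwareversion SP comments
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.+?))?\s*$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")

# Highest OpenSSH release the thread treats as vulnerable when unpatched.
VULNERABLE_UPTO = (2, 3, 0)
# Marker a vendor-patched build is assumed to put in the comments field
# (hypothetical value; verify against the banner your own sshd sends).
PATCH_MARKER = "FreeBSD"

def parse_banner(line: str) -> Optional[dict]:
    """Split an identification string into proto, software and comments."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def openssh_version(software: str) -> Optional[tuple]:
    """'OpenSSH_2.3.0p1' -> (2, 3, 0); None for other SSH implementations."""
    m = OPENSSH_RE.match(software)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def classify(line: str) -> str:
    """Return 'vulnerable', 'patched', 'fixed' or 'unknown' for one banner."""
    b = parse_banner(line)
    if b is None:
        return "unknown"
    ver = openssh_version(b["software"])
    if ver is None:
        return "unknown"        # not OpenSSH; outside this check's scope
    if ver > VULNERABLE_UPTO:
        return "fixed"          # upstream release past the affected one
    if b["comments"] and PATCH_MARKER in b["comments"]:
        return "patched"        # same base version, vendor fix announced in comments
    return "vulnerable"

def audit(banners: dict) -> dict:
    """Map each collected banner (host -> identification line) to a verdict."""
    return {host: classify(line) for host, line in banners.items()}

# Constructed sample of what a banner sweep of your own hosts might collect.
SAMPLE = {
    "10.0.0.1": "SSH-1.99-OpenSSH_2.3.0\r\n",
    "10.0.0.2": "SSH-1.99-OpenSSH_2.3.0 FreeBSD-20010321\r\n",
    "10.0.0.3": "SSH-2.0-OpenSSH_2.5.2p2\r\n",
    "10.0.0.4": "SSH-1.5-1.2.27\r\n",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(host, verdict)
```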