From owner-freebsd-security Mon Mar 26 13:03:26 2001
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: "Michael A. Dickerson"
Cc: "Duwde (Fabio V. Dias)"
Date: Mon, 26 Mar 2001 14:02:37 -0700 (MST)
Subject: Re: SSHD revealing too much information.
Message-ID: <15039.44653.624089.289615@nomad.yogotech.com>
In-Reply-To: <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw> <005f01c0b62e$9cab5980$db9497cf@singingtree.com>

> Uh, Kris Kennaway was the first to respond to you on -stable, and the first
> to disagree that this is a problem. He *is* the FreeBSD Security Officer.

That doesn't make him right.

> As others pointed out, it is trivial to determine the OS of a remote host.

Not necessarily. And, a good rule of security is to never reveal information unless you have to. Don't go out of your way to stop folks from figuring out your OS. Make them work for it.

> As others pointed out, it is extremely useful for the legitimate
> administrator of a system to be able to query the version of various
> services remotely.

I disagree. Anyone who administers a small number of machines can keep track of it, and anyone who has a lot of machines won't trust the remote information. This is a specious argument.

> You may even have a legitimate reason to audit the
> services on machines you don't have an account on. Suppose you're
> responsible for an academic network, where people can run anything they
> want.

Again, you're giving information to the crackers for free. Make them work for it.

Security through obscurity is *one* form of legitimate security. Using the same arguments as people are using, public key infrastructure is security through obscurity. I'm not giving you my private key, so by being 'obscure' I'm also being secure.

Security is ALL about having useful information, and denying as much information from your attacker is a great strategy. It can't be the only strategy, but it's a good first cut.

Nate
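The thread argues about what an sshd banner gives away. The following is an added example, not part of the list post or of FreeBSD's sshd: it parses the SSH identification string that every client sees first (the "SSH-protoversion-softwareversion SP comments" line of RFC 4253) and reports which pieces of information a given banner discloses, so an administrator can inventory what their own hosts reveal. The banners in SAMPLE_BANNERS are constructed for the demonstration, not captured from real hosts.

```python
"""Audit what an SSH server's identification string discloses (RFC 4253 s4.2).

The first line a client receives is "SSH-protoversion-softwareversion SP comments".
This module parses that line and lists which information it hands out.
"""
import re

# Constructed sample banners for the demonstration (not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.3 FreeBSD-20230316",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1",
    "SSH-2.0-OpenSSH_9.3",
    "SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010321",
]

_HAS_DIGIT = re.compile(r"\d")


def parse_ssh_banner(line):
    """Split an identification string into its RFC 4253 fields.

    Returns a dict with protoversion, softwareversion and comments, or raises
    ValueError when the line is not an SSH identification string.
    """
    line = line.rstrip("\r\n")
    ident, _, comments = line.partition(" ")
    # protoversion and softwareversion may not contain '-', so two splits suffice.
    parts = ident.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        raise ValueError("not an SSH identification string: %r" % line)
    return {"protoversion": parts[1], "softwareversion": parts[2], "comments": comments}


def disclosure_findings(line):
    """List the kinds of information a banner gives away."""
    fields = parse_ssh_banner(line)
    findings = []
    if fields["protoversion"] == "1.99":
        findings.append("protocol: advertises SSH-1 compatibility")
    if _HAS_DIGIT.search(fields["softwareversion"]):
        findings.append("software: exact implementation version (%s)" % fields["softwareversion"])
    else:
        findings.append("software: implementation name only (%s)" % fields["softwareversion"])
    if fields["comments"]:
        findings.append("comments: OS/vendor addendum (%s)" % fields["comments"])
    return findings


def audit(banners):
    """Map each banner to its findings; the least talkative banner has the fewest."""
    return {b: disclosure_findings(b) for b in banners}


if __name__ == "__main__":
    for banner, findings in audit(SAMPLE_BANNERS).items():
        print(banner)
        for finding in findings:
            print("   -", finding)
```

The softwareversion field is fixed by the implementation, but the trailing comment field is what carries the OS hint the thread is about; on OpenSSH that field is governed by the `VersionAddendum` directive in sshd_config, so checking your own hosts' banners with a parser like this shows whether that addendum is in use.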