Date: Mon, 26 Mar 2001 14:02:37 -0700 (MST)
From: Nate Williams <nate@yogotech.com>
To: "Michael A. Dickerson" <mikey@singingtree.com>
Cc: "\"Duwde (Fabio V. Dias)\"" <duwde@duwde.com.br>, <freebsd-security@FreeBSD.ORG>
Subject: Re: SSHD revealing too much information.
Message-ID: <15039.44653.624089.289615@nomad.yogotech.com>
In-Reply-To: <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw> <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
> Uh, Kris Kennaway was the first to respond to you on -stable, and the first
> to disagree that this is a problem. He *is* the FreeBSD Security Officer.

That doesn't make him right.

> As others pointed out, it is trivial to determine the OS of a remote host.

Not necessarily. And, a good rule of security is to never reveal
information unless you have to. Don't go out of your way to stop folks
from figuring out your OS. Make them work for it.

> As others pointed out, it is extremely useful for the legitimate
> administrator of a system to be able to query the version of various
> services remotely.

I disagree. Anyone who administers a small number of machines can keep
track of it, and anyone who has a lot of machines won't trust the remote
information. This is a specious argument.

> You may even have a legitimate reason to audit the
> services on machines you don't have an account on. Suppose you're
> responsible for an academic network, where people can run anything they
> want.

Again, you're giving information to the crackers for free. Make them
work for it.

Security through obscurity is *one* form of legitimate security. Using
the same arguments as people are using, public key infrastructure is
security through obscurity. I'm not giving you my private key, so by
being 'obscure' I'm also being secure.

Security is ALL about having useful information, and denying as much
information from your attacker is a great strategy. It can't be the only
strategy, but it's a good first cut.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
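As an added example that is not part of this thread, the helper below parses the SSH identification string a server sends (the "SSH-proto-software comments" line from RFC 4253) so an administrator can audit what their own sshd advertises. The sample banners and the list of OS markers are constructed for illustration, not taken from any host in the discussion.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 4253 sec. 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Assumed list of platform names an auditor would rather not see advertised.
OS_MARKERS = ("freebsd", "openbsd", "netbsd", "debian", "ubuntu", "redhat",
              "centos", "solaris", "sunos", "hpux", "aix")


@dataclass
class BannerReport:
    proto: str                      # e.g. "1.99" or "2.0"
    software: str                   # e.g. "OpenSSH_2.3.0"
    version: Optional[str]          # "2.3.0" if the software field carries one
    comments: str                   # free-text comment field, often the OS tag
    os_hints: List[str] = field(default_factory=list)


def parse_banner(line: str) -> BannerReport:
    """Parse one identification line as captured from a server's port 22."""
    line = line.rstrip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    software = m.group("software")
    comments = m.group("comments") or ""
    # OpenSSH and most implementations format softwareversion as name_version.
    version = software.split("_", 1)[1] if "_" in software else None
    haystack = f"{software} {comments}".lower()
    os_hints = [w for w in OS_MARKERS if w in haystack]
    return BannerReport(m.group("proto"), software, version, comments, os_hints)


def leaks_platform(line: str) -> bool:
    """True when the banner discloses an OS name or an exact software version."""
    r = parse_banner(line)
    return bool(r.os_hints) or r.version is not None


if __name__ == "__main__":
    # Constructed sample banners, the first mimicking a FreeBSD-style comment field.
    for b in ("SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010321\r\n",
              "SSH-2.0-OpenSSH\r\n"):
        print(parse_banner(b), "leaks:", leaks_platform(b))
```

On current OpenSSH the comment field is controlled by the `VersionAddendum` option in sshd_config; the softwareversion field itself is fixed at build time.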