Blocking version information

/dev/rob0 rob0 at
Mon Jun 20 20:25:40 UTC 2005

On Monday 20 June 2005 11:05, Bill Larson wrote:
> There are many "security" checks that simply report that the version
> number is available and that this is a "security issue".  Often these
> checks are performed by an outside organization that is being paid
> for by management, and management isn't going to listen to
> philosophical arguments or logic or even facts.  What these
> consultants say WILL be implemented no matter what.

Sigh. BTDT. The management at my site wasn't QUITE as knee-jerkish
about it, but we did have to explain why the consultant was so stupid. 
Managers who hire and trust stupid consultants deserve what they get, 
but it sure doesn't feel good to have your good work attacked by know- 
nothings who are paid a lot more money than you do. <sad smile>

Incompetence is the rule these days, not the exception, and in IT 
security perhaps more so than anywhere.

> So, this is an argument that I will not take on.  I know that this

How far do we go down the slippery slope of neglecting our professional 
responsibility? I'm just playing devil's advocate here, having gone 
down this very slide myself, BTW.

> When discussing this issue with the security people, they are
> generally inflexible.  At best they will admit that this doesn't
> provide any "security" but that this is simply a common security

As we all know, inflexibility is as likely as not an indicator of 
incompetence, even stupidity! Many "common practices" are horrid, 
witness the number of Microsoft worms in the wild for proof of that!

> NOT provide any additional security, I will comply with my management
> telling me to hide the version because some "security" person told
> them that this must be done.  It is not worth arguing about.  The
> idea is too deeply entrenched to fight.

Comply, sure. But do tell them what you think of it and why.

Thanks to all for this thread. I am going to start climbing back up my 
own slippery slope as a result. :) I'm a subcontractor to an IT 
consultant who does outsourced IT support for numerous small- to 
medium-sized businesses. In my own case I have to work on MY boss, who 
believes in this voodoo himself, before we can work on the customers.

There is, however, one form of security-through-obscurity which might 
afford a bit of protection from script kiddies: use of alternate ports 
for standard services. There we're drifting a bit further off-topic I'm 
afraid, as I am specifically thinking about putting sshd's other than 
on 22. That wouldn't hide it from a determined attacker, but it would 
put it out of reach of the 22-scanning SSH attack bots.
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

More information about the bind-users mailing list