Blocking version information
rob0 at gmx.co.uk
Mon Jun 20 20:25:40 UTC 2005
On Monday 20 June 2005 11:05, Bill Larson wrote:
> There are many "security" checks that simply report that the version
> number is available and that this is a "security issue". Often these
> checks are performed by an outside organization that is being paid
> for by management, and management isn't going to listen to
> philosophical arguments or logic or even facts. What these
> consultants say WILL be implemented no matter what.
Sigh. BTDT. The management at my site wasn't QUITE as knee-jerkish
about it, but we did have to explain why the consultant was so stupid.
Managers who hire and trust stupid consultants deserve what they get,
but it sure doesn't feel good to have your good work attacked by know-
nothings who are paid a lot more money than you do. <sad smile>
Incompetence is the rule these days, not the exception, and in IT
security perhaps more so than anywhere.
> So, this is an argument that I will not take on. I know that this
How far do we go down the slippery slope of neglecting our professional
responsibility? I'm just playing devil's advocate here, having gone
down this very slide myself, BTW.
> When discussing this issue with the security people, they are
> generally inflexible. At best they will admit that this doesn't
> provide any "security" but that this is simply a common security
As we all know, inflexibility is as likely as not an indicator of
incompetence, even stupidity! Many "common practices" are horrid,
witness the number of Microsoft worms in the wild for proof of that!
> NOT provide any additional security, I will comply with my management
> telling me to hide the version because some "security" person told
> them that this must be done. It is not worth arguing about. The
> idea is too deeply entrenched to fight.
Comply, sure. But do tell them what you think of it and why.
Thanks to all for this thread. I am going to start climbing back up my
own slippery slope as a result. :) I'm a subcontractor to an IT
consultant who does outsourced IT support for numerous small- to
medium-sized businesses. In my own case I have to work on MY boss, who
believes in this voodoo himself, before we can work on the customers.
There is, however, one form of security-through-obscurity which might
afford a bit of protection from script kiddies: use of alternate ports
for standard services. There we're drifting a bit further off-topic I'm
afraid, as I am specifically thinking about putting sshd's other than
on 22. That wouldn't hide it from a determined attacker, but it would
put it out of reach of the 22-scanning SSH attack bots.
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
More information about the bind-users