Hi there,
On 13 May 2001, Michael T. Babcock wrote:
> On 11 May 2001 19:49:46 -0400, R. DuFresne wrote:
> > > Hire someone who can.
> > >
> >
> > Who makes claims they can totally secure a system connected to the
> > internet from ever being compromised? What person or company offers such
> >
On 11 May 2001 19:49:46 -0400, R. DuFresne wrote:
> > Hire someone who can.
> >
>
> Who makes claims they can totally secure a system connected to the
> internet from ever being compromised? What person or company offers such
> a guarantee?
Several offer guarantees almost that good.
Do your r
On 11 May 2001 19:37:46 -0400, R. DuFresne wrote:
> at exactly are you going
> to do there when you suddenly see a few packets clobber your system? Fire
> up tcpdump to see what might be in the packets? Dang, too late, your
> system has been compromised in the time it took you to fire up tcpdump
> ut do we really have to make it easier
> to get in?
I'll ignore the rest; how does this make it easier to get in? It just
makes it easier to identify bad administrators (who don't update their
servers). I've already mentioned that it's not much easier to scan HTTP
HEAD responses than to simply
On Fri, 11 May 2001, Michael T. Babcock wrote:
[SNIP]
> > any difference but I don't think it helps to assume that you can keep all
> > your systems perfectly up to date re: security updates all the time.
>
> Hire someone who can.
>
Who makes claims they can totally secure a system c
Owen,
Ready for the attack that come as in how? Are you sitting there day after
day parsing logs, watching, waiting, to what? What exactly are you going
to do there when you suddenly see a few packets clobber your system? Fire
up tcpdump to see what might be in the packets? Dang, too late, y
I'm sticking to one-liners for this one ...
> So if reducing the likelihood of an attack is not a security measure, why
> bother having a burglar alarm in the first place?
Because they (often) stop the burglar from taking anything _after_ they've
broken in or allow the police to catch them in th
This has gotten way off topic of how to use mod_ssl.
I suggest interested parties look for Dan Geer's "risk management is
where the money's at" paper. Google should find it trivially.
Many consider it to be the definitive word on this trade-off issue.
/r$
> My point is a subtle one and it is not surprising that many people
> misunderstand it: "Reducing the likelihood of an attack is NOT a
> security measure". The attack will come - you have to be ready when it
> does, not put it off a few days or weeks or whatever
>
So if reducing the likelihoo
[EMAIL PROTECTED] wrote:
> I still think publicising your server version is like writing the PIN number
> to your burglar alarm on your front door.
Come now, John. This is just nonsense. It is more like scrubbing the
brand-name off your burglar alarm. If someone could hack into a system
just by
>
> If you'd installed a camera instead, they'd be in jail, and not out
> helping themselves to your neighbours' stuff.
Your arguments are as naive as the statement that we can have total
security. First of all, burglar alarms and cameras do not stop crime. The
house opposite mine was burgled an
[EMAIL PROTECTED] wrote:
> Does this make the person who fits a burglar alarm unethical?
You compare hiding the server signature to fitting a burglar alarm or a
lock to your door. This is not quite accurate. It is more like etching
the word "Yale" or "Chubb" off your door lock with acid in the
On 10 May 2001 15:34:17 +0100, [EMAIL PROTECTED] wrote:
> Does this make the person who fits a burglar alarm unethical? I don't think
> so. That's as daft as saying using 128bit servers encourages hackers to
> attack 40bit IIS servers (as if they need much encouragement).
Again, you've missed the
> Your reasoning lacks in ethics; you're hoping hackers will go
> after the
> next company instead of you because its easier to pick them out in a
> crowd. Assuming all people hid their server signatures, as
> you desire,
> your logic would cease to function because there would be no easy
> tar
On 09 May 2001 04:00:19 -0400, R. DuFresne wrote:
> > Security should be systematic and precise - attackers should not get in
> > at all. Security should not be based on ideas like "If we hide the
> > version number, we are 20% less likely to get attacked".
>
> Not really, but, yer 20% of the ti
Users,
Oops, I originated this question. As usual, the group promptly
provided a wide array of perspectives and technical insights.
How to change the signature:
(1) ServerTokens ProductOnly in the config file
(2) apache_src_dist/src/includes/httpd.h in the code
In the end it's a configuration q
And the standard is to use insecure protocols also like telnet and ftp,
those that pass info in clear text rather than encrypt the data of the
user logging in and his secret for access, his password. Yet, those folks
in the know frown upon such protocols for external access, seeking to use
somet
This is my last post on the subject since everyone else must be fed up
by now.
I accept that being secretive might reduce the number of hacks you are
subjected to. My point is that every machine on the web will eventually
get attacked and reducing the rate of attacks is not security - you
will s
> PS One poster compared the default server signature to
> leaving a note on
> your door for a burglar saying where the keys are hidden.
> Come on! - it
> isn't even close
>
> PPS Check out IBM, HP, Compaq, the CIA, the FBI... none of
> them hide the
> signature!
I do believe that both th
"R. DuFresne" wrote:
> Yes, still vulnerable, but harder to pick out of a crowd
"harder"? Not good enough - has to be impossible.
> > The default behaviour is good because it advertises to the world what a
> > great server we're using and lets developers keep track of uptake of
> > upgrades - i
On Wed, 9 May 2001, Owen Boyle wrote:
> I should've guessed that this might turn into a bit of a debate...
>
> To recap, the original poster was concerned that the default behaviour of
> apache to advertise itself with something like:
>
> "Apache/1.3.6 (Unix) PHP/3.0.16 mod_perl/1.21 mod_ssl/2.2
I should've guessed that this might turn into a bit of a debate...
To recap, the original poster was concerned that the default behaviour of
apache to advertise itself with something like:
"Apache/1.3.6 (Unix) PHP/3.0.16 mod_perl/1.21 mod_ssl/2.2.8
OpenSSL/0.9.2b"
was a security risk (by the way
> -Original Message-
> From: James Hastings-Trew [mailto:[EMAIL PROTECTED]]
> Sent: 07 May 2001 15:50
> To: [EMAIL PROTECTED]
> Subject: Re: HEAD / HTTP/1.0
>
>
> on 5/7/01 5:34 AM, Deocs Postmaster at [EMAIL PROTECTED] wrote:
>
> > From telnet this c
> Correct. Why shouldn't it?
>
> I understand your feeling that we should not hand out things
> on a plate
> to hackers but if you reflect on it, a sys-admin's job is not to make
> hacking a little bit more difficult, it is to make hacking
> impossible.
>
> Your security should rely on a fire
On Mon, 7 May 2001, DAve Goodrich wrote:
> on 5/7/01 12:32 PM, R. DuFresne at [EMAIL PROTECTED] wrote:
>
> >
> > Then why pray tell is OS finger printing so important to a cracker? Why
> > are the major vendors beefing up issues such as tcp sequence number
> > prediction and obscuring their OS
on 5/7/01 12:32 PM, R. DuFresne at [EMAIL PROTECTED] wrote:
>
> Then why pray tell is OS finger printing so important to a cracker? Why
> are the major vendors beefing up issues such as tcp sequence number
> prediction and obscuring their OS's from easy OS type determination? Even
> the DNS/Bi
Then why pray tell is OS finger printing so important to a cracker? Why
are the major vendors beefing up issues such as tcp sequence number
prediction and obscuring their OS's from easy OS type determination? Even
the DNS/Bind folks have added the ability to their daemon to hide its
version and
on 5/7/01 7:50 AM, James Hastings-Trew at [EMAIL PROTECTED] wrote:
> on 5/7/01 5:34 AM, Deocs Postmaster at [EMAIL PROTECTED] wrote:
>
>> From telnet this command returns the type of server,
>> installed modules, and other information. That info
>> is tabulated and tracked by www.netcraft.com (
James, I think you're mis-reading his use of telnet, I think what he
means to say is 'when I telnet to port 80 ..'
In any case I can see why one would want to make it harder for someone
to exploit unknown exploits (if that makes sense)
If you wish to modify the string returned by HEAD simply edit
on 5/7/01 5:34 AM, Deocs Postmaster at [EMAIL PROTECTED] wrote:
> From telnet this command returns the type of server,
> installed modules, and other information. That info
> is tabulated and tracked by www.netcraft.com (who also
> infers the operating system) and can help an attacker
> find a w
Deocs Postmaster wrote:
>
> At 07:54 AM 05/07/2001 , you wrote:
> >Deocs Postmaster wrote:
> > > From telnet HEAD / HTTP/1.0 returns the type of server,
> > > installed modules, and other information.
> >
> > > Why is this information so openly disclosed, and is
> > > there an easy way to disabl
At 07:54 AM 05/07/2001 , you wrote:
>Deocs Postmaster wrote:
> > From telnet HEAD / HTTP/1.0 returns the type of server,
> > installed modules, and other information.
>
> > Why is this information so openly disclosed, and is
> > there an easy way to disable or modify it?
>
>Do you think hiding yo
Deocs Postmaster wrote:
> From telnet HEAD / HTTP/1.0 returns the type of server,
> installed modules, and other information.
> Why is this information so openly disclosed, and is
> there an easy way to disable or modify it?
Do you think hiding your apache version number will save you from
ha
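An added example, not from the thread and not Apache project code, that ties together the two practical points above: the `HEAD / HTTP/1.0` probe the original poster typed into telnet, and the `ServerTokens ProductOnly` fix summarised in the "Users," post. It is a POSIX shell script that pulls the Server: header out of a response and reports whether the banner still carries component version numbers. The two responses it checks are constructed here (the default banner quoted in the thread, and the bare "Apache" banner that ServerTokens ProductOnly produces); the probe_head helper assumes nc (netcat) is installed and is defined but not run, so the script works offline.

```shell
# Added example (not from the thread): inspect what a HEAD / HTTP/1.0
# probe returns and decide whether the Server banner leaks version numbers.
# Assumes only POSIX sh, printf, tr, sed, grep and head; the probe_head
# helper additionally assumes nc (netcat) and is not exercised below.

# Send the same probe the original poster typed into telnet, to a live host.
# Usage: probe_head www.example.com [port]   (nc flags vary by implementation)
probe_head() {
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" | nc "$1" "${2:-80}"
}

# Print the value of the first Server: header in a response read from stdin.
# Header names are case-insensitive; CR is stripped so comparisons work.
server_header() {
    tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p' | head -n 1
}

# Succeed (exit 0) if the banner names any component version, i.e. contains
# a "/" followed by a digit, as in "Apache/1.3.6" or "OpenSSL/0.9.2b".
leaks_version() {
    printf '%s\n' "$1" | grep -Eq '/[0-9]'
}

# Constructed sample responses: the default banner quoted in the thread,
# and what the same server returns after "ServerTokens ProductOnly".
DEFAULT_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 07 May 2001 12:34:00 GMT
Server: Apache/1.3.6 (Unix) PHP/3.0.16 mod_perl/1.21 mod_ssl/2.2.8 OpenSSL/0.9.2b
Connection: close
Content-Type: text/html
'

PRODUCTONLY_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 07 May 2001 12:34:00 GMT
Server: Apache
Connection: close
Content-Type: text/html
'

# Classify a captured response: print the banner and a verdict.
# Returns 1 when versions are exposed so it can drive a scripted check.
check_banner() {
    banner=$(printf '%s' "$1" | server_header)
    if leaks_version "$banner"; then
        printf '%s\n  -> leaks component versions\n' "$banner"
        return 1
    fi
    printf '%s\n  -> product name only\n' "$banner"
    return 0
}

check_banner "$DEFAULT_RESPONSE" || true
check_banner "$PRODUCTONLY_RESPONSE"
```

To run it against a real server, pipe `probe_head host` into `server_header`. The check only covers what the server says about itself: ServerTokens changes the Server: header (and the string used in generated error pages when ServerSignature is on), not the behavioural fingerprints the thread also argues about, such as TCP stack or module-specific responses.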