[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Version strings [Was: Re: Smolt: Fedora Hardware Profiler]



Ralf Corsepius <rc040203 freenet de> wrote:

[...]

> Many servers/service return an id-string identifying the version of a
> particular piece of SW - If this string is correct it, it provides clear
> information to which vulnerabilities it is likely to be vulnerable.

In my experience, the use of those for troubleshooting is much more
important than any vulnerabilities exposed this way. Crackers (particularly
automated attacks) usually just dive in, without any regard to any version
strings. Besides, it is easy to guess (quite accurately, via something like
nmap) what is at the other end. Hiding what you are running is an example
of what is dismissed with the quip "Security through obscurity, isn't". It
is uniformly regarded as almost completely useless. Fix the vulnerabilities,
don't pretend they aren't there.

> Therefore many server admins use faked id-strings or don't provide this
> kind of information.

That is detrimental to legitimate uses, and stops no cracker.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                    Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria             +56 32 2654239
Casilla 110-V, Valparaiso, Chile               Fax:  +56 32 2797513


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]