On Mon, Aug 02, 2004 at 10:22:39PM -0700, Josh Triplett wrote:
> > But standard advice on network security is *not* to advertise specific
> > banners. I don't think much of that advice, but I sure do see a lot
> > of it. Is it free to make this kind of requirement of users of the
> > software, that they ignore good security practice?
>
> If your network would be insecure if someone knew the versions of
> software you run, then your network is insecure.

In practice, you're both right: security by obscurity, alone, isn't secure, but in practice it's a very real gain to not advertise immediately what your set of bugs are--if it gives you five more minutes to respond to a security advisory, then it's a win.

I won't overgeneralize; some free licenses do place restrictions on security-related decisions (the GPL prevents me from adding some security-related features and not releasing the source for the above reason), but I don't think it's a good thing in general. I should decide my security philosophy, not anyone else.

--
Glenn Maynard