Jim Popovitch wrote:
> On Sun, Jun 8, 2008 at 5:30 PM, Simon Valiquette <[EMAIL PROTECTED]> wrote:
>> Jim Popovitch once wrote:
>>> If they want to do this, fine. But should they continue to be in
>>> rotation for ftp.us.debian.org?
>>
>> Personally, I would have chosen to impersonate another web server than
>> IIS, but except for that I see no problem with what they have done.
>>
>> I don't see why you want them to be removed from ftp.us.debian.org,
>> except that you don't like to see them lying about the server application
>> and version they use, which is something done by a lot of people on
>> production systems that directly face the Internet.
>
> The reason is this: *if* they are using "security by obscurity", then
> that raises the bigger question of their security knowledge and
> capabilities. That would be enough for me to remove them from
> distributing software to others from my domain (ftp.us.debian.org).
>
Your thoughts on this subject are really fascinating, because while I agree that the idea of "security by obscurity" as the only line of defense is flawed, you're making assumptions and value judgments that seem beyond your abilities. I question your security knowledge and capabilities.

How would you feel if they used a firewall that obscured their TCP stack? Or if they dropped ICMP time stamp requests? Or used address space randomization to stop certain types of remote code execution? Or what if they removed all real version strings from all software that they used that faces the internet?

Do you really think that obscurity as *part* of your security plan is only negative? And do you really think that you know their entire security plan? I think not.

In addition, I think the mere fact that they took the time to customize their banner shows that they're at least thinking about the problem. Even if we agree that it is flawed to *only* try hiding version strings, you don't know that this is all they are doing.

Personally, I think it's worse to print proper version strings and feel so smugly about it. It is not as if being honest about this little detail somehow protects people using your Debian mirror.

Have you found some actual security issue with the mirror? Are the packages tampered with? Are the signatures invalid? If so, have you tried contacting the administrator of the mirror?

Regards,
Jacob Appelbaum
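The questions that close the reply ("Are the packages tampered with? Are the signatures invalid?") point at the check that actually matters for a mirror: whether the files it serves match the hashes in the archive's signed Release file, irrespective of what the HTTP Server banner claims. The following is an added example and is not code from the thread, from Debian, or from apt. It assumes the Release file has already been authenticated against the archive keyring (for a real mirror: `gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release`, or the inline-signed InRelease); the Release text and index files here are constructed inline so the example runs offline.

```python
"""Verify that index files served by a Debian mirror match the hashes in
the archive's Release file.

Added example, not apt's implementation. Only the hash step is shown; in
practice the Release file must first be checked against its detached
signature (Release.gpg) or fetched as the inline-signed InRelease, or the
hashes inside it prove nothing about the mirror.
"""
import hashlib

# Map Release field names to hashlib algorithm names (only the two
# algorithms apt still trusts are listed).
_FIELD_TO_HASHLIB = {"SHA256": "sha256", "SHA512": "sha512"}


def parse_release_hashes(release_text, field="SHA256"):
    """Return {path: (hexdigest, size)} from the multi-line `SHA256:`
    field of a Release file.

    Release is RFC822-like: a field line such as `SHA256:` is followed by
    continuation lines (leading space) of the form
    `<hexdigest> <size> <relative path>`.
    """
    hashes = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A new field begins; only continuation lines of the wanted
            # field are collected.
            in_section = line.rstrip() == f"{field}:"
            continue
        if in_section:
            digest, size, path = line.split()
            hashes[path] = (digest.lower(), int(size))
    return hashes


def verify_index(release_text, path, data, field="SHA256"):
    """Check `data` (bytes fetched from the mirror at `path`) against the
    Release file. Returns (ok, reason)."""
    expected = parse_release_hashes(release_text, field)
    if path not in expected:
        return False, f"{path} is not listed under {field} in Release"
    digest, size = expected[path]
    # Size is checked first: it is cheap and catches truncated downloads.
    if len(data) != size:
        return False, f"size mismatch for {path}: got {len(data)}, expected {size}"
    actual = hashlib.new(_FIELD_TO_HASHLIB[field], data).hexdigest()
    if actual != digest:
        return False, f"{field} mismatch for {path}"
    return True, "ok"


# --- constructed sample data (not from any real archive) -------------------
PACKAGES = (
    b"Package: hello\n"
    b"Version: 2.10-1\n"
    b"Architecture: amd64\n"
    b"Filename: pool/main/h/hello/hello_2.10-1_amd64.deb\n"
    b"\n"
)
# A mirror serving a modified index: the Filename now points elsewhere.
TAMPERED_PACKAGES = PACKAGES.replace(b"pool/main/h/hello/", b"pool/main/h/hel1o/")

INDEX_PATH = "main/binary-amd64/Packages"

# A real Release is produced and signed by the archive, never built on the
# client; it is assembled here only so the example is self-contained.
RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "Architectures: amd64\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n"
)


def demo():
    """Return the verdicts for an untouched and a tampered index."""
    return verify_index(RELEASE, INDEX_PATH, PACKAGES), \
        verify_index(RELEASE, INDEX_PATH, TAMPERED_PACKAGES)


if __name__ == "__main__":
    for ok, reason in demo():
        print("PASS" if ok else "FAIL", reason)
```

Because the tampered index keeps the same length, only the digest comparison catches it; the size check alone is not a defence. A mirror that fails this check is serving something the archive did not sign, which is a concrete problem a mirror operator can be contacted about; a forged banner is not.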