Thank you for the flame. It's the first one I've received since being on this list for less than a day.
+-- On 30082002 01:01:13 +0000, Sven Guckes uttered:
| * krjw <[EMAIL PROTECTED]> [2002-08-29 20:56]:
| > As for version numbers, there's nothing wrong with them
| > unless they are advertised to potentially malicious users.
| > Assuming a given version of a given MUA has a known security
| > hole, sending a mail via that MUA with a header containing
| > version info is just begging for trouble. Call it paranoia.
|
| so you are basically asking for "security by obscurity".

I didn't imply that version info is a security hole in and of itself. However, it can't be denied that it certainly makes it easier to pinpoint who is running vulnerable software. This is common sense.

Let's use sshd as an example. I'm sure you're familiar with the SSH1 protocol flaw. Back when this was discussed on your favorite full-disclosure mailing lists (bugtraq et al.), script kiddies went wild, scanning arbitrary IP blocks for vulnerable sshd servers. These scripts are fully automated, designed to connect(), examine the returned version string, and tag -- based on the string alone -- the server as being vulnerable or not vulnerable.

Granted that eliminating a version string by itself is a "hack" and "obscure", it's a preventative measure. It isn't a cure by any means, just one measure among many that can be taken to deal with this unfriendly "third millennium" Internet world. There are good guys and there are bad guys. Why make it easier for the bad guys to be bad?

| > In general it's undesirable for network-aware software
| > (whether an MUA, daemon -- like httpd or sshd -- whatever)
| > to advertise its version # to untrusted users.
|
| and that's why you are afraid to use your real name in mails, too?

Sure.

| > The Internet is not as friendly as it used to be.
|
| welcome to the third millennium!
|
| i find people who hide their name to be afraid of the internet
| and its hackers; they think everyone will hack their computer
| as soon as they use a modem. the internet would indeed benefit
| from these people to go offline and lock themselves in at home.

*sigh*

| Sven

Keith
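The banner-tagging scanner Keith describes above, as an added example that is not part of the original thread or any real scanning tool. It reads SSH identification lines of the form "SSH-protoversion-softwareversion", which is the real banner format, and tags a host on the string alone. The host addresses and banners are constructed here, not captured from any real server. The point worth seeing in code: stripping the software version only moves a host from "tagged" to "unknown", while the protocol version still reveals whether SSH1 is offered at all (1.5 is SSH1 only, 1.99 means both 1 and 2 are spoken), so for the SSH1 protocol flaw the actual fix is turning protocol 1 off, not hiding the string.

```python
"""Banner-based tagging in the style of the automated sshd scanners
described in the thread.  Added example, not code from the thread.
All sample banners and host addresses below are constructed."""
import re

# Constructed sample banners keyed by made-up host addresses.
SAMPLE_BANNERS = {
    "10.0.0.1": "SSH-1.5-OpenSSH_2.2.0p1",        # protocol 1 only
    "10.0.0.2": "SSH-1.99-OpenSSH_2.9p2",         # offers protocol 1 and 2
    "10.0.0.3": "SSH-2.0-OpenSSH_3.4p1",          # protocol 2 only
    "10.0.0.4": "SSH-1.99-",                      # software version stripped
    "10.0.0.5": "220 mail.example.invalid ESMTP",  # not sshd at all
}

# SSH identification line: "SSH-protoversion-softwareversion [comments]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S*)")


def parse_banner(line):
    """Split an identification line into (protoversion, softwareversion).

    Returns None when the line is not an SSH banner at all.  The scanner
    never speaks the protocol; it decides from this one line, exactly as
    the thread describes."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return m.group("proto"), m.group("software")


def ssh1_offered(proto):
    """A 1.x protocol version means SSH1 is spoken: 1.5 is SSH1 only,
    1.99 means the server offers SSH1 alongside SSH2 (RFC 4253, 5.1)."""
    return proto.startswith("1.")


def tag_host(line):
    """Tag a single host from its banner alone."""
    parsed = parse_banner(line)
    if parsed is None:
        return "not-ssh"
    proto, software = parsed
    tag = "ssh1-offered" if ssh1_offered(proto) else "ssh2-only"
    if not software:
        # Version string removed: the script can no longer match on
        # software version, but the protocol version still gave it away.
        tag += "/software-unknown"
    return tag


def tag_hosts(banners):
    """Tag every host in a {host: banner} mapping."""
    return {host: tag_host(line) for host, line in banners.items()}


if __name__ == "__main__":
    for host, tag in tag_hosts(SAMPLE_BANNERS).items():
        print(f"{host:10} {tag}")
```

Two things to take from running it: host 10.0.0.4 has no software version and is still tagged as offering SSH1, and host 10.0.0.3 with a fully visible version is tagged safe. Matching on the software version would let a scanner tag a backported-fix build as vulnerable and a renamed banner as safe, which is the other side of the "string alone" argument: the string is cheap evidence for both attacker and defender.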