
Re: [cgiapp] off topic ruminations on security through obscurity


On Tue, 30 Sep 2003, Eric Moore wrote:

> It's trivial for a capable attacker to determine OS/http Server/script
> language.

It's just as trivial for a capable sysadmin to obscure all of those.  
Proxy servers, load balancers, and sheer on-the-fly packet manipulation
all help security even if their main purpose is otherwise.  People are so
opposed to STO that they avoid doing the wise and useful minimization of
disseminated information.  Think about it.  If you've got all of your real
security ducks in a row, does obscuring your own target a bit really seem
that bad?  STO is bad when you think it's a "real" solution.  STO is
wonderful when you already have a real solution.

> The point is not the language, per se, but the abilities of the
> script writer and the server administrator.

And able admins and programmers can use any language and avoid the user
realizing it.  I can process the same template in PHP and Perl and produce
identical server responses byte for byte.  How does somebody know which
exploit to use?  Some might ask "why not use both?".  That's obviously
possible, but most bad folks with an exploit will target the easily
discernible targets rather than try to attack the entire Internet.  
Shotgunning the Internet is beyond the scope of humans at this point, only 
worms and their ilk manage to have that broad a reach these days.

> Using the 'popular pearl scripts' (e.g. the old sendmail.pl script that
> was full of holes) is a false friend.

nms is everyone's friend in this regard.  I'm quite happy to stop
maintaining my own secured version of several of Matt's scripts.  Perl 
progress is good.

> Changing the file suffix may slow down the script kiddies, but the
> 'pros' are pounding memory buffers and TCP stacks.

Slowing down the script kiddies is an important part of security.  If 
you've not kept the script kiddies effectively at bay then you can't even 
begin to spend time worrying about the pros.  Walk before you run and all.

-- 
</chris>

~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~

From a student comment card (not my student):
	"He is one of the best teachers I have had... He is well-organized,
	 presents good lectures, and creates interest in the subject.  I
	 hope my comments don't hurt his chances of getting tenure."


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2