service version disclosure

Stephen John Smoogen smooge at gmail.com
Sat Jan 7 05:13:17 UTC 2012


On 6 January 2012 21:46, Kevin Kofler <kevin.kofler at chello.at> wrote:
> Reindl Harald wrote:
>> would it not be a good idea to NOT disclosure service versions?
>> https://bugzilla.redhat.com/show_bug.cgi?id=718133
>>
>> you will more and more have the "problem" of 3rd party
>> security scans to your servers and currently in the case
>> of openssh the only solution is to take the F16-src-rpm
>> and rebuild it for your F15 machines
>
> If the scan is looking at the version to determine vulnerability, it is
> completely broken, useless and unsupportable, because fixes can be
> backported.

I am going with Kevin on this one. The real hacking tools check to see
if a vulnerability works or not. The broken "audit" scanners only
check to see if a header is this or that. Not putting the header only
gets you past the auditors and doesn't stop the real hacker from
getting in if the vulnerability is there.

-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd