service version disclosure

Digimer linux at alteeve.com
Sat Jan 7 07:02:09 UTC 2012


On 01/07/2012 01:59 AM, Reindl Harald wrote:
> 
> 
> Am 07.01.2012 07:52, schrieb Digimer:
>> On 01/07/2012 01:02 AM, Reindl Harald wrote:
>>> Am 07.01.2012 06:35, schrieb Digimer:
>>>>> if you have a big customer which hires a 3rd party auditor
>>>>> you are NOT in the position to give such arguments or
>>>>> you can give them but you can not change ANYTHING in
>>>>> the fact that finally "fix it or shutdown the service"
>>>>> is what you have to do
>>>>
>>>> If you have a "security expert" who can't grasp the concept of
>>>> back-ported bug fixes, and is unwilling to test for specific
>>>> vulnerabilities' existence, it's time to get a new expert.
>>>
>>> you are missing the point A BIG CUSTOMER has a security-expert
>>
>> No, I'm not missing the point. You're asking for a wholesale change in
>> how a program works so that you can have an easier time with an
>> uneducated customer. Your job, as a consultant or IT support is not make
>> sure that your solution is safe. Making your customer feel comfortable
>> without actually giving them security is a bad idea.
> 
> I know about the pros and cons of obscurity
> 
> but I also know that from "SSH-2.0-OpenSSH_5.8" only "SSH-2.0"
> is relevant for clients and having backports in mind this must
> be the truth because if the whole version would matter all
> LTS distributions would be broken by design

This doesn't change the fundamental point:

You are asking for a significant change in behaviour to a program that
who-knows-how-many apps use, for no real reason other than to make a
client feel better.

-- 
Digimer
E-Mail:              digimer at alteeve.com
Freenode handle:     digimer
Papers and Projects: http://alteeve.com
Node Assassin:       http://nodeassassin.org
"omg my singularity battery is dead again.
stupid hawking radiation." - epitron
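The quoted exchange turns on the structure of the SSH identification string. The following parser, added here as an illustration and not code from either poster, splits a banner into the RFC 4253 fields (protoversion, softwareversion, optional comments) and shows a client compatibility decision that depends on protoversion alone; the sample banners are constructed, not captured from any real host.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion and softwareversion are printable US-ASCII with no whitespace or '-'.
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<soft>\S+)(?: (?P<comments>.*))?$")


@dataclass(frozen=True)
class SshIdent:
    protoversion: str       # what the protocol negotiation actually depends on
    softwareversion: str    # informational; says nothing about backported fixes
    comments: Optional[str]


def parse_ident(line: bytes) -> SshIdent:
    """Parse one identification line as sent on the wire (CR LF terminated)."""
    text = line.rstrip(b"\r\n").decode("ascii")
    match = _IDENT_RE.match(text)
    if not match:
        raise ValueError(f"not an SSH identification string: {text!r}")
    return SshIdent(match["proto"], match["soft"], match["comments"])


def client_accepts(ident: SshIdent) -> bool:
    """A client decides compatibility from protoversion only.

    "1.99" is the RFC 4253 marker for a server that also speaks 1.x; the
    softwareversion field plays no part in this decision.
    """
    return ident.protoversion in ("2.0", "1.99")


# Constructed sample banners for demonstration (hypothetical software names).
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_5.8\r\n",
    b"SSH-2.0-OpenSSH_5.3 ExampleDistro-1\r\n",
    b"SSH-1.99-ExampleServer_1.0\r\n",
    b"SSH-1.5-ExampleOldServer\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        ident = parse_ident(banner)
        verdict = "compatible" if client_accepts(ident) else "incompatible"
        print(f"{ident.protoversion:<5} {ident.softwareversion:<28} {verdict}")
```

Because fixes are backported without changing the softwareversion field, a matching banner string on two hosts does not imply the same patch level.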
