
Re: Microsoft-IIS/6.0 serves up Debian... WTF!



Jim Popovitch wrote:
> On Sun, Jun 8, 2008 at 5:30 PM, Simon Valiquette <v.simon@ieee.org> wrote:
>> Jim Popovitch once wrote:
>>> If they want to do this, fine.  But should they continue to be in
>>> rotation for ftp.us.debian.org?
>>  Personally, I would have chosen to impersonate a web server other than
>> IIS, but except for that I see no problem with what they have done.
>>
>>
>>  I don't see why you want them to be removed from ftp.us.debian.org,
>> except that you don't like to see them lying about the server application
>> and version they use, which is something done by a lot of people on
>> production systems that directly face the Internet.
> 
> The reason is this:  *if* they are using "security by obscurity", then
> that raises the bigger question of their security knowledge and
> capabilities.   That would be enough for me to remove them from
> distributing software to others from my domain (ftp.us.debian.org).
> 

Your thoughts on this subject are really fascinating. Because while I
agree that the idea of "security by obscurity" as the only line of
defense is flawed, you're making assumptions and value judgments that
seem beyond your abilities. I question your security knowledge and
capabilities.

How would you feel if they used a firewall that obscured their TCP
stack? Or if they dropped ICMP time stamp requests? Or used address
space randomization to stop certain types of remote code execution? Or
what if they removed all real version strings from all software that
they used that faces the internet?

Do you really think that obscurity as *part* of your security plan is
only negative? And do you really think that you know their entire
security plan?

I think not. In addition, I think the mere fact that they took the time
to customize their banner shows that they're at least thinking about the
problem. Even if we agree that it is flawed to *only* try hiding version
strings, you don't know that this is all they are doing. Personally, I
think it's worse to print proper version strings and feel so smug
about it. It is not as if being honest about this little detail somehow
protects people using your Debian mirror.

Have you found some actual security issue with the mirror? Are the
packages tampered with? Are the signatures invalid?

If so, have you tried contacting the administrator of the mirror?

Regards,
Jacob Appelbaum
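The questions at the end of the message ("Are the packages tampered with? Are the signatures invalid?") are the check that actually matters for a mirror, and they are answerable without caring what the Server header says. The following is an added example, not code from the original post or from Debian/apt, showing the hash chain apt relies on: the signed Release file records the SHA-256 and size of each Packages index, and each Packages stanza records the SHA-256 and size of its .deb. The Release text, Packages text, .deb payload and file names below are constructed inline so the check runs offline; in practice you would download those files from the mirror under suspicion.

```python
"""Walk the Release -> Packages -> .deb hash chain of a Debian-style mirror.

Added example for this thread; not code from the original post or from Debian.
All inputs are constructed here so the check runs offline.
"""
import hashlib
import re


def parse_release(text):
    """Return {filename: (sha256_hex, size)} from the SHA256 section of a Release file.

    Other hash sections (MD5Sum:, SHA1:) are skipped; only indented lines under
    the 'SHA256:' header are recorded.
    """
    entries = {}
    in_sha256 = False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.rstrip(":") == "SHA256"
            continue
        if in_sha256:
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries


def parse_packages(text):
    """Return {Filename: (sha256_hex, size)} for every stanza of a Packages file."""
    entries = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries


def verify(entries, name, data):
    """True iff data has exactly the size and SHA-256 recorded for name."""
    if name not in entries:
        return False
    digest, size = entries[name]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def check_mirror(release_text, packages_name, packages_data, deb_name, deb_data):
    """Return (ok, reason): Release vouches for Packages, Packages vouches for the .deb."""
    rel = parse_release(release_text)
    if not verify(rel, packages_name, packages_data):
        return False, "Packages index does not match Release"
    pkgs = parse_packages(packages_data.decode())
    if not verify(pkgs, deb_name, deb_data):
        return False, ".deb does not match Packages index"
    return True, "ok"


# --- constructed sample mirror content (hypothetical package, not a real .deb) ---
DEB_NAME = "pool/main/e/example/example_1.0-1_all.deb"
DEB = b"!<arch>\nconstructed placeholder payload, not a real package\n"
PACKAGES_NAME = "main/binary-all/Packages"
PACKAGES = (
    "Package: example\nVersion: 1.0-1\nArchitecture: all\n"
    f"Filename: {DEB_NAME}\nSize: {len(DEB)}\n"
    f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n"
).encode()
RELEASE = (
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {PACKAGES_NAME}\n"
)


if __name__ == "__main__":
    print("genuine:", check_mirror(RELEASE, PACKAGES_NAME, PACKAGES, DEB_NAME, DEB))
    # A mirror that altered the .deb but not the index fails at the second link.
    print("tampered .deb:", check_mirror(RELEASE, PACKAGES_NAME, PACKAGES, DEB_NAME, DEB + b"x"))
    # A mirror that rewrote the index fails at the first link, since Release still
    # carries the original hash.
    edited = PACKAGES.replace(b"Version: 1.0-1", b"Version: 9.9-9")
    print("tampered index:", check_mirror(RELEASE, PACKAGES_NAME, edited, DEB_NAME, DEB))
```

The root of the chain is the signature on Release, which this offline example cannot exercise: matching hashes only prove the mirror is self-consistent, not that it is Debian's. On a system with the debian-archive-keyring package installed, apt's equivalent step is `gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release` (or the inline-signed InRelease). If that verifies and the hashes match, the mirror is serving what Debian published, whatever its banner claims.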

