
Bug#786987: evidence



Hi,

I hear the argument that Colin is making, and understand and respect the
use-case he describes for the setting, and wouldn't argue that this
option should be removed. However, I feel like the comparison that is
being set up doesn't make sense for justifying that the setting is the
default.

The argument is basically that we should use the current setting as the
default for everyone, because there is one specific use-case that
justifies it. While the argument against reverting this default is that
there isn't any specific evidence of people using the version string to
select servers for attack.

I think that it is much easier to come up with an actual use-case for the
first, but much harder to provide concrete evidence of the latter. That
isn't necessarily because this never happens, but very possibly it's
because it is quite hard to provide specific evidence of this being
used, regardless of whether it is actually being done.

We do know, in general, where this version string is used in ways that
are undesirable:

. it is a module in metasploit for helping identify vulnerable
 versions[0]

. it is used as a selector in NSA's XKEYSCORE queries in conjunction
 with the metadata database of potentially exploitable services
 (BLEAKINQUIRY) by the NSA group "S31176" for targeted exploit and
 compromise[1][2]

. it is used by annoying "security" scanners, such as Nessus to
 incorrectly identify vulnerable versions <-- I would normally argue
 that version strings are a terrible way of finding an actual
 vulnerability, in fact I *regularly* have to argue with people who run
 these "security" scanners against our network and then bring us a
 report to show me how many "vulnerable" services we have because the
 version numbers in their outdated database don't take into account
 Debian Security fixes... but this is precisely why I am bringing this
 up, because I have to regularly argue with people about these version
 strings. They are wrong, of course, but I don't want to have to deal
 with that pointless argument. If there was no version string, I
 wouldn't have to do that anymore.

. it's used in CTF (capture the flag) events, in order to know what OS is
 running on a system that only has ssh running, and what version of ssh
 is running so that you can look at exploits that could be used to
 compromise the system for a flag.

apart from these, things like malware droppers (for instance) that use
0-days don't bother with version strings, they just hammer the internet
and try it anyway... but that depends a lot on the malware.

I'd actually turn that argument around and say that justifying Debian
carrying this patch and setting this non-standard default from upstream
for everyone, just because of one example, is not sufficient.

micah

0. http://www.offensive-security.com/metasploit-unleashed/Service_Identification
1. http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
2. http://www.spiegel.de/media/media-35515.pdf

Attachment: signature.asc
Description: PGP signature
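The mail above argues that scanners which match on the version string alone misreport Debian hosts, because Debian's security backports do not bump the upstream version number. The following is an added example, not code from the mail, from Debian, or from OpenSSH: it parses SSH identification strings as laid out in RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`), applies the kind of version-only rule a scanner uses, and shows that a banner carrying a distribution comment such as `Debian-5+deb8u1` cannot be judged from the upstream version number alone. The sample banners are constructed, and the `HYPOTHETICAL_FIXED_IN` threshold is an arbitrary stand-in for a scanner's "fixed in upstream X.Y" rule, not a reference to any real advisory.

```python
"""Parse SSH identification strings and show why version-only matching
mislabels distribution-patched servers (added example, not from the mail)."""
import re

# Constructed sample banners; illustrative only, not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1\r\n",  # distro build, may carry backports
    "SSH-2.0-OpenSSH_6.7p1\r\n",                  # same upstream release, no comment
    "SSH-2.0-OpenSSH_7.2\r\n",
    "SSH-2.0-dropbear_2014.66\r\n",
]

# RFC 4253 s.4.2: softwareversion may not contain whitespace or '-', so the
# first space (if any) separates it from the optional comments field.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^\s-]+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)

# Hypothetical threshold standing in for a scanner's "fixed in upstream X.Y" rule.
HYPOTHETICAL_FIXED_IN = (6, 9)


def parse_identification(line):
    """Split an identification string into proto, software and comments.
    'comments' is None when the banner has no comment field."""
    m = _IDENT_RE.match(line)
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.groupdict()


def upstream_version(software):
    """Return (major, minor) for an OpenSSH softwareversion, else None."""
    m = re.match(r"OpenSSH_(\d+)\.(\d+)", software)
    return (int(m.group(1)), int(m.group(2))) if m else None


def naive_scanner_flags(line, fixed_in=HYPOTHETICAL_FIXED_IN):
    """Version-only logic: flag any OpenSSH whose upstream version is below
    fixed_in. This is the behaviour the mail says yields false positives."""
    ver = upstream_version(parse_identification(line)["software"])
    return ver is not None and ver < fixed_in


def distro_comment(line):
    """Return the comments field (e.g. 'Debian-5+deb8u1') or None. A distro
    comment means the package is a vendor build that may include backported
    fixes, so the upstream version number alone is inconclusive."""
    return parse_identification(line)["comments"]


def triage(line):
    """Combine both signals: a version-flagged banner with a distro comment is
    'inconclusive' rather than 'flagged', because the number may be stale."""
    flagged = naive_scanner_flags(line)
    if flagged and distro_comment(line):
        return "inconclusive"
    return "flagged" if flagged else "not flagged"


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        fields = parse_identification(banner)
        print("%-40s software=%-18s comments=%-16s -> %s" % (
            banner.strip(), fields["software"], fields["comments"], triage(banner)))
```

The two `OpenSSH_6.7p1` banners carry the same upstream number and are treated identically by the version-only rule; only the comments field distinguishes the vendor build, and even then it tells you that the comparison is unreliable, not whether a given fix is present.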

