
Re: [cobalt-users] wish to Cobalt: suppressing "sensitive" information



on 9/21/00 2:44 AM, Jerome Tytgat at j.tytgat@xxxxxxxx wrote:

> 
>> The biggest argument for this is not whether or not
>> it is a Cobalt system because Cobalt's port 81/444 admin
>> server is a dead giveaway.  But whether or not the box is
>> x86 or mips, since most remote root sploits use shell code.  If
>> someone is smashing the stack and using the wrong shell code
>> they are going nowhere fast, and it might leave some
>> funk behind to aid in detection.
>> 
>> Jeff-
> 
> No security is really bad security...

Obscurity is no obscurity.  Jeff is referring to a comment that I made:

>>> exploit available.  Patching the software is the solution.  Also, there
>>> are many ways of fingerprinting a system, software, etc. not just based upon
>>> those messages.

He is confirming that it is easy to fingerprint a Cobalt machine.  Shutting
off the messages does help to determine if a machine is MIPS or x86, and so
what exploits are more likely to work.

That's legitimate, and I agree that if someone gets in but isn't able to
get an exploit working then it will leave a trail.

One note: I have never found these 'trails' to be that helpful--usually
they lead back to a compromised system whose administrator is typically not
very forthcoming in helping you locate the 'real' culprit.

I'm not saying that 'shy' mode isn't a good idea.  Just saying that it is
not the solution to the problem, or even a big part of it.

-k