Changing the IMAP server's banner -- does one still need to patch the source?
Greg A. Woods
woods at planix.com
Thu Jun 16 21:45:52 EDT 2005
[ On Thursday, June 16, 2005 at 14:23:04 (-0700), Philip Edelbrock wrote: ]
> Subject: Re: Changing the IMAP server's banner -- does one still need to patch the source?
> Security by obscurity is bad,
Yes, it certainly is.
> but that's not what this is.
well if this kind of idiocy is not "security by obscurity" then the only
other thing it could possibly be is "security by sticking one's head in
the sand". :-)
> I still put
> my laptop under the car seat before going into the store eventhough the
> door locks /should/ be enough. ;')
Those kinds of analogies just don't apply in the digital realm.
(besides, the door locks are not likely "good enough" (esp. on their
own) when the cost, i.e. the risk, to the thief of using a jimmy or
cracking your window in broad daylight is far less than the (perceived)
benefit of grabbing your shiny new laptop -- proper risk analysis is
tricky business (for us humans), especially if you forget to do it from
at least the two primary points of view in any such situation)
Software vulernabilities don't go away, and their exploit is not
prevented in any way, just by hiding what is basically irrelevant
information to any attacker. All the attacker needs to know is that
they can connect to your IMAP port, and that by nature is impossible to
prevent them from learning since doing so would also terminate the
service you are providing (i.e. it's equivalent to using the wire-cutter
style of "permanent firewall").
Fix the bugs (or don't run the service) -- don't just pretend to hide
them, because you cannot.
Greg A. Woods
<woods at planix.com> +1 416 489-5852 x122 http://www.planix.com/
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus