[Catalyst] Can you tell if a server is running Catalyst?

Wade.Stuart at fallon.com
Thu May 18 19:25:40 CEST 2006
catalyst-bounces at lists.rawmode.org wrote on 05/18/2006 10:03:00 AM:

> On 5/18/06, Marcello Romani <mromani at ottotecnica.com> wrote:
> > Wijnand Wiersma wrote:
> > > Daniel McBrearty wrote:
> > >> I also like this feature. To my mind, the less is visible about how
> > >> the site is implemented, the better, from POV of security.
> > > That is IMHO a very bad POV!
> > >
> >
> > Why ?
>
> Because "security through obscurity" is BAD.  Security through
> properly tested and hardened systems is GOOD.  If your system is
> properly secure then there is nothing wrong with advertising every
> single little bit of software and the version for everyone to see.
>
> If someone feels like they are taking security measures by hiding the
> software they use from being known then they are probably less secure
> since they are living in a false sense of security which makes them
> lazy.
>
> Aran

Ok, this has already been covered, but your statement shows such an
exaggerated level of misunderstanding of the principle of Security through
obscurity and the reasoning behind the term that I feel I must respond.

"Security through obscurity" (STO from now on) is the name describing the
practice of lowering the amount of knowledge available to the attack
vector. STO itself is not "BAD".  STO should be used in conjunction with
all other types of procedures and utilities used to secure applications and
services.  What you (or what the person writing the articles that you have
read) have read and misunderstood about STO being "BAD" is talking
specifically about STO being used in place of some or all of the other
tools in your security toolbox.

The bottom line is, given a solid security methodology applied to a service
or application, the application will have fewer and/or harder (more
knowledge pre-work required) attack vectors given some level of STO vs. full
disclosure of information.

Don't go cargo cult on security issues.
http://en.wikipedia.org/wiki/Cargo_cult
http://en.wikipedia.org/wiki/Cargo_cult_programming