[Catalyst] Can you tell if a server is running Catalyst?

Aran Deltac aran at arandeltac.com
Thu May 18 19:37:09 CEST 2006


On 5/18/06, Wade.Stuart at fallon.com <Wade.Stuart at fallon.com> wrote:
>
> catalyst-bounces at lists.rawmode.org wrote on 05/18/2006 10:03:00 AM:
>
> > On 5/18/06, Marcello Romani <mromani at ottotecnica.com> wrote:
> > > Wijnand Wiersma ha scritto:
> > > > Daniel McBrearty wrote:
> > > >> I also like this feature. To my mind, the less is visible about how
> > > >> the site is implemented, the better, from POV of security.
> > > > That is IMHO a very bad POV!
> > > >
> > >
> > > Why ?
> >
> > Because "security through obscurity" is BAD.  Security through
> > properly tested and hardened systems is GOOD.  If your system is
> > properly secure then there is nothing wrong with advertising every
> > single little bit of software and the version for everyone to see.
> >
> > If someone feels like they are taking security measures by hiding the
> > software they use from being known then they are probably less secure
> > since they are living in a false sense of security which makes them
> > lazy.
> >
> > Aran
>
> Ok, this has already been covered, but your statement shows such an
> exaggerated level of misunderstanding of the principle of Security through
> obscurity and the reasoning behind the term that I feel I must respond.
>
> "Security through obscurity" (STO from now on) is the name describing the
> practice of lowering the amount of knowledge available to the attack
> vector. STO itself is not "BAD".  STO should be used in conjunction with
> all other types of procedures and utilities used to secure applications and
> services.  What you (or what the person writing the articles that you have
> read) have read and misunderstood about STO being "BAD" is talking
> specifically about STO being used in place of some or all of the other
> tools in your security toolbox.

Right on.

> The bottom line is given a solid security methodology applied to a service
> or application, the application will have fewer and/or harder (more
> knowledge pre-work required) attack vectors given some level of STO vs full
> disclosure of information.

Agreed.

My point was that STO is not security.  I agree it can play a piece
in security, but it is a minor one compared to actually having secure
systems.  Nuff said.

Aran

> Don't go cargo cult on security issues.
> http://en.wikipedia.org/wiki/Cargo_cult
> http://en.wikipedia.org/wiki/Cargo_cult_programming
>
>
>
> _______________________________________________
> Catalyst mailing list
> Catalyst at lists.rawmode.org
> http://lists.rawmode.org/mailman/listinfo/catalyst
>
