[WEB SECURITY] Securing apache installation with PHP

Bernhard Nießl bernhard.niessl at gmx.net
Mon May 23 11:15:06 EDT 2005


On 23 May 2005 at 10:33, Ryan Barnett wrote:

> Why is it that anytime someone mentions an obscurity technique, people
> always assume that that is the only security measure that you are
> implementing? 

I agree: you never proposed to use ONLY obscurity.

> I would disagree with your assessment of the security gain being almost
> zero.  Web-based worms such as Scalper and Slammer did in fact inspect
> the returned Server token banner.

OK, fine. You secured the server against Scalper and Slammer. If they 
were the only two threats you should secure the server against, you 
did your job well. But I assume that you should secure the server 
against ANY worms and other threats. And in that light, obscurity 
helps nothing and costs resources ...

> Most people will jump to the obfuscation techniques because they are a
> bit "sexier" than other tasks.

Fighting IT risks is never sexy, only hard work.
As Albert Einstein said: 99% transpiration, 1% inspiration ;-)

Regards

Bernhard Nießl


P.S. I read the lists I write to. Personally addressed mails 
are superfluous.

BN


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/