
[nycphp-talk] Basic security question

Chris Bielanski Cbielanski at inta.org
Wed Jul 14 15:47:46 EDT 2004


I had a much longer response in preparation, but Andrew just nailed it.
Obscurity is not security. And yes, it only stops the timid assailant. A
determined cracker will take it *personally* that you configured your server
to tell *lies* to its "friendly users"!! The NERVE!! He'll fix YOU, buddy!
:)

And *poof* another one bites the dust, nah?


Thanks,
Chris Bielanski
Web Programmer, 
International Trademark Association,
1133 Avenue of the Americas, 33rd Floor
New York, NY 10036
+1 (212) 642-1745, f: +1 (212) 768-7796
mailto:cbielanski at inta.org, www.inta.org  
INTA -- 125 Years of Excellence



> -----Original Message-----
> From: Paul Reinheimer [mailto:preinheimer at gmail.com]
> Sent: Wednesday, July 14, 2004 3:35 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] Basic security question
> 
> 
> See, if that was convincing enough, a prospective attacker would spend a
> lot of time going after IIS and ASP vulnerabilities that presumably
> (in the same form) exist in Apache and PHP.
> 
> 
> paul
> 
> On Wed, 14 Jul 2004 15:33:08 -0400, Phillip Powell
> <phillip.powell at adnet-sys.com> wrote:
> > I can tell you PHP folk up in NY do not work for the US Feds nor for a
> > federal contractor, but were you ever to do so, you'd find how horribly
> > security measures that deal with the Web fly in the face of
> > federally-mandated Section 508 Compliance.
> > 
> > Augh! You have to put your EMAIL address on your website, how secure is
> > THAT???
> > 
> > I do know of some PHP programmers in DC for the Labor Dept that once
> > "spoofed" Apache into interpreting PHP files as ".asp" (and to show
> > itself as IIS!) to spoof the higher-ups that everything was in a M$
> > environment to "make them happy".
> > 
> > Phil
> > 
> > 
> > 
> > Paul Reinheimer wrote:
> > 
> > >Every attack whether web or otherwise I have heard about starts with
> > >learning as much as you can about the target's systems, then seeking
> > >to exploit some either known or unknown security holes in the software
> > >that system is running.
> > >
> > >Knowing that, why reveal anything? Make the potential attacker work
> > >for every piece of information they want. Set the Apache server string
> > >to claim it is some recent release of IIS, tell all the services not
> > >to advertise they are running, save your .php files as .exe and tell
> > >Apache just to interpret appropriately, etc. Obviously if you choose to
> > >run some off the shelf application (i.e. phpBB) you will let the cat out
> > >of the bag, but separating it to a subdomain may only add to the
> > >confusion.
> > >
> > >Does anyone see any real advantage to this approach?
> > >
> > >
> > >paul
> > >_______________________________________________
> > >talk mailing list
> > >talk at lists.nyphp.org
> > >http://lists.nyphp.org/mailman/listinfo/talk
> > >
> > >
> > >
> > 
> > --
> > ---------------------------------------------------------------------------------
> > Phil Powell
> > Multimedia Programmer
> > BPX Technologies, Inc.
> > #: (703) 709-7218 x107
> > Fax: (703) 709-7219
> > 

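A concrete form of the Apache configuration Paul describes in the quoted message, as an added example that is not from any of the posters: the directives are real Apache 2.x and PHP settings, and the paths are placeholders. The comments record what each setting hides and what still identifies the stack, which is the thread's point about obscurity.

```apache
# Added example, not from the thread: Apache 2.x httpd.conf fragment
# that minimises what the server advertises. Directive names are real;
# the /errors/ paths are placeholders.

# "Server: Apache" instead of "Server: Apache/2.x (Unix) PHP/x.y ...".
# The product name still leaks; only version, OS and module detail is cut.
ServerTokens Prod

# Remove the "Apache/2.x Server at host Port 80" footer from the
# server-generated 403/404/500 pages.
ServerSignature Off

# Serve your own error pages so the default Apache layout itself is not
# a giveaway (the built-in pages are recognisable even without a footer).
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html

# Have mod_php handle a non-.php extension, as the thread describes.
# This is pure obscurity: the application's behaviour (cookie names,
# error text, URL structure) still identifies it.
AddType application/x-httpd-php .asp

# Caveat: ServerTokens does not stop PHP's own "X-Powered-By: PHP/x.y"
# response header. That is disabled in php.ini with
#     expose_php = Off
# and the default PHPSESSID cookie still names the runtime unless
# session.name is changed in php.ini as well.
```

None of this removes a vulnerability; it only removes labels, so patching and least privilege on the server remain the actual controls.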

