[Freeswitch-users] remove in local SDP word FREESWITCH

Steven Ayre steveayre at gmail.com
Sun Jun 23 23:48:46 MSD 2013


Except the approach of a bot trying known exploits is automated. It doesn't
take any effort of the hacker's time. It's not on his machine so doesn't
even use his resources (time/CPU/bandwidth). It doesn't even need to check
what software is running, simply trying everything in the book is
sufficient. And that could be done in a couple of minutes.

-Steve



On 23 June 2013 15:45, Dmitry Lysenko <dvl36.ripe.nick at gmail.com> wrote:

> The more work a hacker has to do, the more secure the system is.
> So, "security by obscurity" has been working, not so well, but for
> thousands of years.
>
>
> 2013/6/21 Steven Ayre <steveayre at gmail.com>
>
>> 2) *Security through obscurity != security* it's always better than
>>> nothing. " hey you don't need to guess
>>> the software I'm using , I'm giving the info for free just find an entry
>>> point  and you got it ...."
>>
>>
>> Actually I'd argue the opposite. Security through obscurity often makes
>> people assume they're secure and therefore neglect securing their systems
>> in the places that actually matter.
>>
>> The only argument I can really see of hiding that you're running $version
>> of $product is that a bug in that $version means an exploit exists.
>>
>> If that's the case then you need to upgrade to a patched copy of $product
>> - you can NOT rely on the fact that people will not realise that they can
>> use the exploit because you're hiding what you're running.
>>
>> The flaw still exists and attackers might either a) guess you're using
>> $product and try the exploit anyway or b) have their bot just randomly try
>> every exploit in the book against you until one works in which case they
>> don't even need to know you're using $product.
>>
>> The things that matter are actually verifying your authentication is
>> working correctly, you're running the latest software, you're following
>> software updates / security announcements, etc.
>>
>> Besides even when $product/$version are hidden they can often be found
>> through fingerprinting by looking at differing behaviour between different
>> products and within a product between versions.
>>
>> -Steve
>>
>>
>>
>>
>> On 21 June 2013 07:59, Antonio Teixeira <eagle.antonio at gmail.com> wrote:
>>
>>>  @Ken
>>> I think we need to drop into the real world...
>>>
>>> 1) Ok... Don't forget to say thanks to Debian, CentOS, Fedora, PHP,
>>> Python, Microsoft, all the authors of the open-source libs, the creator
>>> of Make, the creator of the IDE that the dev team uses, etc. etc. when you
>>> deliver the next project to your client...
>>>
>>> 2)
>>> *Security through obscurity != security* it's always better than nothing.
>>> "hey you don't need to guess
>>> the software I'm using, I'm giving the info for free, just find an entry
>>> point and you got it...."
>>>
>>> I could also imagine you agree with showing the version of the software
>>> in the HTTP headers (stuff that happens on some webservers/libs (from my
>>> mind I can recall Django?!).
>>>
>>> 3)
>>> The client pays; he doesn't really care about what software you use
>>> (unless he fears some patent infringement), he wants results.
>>>
>>> 4)
>>> No, compliance could be internal or external; the end-client could
>>> simply say "I don't want the freeswitch brand".
>>>
>>>
>>> ---- ///// ----
>>> @all
>>> I don't know about you guys, but my daily work is developing software for
>>> some fairly large financial institutions and sincerely I think you are all
>>> overreacting to this thing.
>>> Yes, if you open-source something you will get part of your software
>>> stolen, changed or used in a way you were not expecting and not given
>>> credit for, that's life. If you don't want it, close the source, resell
>>> it, ask for NDAs, etc.
>>> In my daily work my colleagues and I use a lot of open source (contrary
>>> to the popular belief), closed source and everything in between and you
>>> don't expect a public statement thanking anyone for anything.
>>>
>>> This is the way life works and with open source this is our current
>>> world (I think the FS Team could even offer a fully custom branded
>>> solution) so it could help monetize the project.
>>>
>>> And before you start thinking: yes, I bought G729 licenses, the FS Book
>>> even before it was out, and no, too many miles between me and Gluecon, yes I
>>> know airplanes exist :D.
>>>
>>> P.S. - I also assume that you all as sysadmins once found a problem that
>>> a blogger may have solved and on your final report to the administration
>>> you didn't write "problem solved by Blogger XXXXXX"....
>>>
>>> And never forget he is just the mailman; sometimes the boss wants
>>> something (even if not morally correct) and you have to do it.
>>> But the point raised by Anthony regarding the SDP "freeswitch flag" is
>>> important and you be featured on the wiki :)
>>>
>>> Antonio Teixeira
>>>
>>>
>>>
>>> On 6/19/13 3:49 PM, Ken Rice wrote:
>>>
>>> Ok... Let's look at these...
>>>
>>> Branding... I don't want to show people that I'm using F/OSS software for
>>> running my for-profit business so I can tell them I'm using either
>>> ${some_comercial_platform} or ${we_developed_this_ourselves}
>>>
>>> Security/Security Requirements - Security through obscurity != security...
>>>
>>> Client Requirements - That's a new one... Unless client is <see
>>> branding>
>>>
>>> Compliance - isn't this the same thing as see security
>>>
>>>
>>> On 6/19/13 8:44 AM, "Antonio Teixeira" <eagle.antonio at gmail.com> wrote:
>>>
>>>
>>>  I could think of
>>>
>>> Branding
>>> Security
>>> Client Requirements
>>> Security Requirements
>>> Compliance
>>>
>>>
>>> On 6/19/13 2:37 PM, Michael Jerris wrote:
>>>
>>>  Why would you want to do that?
>>>
>>> On Jun 19, 2013, at 9:28 AM, Abdullah <abdullah at smonte.com> wrote:
>>>
>>>
>>>  HI ALL ,
>>>
>>> please help me ,how to change or remove o=*"FreeSWITCH"* in free switch Cli
>>> Log .
>>>
>>> any idea ??
>>>
>>>
>>>
>>> o=FreeSWITCH 1369449071 1369449072 IN IP4 10.10.50.1
>>>    s=FreeSWITCH
>>>    c=IN IP4 10.10.50.1
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> FreeSWITCH-powered IP PBX: The CudaTel Communication Server
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>
>
>
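
Added example, not part of the thread: a small audit of what an SDP body discloses about the product behind it, run over the `o=`/`s=` lines quoted in the original question. The function name `audit_sdp`, the marker list and the second sample are assumptions made for illustration; as the replies above argue, a clean result says nothing about whether the server is patched or can be fingerprinted by its behaviour.

```python
import re

# SDP lines as quoted in the original question on this page.
PAGE_SDP = """o=FreeSWITCH 1369449071 1369449072 IN IP4 10.10.50.1
   s=FreeSWITCH
   c=IN IP4 10.10.50.1
"""

# Constructed sample: the same session with neutral origin and session name.
NEUTRAL_SDP = """v=0
o=- 1369449071 1369449072 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
"""

NEUTRAL = {"", "-"}  # placeholder values that carry no identity


def audit_sdp(sdp, markers=("freeswitch",)):
    """Return (field, value, reason) findings for one SDP body."""
    findings = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue  # not a <type>=<value> line
        kind, value = line[0], line[2:]
        if kind == "o":
            # o=<username> <sess-id> <sess-version> <nettype> <addrtype> <addr>
            parts = value.split()
            if len(parts) != 6:
                findings.append(("o=", value, "malformed origin line"))
                continue
            field, name = "o= username", parts[0]
        elif kind == "s":
            field, name = "s= session name", value.strip()
        else:
            continue  # other line types are outside this check
        if name in NEUTRAL:
            continue
        hit = next((m for m in markers if m.lower() in name.lower()), None)
        if hit:
            findings.append((field, name, f"names product '{hit}'"))
        elif re.search(r"\d+\.\d+", name):
            findings.append((field, name, "looks like a version string"))
    return findings
```
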