<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Metasploit :)<br>
      <br>
      I fully realize this, but obscurity works by "reducing" the attack
      surface of course.<br>
      <br>
      The less data or "assurance" the attacker has the better you are,
      so now I'm going to replace freeswitch with *cough asterisk
      *cough on the SDP :D<br>
      <br>
      <br>
      On 6/21/13 8:56 AM, Steven Ayre wrote:<br>
    </div>
    <blockquote
cite="mid:CAFiqYumFgM6geBA=TL+3tKKTFXtEbyr4wM_H2L3dyxv_MqBp_w@mail.gmail.com"
      type="cite">
      <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">2)&nbsp;</span><u
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Security
          through obscurity != security</u><span
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">&nbsp;it's
          always better than nothing. " hey you don't need to guess&nbsp;<br>
        </span><span
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">the
          software I'm using , I'm giving the info for free just find an
          entry point&nbsp; and you got it ...."</span></blockquote>
      <div><br>
      </div>
      <div>Actually I'd argue the opposite. Security through obscurity
        often makes people assume they're secure and therefore neglect
        securing their systems in the places that actually matter.</div>
      <div>
        <br>
      </div>
      <div>The only argument I can really see for hiding that you're
        running $version of $product is that a bug in that $version
        means an exploit exists.</div>
      <div><br>
      </div>
      <div>If that's the case then you need to upgrade to a patched copy
        of $product - you can NOT rely on the fact that people will not
        realise that they can use the exploit because you're hiding what
        you're running.</div>
      <div><br>
      </div>
      <div>The flaw still exists and attackers might either a) guess
        you're using $product and try the exploit anyway or b) have
        their bot just randomly try every exploit in the book against
        you until one works in which case they don't even need to know
        you're using $product.</div>
      <div><br>
      </div>
      <div>The things that matter are actually verifying your
        authentication is working correctly, you're running the latest
        software, you're following software updates / security
        announcements, etc.</div>
      <div><br>
      </div>
      <div>Besides even when $product/$version are hidden they can often
        be found through fingerprinting by looking at differing
        behaviour between different products and within a product
        between versions.</div>
      <div>
        <br>
      </div>
      <div>-Steve</div>
      <div><br>
      </div>
      <div><br>
      </div>
      <div><br>
      </div>
      <div><br>
        <div class="gmail_quote">On 21 June 2013 07:59, Antonio Teixeira
          <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:eagle.antonio@gmail.com" target="_blank">eagle.antonio@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>@Ken<br>
                I think we need to drop into the real world...<br>
                <br>
                1) OK... Don't forget to say thanks to Debian,
                CentOS, Fedora, PHP, Python, Microsoft, all the
                authors of the OpenSource libs, the creator of Make,
                the creator of the IDE that the dev team uses, etc. etc.
                when you deliver the next project to your client...<br>
                <br>
                2)<br>
                <u>Security through obscurity != security</u> it's always
                better than nothing. "hey you don't need to guess <br>
                the software I'm using, I'm giving the info for free,
                just find an entry point and you got it ...."<br>
                <br>
                I could also imagine you agree with showing the version
                of the software in the HTTP headers (stuff that happens
                on some webservers/libs (from my mind I can recall
                Django?!)).<br>
                <br>
                3)<br>
                The client pays; he doesn't really care about what
                software you use (unless he fears some patent
                infringement), he wants results.<br>
                <br>
                4)<br>
                No , Compliance could be internal or external the
                end-client could simply say "i don't want the freeswitch
                brand".<br>
                <br>
                <br>
                ---- ///// ----<br>
                @all<br>
                I don't know about you guys, but my daily work is developing
                software for some fairly large financial institutions
                and sincerely I think you are all overreacting to this
                thing.<br>
                Yes, if you open-source something you will get part of
                your software stolen, changed or used in a way you were
                not expecting and not given credit for, that's life. If
                you don't want it, close the source, resell it, ask
                for NDAs, etc.<br>
                In my daily work me and my colleagues use a lot of open
                source (contrary to the popular belief), closed source
                and everything in between, and you don't expect a public
                statement thanking anyone for anything.<br>
                <br>
                This is the way life works, and with open-source this is
                our current world (I think the FS Team could even offer
                a fully custom branded solution) so it could help
                monetize the project.<br>
                <br>
                And before you start thinking: yes, I bought G729 licenses,
                the FS Book even before it was out, and no, too many
                miles between me and Gluecon, yes I know airplanes
                exist :D.<br>
                <br>
                P.S. - I also assume that you all as sysadmins once found
                a problem that a blogger may have solved and in your
                final report to the administration you didn't write
                "problem solved by Blogger XXXXXX"....<br>
                <br>
                And never forget he is just the mailman sometimes the
                boss wants something ( even if not morally correct ) and
                you have to do it. <br>
                But the point raised by Anthony regarding the SDP
                "freeswitch flag" is important and should be featured on
                the wiki :)<span class="HOEnZb"><font color="#888888"><br>
                    <br>
                    Antonio Teixeira</font></span>
                <div>
                  <div class="h5"><br>
                    <br>
                    <br>
                    On 6/19/13 3:49 PM, Ken Rice wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <pre>Ok... Let's look at these...

Branding... I don't want to show people that I'm using F/OSS software for
running my for-profit business so I can tell them I'm using either
${some_comercial_platform} or ${we_developed_this_ourselves}

Security/Security Requirements - Security through obscurity != security...

Client Requirements - That's a new one... Unless client is &lt;see
branding&gt;

Compliance - isn't this the same thing as see security


On 6/19/13 8:44 AM, "Antonio Teixeira" <a moz-do-not-send="true" href="mailto:eagle.antonio@gmail.com" target="_blank">&lt;eagle.antonio@gmail.com&gt;</a> wrote:

</pre>
                    <blockquote type="cite">
                      <pre>I could think of

Branding
Security
Client Requirements
Security Requirements
Compliance


On 6/19/13 2:37 PM, Michael Jerris wrote:
</pre>
                      <blockquote type="cite">
                        <pre>Why would you want to do that?

On Jun 19, 2013, at 9:28 AM, Abdullah <a moz-do-not-send="true" href="mailto:abdullah@smonte.com" target="_blank">&lt;abdullah@smonte.com&gt;</a> wrote:

</pre>
                        <blockquote type="cite">
                          <pre>Hi all,

please help me, how to change or remove o=*"FreeSWITCH"* in FreeSWITCH CLI
log.

Any idea?



o=FreeSWITCH 1369449071 1369449072 IN IP4 10.10.50.1
   s=FreeSWITCH
   c=IN IP4 10.10.50.1
</pre>
                        </blockquote>
                        <pre>_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
<a moz-do-not-send="true" href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a>
<a moz-do-not-send="true" href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a>

FreeSWITCH-powered IP PBX: The CudaTel Communication Server
<a moz-do-not-send="true" href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a>

Official FreeSWITCH Sites
<a moz-do-not-send="true" href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
<a moz-do-not-send="true" href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a>
<a moz-do-not-send="true" href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a>

FreeSWITCH-users mailing list
<a moz-do-not-send="true" href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a>
<a moz-do-not-send="true" href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a>
UNSUBSCRIBE:<a moz-do-not-send="true" href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a>
<a moz-do-not-send="true" href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
</pre>
                      </blockquote>
                    </blockquote>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
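    <div>Added example, not part of the original thread and not FreeSWITCH
      code: a defender-side audit of your own SDP for the disclosure
      discussed above, flagging the o= and s= fields that carry a product
      name. The product watch list and the RFC 1918 address check are
      assumptions that go beyond the thread; the sample is constructed from
      the SDP lines quoted in it.</div>
<pre>
```python
import ipaddress

# Constructed sample: the three SDP lines quoted in the thread plus a v= line.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=FreeSWITCH 1369449071 1369449072 IN IP4 10.10.50.1\r\n"
    "s=FreeSWITCH\r\n"
    "c=IN IP4 10.10.50.1\r\n"
)

# Assumption: product names to look for; extend for your own stack.
PRODUCT_NAMES = ("freeswitch", "asterisk")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def names_product(value):
    return any(name in value.lower() for name in PRODUCT_NAMES)


def is_internal(addrtype, addr):
    """True for an IPv4 literal inside an RFC 1918 range."""
    if addrtype != "IP4":
        return False
    try:
        ip = ipaddress.ip_address(addr.split("/")[0])  # drop any /ttl suffix
    except ValueError:  # an FQDN is allowed here; nothing to check
        return False
    return any(ip in net for net in RFC1918)


def audit_sdp(text):
    """Return (field, issue) pairs for session-level lines that disclose
    a product name or an internal address."""
    findings = []
    for line in text.splitlines():
        kind, sep, value = line.strip().partition("=")
        parts = value.split()
        if sep != "=" or kind not in ("o", "s", "c"):
            continue
        # o=username sess-id sess-version nettype addrtype address
        if kind == "o" and len(parts) == 6:
            if names_product(parts[0]):
                findings.append(("o", "product-name"))
            if is_internal(parts[4], parts[5]):
                findings.append(("o", "private-address"))
        elif kind == "s" and names_product(value):
            findings.append(("s", "product-name"))
        # c=nettype addrtype address
        elif kind == "c" and len(parts) == 3 and is_internal(parts[1], parts[2]):
            findings.append(("c", "private-address"))
    return findings
```
</pre>
    <div>An empty result only means these fields carry no banner; as the
      quoted reply points out, behaviour-based fingerprinting and unpatched
      flaws are unaffected by it.</div>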
  </body>
</html>