[Freeswitch-users] remove in local SDP word FREESWITCH

Antonio Teixeira eagle.antonio at gmail.com
Fri Jun 21 12:18:28 MSD 2013


Metasploit :)

I fully realize this but obscurity works by "reducing" the attack 
surface of course.

The less data or "assurance" the attacker has the better you are, so 
now I'm going to replace freeswitch with *cough asterisk *cough on the SDP :D


On 6/21/13 8:56 AM, Steven Ayre wrote:
>
>     2) _Security through obscurity != security_ it's always better than
>     nothing. " hey you don't need to guess the
>     software I'm using , I'm giving the info for free just find an
>     entry point and you got it ...."
>
>
> Actually I'd argue the opposite. Security through obscurity often 
> makes people assume they're secure and therefore neglect securing 
> their systems in the places that actually matter.
>
> The only argument I can really see of hiding that you're running 
> $version of $product is that a bug in that $version means an exploit 
> exists.
>
> If that's the case then you need to upgrade to a patched copy of 
> $product - you can NOT rely on the fact that people will not realise 
> that they can use the exploit because you're hiding what you're running.
>
> The flaw still exists and attackers might either a) guess you're using 
> $product and try the exploit anyway or b) have their bot just randomly 
> try every exploit in the book against you until one works in which 
> case they don't even need to know you're using $product.
>
> The things that matter are actually verifying your authentication is 
> working correctly, you're running the latest software, you're 
> following software updates / security announcements, etc.
>
> Besides even when $product/$version are hidden they can often be found 
> through fingerprinting by looking at differing behaviour between 
> different products and within a product between versions.
>
> -Steve
>
>
>
>
> On 21 June 2013 07:59, Antonio Teixeira <eagle.antonio at gmail.com 
> <mailto:eagle.antonio at gmail.com>> wrote:
>
>     @Ken
>     I think we need to drop into the real world...
>
>     1) Ok ... Don't forget to say thanks to Debian , CentOS , Fedora
>     , PHP , Python , Microsoft , all the authors of the OpenSource
>     Libs , the creator of Make , the creator of the IDE that the Dev
>     team uses ,  etc etc when you deliver the next project to your
>     client ...
>
>     2)
>     _Security through obscurity != security_ it's always better than
>     nothing. " hey you don't need to guess the
>     software I'm using , I'm giving the info for free just find an
>     entry point and you got it ...."
>
>     I could also imagine you agree with showing the version of the
>     software in the HTTP headers (stuff that happens on some
>     webservers/libs ( from my mind I can recall Django?!).
>
>     3)
>     The client pays; he doesn't really care about what software you
>     use ( unless he fears some patent infringement), he wants results.
>
>     4)
>     No , Compliance could be internal or external the end-client could
>     simply say "i don't want the freeswitch brand".
>
>
>     ---- ///// ----
>     @all
>     I don't know you guys but my daily work is developing software for
>     some fairly large financial institutions and sincerely I think you
>     are all overreacting to this thing.
>     Yes if you open-source something you will get part of your
>     software stolen , changed or used in a way you were not expecting
>     and not given credit for , that's life . If you don't want it ,
>     close the source , resell it , ask for NDA's , etc.
>     In my daily work me and my colleagues use a lot of open source (
>     contrary to the popular belief) , closed source and everything in
>     between and you don't expect a public statement thanking anyone
>     for anything.
>
>     This is the way life works and with open-source this is our
>     current world ( i think the FS Team could even offer a fully
>     custom branded solution) so it could help monetize the project.
>
>     And before you start thinking yes I bought G729 licenses , the FS
>     Book even before it was out and no, too many miles between me and
>     ClueCon , yes I know airplanes exist :D.
>
>     P.S - I also assume that you all as sysadmins once found a problem
>     that a blogger may have solved and on your final report to the
>     administration you didn't write " problem solved by Blogger
>     XXXXXX"....
>
>     And never forget he is just the mailman sometimes the boss wants
>     something ( even if not morally correct ) and you have to do it.
>     But the point raised by Anthony regarding the SDP "freeswitch
>     flag" is important and you be featured on the wiki :)
>
>     Antonio Teixeira
>
>
>
>     On 6/19/13 3:49 PM, Ken Rice wrote:
>>     Ok... Lets look at these...
>>
>>     Branding... I don't want to show people that I'm using F/OSS software for
>>     running my for profit business so I can tell them I'm using either
>>     ${some_comercial_platform} or ${we_developed_this_ourselves}
>>
>>     Security/Security Requirements - Security through obscurity != security...
>>
>>     Client Requirements - That's a new one... Unless client is <see
>>     branding>
>>
>>     Compliance - isn't this the same thing as see security
>>
>>
>>     On 6/19/13 8:44 AM, "Antonio Teixeira"<eagle.antonio at gmail.com>  <mailto:eagle.antonio at gmail.com>  wrote:
>>
>>>     I could think of
>>>
>>>     Branding
>>>     Security
>>>     Client Requirements
>>>     Security Requirements
>>>     Compliance
>>>
>>>
>>>     On 6/19/13 2:37 PM, Michael Jerris wrote:
>>>>     Why would you want to do that?
>>>>
>>>>     On Jun 19, 2013, at 9:28 AM, Abdullah<abdullah at smonte.com>  <mailto:abdullah at smonte.com>  wrote:
>>>>
>>>>>     HI ALL ,
>>>>>
>>>>>     please help me ,how to change or remove o=*"FreeSWITCH"* in free switch Cli
>>>>>     Log .
>>>>>
>>>>>     any idea ??
>>>>>
>>>>>
>>>>>
>>>>>     o=FreeSWITCH 1369449071 1369449072 IN IP4 10.10.50.1
>>>>>         s=FreeSWITCH
>>>>>         c=IN IP4 10.10.50.1
>>>>     _________________________________________________________________________
>>>>     Professional FreeSWITCH Consulting Services:
>>>>     consulting at freeswitch.org  <mailto:consulting at freeswitch.org>
>>>>     http://www.freeswitchsolutions.com
>>>>
>>>>     
>>>>     
>>>>
>>>>     Official FreeSWITCH Sites
>>>>     http://www.freeswitch.org
>>>>     http://wiki.freeswitch.org
>>>>     http://www.cluecon.com
>>>>
>>>>     FreeSWITCH-users mailing list
>>>>     FreeSWITCH-users at lists.freeswitch.org  <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>>>     http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>     UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>     http://www.freeswitch.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130621/fb56964d/attachment-0001.html 
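
Added example, not part of the original thread or of FreeSWITCH: a small audit that parses an SDP body the way RFC 4566 lays it out and reports which fields name the product, so you can check what your own offers disclose before and after rebranding. The sample body reuses the three lines quoted in the thread; the v=, t= and m= lines and the watch list are constructed assumptions.

```python
# Constructed sample: o=, s= and c= are the lines quoted in the thread;
# v=, t= and m= are added here so the body is a complete description.
SAMPLE_SDP = """v=0
o=FreeSWITCH 1369449071 1369449072 IN IP4 10.10.50.1
s=FreeSWITCH
c=IN IP4 10.10.50.1
t=0 0
m=audio 16384 RTP/AVP 0
"""

# Assumed watch list (the two products named in the thread); extend as needed.
PRODUCT_TOKENS = ("freeswitch", "asterisk")

# RFC 4566: o=<username> <sess-id> <sess-version> <nettype> <addrtype> <address>
ORIGIN_FIELDS = ("username", "sess_id", "sess_version",
                 "nettype", "addrtype", "address")

def names_product(text):
    """True if the text contains any watched product name, case-insensitively."""
    lowered = text.lower()
    return any(token in lowered for token in PRODUCT_TOKENS)

def parse_origin(value):
    """Split the value of an o= line into its six named fields."""
    fields = value.split()
    if len(fields) != len(ORIGIN_FIELDS):
        raise ValueError("o= needs 6 fields, got %d" % len(fields))
    return dict(zip(ORIGIN_FIELDS, fields))

def audit_sdp(sdp):
    """Return (line type, field, value) for every field that names a product."""
    findings = []
    for raw in sdp.splitlines():
        line = raw.strip()              # tolerate indented or CRLF-terminated lines
        if len(line) < 2 or line[1] != "=":
            continue                    # not a <type>=<value> line
        kind, value = line[0], line[2:]
        if kind == "o":
            username = parse_origin(value)["username"]
            if names_product(username):
                findings.append(("o", "username", username))
        elif kind == "s" and names_product(value):
            findings.append(("s", "session-name", value))
        elif kind == "a" and value.startswith("tool:") and names_product(value):
            findings.append(("a", "tool", value[len("tool:"):]))
    return findings

if __name__ == "__main__":
    for finding in audit_sdp(SAMPLE_SDP):
        print(finding)
```

An empty result only means the banner fields are clean; it says nothing about the behavioural fingerprinting Steven describes.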