lua-l archive

On Thu, May 29, 2014 at 1:07 PM, Sean Conner <sean@conman.org> wrote:

>   Yeah, I wrote the same type of program [2]---the only difference is I
> don't like "security through obscurity."  And because of that, I don't care
> if you see what paths Lua is looking through [3].  How will knowing that
> help a cracker get into my system?  And if they want to get into my system
> bad enough, *no* amount of security will help [4].

Well, I don't agree there... *proving* a security system with obscurity
is bad, everyone agrees there.  I wouldn't count hiding paths as
obscurity, though.  I use obscurity on my webserver to make it look
like an Apache setup rather than an nginx setup; that would be
obscurity.  Hiding paths is just hiding unnecessary details -- they
don't outright give away insecurities, but from them you can infer
certain characteristics about the host.  (You can usually be sure
something is Apache if you see ~user in the path, for example.)  Other
well-known paths might give away the distribution of Linux, and
therein the big insecurities that system is currently suffering from
and might not be patched for.  I agree that we should stay attentive
and guard where we can -- but giving away information unnecessarily is
always a bad idea (imo).