lua-l archive



On May 29, 2014, at 3:45 PM, Coroutines <coroutines@gmail.com> wrote:

> On Thu, May 29, 2014 at 1:07 PM, Sean Conner <sean@conman.org> wrote:
> 
>>  Yeah, I wrote the same type of program [2]---the only difference is I
>> don't like "security through obscurity."  And because of that, I don't care
>> if you see what paths Lua is looking through [3].  How will knowing that
>> help a cracker get into my system?  And if they want to get into my system
>> bad enough, *no* amount of security will help [4].
> 
> Well I don't agree there... *proving* a security system with obscurity
> is bad; everyone agrees there.  I wouldn't count hiding paths as
> obscurity though.  I use obscurity on my webserver to make it look
> like an Apache setup rather than an nginx setup; that would be
> obscurity.  Hiding paths is just hiding unnecessary details -- they
> don't outright give away insecurities, but from them you can infer
> certain characteristics about the host.  (You can usually be sure
> something is Apache if you see ~user in the path, for example.)  Other
> well-known paths might give away the distribution of Linux, and
> therein the big insecurities that system is currently suffering from
> and might not be patched for.  I agree that we should stay attentive
> and guard where we can -- but giving away information unnecessarily is
> always a bad idea (imo).

There are a number of methods to determine the type of operating system without ever touching a server process, for example TCP/IP stack fingerprinting [1]. Masquerading your nginx server as Apache really does nothing to secure your installation if the person attacking knows what they are doing.

~pmd

[1] http://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting
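To make the fingerprinting point concrete, here is an added example (not code from this thread or from the lua-users project) of passive OS fingerprinting in the style of p0f: it parses the IPv4 and TCP headers of an inbound SYN and classifies the sender by initial TTL, the DF bit and the order of TCP options, none of which an HTTP "Server:" header can change. The signature table is an assumed, deliberately simplified approximation of commonly documented stack defaults, not an authoritative database, and the two SYN packets are constructed in the code for the demonstration.

```python
"""Passive OS fingerprinting from a TCP SYN, in the spirit of p0f.

Added example, not code from the lua-l thread.  The signature table below
is a small, simplified approximation of widely documented stack defaults
(initial TTL, DF bit, TCP option order) and is NOT an authoritative database.
"""
import struct

# Illustrative signatures (assumed/simplified), keyed by a loose family name.
SIGNATURES = {
    "Linux-like":   {"ttl": 64,  "df": True,
                     "opts": ("mss", "sackok", "ts", "nop", "ws")},
    "Windows-like": {"ttl": 128, "df": True,
                     "opts": ("mss", "nop", "ws", "nop", "nop", "sackok")},
    "FreeBSD-like": {"ttl": 64,  "df": True,
                     "opts": ("mss", "nop", "ws", "sackok", "ts")},
}

OPTION_NAMES = {2: "mss", 3: "ws", 4: "sackok", 8: "ts"}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value,
    undoing the decrement applied by each router hop on the way in."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def parse_syn(packet):
    """Extract fingerprint-relevant fields from a raw IPv4+TCP SYN."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not TCP")
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:          # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, mss, i = [], None, 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP padding is part of the fingerprint
            opts.append("nop")
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                   # malformed option: stop, don't loop forever
            break
        if kind == 2:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        opts.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += length
    return {"ttl": packet[8], "initial_ttl": initial_ttl(packet[8]),
            "df": df, "window": window, "mss": mss, "opts": tuple(opts)}


def guess_os(fp):
    """Return the first signature whose TTL, DF bit and option order match."""
    for name, sig in SIGNATURES.items():
        if (sig["ttl"], sig["df"], sig["opts"]) == (fp["initial_ttl"], fp["df"], fp["opts"]):
            return name
    return "unknown"


def build_syn(ttl, df, window, options):
    """Construct a minimal IPv4/TCP SYN for testing (checksums left zero)."""
    options += b"\x00" * (-len(options) % 4)
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (tcp_len // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp


# Constructed sample SYNs: TTLs of 52 and 115 simulate 12 and 13 router hops.
LINUX_SYN = build_syn(52, True, 29200,
    b"\x02\x04\x05\xb4" +            # MSS 1460
    b"\x04\x02" +                    # SACK permitted
    b"\x08\x0a" + b"\x00" * 8 +      # timestamps
    b"\x01" +                        # NOP
    b"\x03\x03\x07")                 # window scale 7
WINDOWS_SYN = build_syn(115, True, 64240,
    b"\x02\x04\x05\xb4" +            # MSS 1460
    b"\x01" +                        # NOP
    b"\x03\x03\x08" +                # window scale 8
    b"\x01\x01" +                    # NOP, NOP
    b"\x04\x02")                     # SACK permitted

if __name__ == "__main__":
    for label, pkt in (("sample 1", LINUX_SYN), ("sample 2", WINDOWS_SYN)):
        fp = parse_syn(pkt)
        print(label, fp["initial_ttl"], fp["opts"], "->", guess_os(fp))
```

The fields used here are set by the kernel's TCP/IP stack before any user-space server is involved, so a nginx instance answering "Server: Apache" still sends SYN/ACKs whose TTL, DF bit and option layout reflect the real operating system. Real tools add more signals (window size in units of MSS, IP ID behaviour, quirks) and maintain much larger signature sets; this block only shows the mechanism.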