Bugtraq mailing list archives
Re: TCP Timestamping and Remotely gathering uptime information
From: Saint skullY the Dazed <skully () NETLSD ORG>
Date: Fri, 16 Mar 2001 07:03:41 -0800
On Fri, Mar 16, 2001 at 04:52:47AM +1100, Darren Reed wrote:
> So when do we change things like "uname" such that they no longer report the system "identity" (OS, OS rev) to anyone but root? Why do you think all timestamps should not reveal uptime information? What do you think is at risk here? Are script kiddies going to say "ooh, he's been up for 500 days and he's not linux, lets flood him to death"? Or is there something more fundamental?

I've been asking these questions about kernel patches to hide information that otherwise wouldn't be hidden for quite a while. I still have yet to understand the mentality behind the hiding of information. Yes, I understand there is information that you want to hide from a potential system cracker, but hiding of any and all information you can seems ridiculous and stupid to me. Then again, what do I know? I leave time, finger, and auth open on all my machines. (And I still have yet to have one of my machines be compromised.)

> One potential use of uptime information to an attacker's advantage is in attacking things which use the current time (seconds, microseconds, whatever) as a seed for some sort of thing when they start up at boot time. A server which has a weak PRNG or similar might be at risk, where it otherwise would not, do you think?

I would think that either the daemon using current time as a seed or the system's PRNG should be fixed. Fix the problems, not the symptoms. Hiding the uptime from the remote cracker doesn't make the problem cease to exist, and it certainly doesn't help in the case of a local user. But the original question is a very valid one, IMO. When do you stop hiding information? Do we force every single machine to respond identically, so that there is no chance of ever being able to determine OS type? Do we modify our web servers to stop handing out Server: headers, or to hand out bogus Server: headers? Personally, I'd rather that time was spent fixing real security holes.
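As an added illustration of the seeding risk Darren raises and the fix skullY proposes (example code, not from the thread): a token generator seeded with the boot second sits beside one drawn from the OS CSPRNG, and a helper estimates how little entropy a time-based seed retains once an observer knows the boot time to within some window. The daemon, the token names and the window values are assumptions for the example.

```python
"""Added example: a PRNG seeded with boot time versus the OS CSPRNG."""
import math
import random
import secrets


def weak_token(boot_time_s: int, nbits: int = 64) -> int:
    """Token from a daemon that seeds its PRNG with the second it started.

    This is the pattern discussed in the thread: the seed is the boot time,
    so two daemons started in the same second emit the same token stream,
    and anyone who knows the start second can regenerate it.
    """
    rng = random.Random(boot_time_s)  # deterministic for integer seeds
    return rng.getrandbits(nbits)


def strong_token(nbits: int = 64) -> int:
    """Hardened form: draw from the OS CSPRNG, so there is no seed to know."""
    return secrets.randbits(nbits)


def seed_space_bits(uptime_uncertainty_s: float, resolution_hz: float = 1.0) -> float:
    """Effective entropy (bits) of a time-based seed.

    uptime_uncertainty_s: how closely the boot time is known, in seconds
    (e.g. from a leaked uptime figure).
    resolution_hz: granularity of the clock used as the seed
    (1.0 for whole seconds, 1e6 for microseconds).
    """
    candidates = max(1.0, uptime_uncertainty_s * resolution_hz)
    return math.log2(candidates)


if __name__ == "__main__":
    # Constructed values: a boot second and a one-hour uncertainty window.
    print("weak token  :", hex(weak_token(984_747_821)))
    print("strong token:", hex(strong_token()))
    print("seed bits, boot time known to +/- 1 hour, 1 s clock:",
          round(seed_space_bits(3600), 1))
    print("seed bits, same window, microsecond clock:",
          round(seed_space_bits(3600, 1e6), 1))
```

Even with a microsecond clock, a one-hour window leaves only about 32 bits of seed entropy, far below the 64-bit token the daemon appears to produce; the CSPRNG version has no such shortcut.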