Security Basics mailing list archives

Re: OS to know.


From: Kelly Martin <kel () securityfocus com>
Date: Tue, 18 Oct 2005 20:01:06 -0400

Jonathan Pauli wrote:
> This is some serious Troll Bait put out by curtis I think.

At first glance it might seem to be, but it's really not. All he's saying is that the military systems are using standard software and environments that everyone else is using too, and it's not something ancient and obviously vulnerable like Windows 3.1.1.

> I'm hoping most of the infrastructure Curtis mentioned isn't on the public Internet.

His post is widely available now, just as yours is... this mailing list is mirrored by at least six different websites around the world, in addition to the SecurityFocus site. However, this really isn't an issue because he didn't give anything away - with the minor exception of knowing what kind of firewall they use. When new vulnerabilities come up for that particular model of firewall, knowing where it's installed makes it much easier for a hacker to exploit.

Obscurity isn't good security in itself, but it can still be an extra layer when combined with good security practices. The annoying brute-ssh worm that keeps looking for targets on port 22 is a good example of this... change the port your ssh daemon runs on, and you don't have to comb through your logs looking at all those mindless, failed login attempts. However, this still doesn't let you get away with weak passwords, which are easily discovered when you're being attacked. Just a quick analogy.

Regards,

Kelly Martin

