PerlMonks  

Re: Does fatalsToBrowser give too much information to a cracker?

by Juerd (Abbot)
on Apr 10, 2002 at 11:53 UTC (#158002=note)


in reply to Does fatalsToBrowser give too much information to a cracker?

Whenever you have something that can output, think not about if it's good or bad THAT it outputs, but think about WHAT it can output, and how that might help a cracker.

Apache sends its version number on every request, by default. This allows crackers to use an exploit without any further computer knowledge.

I'm convinced my source is safe. UPDATE - You may stop commenting on this now. Of course no code is flawless. I just think a cracker gains nothing by knowing pieces of my code, and thus think it's safe to report errors to the user. If it weren't about commercial stuff and copyright, I'd give it to you, saying how proud I am that the source code is completely useless to you. Not because of its bad style (or in the case of juerd.nl, maybe so), but because I'm sure you can't abuse the paths or SQL statements.

When programming for the web, Perl isn't the only method of keeping information safe. *NIX file permissions are way more important, and Apache's methods of disallowing people from viewing contents, and database servers' techniques for not allowing remote connections are.

Yes, when you're a beginner, better hide your source and debugging information until you're convinced it's safe.

U28geW91IGNhbiBhbGwgcm90MTMgY
W5kIHBhY2soKS4gQnV0IGRvIHlvdS
ByZWNvZ25pc2UgQmFzZTY0IHdoZW4
geW91IHNlZSBpdD8gIC0tIEp1ZXJk

Re: Re: Does fatalsToBrowser give too much information to a cracker?
by Biker (Priest) on Apr 10, 2002 at 12:33 UTC

    "I'm convinced my source is safe."

    Maybe it makes me a beginner, but I'm not yet convinced my code is safe. Just as well as I'm not convinced my code is free from bugs.

    I keep on looking for bugs and security holes in my code, and in my software design, even after it's been put in production. And yes, sometimes I do find things that require an urgent correction.

    If that makes me a beginner, so be it.


    Everything went worng, just as foreseen.

Re: Re: Does fatalsToBrowser give too much information to a cracker?
by Rhose (Priest) on Apr 10, 2002 at 13:57 UTC

    "I'm convinced my source is safe."

    Then you really don't even need an exception handler, do you? *Smiles*

    The fact that an exception handler is triggered indicates that the software was caused to behave in a way which is not within normal bounds. While I can appreciate your point of view as someone who would like to help me fix the problem, there are just as many (or even more) people who would like to see how they can abuse this newfound "feature" to compromise my system. What you call debugging detail, the other half calls a roadmap.

    I bet the developers of the first TCP/IP stacks (with predictable sequence numbers) thought their source was safe... until Kevin Mitnick abused it. I bet the developers of ICMP error messaging never thought it would be used to recon systems. I have to assume that the person on the other side of my system is smarter than me, more clever than me, and would like to compromise my security.

    Update for Juerd

    "And exactly how did he abuse TCP/IP?"

    The Mitnick attack was based on predicting sequence numbers... this is why most current TCP/IP stacks use non-predictable sequences.

      Then you really don't even need an exception handler, do you? *Smiles*

      Well, I do. Errors are often caused by external problems, like exceeded disk quotas, connection errors etc. Or null bytes inserted in my source with terrible hard disk crashes.

      until Kevin Mitnick abused it.

      And exactly how did he abuse TCP/IP? The same way criminals abuse roads to get away? Or are you one of the many people who just blame this Mitnick guy for everything that is a crack?

      I bet the developers of ICMP error messaging never thought it would be used to recon systems.

      It's not the protocol that lets people abuse, it's the implementation. That's because it's very simple to make mistakes in lower level languages (hence Perl's huge number of bugs :)

      I have to assume that the person on the other side of my system is smarter than me, more clever than me, and would like to compromise my security.

      Even if he is and would, how could error messages help crack a well written Perl program?

      U28geW91IGNhbiBhbGwgcm90MTMgY
      W5kIHBhY2soKS4gQnV0IGRvIHlvdS
      ByZWNvZ25pc2UgQmFzZTY0IHdoZW4
      geW91IHNlZSBpdD8gIC0tIEp1ZXJk
      
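Juerd's advice to think about WHAT an error can output, and Rhose's point that the default output reads as a roadmap, can be reconciled in code. The following is an added example, not code posted by anyone in this thread: it keeps CGI::Carp's fatalsToBrowser but uses its set_message() hook so the full die() text (path, line number, failing SQL) goes to the server's error log while the browser only gets a generic page and a reference id. The database path and the CGI_DEBUG environment variable are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Keeps the fatalsToBrowser
# convenience but decides WHAT reaches the client: full detail to the
# error log, a generic message plus a reference id to the browser.
use strict;
use warnings;
use CGI::Carp qw(fatalsToBrowser set_message);
use DBI;

BEGIN {
    # Without set_message, fatalsToBrowser prints the raw die() text, e.g.
    #   DBD::SQLite::db selectrow_array failed: no such table: orders
    #   at /var/www/cgi-bin/order.cgi line 36.
    # i.e. a server path, a line number and often the failing SQL.
    set_message(sub {
        my ($msg) = @_;
        my $ref = sprintf '%x-%x', time, $$;   # lets a user cite the incident
        warn "[$ref] $msg";                     # STDERR -> Apache error_log
        if ($ENV{CGI_DEBUG}) {                  # assumed env var, dev hosts only
            # HTML-escape before echoing the detail back to the developer
            (my $safe = $msg) =~ s/([<>&"])/sprintf '&#%d;', ord $1/ge;
            print "<h1>Software error</h1><pre>$safe</pre>\n";
        } else {
            print "<h1>Something went wrong</h1>\n",
                  "<p>The problem has been logged (reference $ref).</p>\n";
        }
    });
}

# Do the risky work before sending any output, so the error page is the
# only thing the client sees when something dies.
my ($id) = ($ENV{QUERY_STRING} // '') =~ /^id=(\d+)$/
    or die "malformed query string";
# Hypothetical database path; connect() dying is one way to trigger the handler.
my $dbh = DBI->connect('dbi:SQLite:dbname=/var/www/data/orders.db', '', '',
                       { RaiseError => 1, PrintError => 0 });
my ($total) = $dbh->selectrow_array(
    'SELECT total FROM orders WHERE id = ?', undef, $id);

print "Content-type: text/html\n\n";
print "<p>Order $id total: ", defined $total ? $total : 'not found', "</p>\n";
```

The reference id appears in both the error_log line and the page, so a user report can be matched to the logged detail without that detail ever leaving the server.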

Re: Re: Does fatalsToBrowser give too much information to a cracker?
by tachyon (Chancellor) on Apr 10, 2002 at 15:12 UTC

    I'm convinced my source is safe.

    Well, that must make you the only programmer in the world who has thought of every angle. Even with open source code with many years of use and review, vulnerabilities still crop up.

    There are many cliches but perhaps "Pride cometh before the fall" is the most appropriate.

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Re: Re: Does fatalsToBrowser give too much information to a cracker?
by Anonymous Monk on Apr 10, 2002 at 13:14 UTC

    Like the old saying: "Pride precedes a fall". I'd rather prepare for a big push from an unexpected direction. You know it will come.
