IETF-SSH archive


Re: When SSH standards noncompliance is a "feature"



>> About the only thing this does is prevent security scanning software
>> from reporting the apparent presence of a vulnerable version.
> Yup, and that's exactly the reason for doing it: You don't need to
> fix a vuln when the scanner can't tell anyone you have it.

Except that, as jhutz@ said, the attackers are going to try the attacks
anyway.  Why bother checking the version when you can just throw the
attack at it?  That catches everyone who's vulnerable, including those
who have the bug but don't appear vulnerable, and the cost (to them) of
doing it is little if any more than the cost of just checking the
version string anyway.

The only exceptions, it seems to me, are those that require something like
guessing a 16- or 24-bit value before they can succeed; while botnet
resources are effectively free from our perspective, they are not so
close to free that _that_ makes sense when just trawling.  That's the
kind of attack you target, not scattershot.

If _I_ were doing trawling, this kind of defense would make me go "ooh,
they think they're vulnerable but are lazy enough to try to hide it
instead of fixing it, let's see if they're right!" and throw all the
attacks at them.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B