As an Evil Firewall Administratorâ„¢, I have an interest in this area ... On Fri, 4 Oct 2019 15:05:29 -0700, William Herrin <bill@herrin.us> may have written:
On Thu, Oct 3, 2019 at 2:28 PM Keith Medcalf <kmedcalf@dessus.com> wrote
Anyone who says something like that is not a "security geek". They are a "security poser", interested primarily in "security by obscurity" and "security theatre", and have no clue what they are talking about.
Hmm ... 'primarily in "security by obscurity"' ... that does tend to indicate a severe case of cluelessness (and that's coming from someone who doesn't let his right hand know what his left hand is up to without justification that has been signed off in triplicate). To give a real world example, removing headers from an Apache web server doesn't do much to increase security (it's mostly to keep auditors happy) because automated attacks will hit your exposed Apache servers anyway, and a sophisticated attacker will note the removal and adopt the strategy of an automated attack.
more important information you'd like to deny to him. There's a 5-step process used by the U.S. Military but the TL;DR version is: if you don't have to reveal something, don't.
You've ignored step 1 - identifying critical information that needs protecting. It makes sense to protect information that needs protecting and don't lose sleep over information that doesn't need protecting. Not many of us are planning an invasion of a Nazi-infected Europe any time soon. -- Mike Meredith, University of Portsmouth Hostmaster, Security, and Chief Systems Engineer