Helping attackers by declaring your defense setup in your signature

[polonus]

Hello all forum members,

It has become more and more custom now in forums to declare your defense setup in your signature. This form of advertising is unwise. You make things a lot easier for an advanced attacker. So they know exactly what you use or do not use. They can then easily analyze your security setup, and act accordingly with the one vulnerability sure to hit YOU. Let them guess at what security your bastion has. Let's not make it too easy for our adversaries.

Yours truly,

polonus

[DavidR]

Sorry I have to disagree, a string of unidentifiable data in a post is just that a string of data.

Your signature doesn't disclose anything that would allow access, they have to know where you are (IP address, which isn't disclosed in your post) to be able to exploit any potential vulnerability of the software you use.

For an IP to be disclosed it would have to be some forum that has been hacked or malicious (and your brain should alert you), so that it can track your IP from arriving at the forums through to posting and or simply using the signature details in the forum set-up.

So I don't feel that I'm in any way vulnerable when I include my signature details in reputable forums. It's getting to be so paranoid about these things that we might as well sell our computers because we are frightened about the consequences of someone attacking us. Life has to go on and using your brain will for the most part keep you well protected.

[polonus]

Hi David,

Well in an ideal world this would be true, but as you say even you leave a remote possibility. But with your bastion I am sure an attacker would not have full admin rights of course. I too think this is not an everyday routine, but there could be additional circumstances (side-contacts) that could make it possible. I read this info in an another security forum, so I just wanted to pass it through. When there is smoke, then there is fire, and people do not make these things up, when it is 100% bogus. Maybe there are people who can relate to this, allthough it is unlikely they  like to admit it. (One case I know about for sure). You know James Bond's famous saying: "Never say never".

greets,

polonus

[DavidR]

I'm not saying this is untrue or impossible, just currently very difficult under normal circumstances, especially when using reputable forums and you can't go around in constant fear otherwise there is little point in using the internet. Security can be taken too far when we become paranoid, we have lost the plot and might as well give it up completely.

Anyone is welcome to try and identify my dynamically assigned IP address on a dial-up ISP connection from an old signature file in a forum. Then they have to get past the security software identified (but not all) in my signature defenses. Not to mention as you rightly say they may not have admin rights to be able to help install something.

[polonus]

Hi DavidR,

I agree with you, that you  perfectly know what you are doing, and I have learned a few things here. But think of all those people that put interesting information in their postings, not hiding computer names, IPs etc. With a HijackThis log we do wonderful things, but there are people with other interests. The only benefit of putting this info in your sig would be that we could help you better if you were compromised, but I think "Illegitimis non carborundum" or leave it in the dark a bit. And imagine what can you do with just a google for.."

polonus

[szc]

I remember I had that animated gif banner in my signature once... and it stated: "...click here to see my underwear..."     

Oh, there it is...



Joke of course... anything is possible... I dare hackers to see my underwear though, but first they have to pass my first line of defense... even better than some lousy firewall... even better than any resident antivirus... ta-da... my precious wifewall     

[bob3160]

I'm even displaying my ugly Mug but no one has yet stolen my identity.
Personally, I can't blame them.
As far as info in signatures, most of that is in code as David mentioned.
If we have to worry about every little move we make,  why not stay in bed.
It's got to be fairly safe there unless you take your laptop to bed with you....

[polonus]

Hi Bob3160,

This is what I found under your bed in 10 sec., and I am a good-willing searcher.
Example deleted.

greets,

polonus

[DavidR]

So what, that doesn't get you into Bob's computer, it doesn't give his IP address for direct attempts. Even using email or other IM, etc. doesn't get over his brain and common sence.

Whilst we are on common sence, I suggest you edit/remove the link as that exposes Bob to spam, etc. but not I think attack.

Posting this link to try to prove a point about vulnerability of signatures is surely playing into the vulnerabilities that you are trying to expose, not too clever.

[polonus]

Hi DavidR,

Message taken. Corrected.

Thanx,

polonus

[szc]

Good point David and perfect answer Polonus... but all that brings us back to the core of the problem. We really shouldn't expose so much information in public forums like this one is... posting your system configuration (basic stuff like those from my banner inside my previous reply) is nothing and can not harm anyone. Even if it can, I dare anyone who is self-proclaimed hacker to attack my system anytime and we will see those results.  How when I haven't posted my IP or some other important info ? Exactly... that's how... DO NOT post your sensitive information people, use common sense, be and act clever.

Also, when we are at this, even Polonus removed that link from his post, I can still find exactly the same post (initial one with link to Bob's profile) simply by browsing and searching for cached pages on Google. Voila... there they are...

Besides, Bob already has his e-mail and Messenger accounts info inside his forum profile... which is not quite clever IMHO... sorry Bob, no hard feelings, but this is easiest way to attract SPAM-ers to your mailbox.

Cheers !

[polonus]

Howdy Sasza,

Yes very good point, my friend First we start out dis-agreeing on this, then finally we have to agree. This is the best conclusion and lesson. The info of course is out on the Net a thousand times, because the digital elephant never forgets, you know.

I thank you for making the final "pointe" to this thread I started. Let us all be friends, and say "Hey just one more thing I have learnt to-day" ,

polonus