Copyright notice

Started by Pierre99, March 07, 2011, 04:26:26 PM


Pierre99

I am evaluating SMF.

Do we need to put the entire line "Powered by SMF 1.1.13 | SMF © 2006-2011, Simple Machines LLC"? Or is it enough to put only "SMF © 2006-2011, Simple Machines LLC"?

Displaying the version "Powered by SMF 1.1.13" is an insecure practice.

Thanks



Arantor

The licence must be left in its entirety. The only thing you can do is use the Hide Version mod, but I can tell you that it makes no difference. I regularly see hack attempts for older versions, not to mention many more attempts for software not even on my server.
Holder of controversial views, all of which my own.


Matthew K.

Hey there, and welcome to SMF!

As Arantor has already clearly stated, you are not allowed to modify or remove any of the copyright, except for modifying $forum_version = ''; in index.php.

Pierre99


Kindred

Quote from: Pierre99 on March 07, 2011, 04:26:26 PM
Displaying the version "Powered by SMF 1.1.13" is an insecure practice.


And BTW, it's not insecure, really... There are 18 dozen different ways to determine which forum software a site uses that don't involve the copyright statement... and even then, most script kiddie attacks don't care. They try everything. I've logged attacks for phpBB, Joomla, and WordPress, even though my site runs none of those.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

SleePy

Kindred is correct. The powered-by line has very little to do with being targeted nowadays. Bots just go around to any site they please and try everything. The number of attacks we get here would put you in awe (and there are much bigger sites out there than this).
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Pierre99

It's your opinion and your product.

But the version helps to build a targets database... and when new vulnerabilities are discovered, you can be the first to be attacked without a big effort!... Forget the dozen ways... they go after the easy way...



Matthew K.

What we're trying to say is, hiding the version & product name isn't going to do anything to prevent hackers.
Quote from: Pierre99 on March 07, 2011, 07:30:05 PM
It's your opinion and your product.

But the version helps to build a targets database... and when new vulnerabilities are discovered, you can be the first to be attacked without a big effort!... Forget the dozen ways... they go after the easy way...




live627

Hah... the easy way is to simply try everything.

Arantor

No, they just use whatever they have to hand, because it's actually now at the point where it's quicker to just throw everything at it than it is to be selective about what you use.

In SMF's case, as the recent attacks proved, they weren't going after it by version anyway; they were going after SMF based solely on 'Powered by SMF'. I know this because I had sites not hit by it at all because of (borderline) manipulation of the copyright line. But I still see at least 50 hits PER DAY on phpMyAdmin, Joomla and phpBB vulnerabilities, and none of those have been on my server since I've had it, which is now 5 years.

Quote from: live627 on March 07, 2011, 07:37:52 PM
Hah... the easy way is to simply try everything.

IOW, why bother searching for the page, then the version number, which can and has been faked in the past, when you can just throw everything at it; far better to try 50 possible vulnerabilities than limit it to ones you 'think' will work. Attacker computing power is colossal, and trying 50 sites per second with dozens of vectors vs 100 more specifically targeted sites, they'll take 50/second.
Holder of controversial views, all of which my own.
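Kindred and Arantor both say the same thing from their own logs: probes for phpBB, Joomla, WordPress and phpMyAdmin arrive regardless of what the server actually runs. The script below is an added example for checking that claim against your own access log; it is not code from the thread or from the SMF project. It parses Apache combined-format lines, flags requests for paths that belong to products which are not installed on the (SMF-only) server, and groups them by source address, so that one address hitting several foreign products within seconds shows up as the "throw everything at it" pattern being described. The log lines and the `FOREIGN_PATHS` table are constructed for the example; the table is a hypothetical starting point and should list whatever is *not* installed locally.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Apache "combined" log lines (not real traffic). The server
# in this scenario runs only SMF, so every WordPress/Joomla/phpMyAdmin/phpBB
# path requested here is a probe for software that is not installed.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Mar/2011:16:30:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [07/Mar/2011:16:30:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [07/Mar/2011:16:30:02 +0000] "GET /administrator/index.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [07/Mar/2011:16:30:03 +0000] "GET /ucp.php?mode=login HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.9 - - [07/Mar/2011:16:31:10 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Mar/2011:16:31:15 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [07/Mar/2011:16:32:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 209 "-" "python-requests/2.0"
garbage line that does not parse
"""

# Apache combined format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Hypothetical signature table: URL prefixes characteristic of products this
# server does not run. Extend it with whatever is NOT installed locally.
FOREIGN_PATHS = {
    "wordpress": ("/wp-login.php", "/wp-admin/", "/xmlrpc.php"),
    "joomla": ("/administrator/",),
    "phpmyadmin": ("/phpmyadmin/", "/phpMyAdmin/", "/pma/"),
    "phpbb": ("/ucp.php", "/viewtopic.php"),
}


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify_path(path):
    """Return the foreign product whose path signature matches, or None for local traffic."""
    bare = path.split("?", 1)[0]  # ignore the query string
    for product, prefixes in FOREIGN_PATHS.items():
        if any(bare.startswith(p) for p in prefixes):
            return product
    return None


def count_probes(log_text):
    """Return (parsed_lines, probe_lines): how much of the traffic is foreign-product probing."""
    parsed = probes = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if classify_path(rec["path"]) is not None:
            probes += 1
    return parsed, probes


def summarize(log_text, min_products=2):
    """Report source IPs that probed paths for at least `min_products` distinct
    products not installed here. Several products from one IP within a short
    span is the spray-everything behaviour the thread describes."""
    per_ip = defaultdict(lambda: {"products": set(), "hits": 0,
                                  "first": None, "last": None, "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        product = classify_path(rec["path"])
        if product is None:
            continue
        e = per_ip[rec["ip"]]
        e["products"].add(product)
        e["hits"] += 1
        e["statuses"].add(rec["status"])
        e["first"] = rec["ts"] if e["first"] is None else min(e["first"], rec["ts"])
        e["last"] = rec["ts"] if e["last"] is None else max(e["last"], rec["ts"])
    report = {}
    for ip, e in per_ip.items():
        if len(e["products"]) < min_products:
            continue
        report[ip] = {
            "products": sorted(e["products"]),
            "hits": e["hits"],
            "span_seconds": int((e["last"] - e["first"]).total_seconds()),
            # every probe answered 404: the scanner never checked what runs here
            "all_not_found": e["statuses"] == {404},
        }
    return report


if __name__ == "__main__":
    parsed, probes = count_probes(SAMPLE_LOG)
    print(f"{probes} of {parsed} requests probed software that is not installed")
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real log with `summarize(open("access.log").read())`. The `all_not_found` flag is the useful signal for this thread's argument: a scanner that checked the copyright line or the version first would not keep requesting WordPress and Joomla paths from a server that answers 404 to all of them.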


SleePy

Version numbers are useless. I could change our version number here in under a few seconds and make it say anything. That doesn't mean we are running that version. So if your words are true, I could stop our site from being in a target database by just changing my version.
Powered By searches are worthless, as they can easily say anything or be altered to say anything. Attackers use URLs and other bits of information unique to each software if they wish to target them directly. Version targeting is not done for the purpose I mention above.
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Arantor

Yup, they are useless. But there are Powered by SMF searches going on, which is how the recent attacks found their victims, but it wasn't version specific ;)
Holder of controversial views, all of which my own.


SleePy

I could easily use Google to find SMF sites with a much better search than Powered by SMF ;). Also, any site that mentions those three words may get caught in the search unless the attack actually searched with quotes, and even then it's still possible that sites which mentioned them might get in the results.
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Arantor

Yeah, but people like you and I know SMF better than most of the miscreants out there trying to abuse our installations... ;)
Holder of controversial views, all of which my own.


SleePy

I wouldn't doubt that an attacker may be smart enough to use a proper search :D I could get similar ones for other software. I just need to use them for a little bit to learn about them.
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

青山 素子

Quote from: Pierre99 on March 07, 2011, 07:30:05 PM
But the version helps to build a targets database... and when new vulnerabilities are discovered, you can be the first to be attacked without a big effort!... Forget the dozen ways... they go after the easy way...

The easy way is to just throw anything at the wall (website) and see if it sticks (hack works). It's cheaper in terms of processing power to just try everything. Using pre-built "databases" is troublesome because sites can change, URLs can change, and upgrades can occur. When I see attempts against ASP-only products on my Linux-powered Apache HTTPd server, it's kinda obvious that they don't check.

Heck, this was addressed all the way back in September 2009 by the WordPress folks:

Quote
Whenever a worm makes the rounds, everyone becomes a security expert and peddles one of three types of advice: snake oil, Club solutions, or real solutions. Snake oil you'll be able to spot right away because it's easy. Hide the WordPress version, they say, and you'll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just tests capabilities, version number be damned.

From: http://wordpress.org/news/2009/09/keep-wordpress-secure/

Still, if you want to try the snake oil, there is a modification that works safely, specifically for hiding the version from the public. It still shows the version to administrators so the package manager works properly. Also, need I mention that even if the full copyright line is hidden, it's still fairly easy to find an SMF-powered site? A few search queries can fairly trivially pull up tons of results without even needing the text in the copyright line.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.

