The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Thursday, September 25, 2008


I swear, I want to take a clue-by-four to some of these so-called “computer network security consultants.”

One of our clients just received an audit from these people, and just like the last time (although last time it was some other company) this audit report is just inane, if not shorter (thankfully).

For instance, this lovely bit (not the full table):

Attackers use a port scan to find out what programs are running on your computer. Most programs have known security weaknesses. Disable any unnecessary programs listed below.
Protocol Port Program Status Summary
ICMP Ping   Accepting Your computer is answering ping requests. Hackers use Ping to scan the Internet to see if computers will answer. If your computer answers then a hacker will know your computer exists and your computer could become a hacker target. You should install a firewall or turn off Ping requests.


Hackers can use ping to target my computer?




I'm calming down now.

And to be fair, it may be that these so called “computer network security consultants” had no idea what the computer was tasked to do and erred on the side of Armageddon.

But generally, I feel such reports are, at best, worthless and at worst, scaremongering tactics to extract a lot of money (link picked at random) for what you get, which is nothing more than a list of open ports that may “help a hacker to gather information about what is running on this machine and what kind of machine you have.” Have these people not heard that security through obscurity doesn't work? That if I have to hide what I'm actually using I've already lost? That a false sense of security is bad because you're deluding yourself that you are safe?


In fact, the entire report can be boiled down to:

We found a computer at this IP address. This is bad because then “hackers” can break into the computer and do bad “hacker” things. Cut the network cable, yank the power cord, smash the computer to bits, embed in concrete, dump into the middle of the Pacific ocean, and nuke the site from orbit, just to make sure everything is secure.

“I'm refusing to run this program and you don't like it!”

And while I'm on the subject of security through annoyances, if you ever find yourself trying to use FastCGI under Apache using suEXEC, keep in mind that suEXEC is very fussy and won't run any program unless it passes a 20 point inspection test.

Obligatory Picture

[The future's so bright, I gotta wear shades]

Obligatory Contact Info

Obligatory Feeds

Obligatory Links

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site:, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2023 by Sean Conner. All Rights Reserved.