
    Are CMS Detectors Legal?

    • masterarts

      There are many CMS detector tools that help detect the CMS of a website. The theme and plugins as well. But recently someone said that if we can find all this easily with tools then this is a security problem. Is this really a security problem?

      • stacksofplates

        I use BuiltWith a lot. I don't think it's a security issue at all. A lot of times you can figure a lot out just from using developer tools on Chrome.

        • coliver

          This is basically the security through obscurity argument. If knowing the CMS you are running is a security issue you should probably be using a different CMS that doesn't have the easy to access vulnerabilities.

          • masterarts @stacksofplates

            @stacksofplates Yes I agree with you. Thanks for sharing your thoughts mate.

            • scottalanmiller

              Often CMS advertise what they are, as do plugins and themes. If detecting is illegal, then one could argue that reading a "powered by..." line is also illegal. At which point, just visiting websites would be illegal.

              • masterarts @coliver

                @coliver You are correct. And WordPress is an open source platform and such things are not a security matter.

                • masterarts @scottalanmiller

                  @scottalanmiller Wow! Very well said Scott. You put the final nail in the coffin 🔨

                  • coliver @masterarts

                    @masterarts said in Are CMS Detectors Legal?:

                    @coliver You are correct. And WordPress is an open source platform and such things are not a security matter.

                    Wait what? How do you equate open source with no security? Or that they don't care about security? Many of the largest security applications in the world are FOSS based or use some significant FOSS components.

                    • masterarts @coliver

                      @coliver May I see some examples of such security applications FOSS based?

                      • scottalanmiller @masterarts

                        @masterarts said in Are CMS Detectors Legal?:

                        @coliver May I see some examples of such security applications FOSS based?

                        Nessus, AlienVault, pretty much all pen testing tools. Security and open source go hand in hand. Closed source is, itself, a security problem as it is an attempt to use obscurity for security, the antithesis of security.

                        • stacksofplates @scottalanmiller

                          @scottalanmiller said in Are CMS Detectors Legal?:

                          @masterarts said in Are CMS Detectors Legal?:

                          @coliver May I see some examples of such security applications FOSS based?

                          Nessus, AlienVault, pretty much all pen testing tools. Security and open source go hand in hand. Closed source is, itself, a security problem as it is an attempt to use obscurity for security, the antithesis of security.

                          Nessus is closed now, but OpenVAS is another popular one (and I think a fork of Nessus?).

                          • scottalanmiller @stacksofplates

                            @stacksofplates said in Are CMS Detectors Legal?:

                            @scottalanmiller said in Are CMS Detectors Legal?:

                            @masterarts said in Are CMS Detectors Legal?:

                            @coliver May I see some examples of such security applications FOSS based?

                            Nessus, AlienVault, pretty much all pen testing tools. Security and open source go hand in hand. Closed source is, itself, a security problem as it is an attempt to use obscurity for security, the antithesis of security.

                            Nessus is closed now, but OpenVAS is another popular one (and I think a fork of Nessus?).

                            Then Nessus is dead to me 😉

                            • FiyaFly @scottalanmiller

                              @scottalanmiller said in Are CMS Detectors Legal?:

                              Nessus

                              Via SlashDot:
                              Posted by CmdrTaco on Thursday October 06, 2005 @04:02PM from the say-it-ain't-so dept.
                              JBOD writes
                              "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because its competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL."
                              Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.

                              Apparently you're 11 years behind on that news, Scott.

                              • scottalanmiller @FiyaFly

                                @FiyaFly said in Are CMS Detectors Legal?:

                                @scottalanmiller said in Are CMS Detectors Legal?:

                                Nessus

                                Via SlashDot:
                                Posted by CmdrTaco on Thursday October 06, 2005 @04:02PM from the say-it-ain't-so dept.
                                JBOD writes
                                "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because its competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL."
                                Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.

                                Apparently you're 11 years behind on that news, Scott.

                                It's been a LONG time since I looked at it.

                                • stacksofplates

                                  We use it. It seems fine so far.

                                  • masterarts @scottalanmiller

                                    @scottalanmiller Yeah Nessus is dead.

                                    • IRJ

                                      It's not illegal to scope a home to break into from the sidewalk. That is basically how the law works with scanning. You can scan all day long, and on the security side it is not uncommon to see scans hitting your DMZ constantly. I see Nmap scans running all day. You also will see OpenVAS and web scanners hitting your DMZ all day.

                                      • IRJ

                                        OpenVAS is a great tool, but the GUI is one of the worst I have seen.

                                        • stacksofplates @IRJ

                                          @IRJ said in Are CMS Detectors Legal?:

                                          OpenVAS is a great tool, but the GUI is one of the worst I have seen.

                                          Ya. What's with the lady in the scan area? The reports are also not great.

                                          • IRJ @stacksofplates

                                            @stacksofplates said in Are CMS Detectors Legal?:

                                            @IRJ said in Are CMS Detectors Legal?:

                                            OpenVAS is a great tool, but the GUI is one of the worst I have seen.

                                            Ya. What's with the lady in the scan area? The reports are also not great.

                                            Yeah she really annoys me. She has to be the most annoying thing about the GUI. The reports have good information but the format isn't great. They aren't well organized and they don't have pretty images.
