./databyte


Don't show your cards - defense in depth

I recently went to visit a popular Ruby and Rails website called the Ruby Toolbox at http://www.ruby-toolbox.com/

On my arrival, I had a friendly “Application Segmentation Fault” message.  Even more useful was the stack trace (I bolded the awesome parts):

/home/slugs/127160_40c7b71_f0a5/mnt/.gems/gems/rails-2.3.5/lib/rails/gem_dependency.rb:119:Warning: Gem::Dependency#version_requirements is deprecated and will be removed on or after August 2010.  Use #requirement
** [NewRelic] New Relic RPM Agent 2.11.2 Initialized: pid = 20162
** [NewRelic] Agent Log found in /disk1/home/slugs/127160_40c7b71_f0a5/mnt/log/newrelic_agent.log
>> Thin web server (v1.2.6 codename Crazy Delicious)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:52877, CTRL+C to stop
** [NewRelic] Connected to NewRelic Service at collector7.newrelic.com:80
/home/slugs/127160_40c7b71_f0a5/mnt/.gems/gems/rails-2.3.5/lib/rails/backtrace_cleaner.rb:25: [BUG] Segmentation fault
ruby 1.8.7 (2009-12-24 patchlevel 248) [x86_64-linux], MBARI 0x6770, Ruby Enterprise Edition 2010.01

Security is about defense in depth.  Not only are you supposed to change your passwords, but you make them hard to guess.  Not only do you check your firewall for open ports, but you make it impossible to have unauthorized applications send packets out.

So needless to say, you pull away a few of those layers when you spit out your folder structure, your internal listening port, your web server name and version, and the versions of the other products you run.  That one error page gave away all of them: absolute filesystem paths, the port the app server binds to, the Thin version, the Rails and New Relic versions, and the exact Ruby build down to the patch level.
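Two things a defender wants here: a way to spot this class of leak in what a server actually sends back, and a way to make sure the client never gets it in the first place.  The script below is an added example, not code from the post or from Heroku or the Ruby Toolbox.  It uses the trace quoted above as its sample input, classifies the internal details found in any text (paths, bind port, server banner, gem and interpreter versions, pid), and wraps an app in a minimal Rack-style middleware that logs the full exception server-side while the client only ever sees a generic message.  The `SafeErrors` class, the `LEAKY_APP` stand-in and the pattern names are all constructed for this example; no rack gem is required because a Rack app is just an object that responds to `call(env)`.

```ruby
require 'logger'
require 'stringio'

# Sample input: the trace quoted in the post, embedded here as test data.
SAMPLE_TRACE = <<~TRACE
  /home/slugs/127160_40c7b71_f0a5/mnt/.gems/gems/rails-2.3.5/lib/rails/gem_dependency.rb:119:Warning: Gem::Dependency#version_requirements is deprecated and will be removed on or after August 2010.  Use #requirement
  ** [NewRelic] New Relic RPM Agent 2.11.2 Initialized: pid = 20162
  ** [NewRelic] Agent Log found in /disk1/home/slugs/127160_40c7b71_f0a5/mnt/log/newrelic_agent.log
  >> Thin web server (v1.2.6 codename Crazy Delicious)
  >> Maximum connections set to 1024
  >> Listening on 0.0.0.0:52877, CTRL+C to stop
  ** [NewRelic] Connected to NewRelic Service at collector7.newrelic.com:80
  /home/slugs/127160_40c7b71_f0a5/mnt/.gems/gems/rails-2.3.5/lib/rails/backtrace_cleaner.rb:25: [BUG] Segmentation fault
  ruby 1.8.7 (2009-12-24 patchlevel 248) [x86_64-linux], MBARI 0x6770, Ruby Enterprise Edition 2010.01
TRACE

# Each pattern names one class of internal detail an error page should never carry.
# (Pattern names are this example's own, not a standard taxonomy.)
LEAK_PATTERNS = {
  filesystem_path: /(?:\/[\w.\-]+){2,}/,                 # absolute paths, e.g. /home/slugs/.../gem_dependency.rb
  listen_port:     /Listening on \S+:\d+/,               # internal bind address and port
  server_banner:   /\w+ web server \(v[\d.]+[^)]*\)/,    # web server name and version
  gem_version:     /\b[a-z_]+-\d+\.\d+(?:\.\d+)?\b/,     # gem name-version pairs, e.g. rails-2.3.5
  runtime_version: /\bruby \d+\.\d+\.\d+ \([^)]*\)/,     # interpreter version and patch level
  pid:             /\bpid = \d+/                         # process id
}.freeze

# Scans any text (an HTTP body, a captured page, a log line) and returns every
# distinct match as { kind:, value: }. No capturing groups, so scan yields strings.
def leaked_internals(text)
  LEAK_PATTERNS.flat_map do |kind, re|
    text.scan(re).uniq.map { |value| { kind: kind, value: value } }
  end
end

# Rack-style middleware (plain Ruby): rescues whatever the app raises, writes the
# full detail to the server-side logger, and answers the client with a body that
# contains none of it.
class SafeErrors
  GENERIC_BODY = "Something went wrong. Please try again later.\n".freeze

  def initialize(app, logger)
    @app = app
    @logger = logger
  end

  def call(env)
    @app.call(env)
  rescue StandardError => e
    @logger.error("#{e.class}: #{e.message}\n#{Array(e.backtrace).join("\n")}")
    [500, { 'content-type' => 'text/plain' }, [GENERIC_BODY]]
  end
end

# Constructed stand-in for an app that fails the way the post's server did,
# putting the whole trace into its error.
LEAKY_APP = lambda do |_env|
  raise "Application Segmentation Fault\n#{SAMPLE_TRACE}"
end

# Runs one request through the wrapped app and returns what the client saw
# and what went to the log, so both sides can be checked.
def handle_request(app = LEAKY_APP)
  log = StringIO.new
  wrapped = SafeErrors.new(app, Logger.new(log))
  status, _headers, body = wrapped.call({})
  { status: status, body: body.join, log: log.string }
end

if $PROGRAM_NAME == __FILE__
  leaked_internals(SAMPLE_TRACE).each { |l| puts "#{l[:kind]}: #{l[:value]}" }
  result = handle_request
  puts "client saw: #{result[:body].strip} (leaks: #{leaked_internals(result[:body]).size})"
  puts "server log holds #{leaked_internals(result[:log]).size} internal details"
end
```

Run it on the post's trace and the scanner flags every class of detail listed above; run it on what `SafeErrors` returns and it finds nothing, while the server-side log still has the full picture for whoever has to debug the crash.  The same scanner is handy as a regression check in a test suite: point it at your error responses and fail the build if it ever returns anything.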

In the case of Heroku, it’s not exactly a secret that they run that flavor of ruby, rails, and web server.  Though I didn’t know it was those exact versions and that they were running REE.  Still, they shouldn’t advertise it.