Why do I care if others can determine my computer's uptime?

1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User

Welcome to IWETHEY!

Post #392,778 by mvitale 8/4/14 10:42:16 AM Reply	Why do I care if others can determine my computer's uptime? So based on the discussion in this thread, I've installed OpenVAS and used it to scan my servers. I've fixed the major issues it found (turned off a bunch of "weak" SSL ciphers that are enabled by default in Apache), the only remaining issue is: Summary The remote host implements TCP timestamps and therefore allows to compute the uptime. I've looked into this, and the fix for this is to run some `sysctl` command, but it seems that doing so might slow down the server when it's under load. But seriously: why do I care if my server's uptime can be computed? What's the security risk here? -Mike @MikeVitale42 "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 Historical Review of Pennsylvania
Post #392,780 by malraux 8/4/14 11:19:53 AM Reply	How old is your kernel? Regards, -scott Welcome to Rivendell, Mr. Anderson.
Post #392,781 by mvitale 8/4/14 11:45:02 AM Reply	Ubuntu 14.04 LTS, kept up to date. -Mike @MikeVitale42 "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 Historical Review of Pennsylvania
Post #392,786 by malraux 8/4/14 1:25:01 PM Reply	No, that's the point: they can tell from your uptime. If your uptime is over a year, for example, that tells someone that your kernel is at least that old. Regards, -scott Welcome to Rivendell, Mr. Anderson.
Post #392,787 by mvitale 8/4/14 1:29:06 PM Reply	Ah. Sly. -Mike @MikeVitale42 "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 Historical Review of Pennsylvania
Post #392,788 by folkert 8/4/14 1:54:41 PM Reply	Actually... If using some workarounds and kexec... can be spoofed. Many time even then, it is required. "Detecting" uptime is a black craft... and it doesn't work most times. -- greg@gregfolkert.net "No snowflake in an avalanche ever feels responsible." --Stanislaw Jerzy Lec
Post #392,785 by folkert 8/4/14 1:18:11 PM Reply	Meh Who cares. Look at the CVSS score attached to it. -- greg@gregfolkert.net "No snowflake in an avalanche ever feels responsible." --Stanislaw Jerzy Lec

Why do I care if others can determine my computer's uptime? - (mvitale) - (6) - Aug. 4, 2014, 10:42:16 AM EDT

How old is your kernel? -NT - (malraux) - (4) - Aug. 4, 2014, 11:19:53 AM EDT

Ubuntu 14.04 LTS, kept up to date. -NT - (mvitale) - (3) - Aug. 4, 2014, 11:45:02 AM EDT

No, that's the point: they can tell from your uptime. - (malraux) - (2) - Aug. 4, 2014, 01:25:01 PM EDT

Ah. Sly. -NT - (mvitale) - Aug. 4, 2014, 01:29:06 PM EDT

Actually... - (folkert) - Aug. 4, 2014, 01:54:41 PM EDT

Meh - (folkert) - Aug. 4, 2014, 01:18:11 PM EDT

iwethey.org

My Mom, who is vacationing in Aruba...
81 ms