Security Through Obsolescence 322

dlur writes "This article and this article (both variations of the same article written by roblimo) delve past security through obscurity, into using old, out of date software to secure a site. Maybe it's not always in your best interest to snag the latest kernel? Perhaps think twice before jumping at the chance to buy MS's latest OS."
  • by Rantastic ( 583764 ) on Thursday June 06, 2002 @05:03PM (#3655021) Journal
    No one can break into my house because I have a moat and a drawbridge, and a dragon behind the door. Old, but effective.
  • by crow ( 16139 ) on Thursday June 06, 2002 @05:04PM (#3655035) Homepage Journal
    This is simply a variation on security through obscurity. "Make sure the operating system and software it runs are so old that current hacking tools won't work on it." Sure, that will stop a bunch of script kiddies. It's just like running MacOS will make you immune to most viruses.

    Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities.
    • No it's not (Score:3, Insightful)

      by ChanxOT5 ( 542547 )
      It's Security through time.
      They've got the argument all wrong - it's not more secure because it's obscure - it's more secure because older software has been around longer, and the kiddies have already found the obvious bugs and they've been patched.

      Would you run a 2.5 kernel on a computer where you worried about security? I'd hope not.
      • Re:No it's not (Score:5, Insightful)

        by scott1853 ( 194884 ) on Thursday June 06, 2002 @05:51PM (#3655477)
        I had an argument with a customer a few months ago. He was running Win 95 and had to keep rebooting his machine every time he wanted to get on the internet and he said it was our fault for providing such crappy internet service. I told him that's normal, Windows 95 is unstable. His response was that it's been out for 7 years so they must have fixed everything that was wrong with it by now.

        You may want to rephrase that statement and maybe say "because older linux kernels have been around longer"
        • by mekkab ( 133181 ) on Thursday June 06, 2002 @06:58PM (#3655986) Homepage Journal
          I'll give you a counter-example, and this is more to the point.

          Mac OS 8.6 was *THE* standard before 9 and X. More stable, better for the environment, better for the economy, etc. etc.
          There was a free upgrade available everywhere to get you from 8.5 to 8.6. Yet two years ago I ran 8.5 for a year and a half.

          Why? DIDN'T need to upgrade. It gave me everything I needed, didn't crash out* (I had 1 or 2 problems with ProTools, but it was an anomaly) , and I didn't need USB support.

          My system was set up in such a way that everything, CDEV's, INIT's, and all extensions got along with each other and the only time I had to reboot was when I wanted to turn my computer off.

          To extend this, if you have a set up that has had the HECK tested out of it, stands up to "attack" (whether that means a "hack" for an network box, or a heavy load for a server) and doesn't give you problems, why re-invent the wheel?

    • by NanoGator ( 522640 ) on Thursday June 06, 2002 @05:18PM (#3655184) Homepage Journal
      "Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities. "

      You lightly touched on one of the biggest vulnerabilities to any system: Consistency. If you can research an OS, you can find out how to break in.

      What about a case where somebody builds their own OS and runs their apps on it? (I realize that is extremely unlikely, so use your imagination a bit...) How would a would-be hacker get into that? I'm sure it's possible, but without a model to work from, how would they know what to do?

      My company used to run IIS. When we got hit with Nimda, I noticed that 'CMD.exe' was getting called a lot. What'd I do? I renamed CMD.exe and replaced it with Calc.exe. I had originally intended to write my own VB App that'd notify me if it was ever run. Never got around to it, though. Essentially, I hid a commonly known function of WinNT. Anybody breaking into the system would have to figure out what I did since it's no longer the same type of server other people run.

      It is for this reason I'm really interested in Linux as server. If I were to get really deep down into the nitty gritty, I could make the OS so unfamiliar that only the most determined hacker would get in.
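
An added example, not from the comment above or from any poster in this thread: the notifier that was never written, reduced to an offline check over constructed IIS-style log lines. The log layout, the client addresses and the request paths below are made up for the example (the paths follow the widely documented Nimda probe pattern of reaching cmd.exe or root.exe through a traversal or double-encoded URL), and the function names are this example's own.

```python
"""Spot Nimda-style cmd.exe / root.exe requests in IIS-format web logs.

Added example; the log lines below are constructed, not real traffic.
Assumed log layout (space separated): date time client-ip method path query status
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (assumption: simplified W3C-style IIS fields).
SAMPLE_LOG = """\
2002-06-06 17:03:11 10.0.0.5 GET /index.html - 200
2002-06-06 17:03:12 10.0.0.9 GET /scripts/root.exe /c+dir 404
2002-06-06 17:03:13 10.0.0.9 GET /c/winnt/system32/cmd.exe /c+dir 200
2002-06-06 17:03:14 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2002-06-06 17:03:15 10.0.0.7 GET /images/logo.gif - 200
2002-06-06 17:03:16 10.0.0.9 GET /msadc/..%c0%af../winnt/system32/cmd.exe /c+dir 200
"""

# Matches when the last path element is the command shell or Nimda's copy of it.
SHELL_NAME = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Decode twice so double-encoded separators (%255c -> %5c -> backslash) become
    visible, then fold backslashes to forward slashes so the basename check sees them."""
    return unquote(unquote(path)).replace("\\", "/")


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else (blank, malformed)."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, client, method, path, query, status = fields
    return {"when": f"{date} {time}", "client": client, "method": method,
            "path": path, "query": query, "status": status}


def find_shell_requests(log_text: str):
    """(client, normalized_path, status) for every request whose path names cmd.exe/root.exe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        norm = normalize_path(rec["path"])
        if SHELL_NAME.search(norm):
            hits.append((rec["client"], norm, rec["status"]))
    return hits


def executed_shell_requests(hits):
    """A 200 on cmd.exe means the request reached the shell; a 404 means the probe missed."""
    return [h for h in hits if h[2] == "200"]


def worm_suspects(hits, threshold: int = 3):
    """Clients that probed for the shell at least `threshold` times: worm behaviour, not a typo."""
    counts = Counter(client for client, _, _ in hits)
    return {client for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_shell_requests(SAMPLE_LOG)
    for client, path, status in found:
        print(f"{client} -> {path} ({status})")
    print("reached the shell:", len(executed_shell_requests(found)))
    print("worm suspects:", worm_suspects(found))
```

The double decode is the part worth keeping: a filter that only looks at the raw path sees `%255c` and never notices that the web server will turn it into a directory separator. Run it against a real log by passing the file's contents to `find_shell_requests`, provided the columns match the assumed layout.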
      • //It is for this reason I'm really interested in Linux as server. If I were to get really deep down into the nitty gritty, I could make the OS so unfamiliar that only the most determined hacker would get in.//

        That's absolutely right, and one of the huge advantages that Linux has over any MS products in that you can configure in or out any options you want at time of install. Even post-install, the kernel and every type of service is yours to do with as you see fit.

      • It's not like there aren't readily available sources [google.com] for information on older OSs, after all.
      • The problem is that while you could probably get rid of most script kiddies by using some non-standard OS that you wrote yourself, you don't get rid of the real problem, which is that a *determined* hacker (say an ex-employee who wants to steal your secrets to sell to a competitor, or an evil black-hat who wants to steal your credit card database, etc) will be able to get in. Obscurity may stop the "nuisance" hacks, but those hacks don't really cost you much in reality. The scary hacks that actually do cost your company money will not be stopped.
    • That's right, buy the source to the end of life products you use.
      I understand that this is an expensive proposition, however this is what we do where I work.
      This way any bugs/exploits can still be researched and fixed by the good guys, and the bad guys are just shooting in the dark.

      Not that we intended to have all of our COTS (Commercial Off The Shelf) to go end of life, but you make do!

      However when UK air traffic goes down for a few hours and the only developer who knows the product is in Hawaii for two weeks on his honeymoon (yep. That was me.) you have a problem!

    • By using antique software, it is probably relatively easy to do some research and find security vulnerabilities.

      So you think the 'script kiddies' can easily hack say, VM/CMS or MVS? Just do some simple research and plow through the manuals? Ever read those manuals? It's like Sanskrit, not simple cook-book stuff. JCL makes perl look like English.

      These old systems can certainly be hacked, but not trivially. Go look on the net and you will find very little on hacking these types of systems. Then look for info on hacking Unix and especially Windows.

      =brian

  • AIX old and obscure? (Score:2, Interesting)

    by ChanxOT5 ( 542547 )
    "... like AIX that has never been widely used for Net-attached servers but is adequate for handing out simple Web pages .."

    Um, I don't know about you but last time I checked, AIX is far more capable than most UN*Xs out there at just about everything.
    By no means is it "old" or "outdated."
  • by jerrytcow ( 66962 ) on Thursday June 06, 2002 @05:07PM (#3655065) Homepage
    At least with current software when a hole is found it will get patched - more quickly for some companies than others. What happens when a major flaw is found with older OSes/apps? Do you really think MS will bother to write a patch for win95 or Apple for mac os 7.1? You will not only have a security problem, but to fix it you'll have to upgrade or migrate to a new platform.
    • Which is a salient point--most older OSes/apps that were around for any length of time have already been patched. There are few new vulnerabilities to find.

      On the other hand, depending on the product, the newer versions are the security patches, so ultimately you do end up upgrading by following this logic.

      Best course? Somewhere in the middle. If you're interested in security, stay off the cutting edge, but don't run something so far back that it's been superseded by newer versions.
    • Windows 95 IS no longer supported by Microsoft.

      3rd parties will pick up the slack.
  • Nice points but... (Score:5, Insightful)

    by garett_spencley ( 193892 ) on Thursday June 06, 2002 @05:07PM (#3655074) Journal
    I still wouldn't rely on this for really critical security implementations.

    The main problem is that most vendors stop supporting old products. This creates a huge security threat. Just because no one knows about security holes doesn't mean they exist.

    Sure you've eliminated probably 99% of all script kiddie threats and if that's the only threat you can identify then by all means this is a cute idea. However, as security administrator at my company I do my best to secure against any and all threats which means I must presume that old versions of Solaris (for example) have gaping security holes that were never fixed and therefore running the latest and greatest with all applied security patches and a rock hard configuration is my best bet when it comes to security.

    Roblimo's friend does have a point, though, regarding Macs. Old Macs are really the most secure systems out there. Simply because they can't really do much. They weren't designed to be networked and so there aren't any services to exploit ;^)

    --
    Garett
    • Just because no one knows about security holes doesn't mean they exist.

      err... doesn't mean they do not exist.

      --
      Garett
    • It's called appletalk and while PC users were being strangled with novell netware Apple had this easy-peasy way to connect macs (ring style) with some $30 adapters (under $10 if you homebrewed!)

      You can run appletalk on ip.
      • You're right but that's not what I meant. I guess it's a poor choice in wording on my end.

        What I meant to say was that Macs weren't designed to run services like http, smtp, dns etc.

        They were made for home users and that's it. Any networking capability that they had was solely to either make home users lives easier or for some cash (like selling to schools where networking is important).

        --
        Garett
  • This is the same reason that NASA uses old (pre-Pentium) hardware for the general purpose computers on the space shuttle - they've been out for so long that close to 100% of the bugs in it have been found. The same logic applies to someone working in a production environment - never update to the newest unless you're CERTAIN it's not going to screw up. I know a lot of sysadmins that wouldn't dare think of upgrading to Windows2000 from NT4, much less upgrading to .NET servers.

    Besides, when was the last time you moved a production (IE: business-oriented box) to the -CURRENT tree on anything?
    • by acehunter ( 534399 ) on Thursday June 06, 2002 @05:21PM (#3655209) Homepage
      Actually, NASA uses pre-Pentium processors on the Shuttle because they are radiation-hardened, and generate much less heat than Pentiums and their successors. Heat management is key on a spacecraft, and as of 1999 Intel had still not produced a radiation resistant Pentium chip. NASA designs typically also take a decade or more to enter service, ensuring that any data processing hardware will be at least 2 generations out of date before it is implemented.
    • I think the reason NASA uses old hardware is subtly different...err...subtlely diff...err...different in a subtle way. It's not because the hardware's been successfully vetted by the public for many years. It's because NASA's testing and acceptance procedures are (understandably) long and expensive. They start with hardware that's fairly up-to-date (and lots that's state-of-the-art) and put together huge complex systems with them and test the hell out of them. They don't re-do all that unless they have to.
    • Umm, no. They use old hardware because that's what was available when the shuttle was designed. If it works, don't fix it. Also, to take new hardware/software in use on the shuttle is probably hideously expensive considering all the testing it has to go through.
    • You're partly right. But when a transistor as small as the transistors on, say, a P-4 is hit by cosmic radiation, it'll probably misfire causing a flipped bit. An 8086 has much larger transistors and is therefore much more resistant to cosmic radiation.
  • Debian (Score:3, Funny)

    by edwazere ( 87203 ) on Thursday June 06, 2002 @05:10PM (#3655099)

    Isn't that how Debian works anyway?
  • by mlyle ( 148697 ) on Thursday June 06, 2002 @05:11PM (#3655114)
    There's a lot of advantages that you gain in running older software. One of which is that it has a known security track record (for better, or for worse). New features may very well hurt reliability or security. That's why it's not uncommon for networks to be running several year old versions of Cisco IOS.

    The down side is that if a problem does emerge, there's not a lot you can do if the vendor stops maintaining it. However, for critical infrastructure like routers, vendors typically keep old releases alive for a long length of time and continue to release updates to the old branches.
  • My c64 is way more secure than my new fangled PC.
    I owe it all to the fact that nobody knows enough about the software to hax0r into it and steal my personal data.

  • HA! (Score:2, Funny)

    And all this time my boss called me a slacker... turns out I was just a step ahead of the security game!

  • Perhaps think twice before jumping at the chance to buy MS's latest OS.
    Twice?! Good lord, if the phrase "think twice" can be extended indefinitely, I must have thought fifty or sixty billion times about buying XP by now.
  • Gopher (Score:5, Funny)

    by arson1 ( 527855 ) on Thursday June 06, 2002 @05:16PM (#3655166) Homepage
    Time to move my mp3 collection over to a gopher server :)
  • Now I can dust off that old VAX in my livingroom and figure out how to load CP/M on it for my eStore!
  • I'm serving web pages from my NeXT Station at home. My logs show tons of attempts to reach internal WIN-NT paths. Which is slightly amusing. But in the end, that's just my DMZ machine, and my linxis(sp?) firewall is trusted to keep out other naughty people. Still, nothing keeps the wife from opening an email with an executable attachment... So my web server stays up while I refresh the image on my PC. The most stable running box in the house is still the NeXT.
  • by dcavanaugh ( 248349 ) on Thursday June 06, 2002 @05:22PM (#3655219) Homepage
    A few years ago, I remember researching firewall products and stumbled across one that ran on MS-DOS. According to the marketing hype, MS-DOS was the OS of choice because it was impossible for a hacker to do anything remotely with an OS that had no remote accessibility. They had custom ethernet drivers for a small number of cards, and a homegrown GUI (definitely not Windoze). IMHO, it wasn't the best product (for a variety of reasons), but I'll bet it was every bit as intrusion-resistant as advertised.
    • MS-DOS was the OS of choice because it was impossible for a hacker to do anything remotely
      Ever heard of Denial of Service Attack? You don't need to control the system remotely - just send a malformed packet and watch it die.

      Besides, exploiting a buffer overflow could allow the attacker to upload some code that would overwrite memory with the contents of some special packets. The attacker could even install another OS over the net this way :-)

    • by NewtonsLaw ( 409638 ) on Thursday June 06, 2002 @07:20PM (#3656136)
      I remember researching firewall products and stumbled across one that ran on MS-DOS. According to the marketing hype, MS-DOS was the OS of choice

      Cool... just what everyone needs... a single-user, single-tasking firewall.

      Why not call it a brick-wall? :-)
    • HAHAHA! Hardly! One buffer overflow and you've got the one thing better than a r00ted box - memory access. Just overwrite the interrupt table, install a virus on int 21h :-)
      • Considering that a T-1 is 1.5 mbps, you're unlikely to cause a buffer overflow until the line speed hits T-3 or better. That's assuming the firewall code isn't smart enough to keep track of available memory. Without any other processes competing for memory, it would not be all that tough to detect & avoid buffer overflow (in ancient times, programmers checked for such things.) A denial-of-service attack might be successful, since the firewall would have to drop the packets that can't be processed due to excessive queueing. Of course if the sysadmin does something stupid (like logging all rejected packets), the disk fills & the game is over.
  • by southpolesammy ( 150094 ) on Thursday June 06, 2002 @05:23PM (#3655229) Journal
    Per yesterday's /. article on the current state of Air Traffic Control systems [slashdot.org], it sounds like this is standard fare for them as well. They've certified that the ATC systems that STARS is replacing are hack-proof, simply because the systems are so old that few people in the IT world today were even alive when they were introduced.

    Of course, a system like this is still subject to physical abuse, and an old system that is broken into pieces is just as bad as a new system that is the subject of a DoS....
  • by allism ( 457899 ) <alice@harrison.gmail@com> on Thursday June 06, 2002 @05:24PM (#3655235) Journal
    We ship DOS based and Windows based medical data collection software out of our shop, and we've had WAY fewer problems (one, to be exact, compared with over a dozen) with people hacking into our DOS stuff vs our Windows stuff, despite the fact that we have 50 times more DOS units in the field than Windows.

    Not to mention that the laptops we ship the DOS software on get stolen a lot less frequently, since our DOS software will run on 286s...
  • Hey, nobody ever managed to crack my A/UX server before I switched to OpenBSD -- maybe there's something to this.

    Of course, the flip side would be that the whole OS is toast as soon as a vulnerability is found. Hell, Apple won't admit they even _made_ A/UX any more.

    --saint
    (Seriously. Try to find it on their site. You'll find Newton stuff first.)
  • This article seems to suggest that older operating systems are better because hackers tend to shoot for the latest and greatest, and find weaknesses in them instead.

    So what happens if there are a lot of webservers, etc out there who run obsolete software for this very reason? Hackers don't exploit a particular OS, webserver, etc just because it's new, they also do it because that particular flavor is popular as well.

    Even if the software is old by today's standards, rest assured, as long as it's running on a lot of servers and PCs, it'll still get attacked.

    On another note, I agree with the aspect that when a particular OS/software is out in the "wild" for a long time, it gets scoured for weaknesses and gets patched accordingly. Eventually the OS/software becomes robust and secure over time. In the end it's not so much that it's new, but that it's strong and secure. And that's what matters the most.
  • Hi, I know you're Unisys now, but do you still have any mothballed UNIVACs around? I have a secure project that I need one for.

    A UNIVAC I? Mmmmmm, mercury delay line storage, 500 microsecond memory speed, and 5,600 tubes. What more could I ask for!
  • Is this the real reason the green screeners at work claim the AS/400 is so secure? And all along I thought it was because there were only, I don't know, maybe 2 on the internet not behind massive firewalls!

    hmm,

    -Pete
  • I was talking to a member of IBM's ethical hacking group a few months ago. He said he had gone down to DefCon and took one of his System 390 manuals as a bartering item. He said that he got all sorts of cool offers for it. Most of the hackers had never seen any documentation on the system so it was a total black box to them. The guy from IBM thought it was all rather funny since after he traded it away for items worth several times its value he went home and ordered another copy off of Amazon.

    This article just goes to show that good security is hard, and is often an afterthought.

  • When I read the original article at newsforge, they served up an ad encouraging me to "Move to Apache 2.0" because "The More You Wait, The More You Lose". screenshot [xmission.com]
  • Just try and load your root-kit onto this machine [dunkels.com]. Whaddya mean ?OUT OF MEMORY AT LINE 10.
    Previously discussed on slashdot back here [slashdot.org]
  • I used to work at a small Unix workstation company in the 80's, Callan Data Systems. All our accounting and payroll software was running on an old Callan machine that was running CP/M. That made it much more secure from internal attacks than a Unix machine would have been...all of us systems programmers knew holes and tricks in Unix that would get us root on any Unix machine inside of 15 minutes (mid 80's Unix was not all that secure). Sit us down at a CP/M machine, however, and most of us would be completely lost, and would wander off to go back to playing with Unix.
  • Now we securely sit in the dark.

    This is the flip side of saying non disclosure is more secure than disclosure. Obsolete means nobody knows about it; whether anyone gives a shit about it or not is a different question. If we had all sorts of PDP-11's around here or Link analog computers I'm sure that eventually someone would break them just because they're there.
  • Flawed.. (Score:5, Interesting)

    by reflective recursion ( 462464 ) on Thursday June 06, 2002 @05:47PM (#3655438)
    this is a pretty flawed argument. Do these security experts actually look at "script kiddie" tools? If they cared to do a little homework they would see that many exploits and tools cover a wide array of software versions. Exploits for antique software are relatively easy to find. Now you could claim that _obscure_ software is more difficult to crack, and you would probably be right. But keep in mind that that software is obscure for a reason--it's probably junk. Just because you are running last generation's software does not mean the current cracker generation can not get to those exploits (or information needed for the software).

    I believe there is a little bit of confusion in this article between obscurity in the sense of software not being widely used and obscurity in the sense of proprietary closed-source software. There is also the confusion of software _differences_, which the author of this article bungles together with software age. In any case, this article is seriously misguided. Let me explain:

    There is an Object. It could be your physical hardware, your OS, or simply a version of a software package. Imagine two generic Objects, Object-A and Object-B, exact in every practical way. Now imagine an Exploit that works on Object-A (and a cracker has access to this object). It also works on Object-B (your object) because they are identical. Now imagine there is an Object-C. It is very similar to Object-A and B, but has a few slight differences. Now the Exploit will need to change to accommodate this. This is _security_. This is the same principle viruses (biological or computer) work on. The differences between objects makes them secure. The less difference, the less secure. Think of any *ix security measure. Passwords, for instance, are simply ~8 character differences (and a login name) between one *ix and the next. Attempting to break a password by trial-and-error is impractical. Crackers rely on this principle of _similarity_ of systems to break passwords. They download a system's password file and use a "word file" to crack passwords. This word file is merely commonly used passwords--again, the principle of similarity. Most *ix systems have a password file in a common format and there are common passwords. Common system properties (/etc/passwd, etc.) + common user psychology turns what is a very secure method (passwords) into a very insecure method. One small admin. change could make the difference between a system being cracked or not (such as moving daemons to a "strange" location or partition, etc.).

    Software age has nothing to do with security. The article really has many separate issues tied together and it really is not a good idea to just use older software for security sake.
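
An added example, not from the comment above or from any poster: the word-file attack the comment describes, run against a constructed password file. The point it makes visible is the one about similarity: the attack needs the file format to be the known, common one and the passwords to be the common ones, and it costs six guesses per account where an unguessable password costs billions. The "$toy$" hash scheme, the user names, the salts and the word list are all assumptions made for the example; the scheme is not crypt(3) or any real system's format.

```python
"""Dictionary attack on a constructed, /etc/passwd-style password file.

Added example. The hash scheme "$toy$<salt>$<sha256 hex>" is an assumption made for
the demonstration; it is not crypt(3) or any real system's format.
"""
import hashlib


def toy_hash(salt: str, password: str) -> str:
    """Salted SHA-256, hex encoded. Toy scheme; fast by design so the attack is visible."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_entry(user: str, salt: str, password: str) -> str:
    """One passwd-style line: user:hash:uid:gid:gecos:home:shell."""
    return f"{user}:$toy${salt}${toy_hash(salt, password)}:1000:1000::/home/{user}:/bin/sh"


# Constructed file: two users with wordlist passwords, one with a random one.
PASSWD_FILE = "\n".join([
    make_entry("alice", "ab", "password"),
    make_entry("bob", "cd", "letmein"),
    make_entry("carol", "ef", "xK9#q2Lm"),
])

# Constructed "word file": the kind of list the comment above describes.
WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123", "welcome"]


def parse_passwd(text: str):
    """Map user -> (salt, digest). Relies on the file format being the common, known one."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        _, scheme, salt, digest = field.split("$")
        if scheme != "toy":
            raise ValueError(f"unknown hash scheme for {user}: {scheme}")
        entries[user] = (salt, digest)
    return entries


def dictionary_attack(text: str, wordlist):
    """Try each word against each account. Returns (cracked: {user: password}, guesses_made)."""
    cracked, guesses = {}, 0
    for user, (salt, digest) in parse_passwd(text).items():
        for word in wordlist:
            guesses += 1
            if toy_hash(salt, word) == digest:
                cracked[user] = word
                break
    return cracked, guesses


def brute_force_guesses(charset_size: int, length: int) -> int:
    """Worst-case guesses for a password drawn uniformly from charset_size**length choices.
    For carol's 8-character password over the 94 printable ASCII characters this is
    94**8, roughly 6e15, against the 6 guesses the wordlist costs per account."""
    return charset_size ** length


if __name__ == "__main__":
    cracked, guesses = dictionary_attack(PASSWD_FILE, WORDLIST)
    print(f"cracked {cracked} in {guesses} guesses")
    print("brute force worst case for carol:", brute_force_guesses(94, 8))
```

The salt does nothing against this attack (each account still falls to its own six guesses); what it prevents is reusing one precomputed table across every account and every system with the same format. The "small admin change" the comment ends on has the same character: it raises the attacker's per-target cost without changing the underlying strength of anything.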
  • by Junior J. Junior III ( 192702 ) on Thursday June 06, 2002 @05:48PM (#3655443) Homepage
    No one can steal my data!

    I have no network. My backups are stored on 5 1/4" floppies.

    Not only can no one read these things, they'd need a truck convoy to haul them away. No way in hell they're sneaking past security with a motherfucking semi truck!
  • From the article: ' You never read about this kind of "security through obscurity," which can just as correctly be called "security through obsolescence." Despite this lack of publicity, it may be as effective a tactic as any other, and it can be implemented without spending a dime. '

    Most people will know this, but I have to quote Jamie Zawinski [google.ca]: But as we all know, Linux is only free if your time has no value, and I find that my time is better spent doing things other than the endless moving-target-upgrade dance...

    ... which raises an interesting point: If you are spending time to do this, aren't you investing -- perhaps even wasting -- a lot of it hoping that your machine is beyond reach or unknown? Is that amount of effort really worth nothing? If someone succeeds in breaking the barrier, all that conscious thinking will have gone to waste, as the end result is still 'I have a cracked machine'. With current software, you have some recourse. It may always be true that the need for endless-upgrades will persist. I don't think this sounds like an alternative.

    I could be wrong, but the knowledge and practical experience needed to try something like this looks to be of little worth to the people who'd want to do it.
  • by gregbaker ( 22648 ) on Thursday June 06, 2002 @05:56PM (#3655505) Homepage

    This is a good example of security through obscurity, particularly the MacOS example in the article. Obscurity is no basis for a security model, but a little obscurity thrown in on top of some real security can't hurt.

    For example, a tech I know runs a MySQL server that shouldn't be exposed to the outside world. It's behind a firewall and the port is blocked, fine. It's also run on a non-standard port. Why? Because if somebody cracks the main network, they still have some work to do to find the MySQL server. That's time to discover the intrusion and fix the leak.

    Summary: Security through obscurity: bad. Security + obscurity: good.

    • This is a good example of security through obscurity

      There is no such thing as a "good" example of security through obscurity.

      The biggest problem with security through obscurity is not that it doesn't provide security (although this is one of the problems), but that it provides a false sense of security.

      if somebody cracks the main network, they still have some work to do to get to find the MySQL server. That's time to discover the intrusion and fix the leak.

      This is a perfect example of the problem with it.

      Your friend probably thinks that the "non-standard port" thing is pretty clever, and that it gives him time - he thinks that he's done something to secure his network, when in reality he hasn't; the system is just as vulnerable as it was before he moved the port, but he believes that it's more secure. This is hubris at its worst.

      Incidentally, using old software is not necessarily obscurity - in general, older software has fewer features, fewer lines of code, so therefore fewer potential bugs.. fewer bugs means fewer potential security problems.
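
An added example, not from either of the two posters above, on the non-standard-port question: a MySQL server identifies itself in the first packet it sends, before the client has said a word, and that greeting is the same on port 3306 and on any other port. Anyone who can reach the socket can therefore recognise it by reading a few bytes. The greeting below is constructed to follow the documented layout of the MySQL initial handshake (protocol version 10); the server version string, connection id and capability value are made up, and the function names are this example's own.

```python
"""Fingerprint a MySQL server from its unsolicited greeting, whatever port it listens on.

Added example with constructed bytes. Layout of the MySQL HandshakeV10 greeting as
documented by MySQL: 3-byte little-endian payload length, 1-byte sequence id, then
protocol version (0x0a), NUL-terminated server version string, 4-byte connection id,
8 bytes of auth plugin data, a filler byte, and the low 16 bits of the capability flags.
Only those leading fields are built and parsed here; a real greeting carries more.
"""
import re
import struct

CLIENT_SSL = 0x0800  # capability bit: server is willing to negotiate TLS

VERSION_RE = re.compile(r"^\d+\.\d+\.\d+")


def build_greeting(server_version: str, connection_id: int, capabilities: int, seq: int = 0) -> bytes:
    """Construct a minimal HandshakeV10 packet (enough for fingerprinting; test data only)."""
    payload = (b"\x0a" + server_version.encode("ascii") + b"\x00"
               + struct.pack("<I", connection_id)
               + b"\x00" * 8            # auth-plugin-data-part-1 (constructed, not random)
               + b"\x00"                # filler
               + struct.pack("<H", capabilities & 0xFFFF))
    header = struct.pack("<I", len(payload))[:3] + bytes([seq])
    return header + payload


def fingerprint_mysql(data: bytes):
    """Return {"version", "connection_id", "ssl"} if `data` looks like a MySQL greeting, else None."""
    if len(data) < 5:
        return None
    payload_len = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + payload_len]
    if len(payload) != payload_len or payload[0] != 0x0A:
        return None
    end = payload.find(b"\x00", 1)
    if end < 0:
        return None
    version = payload[1:end].decode("ascii", errors="replace")
    if not VERSION_RE.match(version):
        return None
    rest = payload[end + 1:]
    if len(rest) < 4 + 8 + 1 + 2:
        return None
    connection_id = struct.unpack("<I", rest[:4])[0]
    caps_low = struct.unpack("<H", rest[13:15])[0]
    return {"version": version, "connection_id": connection_id,
            "ssl": bool(caps_low & CLIENT_SSL)}


# Constructed greeting for a 2002-era server on an arbitrary port, and a non-MySQL
# banner (SMTP style) for contrast.
SAMPLE_GREETING = build_greeting("4.0.1-alpha", 1234, 0x2008)
NOT_MYSQL = b"220 mail.example.test ESMTP ready\r\n"

if __name__ == "__main__":
    print(fingerprint_mysql(SAMPLE_GREETING))
    print(fingerprint_mysql(NOT_MYSQL))
```

To use it against a live host you would connect to each open port, read the first packet with a short timeout and pass the bytes to `fingerprint_mysql`; the function deliberately takes bytes rather than a socket so it runs offline here. The version string it recovers is exactly what an intruder needs to pick an exploit, which is the reply's point: the port number was never the thing protecting the server.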
  • by thepoolguy ( 467704 ) on Thursday June 06, 2002 @06:41PM (#3655855)
    Security through obsolescence may be a bit of a misnomer. When I take an older OS release and apply all of the relevant patches, I know that the patched OS is considerably more mature than a newer version. Especially a new major release with newer or different components which have not been extensively tested.

    This is not to say that OS and software companies do not try to thoroughly test their software. They do. But even in the largest, most sophisticated test lab, one cannot recreate all of the possible conditions that will be revealed when the software is released into the real world.

    The reasons older (obsolete) software may be more secure are really two fold. Older software, due to creeping featurism which haunts all software development activities adds features, which adds chances for security holes and errors. I assert the increased features, and especially increased interfaces (user, programmatic and otherwise) increases the likelihood of security issues. The second issue with older (obsolete) software is that it is more mature. Please understand this carefully- older software that has been patched to the current patch level will be more secure than software that has not been patched.

    I think equating obsolete software with security is quite a stretch. I do agree with the thought that mature software will have fewer security issues. Added to this the fewer interfaces on older software gives it a greater chance to be free from security issues.

    -tpg.
  • This is more a case of getting a different variety through monoculture. The main reason for going for "old" is that you manage to cut out the bulk of gee-whiz script-kiddies. But some of the kids may have cut their teeth on your system, and then will be quite conversant with its innards.

    What it does not stop is those who live off hand-me-downs. My experience with a pentium 200 is that it's not much fun browsing the web with it.

    The rule of affordance states that locks are meant to be picked.

  • We run Netware.
  • Look at crypto. (Score:4, Informative)

    by surfcow ( 169572 ) on Thursday June 06, 2002 @07:09PM (#3656061) Homepage
    The most secure cryptosystems in the world are "open source". The encryption key is kept secret, but the method of encrypting the key is published. People are encouraged to whack at it. If a system gets broken, someone gets famous, but people know quickly.

    This seems like a much better model for OS development than "let's hope no one remembers that old trick".

    =brian
  • I think security through diversity [unm.edu] is a much better proposition. It is well known that biological systems become vulnerable if they are too homogeneous. For example, if one species dominates an ecosystem then diseases will spread more rapidly and affect more of the population. The same argument can be applied to computer systems. If one hardware and software configuration is dominant eg MS, then vulnerabilities will affect a larger number of systems and viruses will spread more rapidly.
  • Why not put it into the compiler/assembler suite? Add random jumps everywhere to foil buffer overflows. Might bloat your code and increase the run time linearly, but it would bring obscurity to a whole new level. You still have to recompile everything, but then that in itself might do the trick. On second thought try compiling on an obscure compiler. That might fool the buffer overflow demons at address 0xDEADBEEF.
  • Especially considering active development has ceased on source trees that have been superseded and that modern applications are sometimes much more secure than their predecessors.

    Oh, and occasionally development occurs only because of a serious exploit that requires immediate attention. Let's install BIND 8.0, hoping that the script kiddies will not observe this blatant error, oblivious to the fact that experienced (cr|h)ackers would perceive exploiting such an application or operating system a trivial activity.

    This concept is nothing more than an esoteric form of "security by obscurity." It disappoints me that the Slashdot editors would begin to advertise such a blatantly rhetorical and poor security practice.
  • All the "obscurity" does is extend the time before the FIRST person discovers a hole. Once one person finds a hole and that info hits the Internet, it's not obscure any more. What, you think all the script kiddies personally research and discover security holes?

    It's a similar problem to that faced by music companies trying to copy-protect CDs -- all it takes is for ONE person to rip the protected CD, then it's out there.

  • Security and Convenience are bitter, mortal foes. Using long forgotten and ancient software may be secure (dare I suggest also abandoning ASCII and replacing it with a hieroglyphics-based standard) but it's not really convenient (or practical). Forgive me, but I don't see businesses rushing to downgrade their software. Issues of support, maintenance, licensing, etc. really make this one a tough sell. Security and Convenience just don't get along well...
