Security Through Obsolescence
dlur writes "This article and this article (both variations of the same article written by roblimo) delve past security through obscurity, into using old, out of date software to secure a site. Maybe it's not always in your best interest to snag the latest kernel? Perhaps think twice before jumping at the chance to buy MS's latest OS."
Duh.
There's no reason without good research to get the new thing. The only time the 'brand new thing' should be adopted is if you just finished compiling it.
Security is about making sure you have a firm footing, and how can you have a firm footing in a realm where you're unsure of what is exactly involved?
If the newest and the greatest is always being hacked, then Linux for Playstation should be a dream for hackers. (Tongue very much in cheek)
We had to destroy the sig to save the sig.
No one can break into my house because I have a moat and a drawbridge, and a dragon behind the door. Old, but effective.
Ask Slashdot: Where bad ideas meet poor googling skills.
That slashdot will use apache 0.01 with perl 0.01 and slash 0.01 with linux kernel 0.01?
$ yes >
This is simply a variation on security through obscurity. Make sure the operating system and software it runs are so old that current hacking tools won't work on it. Sure, that will stop a bunch of script kiddies. It's just like running MacOS will make you immune to most viruses.
Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities.
If this were the case, we'd all be running solaris 7, nt 4 service pack 3, and kernel 2.2
Linux is dead.
LU
"... like AIX that has never been widely used for Net-attached servers but is adequate for handing out simple Web pages .."
Um, I don't know about you but last time I checked, AIX is far more capable than most UN*Xs out there at just about everything.
By no means is it "old" or "outdated."
Nimda didn't infect our old IIS2.0 web server which hosted our Intranet! So, there is some truth to this!
At least with current software when a hole is found it will get patched - more quickly for some companies than others. What happens when a major flaw is found with older OSes/apps? Do you really think MS will bother to write a patch for win95 or Apple for mac os 7.1? You will not only have a security problem, but to fix it you'll have to upgrade or migrate to a new platform.
If it does work, is it really out of date?
Shop smart, Shop S-Mart.
I still wouldn't rely on this for really critical security implementations.
;^)
The main problem is that most vendors stop supporting old products. This creates a huge security threat. Just because no one knows about security holes doesn't mean they exist.
Sure you've eliminated probably 99% of all script kiddie threats and if that's the only threat you can identify then by all means this is a cute idea. However, as security administrator at my company I do my best to secure against any and all threats which means I must presume that old versions of Solaris (for example) have gaping security holes that were never fixed and therefore running the latest and greatest with all applied security patches and a rock hard configuration is my best bet when it comes to security.
Roblimo's friend does have a point, though, regarding Macs. Old Macs are really the most secure systems out there. Simply because they can't really do much. They weren't designed to be networked and so there aren't any services to exploit.
--
Garett
It's Security through time.
They've got the argument all wrong - it's not more secure because it's obscure - it's more secure because older software has been around longer, and the kiddies have already found the obvious bugs and they've been patched.
Would you run a 2.5 kernel on a computer where you worried about security? I'd hope not.
I guess the word might be "embedded", but could a stripped down general purpose operating system run off a CDROM only, no hard drive, no floppy? Even if they can get in, they can't do much. I'm thinking web server here. Is it doable?
Time to move my mp3 collection over to a gopher server :)
--
Don't sweat the petty things, and don't pet the sweaty things.
I know a guy who dreams of storing his secret data on 8.5" floppies, on the grounds that there aren't drives to read them with. We tried to tell him otherwise; for instance: you'll need a drive to write your secrets - why not just use that one? He just says "Yeah, I know. But dude!"
IP is just rude.
Is there any torture so subl
Quite an Oxymoron (MS-Security)...but additionally:
Microsoft Purchases Evil From Satan
Redmond, WA -
Microsoft in a recent all cash deal has purchased evil from Satan for $2.7 billion. "We've been after Satan for some time," said CEO Steve Ballmer. "Negotiations were tough but I think both Microsoft and the Prince of Darkness are happy with this deal." Before the purchase, Microsoft already had 15% of the evil market, now that number is closer to 100%. The Department of Justice has voiced concerns over one corporation controlling so much evil, and has begun investigations into the deal.
"We feel that there are real opportunities with evil, and that when evil is integrated into our next generation of Windows products consumers will appreciate evil on their desktop," said Microsoft Chairman Bill Gates. "Businesses haven't been able to fully realize their evil potential. With evil integrated into Office 2001, corporations big and small will begin to see enhanced evil productivity."
"Evil is a real growing market," market strategist Frank Dresgan of Merrill Lynch said today. "Microsoft is a little late in the game, but even when they enter a market late they still tend to dominate. I think we'll see the same with evil."
"I've been dealing with Microsoft for some time," Lucifer said. "I've been at this evil thing for millions of years, and wanted a way out. I considered an IPO, but then Steve-O and Billy came along and told me about their "Evil Everywhere" plan and that was an offer I couldn't refuse."
Evil was founded by Satan close to the beginning of time. It has been growing steadily ever since, although most of the growth has come in the past five years with the development of the internet. Satan plans to retire to a small island in the Bahamas and write a column for the local newspaper.
just my $0.0199999
If we don't fight for ourselves no one will.
Now I can dust off that old VAX in my livingroom and figure out how to load CP/M on it for my eStore!
Eve Fairbanks says I drive a hybrid!LOL
I'm serving web pages from my NeXT Station at home. My logs show tons of attempts to reach internal WIN-NT paths. Which is slightly amusing. But in the end, that's just my DMZ machine, and my linxis(sp?) firewall is trusted to keep out other naughty people. Still, nothing keeps the wife from opening an email with an executable attachment... So my web server stays up while I refresh the image on my PC. The most stable running box in the house is still the NeXT.
Above comment is personal opinion. Poster is not a spokesperson.
A few years ago, I remember researching firewall products and stumbled across one that ran on MS-DOS. According to the marketing hype, MS-DOS was the OS of choice because it was impossible for a hacker to do anything remotely with an OS that had no remote accessibility. They had custom ethernet drivers for a small number of cards, and a homegrown GUI (definitely not Windoze). IMHO, it wasn't the best product (for a variety of reasons), but I'll bet it was every bit as intrusion-resistant as advertised.
Per yesterday's /. article on the current state of Air Traffic Control systems, it sounds like this is standard fare for them as well. They've certified that the ATC systems that STARS is replacing are hack-proof, simply because the systems are so old that few people in the IT world today were even alive when they were introduced.
Of course, a system like this is still subject to physical abuse, and an old system that is broken into pieces is just as bad as a new system that is the subject of a DoS....
Rule #1 -- Politics always trumps technology.
Why not just sign up for a Geocities account?
95% of all Geocities accounts are effectively read-only.
I had a nice Webserver running thttpd on an iPaq, but then some script kiddie linked to it on the slashdot front page. I just can't win.
We ship DOS based and Windows based medical data collection software out of our shop, and we've had WAY fewer problems (one, to be exact, compared with over a dozen) with people hacking into our DOS stuff vs our Windows stuff, despite the fact that we have 50 times more DOS units in the field than Windows.
Not to mention that the laptops we ship the DOS software on get stolen a lot less frequently, since our DOS software will run on 286s...
Denver Isuzu Suzuki
It's called appletalk and while PC users were being strangled with novell netware Apple had this easy-peasy way to connect macs (ring style) with some $30 adapters (under $10 if you homebrewed!)
You can run appletalk on ip.
In the future, I would want to not be isolated from my friends in the Space Station.
What about using something like FreeDOS? Pretty solid as far as DOS goes, DOS lends it the obsolescence angle, plus all the tools to set up a server would probably qualify as obscure. I would guess this would buy you a little more, considering it was never a commercial OS that had its flaws publicly "outed" and made well-known. It doesn't necessarily share any of the holes/flaws that the commercial DOSes do.
Hey, nobody ever managed to crack my A/UX server before I switched to OpenBSD -- maybe there's something to this.
Of course, the flip side would be that the whole OS is toast as soon as a vulnerability is found. Hell, Apple won't admit they even _made_ A/UX any more.
--saint
(Seriously. Try to find it on their site. You'll find Newton stuff first.)
Depleted uranium rounds!
Kills dragons good and gives the occupants cancer! Fun for the whole family.
I think the really beneficial thing here would be using uncommon systems without bells and whistles, and not necessarily old systems. An actual old system is more likely to have buffer overruns, or long-dormant bugs (like the zlib vulnerability that was such a hassle a few months ago). Taking a reputable current operating system that is not near the top of Netcraft website summaries (OpenBSD?) and running a current but rare and simple server (one such might be thttpd) would probably be safer against script kiddies than using "dusty-deck" software.
Of course, you must be prepared to switch systems if your solution starts becoming fashionable...
Using "diverse" software is not necessarily "security by obscurity" as another comment claimed. It would actually be a variant of the biological strategy that has among other things prevented any single disease from wiping out the human race. The Warhol worm and other nasties discussed in the recent research paper "How to 0wn the Internet in your spare time" depend on the existence of large numbers of sites with identical vulnerable software. Being different protects you from that (and other indiscriminate attacks). But it does not necessarily protect you from a skilled attacker who is determined to crack your site in particular.
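An added illustration of the comment above (not part of the original post): a discrete-time version of the simple epidemic (logistic) model for a random-scanning worm, comparing a software monoculture with a diverse population. The host counts, scan rate and vulnerable shares are constructed values, and the function names are this example's own.

```python
"""Random-scanning worm spread vs. software diversity (all parameters constructed)."""

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner draws from


def simulate(vulnerable_hosts, scans_per_hour, hours, steps_per_hour=60, seed=1):
    """Return the infected-host count at every time step.

    Simple epidemic model: each infected host probes random addresses, and a
    probe succeeds only when it lands on a vulnerable host that is not yet
    infected. Hosts running different software are never counted as hits.
    """
    infected = float(seed)
    history = [infected]
    scans_per_step = scans_per_hour / steps_per_hour
    for _ in range(hours * steps_per_hour):
        hit_probability = (vulnerable_hosts - infected) / ADDRESS_SPACE
        newly_infected = infected * scans_per_step * hit_probability
        infected = min(vulnerable_hosts, infected + newly_infected)
        history.append(infected)
    return history


def hours_until(fraction, vulnerable_hosts, scans_per_hour,
                max_hours=24 * 14, steps_per_hour=60):
    """Hours until `fraction` of the vulnerable hosts are infected, or None."""
    target = fraction * vulnerable_hosts
    history = simulate(vulnerable_hosts, scans_per_hour, max_hours, steps_per_hour)
    for step, infected in enumerate(history):
        if infected >= target:
            return step / steps_per_hour
    return None  # outbreak did not reach the target within max_hours


def compare(total_hosts=1_000_000, scans_per_hour=10_000):
    """Monoculture (90% run the flawed software) vs. diverse population (10%)."""
    results = {}
    for label, share in (("monoculture", 0.90), ("diverse", 0.10)):
        vulnerable = round(total_hosts * share)
        results[label] = {
            "vulnerable_hosts": vulnerable,
            "hours_to_half": hours_until(0.5, vulnerable, scans_per_hour),
            "hours_to_95pct": hours_until(0.95, vulnerable, scans_per_hour),
        }
    return results


if __name__ == "__main__":
    for label, row in compare().items():
        print(label, row)
```

The model covers only indiscriminate random scanning; it says nothing about an attacker who goes after one site in particular, which is the comment's own caveat.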
That's right, buy the source to the end of life products you use.
I understand that this is an expensive proposition, however this is what we do where I work.
This way any bugs/exploits can still be researched and fixed by the good guys, and the bad guys are just shooting in the dark.
Not that we intended to have all of our COTS (Commercial Off The Shelf) to go end of life, but you make do!
However when UK air traffic goes down for a few hours and the only developer who knows the product is in Hawaii for two weeks on his honeymoon (yep. That was me.) you have a problem!
In the future, I would want to not be isolated from my friends in the Space Station.
This article seems to suggest that older operating systems are better because hackers tend to shoot for the latest and greatest, and find weaknesses in them instead.
So what happens if there are a lot of webservers, etc out there who run obsolete software for this very reason? Hackers don't exploit a particular OS, webserver, etc just because it's new, they also do it because that particular flavor is popular as well.
Even if the software is old by today's standards, rest assured, as long as it's running on a lot of servers and PCs, it'll still get attacked.
On another note, I agree with the aspect that when a particular OS/software is out in the "wild" for a long time, it gets scoured for weaknesses and gets patched accordingly. Eventually the OS/software becomes robust and secure over time. In the end it's not so much that it's new, but that it's strong and secure. And that's what matters the most.
A Penny for my thoughts? Here's my two cents. I got ripped off!
Hi, I know you're Unisys now, but do you still have any mothballed UNIVACs around? I have a secure project that I need one for.
A UNIVAC I? Mmmmmm, mercury delay line storage, 500 microsecond memory speed, and 5,600 tubes. What more could I ask for!
Is this the real reason the green screeners at work claim the AS/400 is so secure? And all along I thought it was because there were only, I don't know, maybe 2 on the internet not behind massive firewalls!
hmm,
-Pete
Soccer Goal Plans
This article just goes to show that good security is hard, and is often an afterthought.
Lasers Controlled Games!
When I read the original article at newsforge, they served up an ad encouraging me to "Move to Apache 2.0" because "The More You Wait, The More You Lose". screenshot
If everybody upgrades from software x to software y, all of the new loopholes/viruses/whatnot will be made for software y, because they have the vulnerability *and* everybody is using it. Why would you write something to do harm if only 1% of the users will be affected?
Thanks.
In trying to keep some semblance of order at my sites, I have tried to purchase "Old" licences for MS products.
I currently can purchase XPHome and XPPro, nothing else.
Even Toshiba Model 1800 laptops, (that shipped with 98 at one time) are available in XP only. MS completely eradicated history in one step.
Just try and load your root-kit onto this machine. Whaddya mean ?OUT OF MEMORY AT LINE 10.
Previously discussed on slashdot back here
> Now I can dust off that old VAX in my livingroom and figure out how to load CP/M on it for my eStore!
No, man, throw it in your kitchen and make it a VaxBar.
The speed of time is one second per second.
Good, I'll start using pop2 because it's old. /dev/null
Furthermore I'll stop using iptables for stateless ipchains rules, this will improve my site's resiliency in case of dos attacks.
Then I will turn back the time clock and start using old cgi-scripts like:
grep "$user_string" my_db 2>
That no one has ever heard of.
This is a horseshit story, and anyone with brains knows that the purpose of development is to provide a superior product in ALL ways, not just security, though this should be key.
My arse. I don't care what OS it's running -- if it's plugged into the network, then it has remote accessibility.
> I'll bet it was every bit as intrusion-resistant as advertised.
Hence the phrase "marketing hype"...
There are some older versions of software that lack some features but were used for a long time, work just fine and have never had a single reported security problem.
I assume software used for years without a reported bug or hole (or a patched version) is a very reliable way to say secure.
NCSA/1.4.1 has never had a reported hole ever found.
Neither had the patched FreeBSD 2.0.5
I ran leonardodicatpio.com on the combination for 5 years. Even during the Titanic Movie release. Tons of young hackers tried to break it then never succeeded. Only problem I had was they would over fill the log files when they would throw 100 Mbps of web hits at it to try to crash it. Even that I managed to fix with a small tweak in the source.
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
I used to work at a small Unix workstation company in the 80's, Callan Data Systems. All our accounting and payroll software was running on an old Callan machine that was running CP/M. That made it much more secure from internal attacks than a Unix machine would have been...all of us systems programmers knew holes and tricks in Unix that would get us root on any Unix machine inside of 15 minutes (mid 80's Unix was not all that secure). Sit us down at a CP/M machine, however, and most of us would be completely lost, and would wander off to go back to playing with Unix.
Now we securely sit in the dark.
This is the flip side of saying non disclosure is more secure than disclosure. Obsolete means nobody knows about it; whether anyone gives a shit about it or not is a different question. If we had all sorts of PDP-11's around here or Link analog computers I'm sure that eventually someone would break them just because they're there.
That's just mean! Poor thing...
Wanted: One witty yet thought provoking
You are a fool and a liar. No man can comprehend time cube.
this is a pretty flawed argument. Do these security experts actually look at "script kiddie" tools? If they cared to do a little homework they would see that many exploits and tools cover a wide array of software versions. Exploits for antique software are relatively easy to find. Now you could claim that _obscure_ software is more difficult to crack, and you would probably be right. But keep in mind that that software is obscure for a reason--it's probably junk. Just because you are running last generation's software does not mean the current cracker generation can not get to those exploits (or information needed for the software).
I believe there is a little bit of confusion in this article between obscurity in the sense of software not being widely used and obscurity in the sense of proprietary closed-source software. There is also the confusion of software _differences_, which the author of this article bungles together with software age. In any case, this article is seriously misguided. Let me explain:
There is an Object. It could be your physical hardware, your OS, or simply a version of a software package. Imagine two generic Objects, Object-A and Object-B, exact in every practical way. Now imagine an Exploit that works on Object-A (and a cracker has access to this object). It also works on Object-B (your object) because they are identical. Now imagine there is an Object-C. It is very similar to Object-A and B, but has a few slight differences. Now the Exploit will need to change to accommodate this. This is _security_. This is the same principle viruses (biological or computer) work on. The differences between objects makes them secure. The less difference, the less secure. Think of any *ix security measure. Passwords, for instance, are simply ~8 character differences (and a login name) between one *ix and the next. Attempting to break a password by trial-and-error is impractical. Crackers rely on this principle of _similarity_ of systems to break passwords. They download a system's password file and use a "word file" to crack passwords. This word file is merely commonly used passwords--again, the principle of similarity. Most *ix systems have a password file in a common format and there are common passwords. Common system properties (/etc/passwd, etc.) + common user psychology turns what is a very secure method (passwords) into a very insecure method. One small admin. change could make the difference between a system being cracked or not (such as moving daemons to a "strange" location or partition, etc.).
Software age has nothing to do with security. The article really has many separate issues tied together and it really is not a good idea to just use older software for security's sake.
Dijkstra Considered Dead
No one can steal my data!
I have no network. My backups are stored on 5 1/4" floppies.
Not only can no one read these things, they'd need a truck convoy to haul them away. No way in hell they're sneaking past security with a motherfucking semi truck!
You see? You see? Your stupid minds! Stupid! Stupid!
on the same idea.
An attorney friend of mine is using floppy disks (the original, floppy variety) to store documents in an obsolete word processing format of all his confidential data. If subpoenaed, he will be required to turn in the disks, and it will be up to opposing counsel to decipher them.
I told him it was a cute idea, until his version of the obsolete software craps out and he's left with his entire record base in an unreadable format.
-FC
That's one of the reasons I had my company install NetBSD 1.4 on our servers!
I shouldn't have said that. I should not have said that.
Oh, you guys are stiff!!!!
Mod this mofo up, it is funny.
Congratulations! You almost correctly identified that ALL security is through obscurity.
From the article: ' You never read about this kind of "security through obscurity," which can just as correctly be called "security through obsolescence." Despite this lack of publicity, it may be as effective a tactic as any other, and it can be implemented without spending a dime. '
... which raises an interesting point: If you are spending time to do this, aren't you investing -- perhaps even wasting -- a lot of it hoping that your machine is beyond reach or unknown? Is that amount of effort really worth nothing? If someone succeeds in breaking the barrier, all that conscious thinking will have gone to waste, as the end result is still 'I have a cracked machine'. With current software, you have some recourse. It may always be true that the need for endless-upgrades will persist. I don't think this sounds like an alternative.
Most people will know this, but I have to quote Jamie Zawinski: But as we all know, Linux is only free if your time has no value, and I find that my time is better spent doing things other than the endless moving-target-upgrade dance...
I could be wrong, but the knowledge and practical experience needed to try something like this looks to be of little worth to the people who'd want to do it.
========================================
Death will come, and will have your eyes
-- Pavese
A few months ago I posted a few articles on my own web site about the security risk created by open source. No doubt a few /.ers recall finding out about the so-called attack upon open source and pried open their emailer.
/.ers failed to see the concept or consider how it could help them.
Problem was that it was not an attack upon open source at all but rather a rather strong suggestion that having the source code for an application or OS can have its downside. And, that is that anyone who has access to that code and your machine can modify it as they see fit. And, those modifications may not be with "your" approval (assuming you own the joint).
The point was that having source code comes with a price. And, that price is additional vigilance and perhaps some controls.
It is known that a sizable threat comes from within and not only over the internet or lan. And, those who are in a position to alter your OS or key application also have the ability to abuse that access.
As was pointed out above, if you have your own home grown or modified OS, it may be more secure against outside attack simply because of its obscurity. And, yes, obscurity can be security. Of course, once the cat is out of the bag, you are in trouble because of your insecure system, if that is the case. So, security by obscurity is only as good as the obscurity lasts.
Of course, the solution to the possible risk of someone else planting a Trojan in your OS could be modifying it yourself (making it obscure in key ways) and then hiding the source code. In other words, closing the source as far as your installation is concerned.
That does not reduce your security to that of a well known closed source OS but rather takes the better security offered by an open system, modifies the system to change its character and then sealing it against the world.
And, since it is easy to customize a log on sequence or process and then obscure the code, your custom changes would not only be more difficult to alter by a third party but any change they make may be easily detected by normal use.
Of course, the parade of
Or, indeed make an open source OS even more secure than when they got it. That would give you the benefit of the multitude of eyes upon the problem and the benefit of obscurity as well.
But, no I have not changed my opinion at all. Open source does create certain security problems that need to be understood. And, perhaps even taken advantage of.
NexuSys - Linux support by the best
This is a good example of security through obscurity, particularly the MacOS example in the article. Obscurity is no basis for a security model, but a little obscurity thrown in on top of some real security can't hurt.
For example, a tech I know runs a MySQL server that shouldn't be exposed to the outside world. It's behind a firewall and the port is blocked, fine. It's also run on a non-standard port. Why? Because if somebody cracks the main network, they still have some work to do to find the MySQL server. That's time to discover the intrusion and fix the leak.
Summary: Security through obscurity: bad. Security + obscurity: good.
This is exactly the idea I've been trying to convey for so long...
I issue a challenge to all of you kiddies to hack me as I type this on my trusty Kaypro 2. CP/M is a rock! Bring it on!
THIS MAN IS A COMEDY GENIUS!
Software is developed for a reason: people need new features in software. Though some people may be able to do what they need with old software, most businesses don't.
It's not an option for my company to switch our servers back to say linux 2.0, because we need the features that new kernels provide, the scalability, journalling filesystems, decent ATM support and so on. If we can't use those options we can't satisfy our customers and we won't make any money. We and with us many others, don't have a choice; we'll have to take bugs in software under development as another risk in doing business.
A great example of this is AOL. When someone's brand-new AOL 7.0 gets infected they're told to install v4.0 and logon to download a virus scanner. Virii are all geared toward the latest win32 stuff and have forgotten the old 16-bit junk that now works terribly well.
If you have a VAX (or better, an Alpha) and you are not going to do anything for profit on it, get the hobbyist version of openVMS and serve from that.
I am planning on doing this in the near future.
I also expect to spend lots of time laughing at skript kiddies !
Gee, how many times are we going to revisit this topic? Slashdot's criteria for accepting stories:
Badly worded subjects : n/a
Broken or missing URLs : n/a
Confusing or hysterical sounding writeup : n/a
It might be an old story : Check
It might just be a busy day and we've already posted enough stories : n/a
Someone already submitted your story : Check
Your story just might not be interesting! : Check
News for nerds. NEWS!!!!
You need a FREE iPod Nano
http://www.cpm.z80.de/manuals/mpm2ug.pdf or view as html http://216.239.51.100/search?q=cache:Y0TGJCQk3f0C:www.cpm.z80.de/manuals/mpm2ug.pdf+mp/m&hl=en&ie=UTF8
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
(n/t)
Yes. No script kiddy will actually know how to use the bloody thing.
Well, I gotta say... It worked for us in virus protection. When the Nimda bug hit our company hard because failed miserably to protect our systems, the only server that didn't get infected and lose data was the old Windows NT 3.51 box we had been pining to upgrade for years. After that we were happy to leave it go for a little while longer:)
yeah.. old OS's.. i got an old SGI box running and old version of IRIX.. i didn't have the root passwd so i couldn't get in.. plugged in the effernet cable and within 10min of googling.. i found a telnet sploit that r00t3d that b0x.. boi am i l33t. but.. i guess it doesn't count cuz it's IRIX HAHAHA
.cig
> It's just like running MacOS will make you immune to most viruses.
I don't get it. How does that follow?
Because MacOS is obscure, it gets less viruses? If that's your argument, you should have said linux, or freebsd, or something really obscure.
Because MacOS is running on a *nix[y] kernel? How is that different from any other *nix[y] system (like NT, say)?
Or did you mean MacOS before OSX, in which case you're talking about a dead OS, which would be closer to the article's suggestion of security through obsolescence.
My current firewall box runs a 2.2 linux kernel. (2.2.19 to be exact) Slackware of course. The firewall is a modified TrinityOS ipchains firewall. Before I found Slackware it was an RH 6.1 box with the same firewall code.
In the 3 years plus that I have been using this to protect my internal home network, it has been broken into a total of ZERO times. I had been using dial-up for a long time and I must admit to being a little worried when I finally was able to get an always on broad-band connection. This worrying proved to be baseless as I have had broad-band for about a year now and still NO break-ins.
When my employer decided to move all web services in house, I volunteered to put it all on one linux box. It now runs Slackware with the 2.2.19 kernel custom compiled, apache, qmail and pure-ftpd. I use the same firewall code with some slight modifications to secure the internal network, but it is still mostly the basic TrinityOS ipchains firewall code. In the 9 months it has been running, it has had ZERO break-ins.
I have not for even ONE moment considered the 2.4 series kernels and iptables. Since Iptables became the default 2.4 firewalling code I have seen at least 3 vulnerabilities that were considered serious. I have not however seen an ipchains vulnerability in over 2 years.
A rule of thumb for all of this would be pick the right OS make sure it has all current security patches and KNOW your firewall. Know how it works and what every rule does. Leave NOTHING to chance.
If sense were common everyone would have it.
I have a Turbo NeXTstation, and a Silicon Graphics PI, and those machines are not just solid on the software side, but could easily survive a sledge hammer attack too! (although they would no longer look cool on my desk all smashed up)
i have been using ie5 for the past 2 years..not a single virus, no one writes them for ie5 anymore, or at least they don't infect any of the good warez servers.
Your sysadmin may be correct in not passing around the root password. However, the root password is not required in order to modify the OS (assuming you have the source somewhere laying around), install your bogus copy and begin collecting those "passwords" for as long as no one figures out the OS has been replaced.
Just remember, if the jerk getting his way with your system can alter the logon, the new code can make a note of any passwords entered and just "grandfather" you in. So, it may be a while before it is detected that bad passwords work just as well as the real ones. Most people I know can type their own password without mis-spellings quite easily. And, even if you think you may have hit the wrong key, when "you're in", you're in.
So, it really depends. How would you know when your OS has been modified (without your approval), replaced (without your approval) or worse yet modified in a way which you were not informed?
When I talk about insiders engaged in serious attacks, I do not exclude the possibility that anyone with the root password may be involved. Disgruntled employees and SYSAdmins are not mutually exclusive, now are they?
Just who is the "boss" over your systems? The first answer is the last guy who installed the OS?
The risk is the same for a key application (that handles your money) and a key OS. Except all OSs are key.
NexuSys - Linux support by the best
"Security Through Obsolescence"
I'm not cheap, I'm security conscious... Yeah. That's the ticket....
The race isn't always to the swift... but that's the way to bet!
Security through obsolescence may be a bit of a misnomer. When I take an older OS release and apply all of the relevant patches, I know that the patched OS is considerably more mature than a newer version. Especially a new major release with newer or different components which have not been extensively tested.
This is not to say that OS and software companies do not try to thoroughly test their software. They do. But even in the largest, most sophisticated test lab, one cannot recreate all of the possible conditions that will be revealed when the software is released into the real world.
The reasons older (obsolete) software may be more secure are really twofold. Older software, due to creeping featurism which haunts all software development activities, adds features, which adds chances for security holes and errors. I assert the increased features, and especially increased interfaces (user, programmatic and otherwise) increases the likelihood of security issues. The second issue with older (obsolete) software is that it is more mature. Please understand this carefully: older software that has been patched to the current patch level will be more secure than software that has not been patched.
I think equating obsolete software with security is quite a stretch. I do agree with the thought that mature software will have fewer security issues. Added to this the fewer interfaces on older software gives it a greater chance to be free from security issues.
-tpg.
IMHO best thing would be to have the latest bugfixes, but run on a less common processor. So yeah, run the latest OpenBSD or Linux on your Amiga or Mac: Most holes get covered, but stack grows in "wrong" direction for most people to figure out what to do if they still manage to find a buffer overflow, not to mention the instruction set difference.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
And I just threw out our last disk set of "PC/TCP for dos", (circa 1992).
There is something wonderful in seeing a wrong-headed majority assailed by truth. ~John Kenneth Galbraith
The old root password is not required to replace the OS.
Try it sometime.
Install your OS and use a different root password, right?
NexuSys - Linux support by the best
You got the point.
But, your spouse does not need to shoot you to get your spare cash. All your spouse needs is "access".
And, the point I was making is that not all attacks come from the outside. Real security can not assume that.
Banks do not assume that only bank robbers will try to get their hands on the loot. They all know that employees are to be watched like a hawk. That is why they have to balance their cash drawers every day. It is not because the bank is afraid they are short or longing customers.
NexuSys - Linux support by the best
I'll give you a counter-example, and this is more to the point.
Mac OS 8.6 was *THE* standard before 9 and X. More stable, better for the environment, better for the economy, etc. etc.
There was a free upgrade available everywhere to get you from 8.5 to 8.6. Yet two years ago I ran 8.5 for a year and a half.
Why? DIDN'T need to upgrade. It gave me everything I needed, didn't crash out* (I had 1 or 2 problems with ProTools, but it was an anomaly), and I didn't need USB support.
My system was set up in such a way that everything, CDEV's, INIT's, and all extensions got along with each other and the only time I had to reboot was when I wanted to turn my computer off.
To extend this, if you have a set up that has had the HECK tested out of it, stands up to "attack" (whether that means a "hack" for a network box, or a heavy load for a server) and doesn't give you problems, why re-invent the wheel?
In the future, I would want to not be isolated from my friends in the Space Station.
My Sys Admin in college told me once, "security through obscurity is no security." I agree that the newest thing is not always the best choice, but using win 3.11 (extreme example) 'cause you think no one is going to hack it is silly.
Is this really useful IRL? If say Ford decided to use some very old webserver they are a big enough target to warrant extensive research into what they run. A qualified hacker could poke at any system and get in by trial and error. Look at MS as an excellent example. It's possible to get in without any knowledge whatsoever about the system. Send some dirt to the server and examine what's returned.
The only time this works is when someone is running around portscanning looking for an easy target. That's not the people I'm concerned about. I'm more worried that someone really interested in my network tries to get in, like a competing company.
HTTP/1.1 400
What it does not stop is those who live off hand-me-downs. My experience with a pentium 200 is that it's not much fun browsing the web with it.
The rule of affordance states that locks are meant to be picked.
OS/2 - because choice is a terrible thing to waste.
This is a good example of security through obscurity
There is no such thing as a "good" example of security through obscurity.
The biggest problem with security through obscurity is not that it doesn't provide security (although this is one of the problems), but that it provides a false sense of security.
if somebody cracks the main network, they still have some work to do to get to find the MySQL server. That's time to discover the intrusion and fix the leak.
This is a perfect example of the problem with it.
Your friend probably thinks that the "non-standard port" thing is pretty clever, and that it gives him time - he thinks that he's done something to secure his network, when in reality he hasn't; the system is just as vulnerable as it was before he moved the port, but he believes that it's more secure. This is hubris at its worst.
Incidentally, using old software is not necessarily obscurity - in general, older software has fewer features, fewer lines of code, so therefore fewer potential bugs.. fewer bugs means fewer potential security problems.
We run Netware.
The most secure cryptosystems in the world are "open source". The encryption key is kept secret, but the method of encrypting the key is published. People are encouraged to whack at it. If a system gets broken, someone gets famous, but people know quickly.
This seems like a much better model for OS development than "let's hope no one remembers that old trick".
=brian
Yeeha! Now THERE possibilities a use for my old computer.
But how the f**k do I install apache on it?
Privacy is terrorism.
Has anyone got an old copy of icq left. One WITHOUT BANNERS and 'cool stuff'. One that just sends the messages?
And now that we're at it. An old version of Office. One that runs on a 486 and fits on one cd.
Sure, ok. But what does this have to do with Open Source in particular? Just because you can recompile the kernel to do naughty things? Incorrect. You can always insert unfindable stuff into an OS, open or closed source, if you have that kind of access.
I have an ancient PDP-8 that I would say is very secure. The only input devices are front panel switches, a current loop driven teletype, and a paper tape reader. Storage (even the 2 MegaWord disk packs) is all removable. You have to toggle in the proper boot code (via the switches) to load anything, so it is not something your average script kiddie would be able to do. I do have some serial boards that I will (some day) connect to a linux box for remote access.
A UNIVAC I? Mmmmmm, mercury delay line storage, 500 microsecond memory speed, and 5,600 tubes. What more could I ask for!
You'd better ask for a technician who has experience with tubes, soldering, and perhaps wirewrap. Experience with component level repair (both analog and digital) a must. I suspect that that many tubes will just about keep one person busy. You can't wait for them to fail; you'll need to swap them out on schedule to prevent failure. The FAA does this with some of their navigation aids which still use tubes.
That's how I learned to solder, by the way. When I was little, and had small hands, I could reach into the VOR and unsolder, remove and replace a multipole relay without having to disassemble the whole cabinet. It saved my dad a couple of hours a couple of times a year.
Another advantage to using an older operating system is that if you don't need all the big frills and features of a new OS, the old ones can be much more stable, and run better on much older machines.
I work for a radio station, and what do WE run on? Our MAIN server runs Novell NetWare (We don't want to put anything critical in Bill's hands,) but all the workstations to record music on to server/edit items/record news/edit EOM times... run MS DOS. INCLUDING the system we have set up in studio 'A' to play all of our music over the air.
The newest thing we have on the MediaTouch system (The music system we use) is Windows 95, and it just manages the list of music and tells the DOS machine when to play what.
As of now the Windows 95 computer has never crashed, although we leave it running almost 24 / 7. And the DOS computers have never crashed at a critical time.
I believe the phrase is...
If it AINT BROKE, don't fix it...
So how exactly is it different?
With open source, I can recompile the kernel to do naughty things. With closed source, I can install a cracked & patched cmd.exe. It's easier to do with open source, but it's not impossible with closed. And in any event, once physical security is breached, you're fucked and your point is moot.
I think security through diversity is a much better proposition. It is well known that biological systems become vulnerable if they are too homogeneous. For example, if one species dominates an ecosystem then diseases will spread more rapidly and affect more of the population. The same argument can be applied to computer systems. If one hardware and software configuration is dominant, e.g. MS, then vulnerabilities will affect a larger number of systems and viruses will spread more rapidly.
I have a 5 1/4" drive (1.2MB) that I continue to install on each new machine I build for myself...just in case someone asks me to read a 5 1/4" floppy.
No.
If I assign you to correct a bug in a key application, I am sure you will demand to have access to the source code used to compile that application.
In other words, you know precisely what the difference is.
Your argument suggests that support staff do not need access to source code because they can do their jobs without it.
It simply is not true.
NexuSys - Linux support by the best
--I'm still running even older versions of mac classic OS's, they are great! And like who cares the reasons that they don't get hacked, really, who cares? That they DON'T is the bottom line. Odds are a million to one against getting hacked or a virii with running one of those old boxes. I don't know one old mac classic user ever complained to me about getting hacked, but EVERY windows user I have met-joe homeowner I mean-has gotten hacked and cootie-fied, usually numerous times, too, despite having nortonmcafeesymantec and whatever.
Once you get your progs in mac classic smoothed out, and get your setup "just right", they just keep cruising like an old faithful diesel engine, with zip problems. I got an old 512 still boots and runs great, the dang mobo battery is still keeping time from like ten years ago or something when I changed it. And I NEVER got a virii or hack in multi beaucoup years on the net with them.
Linux on the other hand, kinda fun, default distro installations are like piling all your valuables on the front lawn with a "free stuff" sign on them. for real, any po newbie gonna be owned in like 1/2 an hour, tops. Heh, I know this personal-like, cuz that was ME got owned, the bastids. hehehehe. The manuals sorta leave out this interesting info, you get 879 useless programs with cute names that start with the letter k or g combined with NO security and by the time you get to surfing and looking around at the "help fer newbies" sites, you done got had. Linux distros give you a security POTENTIAL that honestly takes an expert to implement. Catch 22. "yes, but look, I can manipulate an image in urdu while listening to an mp3". Ya, and your box is streaming who-knows-what foul hacker crap almost immediately, too. This sucks for most people, and until that is addressed, linux-ish stuff is just not gonna crack into mainstream use past the ubergeek level, no matter how purty the GUI is.
This is a SERIOUS problem I haven't seen any of the majors really address, like how many newbies are gonna hang with linux after they get r00ted a few times? How many are really gonna know how to just waltz up to a console and be unix security gurus in the first ten minutes with their new install? It bytes it big time it does.
Winderz I have on a few drives just for kicks, once in awhile I'll boot to one just to laugh at it. It is a much ranker GUI than mac classic, always has been, too, BTW, it's counter-intuitive to how most people think -I guess that would be classed as "mental ergonomics", and it's dismal to "fix" if it's broken at the registry level, and to top it off the security is worse than a new linux distro, why people keep buying that crap is amazing to me.
Just look at the beauty of it! Why even the boot (pardon IPL) messages look so intimidating
You don't have to have the source to crack & patch an application. It makes it easier, sure, but it's not impossible without it.
If you're my boss and you assign me to fix a bug, yes, I'd want the source. But if I was a cracker, I'd reverse-engineer it.
I'm not sure what exactly you're getting at anymore. Perhaps you'd like to take a try at summarizing your argument for my further edification.
Why not put it into the compiler/assembler suite? Add random jumps everywhere to foil buffer overflows. Might bloat your code and increase the run time linearly, but it would bring obscurity to a whole new level. You still have to recompile everything, but then that in itself might do the trick. On second thought try compiling on an obscure compiler. That might fool the buffer overflow demons at address #oxDEADBEEF.
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
Especially considering active development has ceased on source trees that have been superseded and that modern applications are sometimes much more secure than their predecessors.
Oh, and occasionally development occurs only because of a serious exploit that requires immediate attention. Let's install BIND 8.0, hoping that the script kiddies will not observe this blatant error, oblivious to the fact that experienced (cr|h)ackers would perceive exploiting such an application or operating system a trivial activity.
This concept is nothing more than an esoteric form of "security by obscurity." It disappoints me that the Slashdot editors would begin to advertise such a blatantly rhetorical and poor security practice.
Do you like German cars?
All I'm going to say is MPE/iX. That's our security through obscurity... and can't forget those gem-like DOS boxes....
use CPAN;
Cable's Black and White
come on man, this is /. ... get your shit together
Are you really naive enough to think you can argue against buffer overflows in a piece of software you have never seen?
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
All the "obscurity" does is extend the time before the FIRST person discovers a hole. Once one person finds a hole and that info hits the Internet, it's not obscure any more. What, you think all the script kiddies personally research and discover security holes?
It's a similar problem to that faced by music companies trying to copy-protect CDs -- all it takes is for ONE person to rip the protected CD, then it's out there.
-----
PGP Key ID 0xCB8FF658
When my mother left her systems programmer job at MD, she kept all her reference materials. System manuals, assembly references, everything. Although, her shop didn't quite get to the 390 before she left (lots of nifty 360 stuff, though).
Speaking of IBM's stuff, ever try hacking AIX? Some idiot changed the root password to our webserver without telling anyone, and then forgot it. Absolute bitch to get back in. Took me 3 days, and I had the advantage of physically being at the console with an account, which was in the security, sys, audit, and system groups. Of course later some script kiddies got in through an unpatched copy of wuftpd (which I had turned off and abovementioned idiot turned back on). Oh well. At least they saw fit to mention the unusualness of the system.
Windows 95 and 98 continue to be less secure than 2000/XP. In this method staying obsolete is not in your best interests. The only way this would work is if you put nothing but dos on your computer, or remove your network card.
Security and Convenience are bitter, mortal foes. Using long forgotten and ancient software may be secure (dare I suggest also abandoning ASCII and replacing it with a hieroglyphics-based standard) but it's not really convenient (or practical). Forgive me, but I don't see businesses rushing to downgrade their software. Issues of support, maintenance, licensing, etc. really make this one a tough sell. Security and Convenience just don't get along well...
What's in a Sig?
Security Through Adolescence
Can anyone tell me why I read that subject as "security through obesity" ?
frotz grue
Back when the Atari 8-bits were out, there was a race between companies that would copy-protect their disks (through bad sectors, etc.), and companies that would produce drives that would copy them. IIRC, after this had gone on for a while, someone produced an almost uncopyable disk. Turns out it was using an old copy protection format not built into the last couple generations of copying drives.
Seems like a lot of people here need a refresher course on why security through obscurity is bad. It's not bad because it relies on the attacker not knowing something--most security relies on that. It's bad because the thing that it relies on the attacker not knowing is poorly defined.
Take the common example of the "secret URL". No one could possibly guess the secret URL to my admin page, right? Maybe, but it's a moot point, since they don't have to. Your browser doesn't know the URL is supposed to be secret, and neither does your webserver. It can leak out via literally dozens of paths. I find "secret" pages virtually every time I take a look at my webserver referrer logs.
use constant PERL_IS_BROKEN => $] >= 5.006;
This was an extreme case, but in general, protection via obscurity can make your life very difficult, and when it is cracked, it unravels very fast, so it is no good for a big organization.
What is obscure to one person will not necessarily be obscure to another. Suppose you have some small item like jewellery you want to hide in your house. Where do you put it? In the freezer compartment of the 'fridge? In a polythene bag in the toilet cistern? Naah - apparently thieves mostly know a top ten list of places that Ordinary People Think Are Really Cunning Places To Hide Stuff, and they go through them in the first minute. If there was more obscurity about, then people would become better at cracking it.
The same works with UNIX passwords. They are encrypted using a known algorithm. It is too slow to crack by brute force - encrypting all the password possibilities and comparing the results to the entries in the password file. However, if your target system is used by sloppy people, and you try a list of the more likely words such as 'password', 'root', 'christmas', there is a decent chance of getting a crack in a reasonable time.
If you want difficult passwords, then why not stick them through the encrypter twice? It seems like a good idea, but actually this can make the encryption weaker (remember the Enigma machine that could code no character as itself?).
However, suppose the password string was passed into some fixed custom routine written by the system administrator that mapped simple strings onto obscure ones? The hacker would not start off knowing this, so they will have to run a decent number of trials on the actual machine in order to reverse engineer that algorithm. If they crack that, then there is still the regular encryption to crack too, so at worst things should not have got any weaker. However, you still have a fixed algorithm, and if your hacker can get hold of that and your password file, then things are no different - it is just like having a slightly bigger encryption algorithm. The hacker runs through the possibilities, and comes up with a crack just the same.
Okay, suppose you have an obscure scheme that changes all the time? Could you make it so the crack is bound to be out of date by the time it is finished? Nope - provided the hacker can get a snapshot of the decryption process and the password file at one time, they can find the original password, and because the sloppy users won't have changed their original password, so that will still work even through your new encryption scheme.
This argument goes on forever. It is a bit like trying to build a perpetual motion machine. It may seem possible if only you could get hold of some really powerful magnets, and avoid being kidnapped by government agents like the last guy. However, you can't catch Newton's 3rd napping on the job. And you can't beat a good encryption algorithm and a good set of passwords. Bit of a shame, really but There It Is.
Well, as a general rule, I don't install MS software until the third service pack comes out. This is due to the multitude of problems that come with MS new releases. As for security, why haven't the web and OS programmers set up a VM for browsers and email with no access to the underlying OS? A separate VM for each logon, and the user just kills his own VM ..........
Over 10 years ago I was using WANG VS systems, quite a nice OS IIRC. Turns out you can still get them and they have a webserver (http://www.vswebcenter.com) product. I doubt most script kiddies have never heard of Wang, let alone tried to hack one.
Jonathan
actually, I had my Mac Plus "owned" by nVIR B, an Olde Skool (krusty) virus...
But that's part of the equation. When it happens you recover and you learn something new. Periodically running a virus catcher can help! Then it never happened again.
Now your comments on the security of vanilla distro linux are actually On topic and a great spring board. Like you said with the old macs, you "get your setup just right"...
It's the same way with linux. If yr not running behind a firewall (even a lame one like a linksys) you should NOT connect your linny to the net! There are at least 5,000 web pages on how to harden your linux distro, not to mention security BOOKS you can buy (don't run send mail! disable all the basic accounts! don't run finger!)
The beauty of linux is that if you want to you can see the software you are running and you can change it. Now so far the only changes I've done to software is to edit some header files just to get it to compile!
No one runs with a new linux distro (well, actually I still am, but I'm behind a firewall, and that machine dual boots into MacOS more often). The idea behind most distros is to give you almost everything you might want and allow you to prune away.
Now you have a custom set up. If something goes wrong now you know what's on your machine, trace it back. And if you find it's because of a code exploit you can either fix it or find the update.
As a side note: Maybe the distro for newbies would be more like a minix- a minimal set of unix stuff to get started.
And you just add capabilities as you go.
In the future, I would want to not be isolated from my friends in the Space Station.
I use Windows 3.1 and a version of Eudora older than the concept of HTML email. No Windows Scripting Host (which is a very serious security hole). No Visual Basic. No Java. Just plain old text. No viruses. No stolen address books. No nonsense. I'm under the bad guys' radar screen. I also checked my system against www.grc.com. They said I had an outstandingly well protected system, with only a few ports available for potential intrusion.
Conversely, the greatest SOURCE of security is documentation. The more documentation you have about your system, the more secure it is simply because it is easier for someone new to come along and fix whatever breaks. Older software MAY have better documentation (especially documented vulnerabilities and fixes), but not necessarily.
No script kiddy will actually know how to use the bloody thing.
..
Heh true! VMS command line is deeply weird - I wonder how long the kiddies would take to figure out how to change directories?
set def [-] for cd
set def [.mysubdir] for cd mysubdir
It should also be mentioned that VMS is one hell of a stable and secure OS - far better than VMSlite for sure.
--
Reverse outsourcing: it's the future
I doubt you would reverse engineer anything for which you had the source code.
The difference is not whether you are assigned to fix a bug or you are a hacker attempting to take over a system.
The difference is only the means you have at your disposal. There is also a difference between an inside versus an outside attack.
If you are on the outside then having the source may or may not do you any good. If you are inside, then it makes it easy. And, that is why you have to understand the difference between having the source code or not.
NexuSys - Linux support by the best
remove all the chrome badges & remove the manual from the glove box & throw it away.
IE, remove all indicators of what OS it is, from inside the OS.
I still hold that if you've allowed your computer to be compromised at the level that someone can insert, modify or remove system components, then whether or not it's open source makes no difference in what security measures must be taken. If you're in that position, you must assume that system components HAVE been changed, and you must check for it. That it is easier to make these alterations with open source code is irrelevant. You have to check anyway, because it's still possible to do even with closed source code.
So please tell us what security precautions you can blow off when you've got a closed-source OS that is in this position. What, exactly, are the differences in security procedures?
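The check the comment above calls for (assume system components have been changed, and verify them) can be sketched as follows; this is an added example, not part of the original thread. It records a baseline of SHA-256 hashes, sizes and modes, authenticates that baseline with an HMAC so someone with write access to the host cannot quietly rewrite it, and reports replaced, added and removed files. The directory layout, file names and key are constructed for the demo, and keeping the key and manifest off the monitored host is an assumption of the design.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def file_record(path):
    """Hash one regular file and capture the metadata a swap would change."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size}


def snapshot(root):
    """Map every regular file under root (by relative path) to its record."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_record(full)
    return manifest


def sign_manifest(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    payload = json.dumps(manifest, sort_keys=True).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(root, manifest, tag, key):
    """Authenticate the baseline first, then compare it with the live tree."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        raise ValueError("baseline manifest failed authentication")
    current = snapshot(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "removed": sorted(p for p in manifest if p not in current),
    }


def demo():
    """Constructed scenario: a stand-in 'login' is swapped after baselining."""
    key = b"constructed-demo-key"  # assumption: the real key lives off-host
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        with open(login, "wb") as fh:
            fh.write(b"login build A\n")
        with open(os.path.join(root, "bin", "sh"), "wb") as fh:
            fh.write(b"shell build A\n")
        baseline = snapshot(root)
        tag = sign_manifest(baseline, key)

        # Same size and mode, different bytes: only the hash gives it away.
        with open(login, "wb") as fh:
            fh.write(b"login build B\n")
        # An extra file that was not in the baseline.
        with open(os.path.join(root, "bin", ".pwlog"), "wb") as fh:
            fh.write(b"")
        report = verify(root, baseline, tag, key)

        # A baseline edited to match the swapped file must be rejected.
        forged = dict(baseline)
        forged["bin/login"] = file_record(login)
        try:
            verify(root, forged, tag, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    return report, forged_accepted


if __name__ == "__main__":
    print(demo())
```

The same procedure applies whether the replaced component was rebuilt from source or binary-patched; the comparison only looks at the bytes on disk.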
You say, "Source is irrelevant. You think sourceless OS/application suites protects you in some fundamental way. They don't. Others have pointed this out. Though you maintain the difficulty of hacking with a sourceless system, the real world shows that the majority of security exploits occur in closed systems. How do you reconcile this fact with your claims?"
Having access to the source is relevant.
It is not a question whether systems with or without source are more or less secure. I do not care about that. In considering appropriate security measures that is also not an issue.
When dealing with security issues you have to address the risk "you actually face". And, if you have the source (or others have the source), the risks are different.
I do not suggest one set of risks is more or less than the other. I only point out the "sets" differ.
Sure, you can attack a system that uses closed source. There is no doubt about that. But, that observation has absolutely nothing to do with the risks associated when the source is readily available. You can do different things with the source. You can do some things much easier with the source.
The point being that when source is available the security issues change. That is why the comparison between custom applications and a customizable OS. You simply do not address the security issues created by open source when making references to security issues on closed source. In other words, there could be absolutely no risks with closed source (not the case, of course) and security risks could still exist on open source. How is that? The OS itself can easily be changed. And, in many shops the process of changing the OS could be an active task. And, when it is an active task, certain risks are associated with that task.
Let me put it this way. There are many ways to carry out embezzlement when employees can alter the systems being used. That clearly does not mean that embezzlement can not be taking place on shrink wrapped software. It clearly can. But, the range of possibilities are different. The amount of trust that must be extended is different. And, the number of people who must be extended trust also differs.
As far as the exploits on closed systems, that issue is not relevant to the risks created by the source being available. They are different risks. And, in security you do not solve one problem by addressing an unrelated one. The risk of someone modifying your OS and installing a bogus copy has absolutely nothing to do with the risk of someone hacking into a closed source system. They are different exploits. Protecting against one has no bearing on the other.
Protecting against outside attacks has little bearing upon inside attacks.
As for outside attacks, it might be fair to say that security issues are the same or similar for open and closed systems. (not making a judgment as to which is greater) But, that is not the case for inside attacks that might be carried out by disgruntled employees. Or, simply employees who prefer to embezzle to pad their retirement plans.
For inside attacks access to the source code matters greatly as do many other issues (i.e. access to hardware, etc.).
It is simply false to claim that having the source code does not alter your security considerations. It clearly does. All organizations treat their custom applications differently than they treat shrink wrapped ones.
You said, "Not the organizations I work with. So you let anyone who feels like it install shrink wrapped software on your systems? You think this is secure? If not, what is the basis for you claim?"
The selection of software you let users install is a separate issue from how you control access to applications and the associated source code. And, I have never said or even suggested that closed source or shrink wrapped software is more or less secure than open source. All I have pointed out is that when you have the source code (or when everyone else has it), the security issues are a different set. How do they differ?
And, I do not make any claim that closed systems are secure or even more secure. I am only pointing out the risks do in fact differ.
It is much easier for anyone to alter what the software does and replace it on your systems.
For example: If you use the Mozilla browser, could someone in your company modify Mozilla such that a record on the side is kept of passwords used by individuals? Well. If Mozilla code is readily available (and it is), all the code is available (and it is) then what is to prevent someone (anyone) from writing a custom version of the Mozilla browser to capture that information BEFORE it is sent over the internet? Or, BEFORE it is secured. This may not be a very good example. But, it simply illustrates that the "set of risks" is different when the source code is available.
The risks are not any different than those associated with the custom applications for which everyone does maintain the source. But, they are different than for those products which do not include source code.
Finally, you said "I'm obviously not going to convince you of anything. The real world shows that open applications and OSes can be very secure. Closed systems can also be secure. Or both can be very insecure. It doesn't help your case that the most dominant closed source OS for the last 10+ years has a long history of extreme security problems. You can not ignore the real world. Your claims, if believed, would only lead people to choose that particular closed source solution over more secure open solutions. How does this promote security? What, exactly, is your motivation?"
I do know that with the source code being readily available, I (or anyone else) can seriously alter what the OS does. And, that can be accomplished in different ways than if it is not.
Recognizing the particular risks associated with the availability of source code does not decide the issue of which products overall are more secure. Neither does it decide that closed source systems are more secure than open ones. I am not making a final judgment or conclusion. I am simply pointing out that the risks are different.
And, in the real world when the risks are different so too are the appropriate responses to those risks in order to minimize possible damage.
My motivation (assuming it matters) is to encourage the adoption of security protocols that accurately reflect the risks that do exist. That is all. I do not doubt for one minute that real advantages are associated with an open (source) development process. There is no doubt about that. But, once the development is completed and implementation begins the risks associated with open and closed source do in fact differ.
How much do they differ? Or, how must security change because of the differences? Well. It may very well depend upon the installation.
But, that is why I suggest that the security should be similar to that for custom in-house developed applications where source code is present. That is the appropriate comparison. The wrong comparison is that with closed source systems.
Hey, I happen to think that open source is great. I love to program. I love to develop applications. I do not intend to customize my OS for use by small numbers of individuals or employees. But, I do understand the risks associated with and created by the common availability of the source code for an OS. The risks are the same as those associated with the source code for any key in-house developed custom application. Not different. They are the same. But, they are different than for closed source software.
This is a management issue not a technical one. Too many claim that there are no security differences between open and closed source. That is simply false. As for outside attacks (once the product is compiled) that might be true. But, when looking at issues surrounding inside attacks the differences need to be understood. The industry knows how to deal with the issues. They are dealt with now and always have been. But, the policies related to in-house developed custom applications for which source code was maintained. And, that is the model that must be looked at.
NexuSys - Linux support by the best
I think you are making the wrong comparison.
.... what if the cleaning lady that comes in at night has full and complete access to the source code for your key custom applications? Would that concern you? What procedures would you put into place such that your exposure is minimized? Yes, the cleaning lady may not be a hacker, but she can get her hands on the Redhat source code. And, what about the guy who replaces the water bottles or restocks the cola machine? Does that fellow have copies of the source code for your custom applications (or OS)?
The security model for an open source OS should be the same as the security model for in-house developed custom applications where source code is also kept.
It is not a matter of blowing off some things if the source is closed.
If however, you do not have the source code (and no one else does either), then you may not need to address those security precautions related directly at source code.
For example: How do you know that no one inside the company has modified your custom apps to permit embezzlement?
Some companies do nothing. And, some companies pay the price for not doing anything. But, most companies of any significance pay close attention to the code that is used to compile their key applications. And, that is because control over that code has been deemed necessary. That does not change just because it is an OS.
There are many similarities in security risks that do not differ because of the source being available or not. But, that observation does not prove that there are not also a number of factors that do differ because of the source. The availability of source does create some risks.
That is why I have to keep saying that you need to look at the procedures you employ for dealing with the custom source code you may have rather than procedures for products on which you do not have source code. And, it is not just whether you have the source. If the source is publicly available, you have it too. And, that presents the problem. You now have to deal with it.
It may be a bit of an absurd observation, but
Is this FUD? Well, yes, sort of. But security is based entirely upon FUD anyway. And, when we understand the risk, we do something about it. Many communities do not require residents to lock their back door, right? But, many communities do require that. And, when do the doors get locked? It is when fear, uncertainty and doubt show up.
This is not something that can not be addressed. It is already addressed with the source code for custom applications we develop in-house. And, that is why that process has to be looked at for the model. Looking at the security model for products on which no one has the source is the wrong approach. And, claiming the security issues are identical between open and closed source is also incorrect. Whether you have the source makes a difference for key applications you develop and/or use. And, the same applies to your OS if you (or anyone else) has the source for it.
And, we need to distinguish between the relative benefits of an open and closed model used for development of technology versus the relative benefits of open and closed models for systems being implemented.
NexuSys - Linux support by the best
For example: How do you know that no one inside the company has modified your custom apps to permit embezzlement?
You can ask the same thing about your custom apps that people inside the company DON'T have the source to.
This is exactly my point, and one which you are seemingly being willfully dense about. If you're in the position of not trusting the people with root access to running systems and/or write access to your system binaries, whether the source is there or not doesn't matter. You can patch binaries just like you can recompile and replace. It may be harder, but it's certainly not so hard as to not warrant the proper precautions if you're in that position.
Sure, but the source code being available makes it relatively simple.
That is why it is flat wrong to conclude the source being present or not is not a factor.
It clearly is a factor. They simply are not equivalent risks. That does not mean you can not adjust for the differences. But, you do have to know what the differences are. And, you have to know how much easier it is when source code is available.
Everyone knows it is easier with the source. That is a given.
Why some want to claim that fact does not exist is beyond me. It does exist. Anyone who has done any programming whatsoever knows that. And, the fact that source does exist lowers the level of difficulty in carrying out some kinds of attacks.
Being possible without the source in no way equates the risk. That would be like saying that hanging a key outside the locked door is no more secure because someone could just pick it anyway.
Security is not an absolute concept at all. It is a relative concept. Suggesting that two unequal risks are the same only avoids the issue and leaves many people thinking they are more secure than they really are.
In security, the very first and most important step is to identify "correctly" what the risks are that you face. If you fail to do that, then you also fail to protect against those risks.
NexuSys - Linux support by the best