Security Through Obsolescence
dlur writes "This article and this article (both variations of the same article written by roblimo) delve past security through obscurity, into using old, out of date software to secure a site. Maybe it's not always in your best interest to snag the latest kernel? Perhaps think twice before jumping at the chance to buy MS's latest OS."
Per yesterday's /. article on the current state of Air Traffic Control systems, it sounds like this is standard fare for them as well. They've certified that the ATC systems that STARS is replacing are hack-proof, simply because the systems are so old that few people in the IT world today were even alive when they were introduced.
Of course, a system like this is still subject to physical abuse, and an old system that is broken into pieces is just as bad as a new system that is the subject of a DoS....
Rule #1 -- Politics always trumps technology.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
It's not like there aren't readily available sources for information on older OSs, after all.
Besides, exploiting a buffer overflow could allow the attacker to upload some code that would overwrite memory with the contents of some special packets. The attacker could even install another OS over the net this way :-)
The problem is that while you could probably get rid of most script kiddies by using some non-standard OS that you wrote yourself, you don't get rid of the real problem, which is that a *determined* hacker (say an ex-employee who wants to steal your secrets to sell to a competitor, or an evil black-hat who wants to steal your credit card database, etc.) will be able to get in. Obscurity may stop the "nuisance" hacks, but those hacks don't really cost you much in reality. The scary hacks that actually do cost your company money will not be stopped.
"Your superior intellect is no match for our puny weapons!"
The most secure cryptosystems in the world are "open source". The encryption key is kept secret, but the method of encrypting the key is published. People are encouraged to whack at it. If a system gets broken, someone gets famous, but people know quickly.
This seems like a much better model for OS development than "let's hope no one remembers that old trick".
=brian