Security Through Obsolescence
dlur writes "This article and this article (both variations of the same article written by roblimo) delve past security through obscurity, into using old, out of date software to secure a site. Maybe it's not always in your best interest to snag the latest kernel? Perhaps think twice before jumping at the chance to buy MS's latest OS."
This is simply a variation on security through obscurity. Make sure the operating system and software it runs are so old that current hacking tools won't work on it. Sure, that will stop a bunch of script kiddies. It's just like running MacOS will make you immune to most viruses.
Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities.
At least with current software when a hole is found it will get patched - more quickly for some companies than others. What happens when a major flaw is found with older OSes/apps? Do you really think MS will bother to write a patch for win95 or Apple for mac os 7.1? You will not only have a security problem, but to fix it you'll have to upgrade or migrate to a new platform.
I still wouldn't rely on this for really critical security implementations.
;^)
The main problem is that most vendors stop supporting old products. This creates a huge security threat. Just because no one knows about security holes doesn't mean they exist.
Sure you've eliminated probably 99% of all script kiddie threats and if that's the only threat you can identify then by all means this is a cute idea. However, as security administrator at my company I do my best to secure against any and all threats which means I must presume that old versions of Solaris (for example) have gaping security holes that were never fixed and therefore running the latest and greatest with all applied security patches and a rock hard configuration is my best bet when it comes to security.
Roblimo's friend does have a point, though, regarding Macs. Old Macs are really the most secure systems out there. Simply because they can't really do much. They weren't designed to be networked and so there aren't any services to exploit.
--
Garett
It's Security through time.
They've got the argument all wrong - it's not more secure because it's obscure - it's more secure because older software has been around longer, and the kiddies have already found the obvious bugs and they've been patched.
Would you run a 2.5 kernel on a computer where you worried about security? I'd hope not.
It's called AppleTalk and while PC users were being strangled with Novell NetWare, Apple had this easy-peasy way to connect Macs (ring style) with some $30 adapters (under $10 if you homebrewed!).
You can run AppleTalk on IP.
In the future, I would want to not be isolated from my friends in the Space Station.
This is a good example of security through obscurity, particularly the MacOS example in the article. Obscurity is no basis for a security model, but a little obscurity thrown in on top of some real security can't hurt.
For example, a tech I know runs a MySQL server that shouldn't be exposed to the outside world. It's behind a firewall and the port is blocked, fine. It's also run on a non-standard port. Why? Because if somebody cracks the main network, they still have some work to do to get to find the MySQL server. That's time to discover the intrusion and fix the leak.
Summary: Security through obscurity: bad. Security + obscurity: good.
Software is developed for a reason: people need new features in software. Though some people may be able to do what they need with old software, most businesses don't.
It's not an option for my company to switch our servers back to say Linux 2.0, because we need the features that new kernels provide, the scalability, journalling filesystems, decent ATM support and so on. If we can't use those options we can't satisfy our customers and we won't make any money. We, and with us many others, don't have a choice; we'll have to take bugs in software under development as another risk in doing business.
Yes, but a determined hacker would go get information on CP/M and not give up so easily.
Security through obsolescence may be a bit of a misnomer. When I take an older OS release and apply all of the relevant patches, I know that the patched OS is considerably more mature than a newer version. Especially a new major release with newer or different components which have not been extensively tested.
This is not to say that OS and software companies do not try to thoroughly test their software. They do. But even in the largest, most sophisticated test lab, one cannot recreate all of the possible conditions that will be revealed when the software is released into the real world.
The reasons older (obsolete) software may be more secure are really twofold. Older software, due to creeping featurism which haunts all software development activities, adds features, which adds chances for security holes and errors. I assert the increased features, and especially increased interfaces (user, programmatic and otherwise), increase the likelihood of security issues. The second issue with older (obsolete) software is that it is more mature. Please understand this carefully: older software that has been patched to the current patch level will be more secure than software that has not been patched.
I think equating obsolete software with security is quite a stretch. I do agree with the thought that mature software will have fewer security issues. Added to this the fewer interfaces on older software gives it a greater chance to be free from security issues.
-tpg.
I think security through diversity is a much better proposition. It is well known that biological systems become vulnerable if they are too homogeneous. For example, if one species dominates an ecosystem then diseases will spread more rapidly and affect more of the population. The same argument can be applied to computer systems. If one hardware and software configuration is dominant, e.g. MS, then vulnerabilities will affect a larger number of systems and viruses will spread more rapidly.
All the "obscurity" does is extend the time before the FIRST person discovers a hole. Once one person finds a hole and that info hits the Internet, it's not obscure any more. What, you think all the script kiddies personally research and discover security holes?
It's a similar problem to that faced by music companies trying to copy-protect CDs -- all it takes is for ONE person to rip the protected CD, then it's out there.
-----
PGP Key ID 0xCB8FF658
Well, as a general rule, I don't install MS software until the third service pack comes out. This is due to the multitude of problems that come with MS new releases. As for security, why haven't the web and OS programmers set up a VM for browsers and email with no access to the underlying OS? A separate VM for each logon, and the user just kills his own VM ..........