Security Through Obsolescence

dlur writes "This article and this article (both variations of the same article written by roblimo) delve past security through obscurity, into using old, out of date software to secure a site. Maybe it's not always in your best interest to snag the latest kernel? Perhaps think twice before jumping at the chance to buy MS's latest OS."


  1. AIX old and obscure? by ChanxOT5 · · Score: 2, Interesting

    "... like AIX that has never been widely used for Net-attached servers but is adequate for handing out simple Web pages .."

    Um, I don't know about you but last time I checked, AIX is far more capable than most UN*Xs out there at just about everything.
    By no means is it "old" or "outdated."

    1. Re:AIX old and obscure? by xSterbenx · · Score: 2, Interesting

      AFAIK, AIX comes standard with all of IBM's RS/6000s. Hardly 'out of date'. Of course, I don't know how many of those RS/6000s are used as webservers, but ours is and we've never had a problem with it.

  2. Re:Just Obscurity, not Security by NanoGator · · Score: 5, Interesting

    "Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities. "

    You lightly touched on one of the biggest vulnerabilities to any system: Consistency. If you can research an OS, you can find out how to break in.

    What about a case where somebody builds their own OS and runs their apps on it? (I realize that is extremely unlikely, so use your imagination a bit...) How would a would-be hacker get into that? I'm sure it's possible, but without a model to work from, how would they know what to do?

    My company used to run IIS. When we got hit with Nimda, I noticed that 'CMD.exe' was getting called a lot. What'd I do? I renamed CMD.exe and replaced it with Calc.exe. I had originally intended to write my own VB App that'd notify me if it was ever run. Never got around to it, though. Essentially, I hid a commonly known function of WinNT. Anybody breaking into the system would have to figure out what I did since it's no longer the same type of server other people run.

    It is for this reason I'm really interested in Linux as a server. If I were to get really deep down into the nitty gritty, I could make the OS so unfamiliar that only the most determined hacker would get in.

    --
    "Derp de derp."
  3. Old systems reduce the field of possible crackers by Dallas+Truax · · Score: 2, Interesting

    I'm serving web pages from my NeXT Station at home. My logs show tons of attempts to reach internal WIN-NT paths. Which is slightly amusing. But in the end, that's just my DMZ machine, and my linxis(sp?) firewall is trusted to keep out other naughty people. Still, nothing keeps the wife from opening an email with an executable attachment... So my web server stays up while I refresh the image on my PC. The most stable running box in the house is still the NeXT.

    --
    Above comment is personal opinion. Poster is not a spokesperson.
  4. Fort Knox; aka MS-DOS by dcavanaugh · · Score: 5, Interesting

    A few years ago, I remember researching firewall products and stumbled across one that ran on MS-DOS. According to the marketing hype, MS-DOS was the OS of choice because it was impossible for a hacker to do anything remotely with an OS that had no remote accessibility. They had custom ethernet drivers for a small number of cards, and a homegrown GUI (definitely not Windoze). IMHO, it wasn't the best product (for a variety of reasons), but I'll bet it was every bit as intrusion-resistant as advertised.

  5. MVS - S360 - S370 - S390 - ZSeries by John+Harrison · · Score: 5, Interesting
    I was talking to a member of IBM's ethical hacking group a few months ago. He said he had gone down to DefCon and taken one of his System 390 manuals as a bartering item. He said that he got all sorts of cool offers for it. Most of the hackers had never seen any documentation on the system, so it was a total black box to them. The guy from IBM thought it was all rather funny since, after he traded it away for items worth several times its value, he went home and ordered another copy off of Amazon.

    This article just goes to show that good security is hard, and is often an afterthought.

  6. Flawed.. by reflective+recursion · · Score: 5, Interesting

    This is a pretty flawed argument. Do these security experts actually look at "script kiddie" tools? If they cared to do a little homework they would see that many exploits and tools cover a wide array of software versions. Exploits for antique software are relatively easy to find. Now you could claim that _obscure_ software is more difficult to crack, and you would probably be right. But keep in mind that that software is obscure for a reason--it's probably junk. Just because you are running last generation's software does not mean the current cracker generation cannot get to those exploits (or information needed for the software).

    I believe there is a little bit of confusion in this article between obscurity in the sense of software not being widely used and obscurity in the sense of proprietary closed-source software. There is also the confusion of software _differences_, which the author of this article bundles together with software age. In any case, this article is seriously misguided. Let me explain:

    There is an Object. It could be your physical hardware, your OS, or simply a version of a software package. Imagine two generic Objects, Object-A and Object-B, exact in every practical way. Now imagine an Exploit that works on Object-A (and a cracker has access to this object). It also works on Object-B (your object) because they are identical. Now imagine there is an Object-C. It is very similar to Object-A and B, but has a few slight differences. Now the Exploit will need to change to accommodate this. This is _security_. This is the same principle viruses (biological or computer) work on. The differences between objects makes them secure. The less difference, the less secure.

    Think of any *ix security measure. Passwords, for instance, are simply ~8 character differences (and a login name) between one *ix and the next. Attempting to break a password by trial-and-error is impractical. Crackers rely on this principle of _similarity_ of systems to break passwords. They download a system's password file and use a "word file" to crack passwords. This word file is merely commonly used passwords--again, the principle of similarity. Most *ix systems have a password file in a common format and there are common passwords.

    Common system properties (/etc/passwd, etc.) + common user psychology turns what is a very secure method (passwords) into a very insecure method. One small admin. change could make the difference between a system being cracked or not (such as moving daemons to a "strange" location or partition, etc.).

    Software age has nothing to do with security. The article really has many separate issues tied together and it really is not a good idea to just use older software for security's sake.

    --
    Dijkstra Considered Dead
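
The "password file + word file" mechanism in the comment above, as an added example that is not part of the original post: a dictionary attack run against a small constructed password file. The storage format used here (user:salt:hex of sha256(salt || password)) is a made-up stand-in for illustration, not the real crypt(3) format of /etc/passwd or /etc/shadow, and the account names, passwords and wordlist are constructed. The point it makes is the commenter's: per-user salts do not rescue an account whose password is on everyone's wordlist; only a password that is genuinely different from everyone else's survives.

```python
"""Dictionary attack against a constructed salted password file.

Added example; not from the original thread. The hash format (sha256 over salt+password,
hex-encoded, stored as user:salt:hash) is a toy stand-in for crypt(3); real systems use
crypt/PBKDF2/bcrypt/scrypt, which are slower per guess but defeat common passwords no better.
"""
import hashlib
import secrets


def hash_password(password: str, salt: str) -> str:
    """Toy salted hash: sha256(salt || password) as hex."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_password_file(accounts) -> str:
    """Build 'user:salt:hash' lines with a fresh random salt per user, as a real system does.
    The salt stops precomputed tables and cross-user comparison; it does not stop guessing."""
    lines = []
    for user, password in accounts:
        salt = secrets.token_hex(4)
        lines.append(f"{user}:{salt}:{hash_password(password, salt)}")
    return "\n".join(lines)


def dictionary_attack(password_file: str, wordlist) -> dict:
    """Try every word in the list against every account's own salt.
    Returns {user: recovered_password} for accounts whose password was in the list.
    Cost is len(accounts) * len(wordlist) hashes: trivial for a few thousand common words."""
    cracked = {}
    for line in password_file.splitlines():
        user, salt, digest = line.split(":")
        for word in wordlist:
            if hash_password(word, salt) == digest:
                cracked[user] = word
                break
    return cracked


# Constructed sample: three accounts with common passwords, one with an uncommon passphrase.
ACCOUNTS = [
    ("root", "password"),
    ("alice", "letmein"),
    ("bob", "qwerty"),
    ("carol", "v7!kxQ2#plateau-ferret"),
]
# Constructed "word file" of commonly used passwords.
COMMON_WORDS = ["123456", "password", "letmein", "qwerty", "admin", "welcome"]


if __name__ == "__main__":
    pwfile = make_password_file(ACCOUNTS)
    print(pwfile)
    print("cracked:", dictionary_attack(pwfile, COMMON_WORDS))
```

Run it and three of the four accounts fall on the first pass; carol's does not, and the only reason is that her password is unlike the others', which is the commenter's "difference" argument in one loop.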
  7. Re:Just Obscurity, not Security by WinterSolstice · · Score: 3, Interesting
    This is actually a good point. We had a Windows NT server at a certain company I happen to work for with this "advantage". It was originally an OS/2 box, then upgraded to WinNT. NT was put into C:\OS\Win\Winnt.

    The box survived three or four "security tests" from consulting teams with no issues. It was one of three NT machines in the company that survived, the other two of which were actually OS/2 boxes running SAMBA.

    Just goes to show...

    -WS

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  8. Re:Just Obscurity, not Security by NanoGator · · Score: 3, Interesting

    "...don't have access to any source code, yet they still find the holes."

    You don't need the source code, you just need to have Windows. Understanding of Windows features leads to understanding of how to be annoying to other Windows users.

    On the other hand, I would have no idea how to attack a Linux user. If I were to get familiar with Linux, I could start to cook up ideas.

    --
    "Derp de derp."
  9. Re:Just Obscurity, not Security by tgibbs · · Score: 2, Interesting

    Actually, most of them *don't* find the holes; they learn about them from somebody else. The point being that if there are enough people trying to break into your system, somebody will succeed. If you are using a well-known OS, you are effectively under constant attack by thousands of hackers, because information they learn about one system is immediately portable to all the others. If you are using an obscure system, you just have to worry about the rare hacker who stumbles across your system.

    It's a little like locking your door. You won't stop the rare really skilled thief with a lockpick, but it'll deter all the guys who go around trying every doorknob.

  10. your man is an idiot, but this is what they mean: by mekkab · · Score: 4, Interesting

    I'll give you a counter-example, and this is more to the point.

    Mac OS 8.6 was *THE* standard before 9 and X. More stable, better for the environment, better for the economy, etc. etc.
    There was a free upgrade available everywhere to get you from 8.5 to 8.6. Yet two years ago I ran 8.5 for a year and a half.

    Why? DIDN'T need to upgrade. It gave me everything I needed, didn't crash out* (I had 1 or 2 problems with ProTools, but it was an anomaly) , and I didn't need USB support.

    My system was set up in such a way that everything, CDEV's, INIT's, and all extensions got along with each other and the only time I had to reboot was when I wanted to turn my computer off.

    To extend this, if you have a setup that has had the HECK tested out of it, stands up to "attack" (whether that means a "hack" for a network box, or a heavy load for a server) and doesn't give you problems, why re-invent the wheel?

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  11. Re:Just Obscurity, not Security by PurpleFloyd · · Score: 3, Interesting

    Scriptkiddies just run programs, and typically poorly coded ones at that. Their concept of "hacking" is double-clicking on "Shortcut to WinNuke.exe". Thus, if they were using a program that had the directory c:\winnt hardcoded in (like some simple, hacked together in an hour exploit demonstration code), they probably wouldn't be able to make even that simple change.

    --
    That's it. I'm no longer part of Team Sanity.
  12. Daft by Tottori · · Score: 2, Interesting
    Our webservers get probed for ancient software vulnerabilities all the damn time. Crackers have very good reasons for automating their probes, and once a probe is automated, they can keep running it forever. Sooner or later they'll hit a machine that hasn't been updated since 1995.

    Seems like a lot of people here need a refresher course on why security through obscurity is bad. It's not bad because it relies on the attacker not knowing something--most security relies on that. It's bad because the thing that it relies on the attacker not knowing is poorly defined.

    Take the common example of the "secret URL". No one could possibly guess the secret URL to my admin page, right? Maybe, but it's a moot point, since they don't have to. Your browser doesn't know the URL is supposed to be secret, and neither does your webserver. It can leak out via literally dozens of paths. I find "secret" pages virtually every time I take a look at my webserver referrer logs.

    --
    use constant PERL_IS_BROKEN => $] >= 5.006;
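
The referrer-log leak described in the last comment, as an added example that is not part of the original post: a scanner over constructed Apache combined-format access log lines that pulls out the Referer field, ignores referrers from our own site, and flags other-host URLs that carry sensitive-looking path words or token-like values. The hostnames (example.org as "our" site, the .example.net and .example.com referrers), paths and tokens are all made up for this example. The mechanism is exactly the one the commenter describes: when a visitor follows a link from someone's unlisted admin page to our site, the browser hands us that page's full URL, query string included, and the owner of the "secret" page never finds out.

```python
"""Find other people's "secret" URLs leaking into our referrer log.

Added example; not from the original thread. The Apache "combined" log lines are constructed,
as are the hostnames, paths and token values. OUR_HOSTS is an assumption about which
hostnames belong to the log's own server.
"""
import re
from urllib.parse import urlsplit, parse_qsl

OUR_HOSTS = {"example.org", "www.example.org"}   # assumption: this log belongs to example.org

# Constructed sample log. In combined format the Referer is the second quoted string.
SAMPLE_LOG = r'''
198.51.100.7 - - [10/Jan/2002:12:00:01 +0000] "GET /article/1 HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/4.0"
198.51.100.8 - - [10/Jan/2002:12:00:05 +0000] "GET /article/2 HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jan/2002:12:01:10 +0000] "GET /article/3 HTTP/1.1" 200 3000 "http://intranet.example.net/admin/secret-panel.cgi?session=8f3a9c0d" "Mozilla/4.0"
203.0.113.6 - - [10/Jan/2002:12:02:11 +0000] "GET / HTTP/1.1" 200 1000 "http://search.example.com/?q=obsolete+software" "Mozilla/4.0"
203.0.113.9 - - [10/Jan/2002:12:03:12 +0000] "GET /article/4 HTTP/1.1" 200 2000 "https://files.example.net/share/a81b2c3d4e5f6a7b/report.pdf" "Mozilla/4.0"
'''

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Words that suggest a page was never meant to be public, and a pattern for
# long hex or random-looking segments (session ids, share links, capability URLs).
SENSITIVE_WORDS = ("admin", "secret", "private", "internal", "share", "token", "session", "key")
TOKEN_RE = re.compile(r"[0-9a-f]{8,}|[A-Za-z0-9_-]{16,}")


def leaked_referrers(log_text: str):
    """Return referrer URLs from hosts other than ours that look like they should not
    have been public, each with the reasons it was flagged."""
    findings = []
    for line in log_text.strip().splitlines():
        m = COMBINED_RE.match(line)
        if not m or m["ref"] in ("-", ""):
            continue
        url = urlsplit(m["ref"])
        if url.hostname in OUR_HOSTS:
            continue                       # internal navigation, nothing leaked
        reasons = []
        lowered = (url.path + "?" + url.query).lower()
        for word in SENSITIVE_WORDS:
            if word in lowered:
                reasons.append(f"path/query mentions '{word}'")
        if TOKEN_RE.search(url.path) or any(TOKEN_RE.search(v) for _, v in parse_qsl(url.query)):
            reasons.append("token-like value in URL")
        if reasons:
            findings.append({"client": m["ip"], "referrer": m["ref"],
                             "host": url.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in leaked_referrers(SAMPLE_LOG):
        print(f'{f["client"]} leaked {f["referrer"]}  ({"; ".join(f["reasons"])})')
```

The scan flags the intranet admin page (complete with its session id) and the capability-style share link, and lets the ordinary search referrer through. The defence belongs on the other side: the site that owns the secret page can stop its browsers from sending the URL at all with a `Referrer-Policy: no-referrer` response header, which is far more reliable than hoping nobody reads their logs.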