Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Through Obsolescence

Posted by Hemos on from the security-through-elderly dept.

dlur writes "This article and this article (both variations of the same article written by roblimo) delve past security through obscurity, into using old, out of date software to secure a site. Maybe it's not always in your best interest to snag the latest kernel? Perhaps think twice before jumping at the chance to buy MS's latest OS."

27 of 263 comments (clear)

  1. This is great! by Rantastic · · Score: 5, Funny

    No one can break into my house because I have a moat and a drawbridge, and a dragon behind the door. Old, but effective.

    --
    Ask Slashdot: Where bad ideas meet poor googling skills.
    1. Re:This is great! by Rantastic · · Score: 3, Funny

      As you glide in, guns blazing, your last thought, as your body is charred by dragon flame, is that you should have remebered that dragons (at least good ones) have thick armoured scales.

      I wonder if there is something useful I can do with metal lump that is left from the frame of your melted hang-glider. Perhaps I can setup an old AIX server to hand out some simple web pages...

      --
      Ask Slashdot: Where bad ideas meet poor googling skills.
    2. Re:This is great! by sharkey · · Score: 3, Funny

      the dragon is enchanted

      Silver .50BMG, of course.

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    3. Re:This is great! by PaulBellini · · Score: 3, Funny

      Yeah, but have you ever tried to get a permit for a dragon? It's hell.

  2. Just Obscurity, not Security by crow · · Score: 5, Insightful

    This is simply a variation on security through obscurity. Make sure the operating system and software it runs are so old that current hacking tools won't work on it. Sure, that will stop a bunch of script kiddies. It's just like running MacOS will make you immune to most viruses.

    Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities.

    1. Re:Just Obscurity, not Security by NanoGator · · Score: 5, Interesting

      "Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities. "

      You lightly touched on one of the biggest vulnerabilities to any system: Consistancy. If you can research an OS, you can find out how to break in.

      What about a case where somebody builds their own OS and runs their apps on it? (I realize that is extremely unlikely, so use your imagination a bit...) How would a would-be hacker get into that? I'm sure it's possible, but without a model to work from, how would they know what to do?

      My company used to run IIS. When we got hit with Nimda, I noticed that 'CMD.exe' was getting called a lot. What'd I do? I renamed CMD.exe and replaced it with Calc.exe. I had originally intended to write my own VB App that'd notify me if it was ever ran. Never got around to it, though. Essentially, I hid a commonly known function of WinNT. Anybody breaking into the system would have to figure out what I did since it's no longer the same type of server other people run.

      It is for this reason I'm really interested in Linux as server. If I were to get really deep down into the nitty gritty, I could make the OS so unfamiliar that only the most determined hacker would get in.

      --
      "Derp de derp."
    2. Re:Just Obscurity, not Security by WinterSolstice · · Score: 3, Interesting
      This is actually a good point. We had a Windows NT server at a certain company I happen to work for with this "advantage". It was originally an OS/2 box, then upgraded to WinNT. NT was put into C:\OS\Win\Winnt.

      The box survived three or for "security tests" from consulting terms with no issues. It was one of three NT machines in the company that survived, the other two of which were actually OS/2 boxes running SAMBA.

      Just goes to show...

      -WS

      --
      An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
    3. Re:Just Obscurity, not Security by NanoGator · · Score: 3, Interesting

      "...don't have access to any source code, yet they still find the holes."

      You don't need the source code, you just need to have Windows. Understanding of Windows features leads to understanding of how to be annoying to other Windows user.

      On the other hand, I would have no idea how to attack a Linux user. If I were to get familiar with Linux, I could start to cook up ideas.

      --
      "Derp de derp."
    4. Re:Just Obscurity, not Security by screwballicus · · Score: 3, Informative

      It's not like there aren't readily available sources for information on older OSs, after all.

    5. Re:Just Obscurity, not Security by PurpleFloyd · · Score: 3, Interesting

      Scriptkiddies just run programs, and typically poorly coded ones at that. Their concept of "hacking" is double-clicking on "Shortcut to WinNuke.exe". Thus, if they were using a program that had the directory c:\winnt hardcoded in (like some simple, hacked together in an hour exploit demonstration code), they probably wouldn't be able to make even that simple change.

      --

      That's it. I'm no longer part of Team Sanity.
    6. Re:Just Obscurity, not Security by gnovos · · Score: 3, Informative

      The problem is that while you could probably get rid f most script kiddies by using some non-standard OS that you wrote yourself, you don't get rid of the real problem, which is that a *determined* hacker (say an ex-employee who wants to steal your secrets to sell to a competitor, or an evil black-hat who wants to steal you credit card database, etc) will be able to get in. Obscurity may stop the "nuiscance" hacks, but those hacks don't really cost you much in reality. The scary hacks that actually do cost your company money will not be stopped.

      --
      "Your superior intellect is no match for our puny weapons!"
  3. Just introducing new problems by jerrytcow · · Score: 4, Insightful

    At least with current software when a hole is found it will get patched - more quickly for some companies than others. What happens when a major flaw is found with older OSes/apps? Do you really think MS will bother to write a patch for win95 or Apple for mac os 7.1? You will not only have a security problem, but to fix it you'll have to upgrade or migrate to a new platform.

  4. Nice points but... by garett_spencley · · Score: 5, Insightful

    I still wouldn't rely on this for really critical security implementations.

    The main problem is that most vendors stop supporting old products. This creates a huge security threat. Just because no one knows about security holes don't mean they exist.

    Sure you've eliminated probably 99% of all script kiddie threats and if that's the only threat you can identify then by all means this is a cute idea. However, as security administrator at my company I do my best to secure against any and all threats which means I must presume that old versions of Solaris (for example) have gaping security holes that were never fixed and therefore running the leatest and greatest with all applied security patches and a rock hard configuration is my best bet when it comes to security.

    Roblimo's friend does have a point, though regarding Macs. Old Mac's are really the most secure systems out there. Simply because they can't really do much. They weren't designed to be networked and so there aren't any services to exploit ;^)

    --
    Garett

  5. No it's not by ChanxOT5 · · Score: 3, Insightful

    It's Security through time.
    They've got the argument all wrong - it's not more secure because it's obscure - it's more secure because older software has been around longer, and the kiddies have already found the obvious bugs and they've been patched.

    Would you run a 2.5 kernel on a computer where you worried about security? I'd hope not.

    1. Re:No it's not by scott1853 · · Score: 5, Insightful

      I had an argument with a customer a few months ago. He was running Win 95 and had to keep rebooting his machine everytime he wanted to get on the internet and he said it was our fault for providing such crappy internet service. I told him that's normal, Windows 95 is unstable. His response was that it's been out for 7 years so they must have fixed everything that was wrong with it by now.

      You may want to rephrase that statement and maybe say "because older linux kernels have been around longer"

  6. Gopher by arson1 · · Score: 5, Funny

    Time to move my mp3 collection over to a gopher server :)

    --


    --
    Don't sweat the petty things, and don't pet the sweaty things.
  7. Fort Knox; aka MS-DOS by dcavanaugh · · Score: 5, Interesting

    A few years ago, I remember researching firewall products and stumbled across one that ran on MS-DOS. According to the marketing hype, MS-DOS was the OS of choice because it was impossible for a hacker to do anything remotely with an OS that had no remote accessiblity. They had custom ethernet drivers for a small number of cards, and a homegrown GUI (definitely not Windoze). IMHO, it wasn't the best product (for a variety of reasons), but I'll bet it was every bit as intrusion-resistant as advertised.

    1. Re:Fort Knox; aka MS-DOS by NewtonsLaw · · Score: 5, Funny

      I remember researching firewall products and stumbled across one that ran on MS-DOS. According to the marketing hype, MS-DOS was the OS of choice

      Cool... just what everyone needs... a single-user, single-tasking firewall.

      Why not call it a brick-wall? :-)

  8. Sounds like the ATC's position... by southpolesammy · · Score: 3, Informative

    Per yesterday's /. article on the current state of Air Traffic Control systems, is sounds like this is standard fare for them as well. They've certified that the ATC systems that STARS is replacing are hack-proof, simply because the systems are so old that few people in the IT world today were even alive when they were introduced.

    Of course, a system like this is still subject to physical abuse, and an old system that is broken into pieces is just as bad as a new system that is the subject of a DoS....

    --
    Rule #1 -- Politics always trumps technology.
  9. Dammit, don't let the secret out! by allism · · Score: 3, Funny

    We ship DOS based and Windows based medical data collection software out of our shop, and we've had WAY fewer problems (one, to be exact, compared with over a dozen) with people hacking into our DOS stuff vs our Windows stuff, despite the fact that we have 50 times more DOS units in the field than Windows.

    Not to mention that the laptops we ship the DOS software on gets stolen a lot less frequently, since our DOS software will run on 286s...

    --
    Denver Isuzu Suzuki
  10. MVS - S360 - S370 - S390 - ZSeries by John+Harrison · · Score: 5, Interesting
    I was talking to a member of IBM's ethical hacking group a few months ago. He said he had gone down to DefCon and took one of his System 390 manuals as a bartering item. He said that he got all sorts of cool offers for it. Most of the hackers had never seen any documentation on the system so it was a total black box to them. The guy from IBM thought it was all rather funny since after he traded it away for items worth several times its value he went home and ordered another copy off of Amazon.

    This article just goes to show that good security is hard, and is often an afterthought.

    --
    Lasers Controlled Games!
  11. Flawed.. by reflective+recursion · · Score: 5, Interesting

    this is a pretty flawed argument. Do these security experts actually look at "script kiddie" tools? If they cared to do a little homework they would see that many exploits and tools cover a wide array of software versions. Exploits for antique software are relatively easy to find. Now you could claim that _obscure_ software is more difficult to crack, and you would probably be right. But keep in mind that that software is obscure for a reason--it's probably junk. Just because you are running last generation's software does not mean the current cracker generation can not get to those exploits (or information needed for the software).

    I believe there is a little bit of confusion in this article between obscurity in the sense of software not being widely used and obscurity in the sense of proprietary closed-source software. There is also the confusion of software _differences_, which the author of this article bungles together with software age. In any case, this article is seriously misguided. Let me explain:

    There is an Object. It could be your physical hardware, your OS, or simply a version of a software package. Imagine two generic Objects, Object-A and Object-B, exact in every practical way. Now imagine an Exploit that works on Object-A (and a cracker has access to this object). It also works on Object-B (your object) because they are identical. Now imagine there is an Object-C. It is very similar to Object-A and B, but has a few slight differences. Now the Exploit will need to change to accomodate this. This is _security_. This is the same principle viruses (biological or computer) work on. The differences between objects makes them secure. The less difference, the less secure. Think of any *ix security measure. Passwords, for instance, are simply ~8 character differences (and a login name) between one *ix and the next. Attempting to break a password by trial-and-error is impractical. Crackers rely on this principle of _similarity_ of systems to break passwords. They download a system's password file and use a "word file" to crack passwords. This word file is merely commonly used passwords--again, the principle of similarity. Most *ix systems have a password file in a common format and there are common passwords. Common system properties (/etc/passwd, etc.) + common user psychology turns what is a very secure method (passwords) into a very insecure method. One small admin. change could make the difference between a system being cracked or not (such as moving daemons to a "strange" location or partition, etc.).

    Software age has nothing to do with security. The article really has many seperate issues tied together and it really is not a good idea to just use older software for security sake.

    --
    Dijkstra Considered Dead
  12. My new filing technique is unstoppable! by Junior+J.+Junior+III · · Score: 4, Funny

    No one can steal my data!

    I have no network. My backups are stored on 5 1/4" floppies.

    Not only can no one read these things, they'd need a truck convoy to haul them away. No way in hell they're sneaking past security with a motherfucking semi truck!

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  13. Security through obscurity by gregbaker · · Score: 3, Insightful

    This is a good example of security through obscurity, particularly the MacOS example in the article. Obscurity is no basis for a security model, but a little obscurity thrown in on top of some real security can't hurt.

    For example, a tech I know runs a MySQL server that shouldn't be exposed to the outside world. It's behind a firewall and the port is blocked, fine. It's also run on a non-standard port. Why? Because if somebody cracks the main network, they still have some work to do to get to find the MySQL server. That's time to discover the intrusion and fix the leak.

    Summary: Security through obscurity: bad. Security + obscurity: good.

  14. Security through Maturity by thepoolguy · · Score: 3, Insightful

    Security through obsolescence may be a bit of a misnomer. When I take an older OS release and apply all of the relevant patches, I know that the patch OS is considerably more mature that a newer version. Espicially a new major release with a newer or different components which have not been extensibly tested.

    This is not to say that OS and software companies do not try to thoroughly test their software. They do. But even in the largest, most sophisticated test lab, one cannot recreate all of the possible conditions that will be revealed when the software is released into the real world.

    The reasons older (obsolete) software may be more secure are really two fold. Older software, due to creaping featurism which haunts all software development activities adds features, which adds chances for security holes and errors. I assert the increased features, and espicially increased interfaces (user, programmatic and otherwise) increases the likelyness of security issues. The second issue with older (obsolete) software is that it is more mature. Please understand this carefully- older software that has been patched ot the current patch level will be more secure than software that has not been patched.

    I think equating obsolete software with security is quite a stretch. I do agree with the thought that mature software will have fewer security issues. Added to this the fewer interfaces on older software gives it a greater chance to be free from security issues.

    -tpg.

  15. your man is an idiot, but this is what they mean: by mekkab · · Score: 4, Interesting

    I'll give you a counter-example, and this is more to the point.

    Mac OS 8.6 was *THE* standard before 9 and X. More stable, better for the environment, better for the economy, etc. etc.
    There was a free upgrade available everywhere to get you from 8.5 to 8.6. Yet two years ago I ran 8.5 for a year and a half.

    Why? DIDN'T need to upgrade. It gave me everything I needed, didn't crash out* (I had 1 or 2 problems with ProTools, but it was an anomaly) , and I didn't need USB support.

    My system was set up in such a way that everything, CDEV's, INIT's, and all extensions got along with each other and the only time I had to reboot was when I wanted to turn my computer off.

    To extend this, if you have a set up that has had the HECK tested out of it, stands up to "attack" (whether that means a "hack" for an network box, or a heavy load for a server) and doesn't give you problems, why re-invent the wheel?

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  16. Look at crypto. by surfcow · · Score: 4, Informative

    The most secure cryptosystems in the world are "open source". The encryption key is kept secret, but the method of encrypting the key is published. People are encouraged to whack at it. If a system gets broken, someone gets famous, but people know quickly.

    This seems like a much better model for OS development than "let's hope no one remembers that old trick".

    =brian