Slashdot Mirror
Security Through Obsolescence
dlur writes "This article and this article (both variations of the same article written by roblimo) delve past security through obscurity, into using old, out of date software to secure a site. Maybe it's not always in your best interest to snag the latest kernel? Perhaps think twice before jumping at the chance to buy MS's latest OS."
No one can break into my house because I have a moat and a drawbridge, and a dragon behind the door. Old, but effective.
Ask Slashdot: Where bad ideas meet poor googling skills.
This is simply a variation on security through obscurity. Make sure the operating system and software it runs are so old that current hacking tools won't work on it. Sure, that will stop a bunch of script kiddies. It's just like running MacOS will make you immune to most viruses.
Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities.
At least with current software when a hole is found it will get patched - more quickly for some companies than others. What happens when a major flaw is found with older OSes/apps? Do you really think MS will bother to write a patch for win95 or Apple for mac os 7.1? You will not only have a security problem, but to fix it you'll have to upgrade or migrate to a new platform.
I still wouldn't rely on this for really critical security implementations.
;^)
The main problem is that most vendors stop supporting old products. This creates a huge security threat. Just because no one knows about security holes don't mean they exist.
Sure you've eliminated probably 99% of all script kiddie threats and if that's the only threat you can identify then by all means this is a cute idea. However, as security administrator at my company I do my best to secure against any and all threats which means I must presume that old versions of Solaris (for example) have gaping security holes that were never fixed and therefore running the leatest and greatest with all applied security patches and a rock hard configuration is my best bet when it comes to security.
Roblimo's friend does have a point, though regarding Macs. Old Mac's are really the most secure systems out there. Simply because they can't really do much. They weren't designed to be networked and so there aren't any services to exploit
--
Garett
Time to move my mp3 collection over to a gopher server :)
--
Don't sweat the petty things, and don't pet the sweaty things.
A few years ago, I remember researching firewall products and stumbled across one that ran on MS-DOS. According to the marketing hype, MS-DOS was the OS of choice because it was impossible for a hacker to do anything remotely with an OS that had no remote accessiblity. They had custom ethernet drivers for a small number of cards, and a homegrown GUI (definitely not Windoze). IMHO, it wasn't the best product (for a variety of reasons), but I'll bet it was every bit as intrusion-resistant as advertised.
This article just goes to show that good security is hard, and is often an afterthought.
Lasers Controlled Games!
this is a pretty flawed argument. Do these security experts actually look at "script kiddie" tools? If they cared to do a little homework they would see that many exploits and tools cover a wide array of software versions. Exploits for antique software are relatively easy to find. Now you could claim that _obscure_ software is more difficult to crack, and you would probably be right. But keep in mind that that software is obscure for a reason--it's probably junk. Just because you are running last generation's software does not mean the current cracker generation can not get to those exploits (or information needed for the software).
I believe there is a little bit of confusion in this article between obscurity in the sense of software not being widely used and obscurity in the sense of proprietary closed-source software. There is also the confusion of software _differences_, which the author of this article bungles together with software age. In any case, this article is seriously misguided. Let me explain:
There is an Object. It could be your physical hardware, your OS, or simply a version of a software package. Imagine two generic Objects, Object-A and Object-B, exact in every practical way. Now imagine an Exploit that works on Object-A (and a cracker has access to this object). It also works on Object-B (your object) because they are identical. Now imagine there is an Object-C. It is very similar to Object-A and B, but has a few slight differences. Now the Exploit will need to change to accomodate this. This is _security_. This is the same principle viruses (biological or computer) work on. The differences between objects makes them secure. The less difference, the less secure. Think of any *ix security measure. Passwords, for instance, are simply ~8 character differences (and a login name) between one *ix and the next. Attempting to break a password by trial-and-error is impractical. Crackers rely on this principle of _similarity_ of systems to break passwords. They download a system's password file and use a "word file" to crack passwords. This word file is merely commonly used passwords--again, the principle of similarity. Most *ix systems have a password file in a common format and there are common passwords. Common system properties (/etc/passwd, etc.) + common user psychology turns what is a very secure method (passwords) into a very insecure method. One small admin. change could make the difference between a system being cracked or not (such as moving daemons to a "strange" location or partition, etc.).
Software age has nothing to do with security. The article really has many seperate issues tied together and it really is not a good idea to just use older software for security sake.
Dijkstra Considered Dead
No one can steal my data!
I have no network. My backups are stored on 5 1/4" floppies.
Not only can no one read these things, they'd need a truck convoy to haul them away. No way in hell they're sneaking past security with a motherfucking semi truck!
You see? You see? Your stupid minds! Stupid! Stupid!
I had an argument with a customer a few months ago. He was running Win 95 and had to keep rebooting his machine everytime he wanted to get on the internet and he said it was our fault for providing such crappy internet service. I told him that's normal, Windows 95 is unstable. His response was that it's been out for 7 years so they must have fixed everything that was wrong with it by now.
You may want to rephrase that statement and maybe say "because older linux kernels have been around longer"
I'll give you a counter-example, and this is more to the point.
Mac OS 8.6 was *THE* standard before 9 and X. More stable, better for the environment, better for the economy, etc. etc.
There was a free upgrade available everywhere to get you from 8.5 to 8.6. Yet two years ago I ran 8.5 for a year and a half.
Why? DIDN'T need to upgrade. It gave me everything I needed, didn't crash out* (I had 1 or 2 problems with ProTools, but it was an anomaly) , and I didn't need USB support.
My system was set up in such a way that everything, CDEV's, INIT's, and all extensions got along with each other and the only time I had to reboot was when I wanted to turn my computer off.
To extend this, if you have a set up that has had the HECK tested out of it, stands up to "attack" (whether that means a "hack" for an network box, or a heavy load for a server) and doesn't give you problems, why re-invent the wheel?
In the future, I would want to not be isolated from my friends in the Space Station.
The most secure cryptosystems in the world are "open source". The encryption key is kept secret, but the method of encrypting the key is published. People are encouraged to whack at it. If a system gets broken, someone gets famous, but people know quickly.
This seems like a much better model for OS development than "let's hope no one remembers that old trick".
=brian