Security through obscurity
This is the alternative description that Robin Miller, of NewsForge.com,
gives to his article Security Through Obsolescence, which deals
with a new way to secure an Internet-connected computer against
intruders: "Make sure the operating system and software it
runs are so old that current hacking tools won't work on it".
It seems that the main advantage is that lots of people have already
tried to crack them and lots of patches have been written. They
are not obsolete software, but "carefully tested" and
"proven" resources, says Miller.
The suggestion came from Brian Aker, a programmer who works on many
sites and runs servers of his own that host small non-profit sites
in the Seattle area. Aker says that script kiddies can't figure
out old versions of some software, as they tend to focus on the
latest and the greatest, like Windows 2K/XP, Mac OS X, the most
recent Linux kernels and BSDs, the newest Solaris, and so on, which
fall victim to the latest and the greatest exploits.
The picture is grim: thousands of hackers poke and prod at systems
searching for vulnerabilities and share with each other each scrap
of information they get until the problem is completely solved and
sysadmins defeated. Miller argues that when invaders try to crack
a box running an operating system and server software they have
never seen and about which there's no information available,
chances are that they're going to move on to an easier target.
"This is security through obscurity at its finest", says
Miller, adding that low-level attackers won't bother to study
the code and that those who have the skill level to do it "almost
certainly have better things to do with their time -- like work
-- and won't bother".
Miller also presents a handy analogy with delivery truck fleet
managers, who refuse to buy a new model during its first year or
two in production: "They prefer to wait until all the kinks
are worked out and all the defects and maintenance tricks have been
discovered and applied by early adopters before jumping from the
tried and true into something new", calling this a sane behavior:
"Once you have worked with a piece of software or a truck for
a number of years, you know its quirks inside and out. When it acts
up in a subtle way someone not used to it might not even notice,
long experience with it can point an observant sysadmin or mechanic
straight to a problem, thereby saving downtime and repair costs".
All's well that ends well, but a NewsForge reader
sent an e-mail advising that it would be good to use uncommon systems
without bells and whistles, not necessarily old systems, because
an actual old system is more likely to have buffer overruns and
long-dormant bugs. And he warns us: "Of course, you must be
prepared to switch systems if your solution starts becoming fashionable..."