On Fri, 7 Aug 1998, Anil B. Somayaji wrote: [much snipped] > The main purpose of that paper was to discuss the fact that computer > systems today are amazingly homogeneous at a binary level, and this > lack of diversity leads to many of the security problems that we see. > One cracker writing a script to break in to one machine is generally > not a big deal; one cracker spreading a script on the net that can > break into thousands of machines _is_ a problem. With all due respect, because I really do believe you to be an intelligent person, I have to disagree in part. First off: Things that I can do on my machine to stop script kiddies, slow them down, or even make it easy for me to catch klutzy script kiddies (eg tripwire) are good. OTOH, the goal is not simply to stop script kiddies. > We can avoid this by making computer systems unique - the trick is to > do this while providing a uniform interface to users. We discussed > several approaches in: This stops the script kiddies, and O(zero) more, where O(zero) reaslly is my attempt to sum up the advantages of security through obscurity. Saying "we need to make all these computers a little different from one another" is really just saying "we need to obscure various details about this computer that, when known, will make the attack possible again." Again, yes, it's good if it stops script kiddies. Some people run domains that are so low-on-the-totem-pole that any 31337 4@|<3|~ who's looking to really land the big fish will bother. But both proprietary and open source offerings are trying to win spots in "bet your business on this" lists, and military contractors, nuclear research centers, and naval warships to name 3 will regard things which "make it annoying to build the same exploit that runs everywhere" (my rather rude characterization :-) as being on the order of zero. Then again, maybe not, since the above named things also think obscurity is a great security tool. =( jim
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:51 PDT