On Mon, 10 Aug 1998, Ty Abonil wrote:

> > > We can avoid this by making computer systems unique - the trick is to
> > > do this while providing a uniform interface to users. We discussed
> > > several approaches in:
> >
> > This stops the script kiddies, and O(zero) more, where O(zero) really is
> > my attempt to sum up the advantages of security through obscurity.
>
> Again, I agree. Merely saying that we should have a different system for
> everyone will not solve the problem, in fact I believe that the situation
> will be worse off. A person running a system today can turn to thousands
> of people for help on Usenet, the web, or other resources on the internet.
> Books are available for almost all systems. This is because everyone runs
> similar systems. If everyone was running their own flavour of something
> then the problem of security might have been solved, but then what I think
> would be a much bigger problem would arise- systems which don't run
> well/efficiently, not because of crackers, but because of admins that have
> to track down every bug themselves, with nowhere to turn to..

I believe we are discussing two different things here. The original post is
not discussing security through obscurity or creating millions of different
programs with different interfaces (and thus, an administrative nightmare)
to perform one task.

What the original post was discussing (I believe) is the benefit of
diversification. There is no mention of "obscuring" any details of how the
diversification is to be accomplished. It's kind of like basing an
encryption key on a (pseudo-)random number. All algorithms are well known to
all. The security comes from a large random number space.

Diversification has a big drawback -- it is difficult to maintain a diverse
system because different components require different action to perform
similar tasks. This is diversification on an external level.

However, diversification also has a benefit. Every time an
application-specific bug is found, it is diversification that allows us to
avoid all the nastiness of the Morris worm. But that diversification occurs
on an internal level.

Now, if we could find a way to couple the beneficial internal diversification
with the uniform external behavior, we could provide a robust environment in
which a person could, in fact, "turn to thousands of people for help on
Usenet, the web, or other resources on the internet."

The real solution would be for everyone to write perfect code all the time.
Until that day, we need to face the fact that if we want to make systems
more uniform externally, yet still robust, we need to find ways to diversify
them internally. (Pretty ironic -- the road to uniformity is
diversification.)

As with any solution, this is not a panacea, but I do believe that it does
deserve some attention.

>
> Ty.
>

--
Aaron Schwartzbard
aschwartat_private

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:06 PDT