LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Relicensing and rebasing LibreOffice

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security through obsolescence (Register)

[Posted June 12, 2002 by dennis]

Article

Here's an interesting way to secure an Internet-connected computer against
intruders: Make sure the operating system and software it runs are so old
that current hacking tools won't work on it. This was suggested by Brian
Aker, one of the programmers who works on Linux.com, NewsForge, Slashdot, and
other OSDN sites; he runs several servers of his own that host a number of
small non-profit sites in the Seattle area. "I have one box still running a
version of Solaris that's so old none of the script kiddies can figure it
out," Brian says. "They tend to focus on the latest and greatest, and don't
have the slightest idea how to handle my old Sun box."

Brian points out that some of the most secure Department of Defense Web sites
-- ones that don't make headlines by getting cracked all the time -- run old
versions of Mac OS and the venerable WebSTAR server suite. "[Mac is] a great
operating system for that application," he says. "No scripting or remote
capability at all, so there's no way for them to get in."

Not only that, the hacker/cracker crowd is fixating, as usual, on the latest
versions of everything, like Windows 2K/XP, Mac OS X, the most recent Linux
kernels and BSDs, the newest Solaris, and so on. What fun is there in
breaking into a system running something so ancient only a dad would even
consider using it? There's also an obscurity factor to consider here, and not
the one proprietary software advocates usually trot out when discussing
security issues.

True "security through obscurity"

Most Web site takedowns and system intrusions make use of known
vulnerabilities in a particular operating system or server software package.
These vulnerabilities are typically discovered, a little at a time, by
thousands of bad hackers who poke and prod at systems, port-scanning and
probing them, sharing the information they gain from their (mostly failed)
attempts with each other. A million monkeys with Internet connections may not
reproduce any Shakespeare plays -- they need to use old-fashioned typewriters
to do that -- but they sure as bleep are going to find vulnerabilities in any
host they contact sooner or later simply by sheer weight of numbers,
especially if the operating system or software they attack is popular enough
that they have many instances of it out there to look and poke at. It doesn't
matter whether the operating system and server software under attack is
proprietary or Open Source. Sooner or later, with enough monkeys scratching
at it, every single chink or opening can be discovered and exploited.

Imagine a custom operating system used by only a few servers, running server
software so oddball that cracking lessons learned on mainstream servers don't
apply to it at all. Or imagine running a DOS variant or an OS like AIX that
has never been widely used for Net-attached servers but is adequate for
handing out simple Web pages and receiving responses through online forms and
handling email, which are the primary tasks performed on most
publicly-accessible servers.

Now imagine your local script kiddie trying to crack a box running an
operating system and server software he's never seen before, about which no
information is available in the usual online hacker hangouts. Chances are,
he's going to move on to an easier target.

This is security through obscurity at its finest. Even if the custom
operating system and server software are Open Source, low-level attackers
aren't going to bother poring over the code thoroughly enough to find its
vulnerabilities, and those few who have the skill level needed almost
certainly have better things to do with their time -- like work -- and won't
bother.

Really dumb stuff
Never forget, most intrusions and defacements exploit really stupid
administrator or user mistakes, like using "password" as the password for
remote access or running all kinds of unnecessary services that create
security holes so big a whale could dive through them. These lapses have
nothing to do with the operating system or software being used. No operating
system or application ever written is immune to user stupidity. Some just
take more stupidity to botch than others, you might say. But that's enough
about that. Let's go back to talking about old operating systems.

Age before beauty
One advantage of mature software is that lots of people have already tried to
crack it and lots of patches have been written. A smart sysadmin like Brian,
running an ancient version of Solaris, has kept up with security updates over
the years and has installed all of them he has found. What some people might
sneer at as "obsolete" software, others might call "carefully tested" or
"proven." Indeed, Debian Linux users often point to the fact that Debian's
stable branch does not include the latest kernel or software as one of its
great strengths; Debian lets others explore the latest and greatest -- and
fall victim to the latest and greatest exploits -- before all the kinks are
worked out to the Debian maintainers' satisfaction.

Note that an awful lot of servers out there are still running on Red Hat 6.1
or 6.2, not Red Hat 7.x, and that it takes a long time for the latest version
of Apache to trickle out into the world full-strength. Because these programs
have zero licensing cost attached to updates, why would so many sysadmins
keep using old versions when new ones no doubt offer more and slicker
features? Obviously, those sysadmins have the same outlook as delivery truck
fleet managers who refuse to buy a new model during its first year or two in
production. They prefer to wait until all the kinks are worked out and all
the defects and maintenance tricks have been discovered and applied by early
adopters before jumping from the tried and true into something new.

This is sane behavior for a conservative business manager whether she is
running a fleet of Web servers or a fleet of trucks -- or even a fleet of Web
servers for a trucking company. But it may be even more sane to hold on to
the same servers and trucks even when others sneer at them as being old, even
if new versions are smoother and easier to administer or drive. Quite simply,
once you have worked with a piece of software or a truck for a number of
years, you know its quirks inside and out. When it acts up in a subtle way
someone not used to it might not even notice, long experience with it can
point an observant sysadmin or mechanic straight to a problem, thereby saving
downtime and repair costs.

Because "Total Cost of Ownership" is the big management buzz phrase that cuts
across all business areas, and anything new requires a learning curve,
sometimes it is best to just keep on using the old whatever as long as it
does its job reasonably well.

At some point -- hopefully before Microsoft stops supporting it -- Windows NT
may be reasonably secure against most common exploits. If nothing else, by
that time there will be hundreds of thousands of sysadmins who have learned
how to secure it as hard as possible, even if they had to learn some lessons
the hard way -- by getting cracked. At the same time, the script kiddies and
malicious hackers who ran roughshod over NT servers when they first appeared
have aged. Most of them probably have jobs and responsibilities by now, and
aren't getting their kicks playing in other people's systems but are busily
securing ones they run themselves.

The next generation of bad-kid hackers probably won't mess much with NT -- or
pre-X Mac OS or Linux pre-2.5 kernels or Apache pre-2.x or any of the other
operating systems and server applications their fathers or older siblings ran
"back in the day," while those same fathers and older siblings will have
piled up endless experience securing those old, now-obscure programs, making
them harder targets than the latest stuff.

You never read about this kind of "security through obscurity," which can
just as correctly be called "security through obsolescence." Despite this
lack of publicity, it may be as effective a tactic as any other, and it can
be implemented without spending a dime.

© Newsforge. All rights reserved.



Cash'n'Carrion Reg Shop    Register Recruitment — Real jobs for real
people

Register Services

TheRegUS.com

Reg Recruitment

Reg Reader Research

Reg Merchandise

IT-minds bookstore
















Mobile Internet Broadband e-business The Mac Channel Channel Flannel BOFH:
Whole Shebang The Vulture Central Mailbag About The Register   The Reg
Newsletter

To receive our daily news digest free of charge, just enter your email
address below and click the ‘Subscribe’ button.





Get the Reg Screensaver.   Join the Reg SETI group.   Join Reg Cancerbusters.
(Log in to post comments)

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds