
Linux.com

Feature: Security

Security through obsolescence

By Robin "Roblimo" Miller on June 06, 2002 (8:00:00 AM)

Here's an interesting way to secure an Internet-connected computer against intruders: Make sure the operating system and software it runs are so old that current hacking tools won't work on it. This was suggested by Brian Aker, one of the programmers who works on Linux.com, NewsForge, Slashdot, and other OSDN sites; he runs several servers of his own that host a number of small non-profit sites in the Seattle area. "I have one box still running a version of Solaris that's so old none of the script kiddies can figure it out," Brian says. "They tend to focus on the latest and greatest, and don't have the slightest idea how to handle my old Sun box."
Brian points out that some of the most secure Department of Defense Web sites -- ones that don't make headlines by getting cracked all the time -- run old versions of Mac OS and the venerable WebSTAR server suite. "[Mac is] a great operating system for that application," he says. "No scripting or remote capability at all, so there's no way for them to get in."

Not only that, the hacker/cracker crowd is fixating, as usual, on the latest versions of everything, like Windows 2K/XP, Mac OS X, the most recent Linux kernels and BSDs, the newest Solaris, and so on. What fun is there in breaking into a system running something so ancient only a dad would even consider using it? There's also an obscurity factor to consider here, and not the one proprietary software advocates usually trot out when discussing security issues.

True "security through obscurity"

Most Web site takedowns and system intrusions make use of known vulnerabilities in a particular operating system or server software package. These vulnerabilities are typically discovered, a little at a time, by thousands of bad hackers who poke and prod at systems, port-scanning and probing them, sharing the information they gain from their (mostly failed) attempts with each other. A million monkeys with Internet connections may not reproduce any Shakespeare plays -- they need to use old-fashioned typewriters to do that -- but they sure as bleep are going to find vulnerabilities in any host they contact sooner or later simply by sheer weight of numbers, especially if the operating system or software they attack is popular enough that they have many instances of it out there to look and poke at. It doesn't matter whether the operating system and server software under attack is proprietary or Open Source. Sooner or later, with enough monkeys scratching at it, every single chink or opening can be discovered and exploited.

Imagine a custom operating system used by only a few servers, running server software so oddball that cracking lessons learned on mainstream servers don't apply to it at all. Or imagine running a DOS variant or an OS like AIX that has never been widely used for Net-attached servers but is adequate for handing out simple Web pages and receiving responses through online forms and handling email, which are the primary tasks performed on most publicly-accessible servers.

Now imagine your local script kiddie trying to crack a box running an operating system and server software he's never seen before, about which no information is available in the usual online hacker hangouts. Chances are, he's going to move on to an easier target.

This is security through obscurity at its finest. Even if the custom operating system and server software are Open Source, low-level attackers aren't going to bother poring over the code thoroughly enough to find its vulnerabilities, and those few who have the skill level needed almost certainly have better things to do with their time -- like work -- and won't bother.

Really dumb stuff

Never forget, most intrusions and defacements exploit really stupid administrator or user mistakes, like using "password" as the password for remote access or running all kinds of unnecessary services that create security holes so big a whale could dive through them. These lapses have nothing to do with the operating system or software being used. No operating system or application ever written is immune to user stupidity. Some just take more stupidity to botch than others, you might say. But that's enough about that. Let's go back to talking about old operating systems.

Age before beauty

One advantage of mature software is that lots of people have already tried to crack it and lots of patches have been written. A smart sysadmin like Brian, running an ancient version of Solaris, has kept up with security updates over the years and has installed every one he could find. What some people might sneer at as "obsolete" software, others might call "carefully tested" or "proven." Indeed, Debian Linux users often point to the fact that Debian's stable branch does not include the latest kernel or software as one of its great strengths; Debian lets others explore the latest and greatest -- and fall victim to the latest and greatest exploits -- before all the kinks are worked out to the Debian maintainers' satisfaction.

Note that an awful lot of servers out there are still running on Red Hat 6.1 or 6.2, not Red Hat 7.x, and that it takes a long time for the latest version of Apache to trickle out into the world full-strength. Because these programs have zero licensing cost attached to updates, why would so many sysadmins keep using old versions when new ones no doubt offer more and slicker features? Obviously, those sysadmins have the same outlook as delivery truck fleet managers who refuse to buy a new model during its first year or two in production. They prefer to wait until all the kinks are worked out and all the defects and maintenance tricks have been discovered and applied by early adopters before jumping from the tried and true into something new.

This is sane behavior for a conservative business manager whether she is running a fleet of Web servers or a fleet of trucks -- or even a fleet of Web servers for a trucking company. But it may be even more sane to hold on to the same servers and trucks even when others sneer at them as being old, even if new versions are smoother and easier to administer or drive. Quite simply, once you have worked with a piece of software or a truck for a number of years, you know its quirks inside and out. When it acts up in a subtle way someone not used to it might not even notice, long experience with it can point an observant sysadmin or mechanic straight to a problem, thereby saving downtime and repair costs.

Because "Total Cost of Ownership" is the big management buzz phrase that cuts across all business areas, and anything new requires a learning curve, sometimes it is best to just keep on using the old whatever as long as it does its job reasonably well.

At some point -- hopefully before Microsoft stops supporting it -- Windows NT may be reasonably secure against most common exploits. If nothing else, by that time there will be hundreds of thousands of sysadmins who have learned how to secure it as hard as possible, even if they had to learn some lessons the hard way -- by getting cracked. At the same time, the script kiddies and malicious hackers who ran roughshod over NT servers when they first appeared have aged. Most of them probably have jobs and responsibilities by now, and aren't getting their kicks playing in other people's systems but are busily securing ones they run themselves.

The next generation of bad-kid hackers probably won't mess much with NT -- or pre-X Mac OS or Linux pre-2.5 kernels or Apache pre-2.x or any of the other operating systems and server applications their fathers or older siblings ran "back in the day," while those same fathers and older siblings will have piled up endless experience securing those old, now-obscure programs, making them harder targets than the latest stuff.

You never read about this kind of "security through obscurity," which can just as correctly be called "security through obsolescence." Despite this lack of publicity, it may be as effective a tactic as any other against the script-kiddie crowd, and it can be implemented without spending a dime -- provided the old box is still patched and hardened like any other, since obscurity keeps you off the scanners' radar but does nothing against someone who has decided to look at your machine in particular.


Comments

on Security through obsolescence

Note: Comments are owned by the poster. We are not responsible for their content.

The same as...

Posted by: Anonymous Coward on June 06, 2002 09:11 PM
...security by obscurity. It's a false sense of security. As the tools get better, skript kiddies become better enabled.

#

Linux is it!

Posted by: Anonymous Coward on June 10, 2002 11:54 AM
There already is an OS that is obscure enough to not warrant a large hacking effort. It's name is Linux!!!

#

Re: Linux is it!

Posted by: Anonymous [ip: 99.232.213.11] on December 26, 2007 01:44 PM
Wow, such a dated comment. =)

#

i can agree with that

Posted by: Steve Hunt on June 11, 2002 01:24 AM
I know people with a server which runs on some ancient version of BSD. It seems to run OK, but nobody there knows how to use it. So, they don't have to worry about cracker attacks, since if the people there don't know how to use it, hackers probably won't know how to either!

#

I think they've just stopped supporting NT!

Posted by: joe_pr on June 06, 2002 09:12 PM
I think MS have already stopped releasing service packs for NT - they want us to upgrade to W2K or WXP servers. My comment: NO WAY! I'd rather learn a bit about Linux and set up Samba for our branch. BTW: still running Novell Netware 4.x as our main file server (one of those good old things that never need any restarts).

#

The diversity and simplicity protection

Posted by: ruohtula on June 06, 2002 10:02 PM
I think the really beneficial thing here would be using uncommon systems without bells and whistles, and not necessarily old systems. An actual old system is more likely to have buffer overruns, or long-dormant bugs (like the zlib vulnerability that was such a hassle a few months ago). Taking a reputable current operating system that is not near the top of Netcraft website summaries (OpenBSD?) and running a current but rare and simple server (one such might be thttpd) would probably be safer against script kiddies than using "dusty-deck" software.

Of course, you must be prepared to switch systems if your solution starts becoming fashionable...

Using "diverse" software is not necessarily "security by obscurity" as another comment claimed. It would actually be a variant of the biological strategy that has among other things prevented any single disease from wiping out the human race. The Warhol worm and other nasties discussed in the recent research paper "How to 0wn the Internet in your spare time" depend on the existence of large numbers of sites with identical vulnerable software. Being different protects you from that (and other indiscriminate attacks). But it does not necessarily protect you from a skilled attacker who is determined to crack your site in particular.

#

Lessons from cryptography

Posted by: Anonymous Coward on June 06, 2002 11:07 PM
This is like saying a cryptographic message is secure because no one knows the algorithm. We all know that is not really security, it's luck. It's luck because you're hoping that this "script-kiddy" doesn't know your OS, not because your system is really secure.

#

W3 security FAQ discusses this somewhat

Posted by: DCallaghan on June 06, 2002 11:23 PM
http://www.w3.org/Security/Faq

Q3 discusses the OS platform's impact on web security. A stripped-down Mac with a bare-bones web server is the most secure, because functionality can expose vulnerability.

There are problems even with the old software, of course. See Q20 to see how to get the log files from a default WebStar configuration, for instance.

#

Re:W3 security FAQ discusses this somewhat

Posted by: Anonymous Coward on June 07, 2002 12:22 AM
Missing the point slightly. A default configuration will yield results whether current or old, whether OS or WWW, whether FTP or BIND, whether SQL*Server or Oracle etc...

The point the article makes is that by running systems deemed 'obsolete', you won't show up on the usual radar. As the man says, the kiddiots will simply move to easier targets.

The point is that you have years of experience of hardening those particular products - which certainly doesn't include leaving it in a 'default' (or un-hardened) state.

It means *keeping* those obsolete systems hardened by patching and reading the advisories rather than installing the old 'default' software and promptly going to sleep.

Makes sense - no?

#

Re:W3 security FAQ discusses this somewhat

Posted by: DCallaghan on June 07, 2002 01:16 AM
I know that the W3 FAQ was not making the same point as this article. I just thought the W3 FAQ made nice reading in addition to this article.

I thought both made valid and interesting points about what constitutes a reliable, usable system. I felt the similarities lay in their treatment of security, not in the context of a new security product, but in managing any system with an eye towards using the minimum amount of hardened services necessary to do the job.

You make a valid point about the ultimate importance of making sure your system, no matter what it is or when it was made, has the latest patches applied by a knowledgeable admin. It's a nice point in addition to this article, as well :)

#

That's luck, not security

Posted by: Anonymous Coward on June 07, 2002 01:49 AM
It's actually social engineering rather than real security. How about older systems having more known vulnerabilities? Once the cracker/hacker figures out the version, the system can well be a part of history, not to mention the data.

#

So what?

Posted by: Anonymous Coward on June 07, 2002 02:09 AM
Now even my grandpa will be able to hack you. Like there is nobody else out there that hacks except teenagers.

Wake Up fool

#

Re:So what?

Posted by: Anonymous Coward on June 07, 2002 01:21 PM
There may be a few twenty-five-year-olds that hack; just as there are some who live with their parents.

#

Don't forget sploit patches....

Posted by: Anonymous Coward on June 07, 2002 05:15 AM
.... Older OSes may not be patched (or, closed source, unpatchABLE) to support more newly discovered holes..

And, of course, neither the latest-n-greatest nor the golden-oldies are safe from administrative incompetence...

#

There are costs, too

Posted by: Anonymous Coward on June 07, 2002 05:39 AM
You have to hire people that have been in the industry for numerous years and call for a large salary and benefits. If you lose them, it is very difficult to replace them with someone who still remembers out-dated technology. Of course, there are the limitations of what you can do with old technology as well. It is called advancement. In every industry, as pointed to in the article, there are dangers with any new item. People that face those dangers are called pioneers and are akin to the people that settled new lands so the less daring could reap the benefits. Just MHO.

#

Good point - but you have to be careful

Posted by: Anonymous Coward on June 07, 2002 04:08 PM
For example, if you were to use the obscure system a/ux (the original apple unix) some of the attack scripts will work quite well on it. To use this system, you need to have a good idea of the software, the configuration and the problem areas. Gnu stuff can be used to replace broken parts, but... you are introducing new stuff, and there is plenty of bug squashing to do just to get the gnu stuff to work. Source code is not available for this system so that you can apply fixes yourself.

If money is not an object, you can go for something like an as/400. Even if you hack the web server, once you get below it, the windows/unix based script kiddie will run into a stone wall. Even the rpg for dummies books are obscure. Oh, for someone who knows the as/400, setting security to 'obscenely paranoid' is not too hard. Unix does not even come close.

In the end though, it comes down to the admin. You have to have two of them who know the obscure/obsolete system well enough to make it secure and operate it properly. In time one of them will leave and you may find it less expensive to upgrade to something more popular and constantly maintain it, than to find some geek who thinks Xenix is the best thing since sliced bread...

btw - last month I threw out my old mac2si running a/ux because the thing wouldn't boot any more. Nice machine, but maintaining it was not worth the effort compared to running my dual pentium mmx 166 with 512mb ram, rh7.3... great samba server... (a bit of a problem finding spare parts for old macs in Latvia, and shipping the stuff from the states is DEFINITELY not worth the effort and cost)

#

Re:Good point - but you have to be careful

Posted by: Anonymous Coward on June 07, 2002 06:04 PM
Running a webserver on an AS/400 may be secure, but you can get pretty secure on unix too.

You could run your webserver in a chroot jail, for example. It's not impossible to break out of there, but it is very, very difficult.

Or you could use the NSA's secure kernel (or one of the other secure kernel projects out there), and run your webserver in a separate security level from the rest of your OS, so that if it's hacked it can't actually mess up anything.
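As an added illustration of the chroot jail this comment mentions (example code written for this page; it is not the commenter's code and not taken from any project discussed here), the function below performs the jail entry with the three checks practitioners most often skip: chdir() into the jail before chroot(), dropping supplementary groups and then gid/uid in the right order, and refusing to stay root, since a root process inside a chroot can simply chroot again and walk out. The jail path and the uid/gid values are assumptions for the demonstration (65534 is the usual "nobody" id on Linux); running it for real requires CAP_SYS_CHROOT.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter a chroot jail and drop privileges.
 * Returns 0 on success, -1 with errno set on failure.
 *
 * Order matters:
 *   1. chdir() into the jail BEFORE chroot(), so the working directory is
 *      inside the new root (a cwd left outside the jail is a classic escape).
 *   2. setgroups() first, then setgid(), then setuid(); once uid is
 *      non-zero the other two calls would fail.
 *   3. Never stay root: uid 0 / gid 0 are rejected up front, and the
 *      function verifies that root cannot be regained afterwards. */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (jail_dir == NULL || uid == 0 || gid == 0) {
        errno = EINVAL;             /* a root worker makes the jail pointless */
        return -1;
    }
    if (chdir(jail_dir) != 0)       /* 1: fails early if the jail is missing */
        return -1;
    if (chroot(".") != 0)           /* needs CAP_SYS_CHROOT; EPERM otherwise */
        return -1;
    if (chdir("/") != 0)            /* re-anchor cwd at the new root */
        return -1;
    if (setgroups(0, NULL) != 0)    /* 2: no inherited supplementary groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* 3: if root can be regained, the privilege drop was not permanent. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone demo: enter_jail <dir> [uid] [gid]; uid/gid default to 65534
 * (assumed "nobody" ids for this example). */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/empty";   /* assumed jail path */
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[2]) : 65534;
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[3]) : 65534;

    if (enter_jail(dir, uid, gid) != 0) {
        fprintf(stderr, "enter_jail(%s, %u, %u) failed: %s\n",
                dir, (unsigned)uid, (unsigned)gid, strerror(errno));
        return 1;
    }
    printf("jailed in %s as uid %u gid %u; cwd is /\n",
           dir, (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The two early rejections (root ids, missing jail directory) happen before any privileged call, so they behave the same whether or not the process is root; everything after chroot() is the part that only a root-started daemon reaches, and the final setuid(0) probe is what tells you the drop actually stuck.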

#

Solaris support

Posted by: sgp321 on June 08, 2002 10:49 AM
What nobody seems to have spotted yet is that although one poster suggests that NT is no longer supported by MS, Sun still support SunOS4, even though Solaris 2.5, 2.5.1, 2.6, 7, 8, and 9 are now available.

So most of the comments are pointless - SunOS4 is still supported, you can buy a support contract, you can download patches, same as with Solaris 8 or 9.

The strength here is not Security through Obsolescence, but Security through Lack of Interest. And because Sun are a hardware company who provide a damn' good OS, not a software company who rely on bugs to force users to upgrade.

#

oh well...

Posted by: Anonymous Coward on June 16, 2002 07:07 AM
Well, let's look at this topic.
What is said here is: take an old operating system and install it, and most "hackers" will go away.
This is probably true. An old OS will probably get visited as much as a new one, but most will leave it alone. Then again, these should qualify as the low-level "hackers" who use pre-made exploits and automatic "hacker" tools; these are the ones you can most easily protect yourself from by hardening your OS, new or old version. The other kind is the more high-level hackers, which are the ones you really want to know about, and these will probably figure out what you are up to and attack if it pleases them.
The question is what the gain of using an older OS would be: do you want to get the attack rate down, or keep them out?
To take this a step further, why not get a few guys together and start building your own OS which no one else knows about? In this kind of thinking this would make it really secure since no one knows how to use it. But does that make it secure? Sure, you will get most "hackers" to turn back, but the most "dangerous" ones will, if they are interested in what you have, attack anyway, and perhaps even just because it's a challenge.
The only times I would use an older system (which should be patched up and hardened in any case) is if I want a really stable OS (for instance use the 2.2.x kernel instead of the newer 2.4.x) or if the hardware is too old to handle the newer, more demanding software.

#
