> But they don't. They don't know that it exists, they don't know that
> I exist. Looking for potential security holes is dull, unrewarding,
> pedestrian work, no fun at all compared to hacking out a new disk
> optimization program.
To you, perhaps. But lots of other people *live* for this. They
couldn't care less about a new disk optimization program. Tune into
bugtraq or alt.2600.* or any other place where they gather, and you
can almost feel the excitement. I've done a little bit myself from
time to time, and while it's not my forte or even my first choice
of what I'd like to do, it can be pretty darn interesting.
> That matters not the slightest bit. A single high-visibility, high-
> cost security breach doesn't just hurt the organization whose system
> is compromised; it hurts the OS and its developers forever. Even if it
> is fixed immediately and never happens again! Suppose someone broke
> into a Linux server at CitiBank and stole the ATM Pin file; Linux use
> would drop by 10% globally.
First of all, if someone broke into a server at CitiBank and stole
the ATM Pin file, then it is almost certain that you would never hear
about it. I've done two consulting jobs for Fortune 100 companies
which were penetrated by hackers; in both cases, I've signed
nondisclosure agreements that forbid me from telling you much more
than is contained in this sentence. Let's just say that I helped
them solve their problems.
This kind of information control is industry standard practice...
not because they care about the possible impact on their technology
du jour, but because they care about their stock price, and other
related things with lots of 0's in them. It *DOES* hurt the
organization whose system is compromised, which is why they tend
to be very eager to get it fixed quietly and quickly and at any cost.
Second, ten years ago this month, a decent chunk of the Internet
was crippled by the Morris worm. (Which, by the way, doesn't have
any redundant or self-healing code. I know. I disassembled it that
day, and published the results via FTP.) The point is that quite a
few VAX and Sun UNIX boxes were nailed by the worm, with no
effect on their continued adoption. We still all bought 'em
as fast as we could budget 'em. Nobody went back to VMS.
Third, there have already been attacks far more widespread than
the one you describe above: the ping o' death, for example, could have
potentially caused far more trouble (technically and financially)
around the world than merely stealing a file of ATM Pins. Yet we
haven't seen a hasty retreat from the deployment of Windows machines
in corporate environments as a consequence.
Fourth, the open-source model provides far higher security than
the closed-source model, because it allows the code to be inspected
by a very large community. As I have learned: the cracker community
*already* has the source code to your OS and your applications (including
NT and Oracle and SAP and Exchange and everything else). By using
closed-source software such as this, you put yourself at a disadvantage
to your opponents. By going open-source, you at least level the playing
field and give yourself a fighting chance to find (and fix) the holes
before they take advantage of them. Or to simply modify the code in
such a way as to make breakin-by-rule more difficult. (Trivial example:
one site I've architected has every internal mail server listening somewhere
other than port 25. They're all different. Not that this is going
to fool anybody for long, but since *ANY* connection to port 25 anywhere
inside that network will set off alarms all over the place, it will --
and it has -- snagged intruders that aren't clueful enough to be careful.)
You can't do this sort of thing with closed-source software.
---Rsk
Rich Kulawiec
[EMAIL PROTECTED]
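The "nobody listens on port 25 inside this network, so any connection to it is an alarm" trick described in the fourth point, written out as detection logic. This is an added example, not code from the post or from any site the author describes: the connection-log line format, the 10.0.0.0/8 internal range and the sample log lines are all constructed for the example, and the rule is read as "destination address inside the internal range and destination port 25".

```python
"""Added example: a canary-port check for the rule "nothing legitimately
listens on port 25 inside the network".

The post moves every internal mail server off port 25 and treats any
connection to port 25 inside the network as an alarm. This script applies
that rule to a constructed, syslog-like connection log. The log format,
the internal address range and the sample lines are assumptions made
for this example, not anything from the original post.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the internal network the rule applies to.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# The port nobody inside should ever connect to (real servers moved elsewhere).
CANARY_PORT = 25

# Assumption: one connection record per line, shaped like
#   <timestamp> CONNECT <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) CONNECT (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def check_line(line):
    """Return an Alert for a canary-port hit, or None for an unremarkable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a connection record we understand; ignore it
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst in INTERNAL_NET and dport == CANARY_PORT:
        # No internal host listens on 25, so whoever did this is probing
        # by habit rather than by knowledge of the site.
        return Alert(m["ts"], m["src"], m["dst"], "connection to canary port 25")
    return None


def scan(lines):
    """Run check_line over a log and keep only the alerts."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


# Constructed sample log: two legitimate deliveries to the relocated mail
# ports, two probes of port 25 on internal hosts, one outbound mail
# connection to an external host (out of scope for this rule), one junk line.
SAMPLE_LOG = [
    "2023-01-01T10:00:00Z CONNECT 10.2.3.4:51000 -> 10.1.0.25:2525",
    "2023-01-01T10:00:05Z CONNECT 10.2.3.4:51001 -> 10.1.0.26:10025",
    "2023-01-01T10:00:09Z CONNECT 10.9.9.9:40000 -> 10.1.0.25:25",
    "2023-01-01T10:00:10Z CONNECT 10.9.9.9:40001 -> 10.1.0.26:25",
    "2023-01-01T10:00:11Z CONNECT 10.2.3.4:51002 -> 192.0.2.10:25",
    "garbage line that is not a connection record",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} ALERT {alert.src} -> {alert.dst}: {alert.reason}")
```

The rule is deliberately dumb: it needs no signature and no knowledge of what the intruder is trying, only the fact that legitimate traffic never goes there. Its weakness is the one the post already names: it only catches whoever has not bothered to scan first.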