Security through obscurity

By Carole Fennelly, Unix Insider |  Security

Sadly, today's system test department is an unfunded, loosely organized group of technologists, commonly referred to as hackers. Many hackers provide exploit code to demonstrate the bug in question -- just as I did when I was in system test. The big difference is that these hackers release the exploit to the public at large, not just to the vendor. Some people, particularly Marcus Ranum (of TIS FWTK fame), object to this practice and feel it causes more harm than good.

"Ranum in the Lion's Den," Lewis Z. Koch (Inter@ctive Week, September 21, 2000) -- (,4164,2630983,00.html).

Others, particularly Mudge (of L0pht fame), vehemently disagree.

"The Other Side of the Story" Lewis Z. Koch (Inter@ctive Week, September 28, 2000) -- sequel to above story (,4164,2634819,00.html).

Despite what Ranum would like to believe, most software manufacturers lack the self-motivation to fix bugs. Motivation is provided by fear of public embarrassment. Ranum seems to believe that the danger of script kiddies using an exploit is reason enough to obscure information about vulnerabilities. Great, we'll be protected from script kiddies who aren't bright enough to figure out that Back Orifice won't work on a Unix system.

If you're protecting your systems from script kiddies, you're wasting a huge amount of time and money. Script kiddies, though highly annoying and often immature, generally don't know what to do with a system once they've broken in. Command-line access is their electronic equivalent of a fantasy date: they seek it, but none of them know what to do once they've got it.

The real danger is from corporate spies who use an unknown exploit and cover all signs of their intrusion. Mostly, the exploits they use are not public knowledge -- and they don't want them to be. If the information about the vulnerability is made public, companies can analyze the exploit and properly evaluate their risk. If there's no patch or workaround, they have the option (and justification!) to take certain critical systems off the Net, and monitor their systems more closely. Admittedly, many corporations will not do this. They also will not apply patches once the vendor gets around to issuing them. Those who truly are concerned about security should not have to suffer for this negligence.
