Message-ID: <3F4A4144.3090305@immunix.com>
Date: Mon, 25 Aug 2003 10:03:00 -0700
From: Crispin Cowan <crispin@...unix.com>
To: Eric Greenberg <eric@...frameworks.com>
Cc: 'Bob Rogers' <rogers-bt2@...jr.dyndns.org>,
	BUGTRAQ@...URITYFOCUS.COM
Subject: Re: Heterogeneity as a form of obscurity, and its usefulness


Eric Greenberg wrote:

>Heterogeneity has played a major role in disaster and recovery designs for
>as long as I can remember (that would be the past 20 years). Equally so, I
>
Be *very* careful here: security is fundamentally different from fault 
tolerance. FT needs to defeat random, independent faults, and 
heterogeneity helps. Security needs to defeat an intelligent adversary, 
and the adversary can defeat two heterogeneous systems with 
approximately twice the effort of defeating a single system. The 
defender, in turn, has to spend approximately twice the effort to deploy 
dual heterogeneous systems as to deploy a single system.

I argue that it is worse than that, because the effort to defeat two 
heterogeneous systems is somewhat *less* than double that of a single 
system (because the attacker can exploit common design and 
implementation failures) and the effort to deploy & operate dual 
heterogeneous systems is somewhat *more* than double that of a single 
system (because the defender must account for both consistency and 
incompatibility).

Once again, it is not that heterogeneity doesn't work. It's that for the 
goal of defending a single resource, it is not as cost-effective as due 
diligence & best practices, such as properly employed authentication, 
firewalls, and secure operating systems.

Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/
