[olug] OT: security through antiquity

Obi-Wan obiwan at jedi.com
Wed Nov 5 20:09:42 UTC 2008


> Does a patched and
> happy older distro that offers all the functionality you need... offer
> better security?

Only as long as people are still checking it for newly-discovered
security holes.  Once a product has been EOL'd, you're reduced to
either monitoring all the security notices and checking your old
code yourself, or just crossing your fingers and hoping that you
don't get bitten by anything.

Note my recent post about the 'ed' arbitrary execution bug.  I'd bet
money that the same bug has existed in 'ed' for a decade (or longer),
but do you think that 10-year-old OSes which suffer from it are going
to be fixed?

> I've been mildly interested in the possibility for a while... if you run
> older software that has all the holes fixed.... do you gain security by not
> running newer untested stuff?

Yes, of course, until people stop checking to verify that all the
holes are fixed.

> I guess the similar argument would be two
> exactly identical bits of code -- one has been reviewed and audited a dozen
> times -- is the reviewed code more secure than the unreviewed code?

Well, if they're exactly identical bits of code, then obviously
neither is any more secure than the other.

-- 
Ben "Obi-Wan" Hollingsworth                             obiwan at jedi.com
   The stuff of earth competes for the allegiance I owe only to the
     Giver of all good things, so if I stand, let me stand on the
       promise that You will pull me through.  -- Rich Mullins