Security Through Obsolescence
From Wikipedia, the free encyclopedia
[edit] Origin of the Term
The term Security Through Obsolescence gained initial popularity as a result of a June 06, 2002 article by Robin "Roblimo" Miller hosted on NewsForge.com.
In the article, Roblimo argued that using old, obscure Operating Systems and hardware would make a site less likely to be hacked by hostile outside parties. The author further argued that this Computer Security concept was a variant on Security through obscurity.
Proponents have argued for using older versions of more common operating systems to provide this kind of security. The rationale is the current crop of automated hacking utilities would miss the old software. This assumes that "Script Kiddies" and other hackers are only using utilities and scripts that attack current operating systems, which is simply not true. As the book "Hacking exposed" reveals, many hacking software programs still test for and exploit known holes in older platforms.
According to Roblimo's article, for Security Through Obsolescence to work, one should be running "a custom operating system used by only a few servers, running server software so oddball that cracking lessons learned on mainstream servers don't apply to it at all "
[edit] Real World Examples
According to Roblimo's article the US Department of Defense web servers "... run old versions of Mac OS and the venerable WebSTAR server suite." This configuration is made more secure by the lack of scripting and remote access capabilities.
FoxPro 6 is used by some companies to write web based applications. It's antiquated, obscure and Microsoft's last patch was released in August, 2000. Because of this it's considered a significant barrier to hackers, particularly when other server side technologies such as ASP have been disabled.
