[66665] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: Diversity as defense

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jan 20 00:07:44 2004

To: sgorman1@gmu.edu
Cc: nanog@merit.edu
In-Reply-To: Your message of "Mon, 19 Jan 2004 15:35:22 EST."
             <4e533b4e4f71.4e4f714e533b@gmu.edu> 
From: Valdis.Kletnieks@vt.edu
Date: Tue, 20 Jan 2004 00:06:23 -0500
Errors-To: owner-nanog-outgoing@merit.edu


--==_Exmh_1433041423P
Content-Type: text/plain; charset=us-ascii

On Mon, 19 Jan 2004 15:35:22 EST, sgorman1@gmu.edu  said:
> The diversity, monoculture and agricutlure analogy makes nice press, but how
> realistic is diversity as a defense. 

Well.. if diversity were to actually exist, it would be quite helpful.  Right now,
if you have a Windows exploit, you might as well point and pull the trigger because
you have an 86% chance of nailing the target.  Add in a Linux exploit and you're well
over 90%.  That's Russian Roulette with a 10-shooter and one bullet.

On the other hand, let's think about if there were 10 products that each have 10%
market share, and even a minimal attempt at deterring fingerprinting of the target,
you're looking at a 90% chance that the exploit you launch will fail and leave a
nasty mark on an IDS.  Suddenly, it's 9 bullets and one blank.  And even worse odds
if you haven't been picking up all the exploits in the series - or not all the products
are vulnerable.

Unfortunately, it's not a realistic scenario, because...

>                             Is cost the biggest hurdle or limited
> avaiability of competitive products, or simply no bang for the buck by
> diversifying.

I can sum up *every* problem I've had in getting people to migrate in just
3 words: "vendor lock in".  Enough said on that topic.

--==_Exmh_1433041423P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFADLdPcC3lWbTT17ARAqliAKCU1rEt9Z9lpsJbE/nDvg4OJT4fNwCfSaop
7NyHEB64kTUd8vZ1fmT/jRQ=
=0OAC
-----END PGP SIGNATURE-----

--==_Exmh_1433041423P--

home help back first fref pref prev next nref lref last post