[10867] in bugtraq


Re: Diversity

daemon@ATHENA.MIT.EDU (Adam Shostack)
Mon Jun 21 13:15:01 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990621113532.A4810@weathership.homeport.org>
Date: 	Mon, 21 Jun 1999 11:35:32 -0400
Reply-To: Adam Shostack <adam@HOMEPORT.ORG>
From: Adam Shostack <adam@HOMEPORT.ORG>
X-To:         David <david@kalifornia.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <3769B6C3.94F6BCCF@kalifornia.com>; from David on Thu, Jun 17,
              1999 at 08:02:27PM -0700

On Thu, Jun 17, 1999 at 08:02:27PM -0700, David wrote:

| Diversity can certainly be thought about.  The open source model encourages
| program development.  Many people writing differing versions of software.
| Naturally this diversity means an exploit in one program is unlikely to be
| found in another.

This is not my experience.  Different people tend to make the same
mistakes in different ways.  See, for example, the variety of bugs that
have happened when you combine web servers with NTFS (::$DATA,
'file%20', 'file.').  Diversity doesn't help here.  (I know you
focused on unix systems, but there was a large and diverse group who
worked on the web servers that had these problems.)  Also, OS
diversity doesn't always help.  The rlogin -froot bug occurred in both
AIX and linux.  (I believe it was the same person who wrote the code
both times.)  Lots of versions of dump/restore have had the same link
management problems.

| Encourage diversity.  No one operating system should dominate.  Only OS
| zealots would differ with this view.

Having a dominant local OS means you can hire an expert or two in that
OS, rather than needing experts in three or four OSs, tracking of bug
reports across each of them, etc.  Lots of costs associated with this.

Adam


--
"It is seldom that liberty of any kind is lost all at once."
                                               -Hume
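The NTFS examples in the message above (`::$DATA`, a trailing `%20`, a trailing `.`) are all one mistake made three ways: the server decides which handler serves a request from the literal name in the URL, while the Win32/NTFS layer opens a different file than that literal name suggests. The check below is an added example, not code from the post or from any of the servers it refers to; it models a hypothetical server whose handler table is the `SCRIPT_EXTENSIONS` set, and relies only on documented Win32 behaviour (trailing dots and spaces are dropped from a name, and `::$DATA` names the file's default data stream). The fix it demonstrates is the one all those servers eventually needed: canonicalize first, then dispatch, and refuse any request whose canonical name differs from what was asked for.

```python
from urllib.parse import unquote

# Extensions that a hypothetical web server hands to a script engine instead
# of serving as static bytes (an assumption for this example, not any real
# server's configuration).
SCRIPT_EXTENSIONS = {".asp", ".pl", ".cgi"}


def effective_ntfs_name(requested: str) -> str:
    """Return the file name the Win32/NTFS layer would actually open.

    Win32 silently drops trailing dots and spaces from a name, and a
    '::$DATA' suffix refers to the file's default (unnamed) data stream,
    which holds the same bytes as the file itself.
    """
    name = unquote(requested)          # 'file%20' -> 'file '
    if name.endswith("::$DATA"):
        name = name[: -len("::$DATA")]
    return name.rstrip(". ")


def handler_for(name: str) -> str:
    """Naive dispatch: pick a handler from the last extension in the name."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


def leaks_source(requested: str) -> bool:
    """True when the literal name selects the static handler but NTFS would
    open a script: the server would ship the source instead of running it."""
    literal = handler_for(unquote(requested))
    effective = handler_for(effective_ntfs_name(requested))
    return literal == "static" and effective == "script"


def check_request(requested: str) -> str:
    """Hardened dispatch: canonicalize, then refuse any request whose
    canonical name is not the name that was asked for."""
    decoded = unquote(requested)
    canonical = effective_ntfs_name(requested)
    if canonical != decoded:
        return "reject"
    return handler_for(canonical)


if __name__ == "__main__":
    # Constructed sample requests, one per variant named in the message.
    for req in ("script.asp", "script.asp::$DATA", "script.asp%20",
                "script.asp.", "logo.gif"):
        print(f"{req:20} naive={handler_for(unquote(req)):6} "
              f"leak={leaks_source(req)!s:5} hardened={check_request(req)}")
```

Note that the hardened check rejects `logo.gif%20` as well, even though a GIF served either way is harmless: comparing the canonical name against the decoded request is a simpler rule than enumerating which handler mismatches are dangerous, and it does not need updating when a new handler or a new NTFS name quirk turns up.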
