The "Biggest Target" paradigm and its consequence


Erik Funkenbusch
Posted: Tue Oct 03, 2006 7:14 pm    Post subject: Re: The "Biggest Target" paradigm and its consequence
Archived from groups: comp.os.linux.advocacy

On Tue, 03 Oct 2006 07:39:14 -0400, Jesse F. Hughes wrote:

> Erik Funkenbusch <erik RemoveThis @despam-funkenbusch.com> writes:
>
>> Security is one of those funny things. You can talk about being
>> "more" secure, but there's no such thing. A vulnerability is a
>> vulnerability, and even one makes you just as insecure as anyone
>> else. Security is a binary condition, either you are or you aren't.
>
> Right. So why bother with passwords? Or firewalls? After all, there
> are plenty of known security issues on Windows, so you're just wasting
> your time.

I agree, you are wasting your time, but not in the way you suggest.

You're wasting your time running around patching problems rather than
engineering solutions that make them impossible to occur in the first
place. Firewalls, Passwords, etc. are reactions to people trying to gain
access to your system.

I certainly don't know what the solution is to these problems, but it's not
any of the existing ones which all only work to a certain point.

Jesse F. Hughes
Posted: Tue Oct 03, 2006 8:52 pm

Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> writes:

> On Tue, 03 Oct 2006 07:39:14 -0400, Jesse F. Hughes wrote:
>
>> Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> writes:
>>
>>> Security is one of those funny things. You can talk about being
>>> "more" secure, but there's no such thing. A vulnerability is a
>>> vulnerability, and even one makes you just as insecure as anyone
>>> else. Security is a binary condition, either you are or you aren't.
>>
>> Right. So why bother with passwords? Or firewalls? After all, there
>> are plenty of known security issues on Windows, so you're just wasting
>> your time.
>
> I agree, you are wasting your time, but not in the way you suggest.
>
> You're wasting your time running around patching problems rather than
> engineering solutions that make them impossible to occur in the first
> place. Firewalls, Passwords, etc. are reactions to people trying to gain
> access to your system.
>
> I certainly don't know what the solution is to these problems, but it's not
> any of the existing ones which all only work to a certain point.

Right. And until those solutions exist, let's all pretend that there
are no gradations in security. You're either secure or you aren't and
also no one is. So let's use Windows!

--
Jesse F. Hughes
"To [mathematicians] amateur mathematicians are worse than scum, and
scarier than nuclear bombs."
-- James S. Harris on mathematicians' phobias

Erik Funkenbusch
Posted: Tue Oct 03, 2006 8:52 pm

On Tue, 03 Oct 2006 20:52:14 -0400, Jesse F. Hughes wrote:

>> I certainly don't know what the solution is to these problems, but it's not
>> any of the existing ones which all only work to a certain point.
>
> Right. And until those solutions exist, let's all pretend that there
> are no gradations in security. You're either secure or you aren't and
> also no one is. So let's use Windows!

You're still not getting my point.

Let's examine this from a different perspective. Suppose you have a
personal forcefield generator that makes you impervious to any attack.
Except, of course, that there's an unknown, and difficult to exploit flaw
that allows the entire thing to be defeated.

You can walk around through warzones, into a nuclear reactor, whatever.
You're safe. You're "secure".

Then, as you're walking through the woods, you stumble across a hornets'
nest, and thinking you're secure, kick it. Turns out, the hornets secrete
a hormone that cancels out your forcefield, and you get stung to death by
10,000 hornets.

Someone watching records this evidence and posts it to the internet.
Within hours, thousands of attackers have crafted hormone-coated weapons
and are busy killing their enemies that have also been using the shields,
but have thought themselves invulnerable to "practical" attacks.

What changed? Not your defense, but the knowledge of how to successfully
attack. That means your defense was never secure in the first place. All
it took was the right knowledge to become available for all your defenses
to become as useless as if you had no defense at all, despite a few hours
earlier feeling as if you were "totally secure".

In other words, you were secure by the obscurity of the information needed
to compromise you. And, as we all know, security by obscurity is no
security at all.

So, if "security by obscurity is no security at all", how can you claim
that you can be "more secure" when merely having the right knowledge will
make you totally vulnerable?

Linonut
Posted: Tue Oct 03, 2006 10:05 pm

After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

> So, if "security by obscurity is no security at all", how can you claim
> that you can be "more secure" when merely having the right knowledge will
> make you totally vulnerable?

Because the force field reduces the number of attack vectors.

And you can then take other actions for the attack vectors that are
still available.

--
"The reason (for) new versions is not to fix bugs. ... It's the stupidest
reason to buy a new version I ever heard. When we do a new version we put in
lots of new things that people (ask) for. And so, in no sense, is stability
a reason to move to a new version. It's never a reason." -- Bill Gates

Tim Smith
Posted: Tue Oct 03, 2006 10:10 pm

In article <16u6ycy87oof8.dlg.DeleteThis@funkenbusch.com>,
Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> wrote:
> In other words, you were secure by the obscurity of the information needed
> to compromise you. And, as we all know, security by obscurity is no
> security at all.
>
> So, if "security by obscurity is no security at all", how can you claim
> that you can be "more secure" when merely having the right knowledge will
> make you totally vulnerable?

So by that argument, if you encrypted your credit card number using the
RSA algorithm with N=12696419543959060573 and an exponent of 3, and I
encrypted mine with N=
1297093612225579302319381138985109799104817684082555175048354173395794924
7515770257735092393173163490696050721033969636771100513416859740264847216
9778293276218438993043461618282881113797291399312269896156727540888777667
3532557049723874784462187337601480023897508284577955665330636962338624800
39866202156962157 and an exponent of 3, we'd be equally secure? Either
can be trivially broken given the right knowledge (the factors of N).

--
--Tim Smith
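
The comparison in the post above, worked through as an added example (not code from the thread): Pollard's rho with a fixed step budget recovers the private exponent of a 64-bit modulus, while the same approach makes no headway against the 1024-bit one. The demo key (primes 1000000007 and 998244353), the card value, the step budgets and the function names are constructed for illustration; the two moduli and the exponent 3 are the ones quoted in the post.

```python
import math

# Moduli quoted in the post above; the public exponent is 3 for both.
SMALL_N = 12696419543959060573
LARGE_N = int(
    "1297093612225579302319381138985109799104817684082555175048354173395794924"
    "7515770257735092393173163490696050721033969636771100513416859740264847216"
    "9778293276218438993043461618282881113797291399312269896156727540888777667"
    "3532557049723874784462187337601480023897508284577955665330636962338624800"
    "39866202156962157"
)
E = 3
# Constructed demo key (not from the thread): two well-known primes, both
# congruent to 2 mod 3 so that e = 3 is invertible modulo phi.
DEMO_N = 1000000007 * 998244353


def is_probable_prime(n):
    """Miller-Rabin; deterministic for n below 3.3e24, probabilistic above."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho(n, budget):
    """Non-trivial factor of odd composite n, or None once `budget` steps are spent."""
    steps = 0
    for c in range(1, 50):
        x = y = 2
        while steps < budget:
            steps += 1
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(x - y, n)
            if g == n:
                break            # walk collapsed without a factor: try next c
            if g > 1:
                return g
        else:
            return None          # budget exhausted
    return None


def recover_private_exponent(n, e, budget=2_000_000):
    """Return (p, q, d) if n = p*q is factored within `budget` steps, else None."""
    if n % 2 == 0 or is_probable_prime(n):
        return None
    p = pollard_rho(n, budget)
    if p is None:
        return None
    q = n // p
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        return None              # not a two-prime RSA modulus
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        return None
    return p, q, pow(e, -1, phi)


if __name__ == "__main__":
    card = 4111111111111111      # constructed test value, not a real card
    p, q, d = recover_private_exponent(DEMO_N, E)
    print("demo decrypts to", pow(pow(card, E, DEMO_N), d, DEMO_N))
    print(SMALL_N.bit_length(), "bits ->", recover_private_exponent(SMALL_N, E))
    print(LARGE_N.bit_length(), "bits ->",
          recover_private_exponent(LARGE_N, E, budget=50_000))
```

Rho's expected cost grows with the square root of the smallest prime factor, so each extra bit of factor size multiplies the work; that growth is the gradation the two moduli illustrate.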

Handover Phist
Posted: Wed Oct 04, 2006 12:26 am

Erik Funkenbusch :
> On Tue, 3 Oct 2006 10:36:54 +0000 (UTC), High Plains Thumper wrote:
>
>> Here is something that didn't happen by itself:
>>
>> http://news.netcraft.com/archives/2006/09/overallc.gif
>>
>> Apache market share at 62% and Windows at 31% (Sep 2006).
>> Yep, the technique boys are at it again.
>
> Stop making that same stupid mistake. That's not "Market Share". "Market
> Share" is how many physical servers Apache or IIS is installed on. The
> netcraft survey counts hostnames, not servers.
>
> According to the last Netcraft survey where they published physical server
> counts, Microsoft accounted for > 50% of the physical servers.
>
> That's Market Share.

IIS gets marketshare because it can't handle the load that Apache does.

Isn't it ironic.

Dontchya think?

--
COLD:
When the local flashers are handing out written descriptions.

http://www.websterscafe.com

Erik Funkenbusch
Posted: Wed Oct 04, 2006 12:26 am

On Wed, 04 Oct 2006 00:26:33 GMT, Handover Phist wrote:

>> That's Market Share.
>
> IIS gets marketshare because it can't handle the load that Apache does.

I guess that's why all the single largest domain parking site in the world
runs on Windows. Yeah, that must be it.

> Isn't it ironic.
>
> Dontchya think?

The real answer is that the majority of servers on the internet host only a
single (or a small number) of web sites. It has nothing to do with
capability, but rather need.

Jesse F. Hughes
Posted: Wed Oct 04, 2006 12:26 am

Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> writes:

> On Wed, 04 Oct 2006 00:26:33 GMT, Handover Phist wrote:
>
>>> That's Market Share.
>>
>> IIS gets marketshare because it can't handle the load that Apache does.
>
> I guess that's why all the single largest domain parking site in the world
> runs on Windows. Yeah, that must be it.

Domain parking sites have heavy loads? Thousands of typo-domains each
getting a rare hit (and serving a static page) is a sign of IIS's
remarkable abilities?

Very impressive.

--
Jesse F. Hughes
"Ultimately, I can bring the entire mathematical establishment to its
knees... Live in a fantasy world if you wish, but to me that's just
an expression of your intellectual inferiority." --James Harris

Handover Phist
Posted: Wed Oct 04, 2006 1:46 am

Erik Funkenbusch :
> On Wed, 04 Oct 2006 00:26:33 GMT, Handover Phist wrote:
>
>>> That's Market Share.
>>
>> IIS gets marketshare because it can't handle the load that Apache does.
>
> I guess that's why all the single largest domain parking site in the world
> runs on Windows. Yeah, that must be it.

Heh, I'll have to do some research before I can answer that. The family
calls.

>> Isn't it ironic.
>>
>> Dontchya think?
>
> The real answer is that the majority of servers on the internet host only a
> single (or a small number) of web sites. It has nothing to do with
> capability, but rather need.

Need requires capability. A single site can run whatever host. When
multiple hosts are required, what can fill the requirements?

Again, research is required. From my own experience though, Linux fills
the need really nicely.

--
How do I type "for i in *.dvi do xdvi $i done" in a GUI?
-- Discussion in comp.os.linux.misc on the intuitiveness of interfaces

http://www.websterscafe.com

High Plains Thumper
Posted: Wed Oct 04, 2006 2:20 am

Erik Funkenbusch wrote:
> High Plains Thumper wrote:
>
>> Here is something that didn't happen by itself:
>>
>> http://news.netcraft.com/archives/2006/09/overallc.gif
>>
>> Apache market share at 62% and Windows at 31% (Sep 2006).
>> Yep, the technique boys are at it again.
>
> Stop making that same stupid mistake. That's not "Market
> Share". "Market Share" is how many physical servers Apache
> or IIS is installed on. The netcraft survey counts
> hostnames, not servers.

http://news.netcraft.com/archives/web_server_survey.html

Graphic is titled, "Market Share for Top Servers Across All
Domains August 1995 - September 2006"

> According to the last Netcraft survey where they published
> physical server counts, Microsoft accounted for > 50% of
> the physical servers.
>
> That's Market Share.

Graphic title, "Totals for Active Servers Across All Domains
June 2000 - September 2006"

http://news.netcraft.com/archives/2006/09/overalld.gif

Apache accounted for 62.05% at 28,812,118.

Microsoft accounted for 32.13% 15,108,073.

--
HPT

Erik Funkenbusch
Posted: Wed Oct 04, 2006 2:20 am

On Wed, 4 Oct 2006 02:20:00 +0000 (UTC), High Plains Thumper wrote:

> Erik Funkenbusch wrote:
>> Stop making that same stupid mistake. That's not "Market
>> Share". "Market Share" is how many physical servers Apache
>> or IIS is installed on. The netcraft survey counts
>> hostnames, not servers.
>
> http://news.netcraft.com/archives/web_server_survey.html
>
> Graphic is titled, "Market Share for Top Servers Across All
> Domains August 1995 - September 2006"

Netcraft needs to seriously reconsider their terminology.

>> According to the last Netcraft survey where they published
>> physical server counts, Microsoft accounted for > 50% of
>> the physical servers.
>>
>> That's Market Share.
>
> Graphic title, "Totals for Active Servers Across All Domains
> June 2000 - September 2006"
>
> http://news.netcraft.com/archives/2006/09/overalld.gif
>
> Apache accounted for 62.05% at 28,812,118.
>
> Microsoft accounted for 32.13% 15,108,073.

Again, their terminology is borked. It's not Active Servers, it's Active
Sites.

Notice that the table above that graphic is labeled "Active Sites" and it
matches the numbers shown on the graph.

Netcraft posted numbers a few years ago that showed the real physical
server counts.

http://survey.netcraft.com/index-200106.html

Note the section titled:

Operating Systems used by Computers running public Internet Web Sites

Yes, it's 5 years old, but at the time Microsoft had 20% market share,
today it's 11% higher. I can't think of any rational reason why that
percentage of physical servers would be *LOWER* today than then.

High Plains Thumper
Posted: Wed Oct 04, 2006 2:27 am

Handover Phist wrote:
> Erik Funkenbusch :
>> High Plains Thumper wrote:
>>
>>> Here is something that didn't happen by itself:
>>>
>>> http://news.netcraft.com/archives/2006/09/overallc.gif
>>>
>>> Apache market share at 62% and Windows at 31% (Sep 2006).
>>> Yep, the technique boys are at it again.
>>
>> Stop making that same stupid mistake. That's not "Market
>> Share". "Market Share" is how many physical servers
>> Apache or IIS is installed on. The netcraft survey counts
>> hostnames, not servers.
>>
>> According to the last Netcraft survey where they published
>> physical server counts, Microsoft accounted for > 50% of
>> the physical servers.
>>
>> That's Market Share.
>
> IIS gets marketshare because it can't handle the load that
> Apache does.
>
> Isn't it ironic.
>
> Dontchya think?

Well, FedEx replaced 40 Microsoft servers with 1
multiprocessor Linux server. True, it is ironic:

http://www.networkworld.com/graphics/2002/1118inf1.gif

Perhaps if he quoted it first, it would be considered fact,
not stupid mistakes. This is ironic.

--
HPT

Erik Funkenbusch
Posted: Wed Oct 04, 2006 2:27 am

On Wed, 4 Oct 2006 02:27:21 +0000 (UTC), High Plains Thumper wrote:

> Handover Phist wrote:
>> Erik Funkenbusch :
>>> High Plains Thumper wrote:
>>>
>>>> Here is something that didn't happen by itself:
>>>>
>>>> http://news.netcraft.com/archives/2006/09/overallc.gif
>>>>
>>>> Apache market share at 62% and Windows at 31% (Sep 2006).
>>>> Yep, the technique boys are at it again.
>>>
>>> Stop making that same stupid mistake. That's not "Market
>>> Share". "Market Share" is how many physical servers
>>> Apache or IIS is installed on. The netcraft survey counts
>>> hostnames, not servers.
>>>
>>> According to the last Netcraft survey where they published
>>> physical server counts, Microsoft accounted for > 50% of
>>> the physical servers.
>>>
>>> That's Market Share.
>>
>> IIS gets marketshare because it can't handle the load that
>> Apache does.
>>
>> Isn't it ironic.
>>
>> Dontchya think?
>
> Well, FedEx replaced 40 Microsoft servers with 1
> multiprocessor Linux server. True, it is ironic:
>
> http://www.networkworld.com/graphics/2002/1118inf1.gif
>
> Perhaps if he quoted it first, it would be considered fact,
> not stupid mistakes. This is ironic.

I just realized, this is a VMWare server. It's still running 20-30 (as the
graphic says) Virtual Machines.

What VMWare does is better utilize hardware. You can use spare CPU cycles
that would be wasted on a standalone machine for other VM's that need them.
It's like overbooking a flight, knowing that some people won't show up.

As for why it's running on Linux, well, VMWare ESX server is only hosted on
Linux, as that's what it uses for its base OS. And, honestly, it doesn't
make much sense to run a full featured OS if it's only going to host VM's,
so a stripped down Linux box is perfect.

Tim Smith
Posted: Wed Oct 04, 2006 2:27 am

In article <1o7sun1pc8u5t.dlg DeleteThis @funkenbusch.com>,
Erik Funkenbusch <erik DeleteThis @despam-funkenbusch.com> wrote:
> As for why it's running on Linux, well, VMWare ESX server is only hosted on
> Linux, as that's what it uses for its base OS. And, honestly, it doesn't
> make much sense to run a full featured OS if it's only going to host VM's,
> so a stripped down Linux box is perfect.

Actually, VMWare ESX doesn't run on Linux. To quote vmware.com:

ESX Server installs on the "bare metal" and allows multiple
unmodified operating systems and their applications to run in
virtual machines that share physical resources.

--
--Tim Smith

The Ghost In The Machine
Posted: Wed Oct 04, 2006 3:00 am

In comp.os.linux.advocacy, Jesse F. Hughes
<jesse RemoveThis @phiwumbda.org>
wrote
on Tue, 03 Oct 2006 21:13:10 -0400
<87wt7ghoih.fsf RemoveThis @phiwumbda.org>:
> Erik Funkenbusch <erik RemoveThis @despam-funkenbusch.com> writes:
>
>> On Wed, 04 Oct 2006 00:26:33 GMT, Handover Phist wrote:
>>
>>>> That's Market Share.
>>>
>>> IIS gets marketshare because it can't handle the load that Apache does.
>>
>> I guess that's why all the single largest domain parking site in the world
>> runs on Windows. Yeah, that must be it.
>
> Domain parking sites have heavy loads? Thousands of typo-domains each
> getting a rare hit (and serving a static page) is a sign of IIS's
> remarkable abilities?

It might be a sign of Microsoft's marketing abilities. :)

>
> Very impressive.
>

Might impress the n00bs. "Gosh, look at our IIS acceptance numbers!
We're kicking Linux's butt! Here, buy Windows Vista Server Edition
(which isn't quite out yet but we're working on it)".

(Blecch. Pardon my cynicism.)

http://news.netcraft.com/archives/web_server_survey.html

mentions a sort of "hostname arms race" between GoDaddy, 1&1,
Windows Live Spaces, and Google's Blogger. Clearly this
skews the numbers.

--
#191, ewill3 RemoveThis @earthlink.net
"Woman? What woman?"

Linonut
Posted: Wed Oct 04, 2006 6:38 am

After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

> http://survey.netcraft.com/index-200106.html
>
> Note the section titled:
>
> Operating Systems used by Computers running public Internet Web Sites
>
> Yes, it's 5 years old, but at the time Microsoft had 20% market share,
> today it's 11% higher. I can't think of any rational reason why that
> percentage of physical servers would be *LOWER* today than then.

Maybe Microsoft actually improved the efficiency of their code?

--
I'd rather have a bottle in front of me
than a frontal lobotomy.

Linonut
Posted: Wed Oct 04, 2006 6:40 am

After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

> I just realized, this is a VMWare server. It's still running 20-30 (as the
> graphic says) Virtual Machines.
>
> What VMWare does is better utilize hardware. You can use spare CPU cycles
> that would be wasted on a standalone machine for other VM's that need them.
> It's like overbooking a flight, knowing that some people won't show up.

Ahhh, that explains why my Win 2000 runs better in a Linux-hosted VM
than it ever did by itself.

> As for why it's running on Linux, well, VMWare ESX server is only hosted on
> Linux, as that's what it uses for its base OS. And, honestly, it doesn't
> make much sense to run a full featured OS if it's only going to host VM's,
> so a stripped down Linux box is perfect.

And it doesn't even need to be stripped down.

That's the beauty of Linux.

--
"No! There are no significant bugs in our released software that any
significant number of users want fixed." -- Bill Gates, FOCUS interview
http://www.cantrip.org/nobugs.html

Linonut
Posted: Wed Oct 04, 2006 6:40 am

After takin' a swig o' grog, Tim Smith belched out this bit o' wisdom:

> In article <1o7sun1pc8u5t.dlg.DeleteThis@funkenbusch.com>,
> Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> wrote:
>> As for why it's running on Linux, well, VMWare ESX server is only hosted on
>> Linux, as that's what it uses for its base OS. And, honestly, it doesn't
>> make much sense to run a full featured OS if it's only going to host VM's,
>> so a stripped down Linux box is perfect.
>
> Actually, VMWare ESX doesn't run on Linux. To quote vmware.com:
>
> ESX Server installs on the "bare metal" and allows multiple
> unmodified operating systems and their applications to run in
> virtual machines that share physical resources.

Ah, good catch.

--
Boot your Windows operating system in a virtual machine on Linux
It's safer.
-- http://fabrice.bellard.free.fr/qemu/

Linonut
Posted: Wed Oct 04, 2006 6:43 am

After takin' a swig o' grog, Tim Smith belched out this bit o' wisdom:

> In article <16u6ycy87oof8.dlg.RemoveThis@funkenbusch.com>,
> Erik Funkenbusch <erik.RemoveThis@despam-funkenbusch.com> wrote:
>> In other words, you were secure by the obscurity of the information needed
>> to compromise you. And, as we all know, security by obscurity is no
>> security at all.
>>
>> So, if "security by obscurity is no security at all", how can you claim
>> that you can be "more secure" when merely having the right knowledge will
>> make you totally vulnerable?
>
> So by that argument, if you encrypted your credit card number using the
> RSA algorithm with N=12696419543959060573 and an exponent of 3, and I
> encrypted mine with N=
> 1297093612225579302319381138985109799104817684082555175048354173395794924
> 7515770257735092393173163490696050721033969636771100513416859740264847216
> 9778293276218438993043461618282881113797291399312269896156727540888777667
> 3532557049723874784462187337601480023897508284577955665330636962338624800
> 39866202156962157 and an exponent of 3, we'd be equally secure? Either
> can be trivially broken given the right knowledge (the factors of N).

Ah, a nice answer to Erik's creamed-corn logic.

(As in Kramer's famous line, spoken after a massage -- "Man, I'm looser
than creamed corn!" Appropriate, too, seeing how Erik will massage fact
and meaning.)

--
Real programmers don't use Pascal.

Jesse F. Hughes
Posted: Wed Oct 04, 2006 7:14 am

Erik Funkenbusch <erik.TakeThisOut@despam-funkenbusch.com> writes:

> So, if "security by obscurity is no security at all", how can you
> claim that you can be "more secure" when merely having the right
> knowledge will make you totally vulnerable?

I don't believe the "security by obscurity" saying should be literally
interpreted. *Of course* security by obscurity is better than nothing
at all, for as long as the security secrets aren't generally known.

Just as clearly, using passwords is better than not using them, even
though "the right knowledge [namely, the password] will make you
totally vulnerable".

Just as clearly, security holes are serious issues. But an O/S with
forty-nine easily exploited holes is *less secure* than an O/S with
one hole that takes considerable effort to exploit. The fact is that
the latter will be more easily and readily compromised, all other
things being equal.

Only an idiot would claim that both O/Ses are just as insecure.

(The numbers of exploits above were purely hypothetical. Duh.)

--
Jesse F. Hughes

"C is for Cookie. That's good enough for me."
Cookie Monster