Diversity as defense

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Jan 20 05:06:23 UTC 2004


On Mon, 19 Jan 2004 15:35:22 EST, sgorman1 at gmu.edu  said:
> The diversity, monoculture and agriculture analogy makes nice press, but how
> realistic is diversity as a defense?

Well.. if diversity were to actually exist, it would be quite helpful.  Right now,
if you have a Windows exploit, you might as well point and pull the trigger because
you have an 86% chance of nailing the target.  Add in a Linux exploit and you're well
over 90%.  That's Russian Roulette with a 10-shooter and one bullet.

On the other hand, let's think about if there were 10 products that each have 10%
market share, and even a minimal attempt at deterring fingerprinting of the target,
you're looking at a 90% chance that the exploit you launch will fail and leave a
nasty mark on an IDS.  Suddenly, it's 9 bullets and one blank.  And even worse odds
if you haven't been picking up all the exploits in the series - or not all the products
are vulnerable.

Unfortunately, it's not a realistic scenario, because...

> Is cost the biggest hurdle or limited
> availability of competitive products, or simply no bang for the buck by
> diversifying?

I can sum up *every* problem I've had in getting people to migrate in just
3 words: "vendor lock in".  Enough said on that topic.
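The odds argument in the post (one blind shot against an 86% monoculture versus ten products at 10% each, with every miss leaving a mark on an IDS) can be written down as a small model. This is an added illustration, not code from the post or from anyone on the list; the share tables are constructed to roughly match the figures quoted above, and the IDS catch rate is a free parameter the post does not give.

```python
"""Model of the 'diversity as defense' argument from a defender's point of view:
how market-share concentration changes a blind attacker's single-shot odds, how
many shots a blind attacker needs for a given confidence of one success, and how
likely the defender's IDS is to see a failed attempt first.

Added illustration; the share tables are constructed, not measured."""
from fractions import Fraction
from typing import Dict, Iterable

# Constructed share tables (fraction of the target population running each platform).
# The post says 86% Windows and "well over 90%" once Linux is added; the rest is filler.
MONOCULTURE = {"windows": Fraction(86, 100), "linux": Fraction(6, 100), "other": Fraction(8, 100)}
# The post's hypothetical: 10 products, 10% each.
DIVERSE = {f"product{i}": Fraction(1, 10) for i in range(10)}


def hit_probability(shares: Dict[str, Fraction], exploitable: Iterable[str]) -> Fraction:
    """Chance that one blindly fired exploit (no fingerprinting) lands on a host it
    works against: the combined share of the platforms the attacker has an exploit for.
    Leaving platforms out of `exploitable` models "not all the products are vulnerable"."""
    exploitable = set(exploitable)
    unknown = exploitable - shares.keys()
    if unknown:
        raise ValueError(f"unknown platforms: {sorted(unknown)}")
    return sum((shares[p] for p in exploitable), Fraction(0))


def shots_for_confidence(hit: Fraction, confidence: Fraction) -> int:
    """Smallest number of blind shots n such that P(at least one success) = 1 - (1-hit)^n
    reaches `confidence`. Every shot but the successful one is a miss the IDS can log."""
    if not 0 < hit <= 1:
        raise ValueError("hit probability must be in (0, 1]")
    miss = 1 - hit
    n, miss_all = 1, miss
    while 1 - miss_all < confidence:
        n += 1
        miss_all *= miss
    return n


def detection_before_success(shares: Dict[str, Fraction], exploitable: Iterable[str],
                             attempts: int, ids_catch: Fraction) -> Fraction:
    """Probability that the IDS flags a failed attempt before the attacker's first
    success, within `attempts` tries. Each attempt either hits (attacker done), misses
    and is logged with probability ids_catch (defender alerted), or misses silently."""
    hit = hit_probability(shares, exploitable)
    miss = 1 - hit
    detected = Fraction(0)
    undecided = Fraction(1)  # neither succeeded nor detected so far
    for _ in range(attempts):
        detected += undecided * miss * ids_catch
        undecided *= miss * (1 - ids_catch)
    return detected


if __name__ == "__main__":
    for name, table, have in (("monoculture", MONOCULTURE, ["windows", "linux"]),
                              ("diverse", DIVERSE, ["product0"])):
        p = hit_probability(table, have)
        print(f"{name}: single-shot hit {float(p):.2f}, "
              f"shots for 90% confidence {shots_for_confidence(p, Fraction(9, 10))}, "
              f"IDS sees a miss first (5 tries, 50% catch) "
              f"{float(detection_before_success(table, have, 5, Fraction(1, 2))):.2f}")
```

Run as a script it prints the three figures for both tables; the point it makes is the post's: against the monoculture a blind attacker needs one or two shots, against the ten-way split more than twenty, and each extra shot is another chance for the defender's sensors to fire.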