Michael Schmitz wrote:
> > That's pretty close!
> > One other factor nobody has mentioned here is SECURITY. For
> > buffer-overflow type security holes, remote and local, almost all of the
> > exploits are written for i386, so non-Intel platforms are inherently
> > less vulnerable. Last week's LWN security section opened with a piece
>
> Security through obscurity? Nope, doesn't work. Thanks for playing though.
Uh, please read my post. Words like "*less* vulnerable" in this quote
were deliberately chosen.
Did you read the LWN piece? Do you really disagree with: "... a fast
worm should in theory be able to spread to all vulnerable networked
machines in the world in as little as 15 minutes, which is a whole heck
of a lot faster than I apply upgrades, so any time which heterogeneity
in OS, server software or CPU arch can buy is really crucial."?
I mean, if a cracker wants to develop shell code for Debian on i386,
PPC, Alpha and Arm and unleash them simultaneously, then my whole network
is toast, but until then I'll always have some survivors. (Unless the
worm grabs ssh keys, logs itself in everywhere, and uses local exploits
or monitors keystrokes until it gets root access... etc. :-)
Then again, the first (disabled) rpc.statd exploit posted was for Debian
PPC (this is the exploit used so successfully by Ramen), so
"heterogeneity" seems to be the key, rather than everybody standardizing
around our glorious platform. Hardware heterogeneity will help somewhat
for buffer overflows. The ubiquity of Apache is a bit troubling, and
might make alternatives more appealing for small servers (Roxen? Caudium?).
I think the point holds. If you can present a counterargument, I'm all
ears...
Zeen,
--
-Adam P.
GPG fingerprint: D54D 1AEE B11C CE9B A02B C5DD 526F 01E8 564E E4B6
Welcome to the best software in the world today cafe!
<http://lyre.mit.edu/%7Epowell/The_Best_Stuff_In_The_World_Today_Cafe.ogg>
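As an added illustration of the argument in the post above (this is example code written for this page, not anything posted in the thread), the toy model below treats a remote buffer overflow as something that only lands on hosts whose CPU architecture matches the worm's shellcode, while harvested ssh keys let the worm log in regardless of architecture. The host list, architectures and ssh trust edges are constructed, hypothetical data; the function names are this example's own.

```python
"""Toy worm-spread model for the heterogeneity argument (added example).

A remote overflow exploit carries shellcode for specific architectures, so it
can compromise only hosts of those architectures. Stolen ssh keys, on the
other hand, give architecture-independent lateral movement. The network,
architectures and trust edges below are constructed sample data.
"""
from collections import deque

# Constructed sample network: host -> CPU architecture (hypothetical).
HOSTS = {
    "web1": "i386",
    "web2": "i386",
    "db1": "ppc",
    "build1": "alpha",
    "build2": "arm",
    "admin": "i386",
}

# Constructed ssh trust edges: (src, dst) means a key held on src logs in to dst.
SSH_TRUST = [("admin", "db1"), ("admin", "build1"), ("build1", "build2")]


def simulate_worm(hosts, ssh_trust, shellcode_archs, harvest_keys, seed):
    """Return the set of hosts compromised by a worm starting at `seed`.

    Every host is assumed network-reachable from every other host.
    shellcode_archs: architectures the worm's overflow payload works on.
    harvest_keys:    if True, the worm also uses ssh keys found on each
                     compromised host, which works on any architecture.
    """
    trust = {}
    for src, dst in ssh_trust:
        trust.setdefault(src, set()).add(dst)

    compromised = {seed}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        # Remote overflow: only hosts whose architecture matches the shellcode.
        candidates = {h for h, arch in hosts.items() if arch in shellcode_archs}
        # Stolen keys: any host the current one holds a key for, arch-independent.
        if harvest_keys:
            candidates |= trust.get(cur, set())
        for host in candidates:
            if host not in compromised:
                compromised.add(host)
                queue.append(host)
    return compromised


def survivors(hosts, ssh_trust, shellcode_archs, harvest_keys, seed="web1"):
    """Hosts left uncompromised after the worm runs to exhaustion."""
    return set(hosts) - simulate_worm(hosts, ssh_trust, shellcode_archs,
                                      harvest_keys, seed)


if __name__ == "__main__":
    print("i386 shellcode only, no key harvesting:",
          sorted(survivors(HOSTS, SSH_TRUST, {"i386"}, False)))
    print("i386 shellcode only, with key harvesting:",
          sorted(survivors(HOSTS, SSH_TRUST, {"i386"}, True)))
    print("shellcode for every architecture:",
          sorted(survivors(HOSTS, SSH_TRUST, {"i386", "ppc", "alpha", "arm"}, False)))
```

With i386-only shellcode and no credential theft, the PPC, Alpha and Arm hosts survive; once the worm reuses ssh keys from the compromised admin box, the architecture difference stops mattering and the whole sample network falls, which is exactly the caveat raised in parentheses in the post.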