SecurityFocus

Re: Buffer overflow prevention Aug 14 2003 05:26PM
Mariusz Woloszyn (emsi ipartners pl) (6 replies)

Re: Buffer overflow prevention Aug 14 2003 11:27PM
Shaun Clowes (shaun securereality com au) (1 replies)

Re: Buffer overflow prevention Aug 15 2003 06:48PM
Crispin Cowan (crispin immunix com) (1 replies)

Re: Buffer overflow prevention Aug 17 2003 11:09PM
Shaun Clowes (shaun securereality com au) (1 replies)

Re: Buffer overflow prevention Aug 17 2003 10:42PM
Crispin Cowan (crispin immunix com) (2 replies)

Heterogeneity as a form of obscurity, and its usefulness Aug 21 2003 02:00AM
Bob Rogers (rogers-bt2 rgrjr dyndns org) (1 replies)

Re: Heterogeneity as a form of obscurity, and its usefulness Aug 22 2003 03:56AM
Crispin Cowan (crispin immunix com) (1 replies)

Re: Heterogeneity as a form of obscurity, and its usefulness Aug 22 2003 06:21PM
Nicholas Weaver (nweaver CS berkeley edu)

Re: Buffer overflow prevention Aug 18 2003 06:07PM
Mark Handley (M Handley cs ucl ac uk) (1 replies)

>Heterogeneity increases survivability of the *species*, but does little
>to protect the individual.

What you're not taking into account is contagion. Amongst a
homogeneous population, a pathogen that infects your friends can
likely infect you. Amongst a heterogeneous population, if the same
pathogen infects a friend, there's a significantly lower probability
it can infect you.

Now, if you're promiscuous and come into contact with enough
strangers, you'll catch the pathogen either way. But if you're not
promiscuous, you greatly reduce the change of contracting the pathogen
if you are part of a heterogeneous population.

How does this affect networks? Well, if you're a webserver or
mailserver that talks to everyone, the heterogeneity doesn't buy you
so much (other than, as you said, there might be more pathogens for
popular systems). But if you're configured to not talk to the whole
world (via a firewall, or something equivalent), then you're a whole
lot safer if the machines you do communicate with are different from
you in ways that make contagion harder.

Cheers,
Mark

[ reply ]

Re: Buffer overflow prevention Aug 18 2003 08:11PM
Crispin Cowan (crispin immunix com)

Re: Buffer overflow prevention Aug 14 2003 07:37PM
Theo de Raadt (deraadt cvs openbsd org) (3 replies)

Re: Buffer overflow prevention Aug 16 2003 01:14PM
sauron (unixlabs noos fr)

Re: Buffer overflow prevention Aug 14 2003 09:14PM
Gerhard Strangar (gerhard brue net) (1 replies)

Re: Buffer overflow prevention Aug 14 2003 09:43PM
Theo de Raadt (deraadt cvs openbsd org) (1 replies)

Re: Buffer overflow prevention Aug 14 2003 10:19PM
Gerhard Strangar (gerhard brue net)

Re: Buffer overflow prevention Aug 14 2003 08:09PM
Matt D. Harris (vesper depraved org)

Re: Buffer overflow prevention Aug 14 2003 07:17PM
Timo Sirainen (tss iki fi) (1 replies)

Re: Buffer overflow prevention Aug 14 2003 08:15PM
Jedi/Sector One (j pureftpd org) (1 replies)

Re: Buffer overflow prevention Aug 15 2003 09:54AM
Peter Busser (peter trusteddebian org)

Re: Buffer overflow prevention Aug 14 2003 06:47PM
Jedi/Sector One (j pureftpd org) (2 replies)

Re: Buffer overflow prevention Aug 15 2003 09:41AM
Peter Busser (peter trusteddebian org) (2 replies)

Re: Buffer overflow prevention Aug 16 2003 01:36AM
Mark Tinberg (mtinberg securepipe com) (2 replies)

Re: Buffer overflow prevention Aug 18 2003 08:43PM
Crispin Cowan (crispin immunix com)

Re: Buffer overflow prevention Aug 18 2003 08:41PM
Peter Busser (peter trusteddebian org)

Re: Buffer overflow prevention Aug 15 2003 05:55PM
stealth (stealth segfault net)

Re: Buffer overflow prevention Aug 14 2003 08:24PM
Miod Vallat (miod online fr)

Re: Buffer overflow prevention Aug 14 2003 06:27PM
Thomas Sjögren (thomas northernsecurity net)

Re: [Full-Disclosure] Re: Buffer overflow prevention Aug 14 2003 04:51PM
KF (dotslash snosoft com)