Frontier Hopping Doesn't Solve Security Problems

from the leave-all-your-problems-behind dept

A great article from Simson Garfinkel talking about the technology world’s “Frontier Syndrome”. He points out that each time security/virus/spam/whatever problems get too big in the technology world, along comes a new technology that promises to be more secure than the old technology, and everyone jumps on board. At first, it works out great, because there’s just a small number of folks who are getting used to the rough edges of living out on the frontier. But, then more people arrive, and with them come the folks who caused the original problems – and it just takes them a little while to figure out where the new holes are. As he says, “the real reason that new computing platforms are usually more secure than old ones is that nobody has written attack programs for them yet.”

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Frontier Hopping Doesn't Solve Security Problems”

Subscribe: RSS Leave a comment
Anonymous Coward says:


Postfix. The new frontier.

VSFTP, the featureless but so-far-unhacked ftpd.

It’s glad to have a shred of support behind my own ranting, that the Next Shiny Untested Thing is no more secure than that which has had an expolit for each of its 20 years of existence and maintenance.

Postfix doesn’t have the market on strncpy(), despite what the slobbering masses will try to tell you.

LittleW0lf says:

Re: Ah...

Postfix. The new frontier.

I can only assume this is humor, because if this is serious, you’ve got to be kidding me.

Postfix is neither new, nor has it had an exploit a year for the last 20 years (I believe it is more like 5 years) of its existance (unless you know something you aren’t sharing.) And it has been tested, in the real world, for 5 years, and has been far better than Sendmail in regards to security. The slobbering masses are still pushing Sendmail…there are a lot of folks who have chosen not to run postfix because of its licensing issues, not because of its security issues.

I run postfix, because it is smarter at dealing with rewrites than sendmail is, but also because it has a good track record for security. Dan’s qmail program is also a good alternative to postfix, if you don’t want to use postfix.

The funny thing is that this article (if you did RTFA,) doesn’t even talk about Postfix or VSFTP, but instead talked about how folks tend to get overly excited about new frontiers in technology making old problems disappear, only to find that new problems (which look exactly like the old problems) crop up and spoil the excitement. Postfix certainly doesn’t step forward, it steps backward (which is what makes it more secure,) because it takes all the bells and whistles out of Sendmail which tends to get Sendmail into trouble. Yes, postfix has its own share of problems, but they are well documented and often easy to work around.

LittleW0lf says:

Life in the fishbowl...

But, then more people arrive, and with them come the folks who caused the original problems – and it just takes them a little while to figure out where the new holes are.

I usually like Simson Garfinkel’s articles, but for some reason this one seemed wrong. It wasn’t that what he was saying was wrong, it was the fact that he was so accurate in his argument that it seemed too terribly one-sided. While I tend to agree, that the computer world lives in a Frontier Syndrome, where is this any different than the real world. After all, we all have our own hopes and dreams, and usually to get to those hopes in dreams we need to work hard. Yet, when we reach the point where we achieve our hopes and dreams, we realize that we have even bigger hopes and dreams and that those which we wanted before really don’t mean much to us any more. This is just the way we are, and the computer security world is no different.

But just because we look forward to the golden future of computer security, where hackers are zapped by millions of volts of electricity the moment they access our computers illegally does not mean that we should discount that what we have fixed in the past. To do so would likely cause the reintroduction of the bad stuff because we forgot it was bad.

There will never be a silver bullet in security, just like there is never a silver bullet in any other line of work, but does that mean we should give up trying?

In a perfect world, security would work flawlessly, but in the real world, as in the digital world, even if we had perfect security models we would still have failures since we are human, with very limited lifespans, and as humans, we tend to take the easy way out of things, and may not implement the security model correctly all the time. Many security failures occur because we either forget to do things the right way, or are too lazy to fix things done the wrong way, and we are all guilty of this. In the future, we’ll hopefully develop systems to either reduce or eliminate human error…or at least we can hope and dream we will for the time being.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...