[MUD-Dev] Information sharing (was: Re: Where are we now?)

Adam Martin amsm2 at cam.ac.uk
Mon May 7 14:24:56 New Zealand Standard Time 2001


----- Original Message -----
From: "Greg Munt" <greg.munt at btinternet.com>
To: <mud-dev at kanga.nu>
Sent: Sunday, May 06, 2001 1:02 PM
Subject: Re: [MUD-Dev] Information sharing (was: Re: Where are we now?)

> -----Original Message-----
> From: shren <shren at io.com>
> To: mud-dev at kanga.nu <mud-dev at kanga.nu>
> Date: 06 May 2001 8:05 AM
> Subject: Re: [MUD-Dev] Information sharing (was: Re: Where are we now?)

>> There are, of course, security issues involved in releasing the
>> code to an active mud.  Doing so would have to increase the chances
>> of security breakins a whole lot.

> It all depends on whether you see that as a good or a bad
> thing. Your implication is that it is a bad thing. I wouldn't
> neccessarily agree; it exposes security flaws in your
> software. That's a good thing, isn't it? When security flaws are
> known by a limited number of people, they tend to be 'secrets', and
> get exploited a lot - without administrator awareness. When the code
> is in the public domain, so are its flaws. I'd expect them to be
> reported more - especially if a community of muds that use the code
> builds up.

> High exposure to software flaws means awareness of them
> increases. Half the battle with bugfixing is finding the bug in the
> first place.  

>From a security engineering standpoint, there are two issues here
(which are probably worth pointing out since they are relevant to many
other situations with MUDs).

The first is that "security through obscurity is no security at
all". I.e.  if you need to keep the details secret in order to enforce
security, then your system is not genuinely secure, and you ought to
fix it (or else make the active decision not to expect nor require
security).

The second is that easier to find/attack systems generally receive
more attacks. By releasing the code for a particular MUD, you draw
attention to it, and can cause the incidence of attacks to sharply
increase, because now the attackers have less reverse-engineering to
perform before they can make a solid attack. Where there is a
particular probability of anyone finding a particular flaw, increasing
the number of attacks increases the chance (generally) that an
attacker will find it before a friendly person does and patches it.

So all in all, its a two edged sword, but you ought to weigh up both
sides in light of your particular context before coming to any
conclusions.

Adam M

_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev



More information about the MUD-Dev mailing list