Comments on: Security through diversity

By: Gain more clout with these security certifications « KBT Computers

Gain more clout with these security certifications « KBT Computers — Fri, 22 Jan 2010 20:37:04 +0000

[...] Security through diversity (cdixon.org) [...]

By: Security through diversity | Igniting Startups - nPost

Security through diversity | Igniting Startups - nPost — Wed, 20 Jan 2010 15:11:25 +0000

[...] From cdixon.org [...]

By: AnonMuse

AnonMuse — Fri, 15 Jan 2010 04:14:06 +0000

I've heard that this is was an early version of Tagged did.

By: pcimaven.com» Blog Archive » HIPS vs FIM – There is a difference…

Fri, 15 Jan 2010 03:45:19 +0000

[...] Security through diversity (cdixon.org) [...]

By: traxor

traxor — Wed, 13 Jan 2010 13:21:42 +0000

I try and use as many passwords as possible but I just tend to get confused.

By: chris dixon

chris dixon — Wed, 13 Jan 2010 05:10:01 +0000

I do say “I have no doubt that any particular organization can be compromised”

I am just saying diversity helps protect the country as a whole. Related to China, I think you could argue (and I've heard it argued by defense experts) that countries with highly centralized & standardized IT systems are more vulnerable to attack than those that are more distributed. (See LizScott's comment).

By: gbattle

gbattle — Wed, 13 Jan 2010 05:07:40 +0000

It seems your post today was quite prescient given today's Google vs. China news, however, this news also refutes your claim of security through diversity. The data doesn't support your claim. There is no well-funded, technically savvy, company who has not had a breach of some sort. Zero. Google's bold enough to just admit it in public. As long as there are locked doors, there will be locksmiths.

By: LizScott

LizScott — Wed, 13 Jan 2010 04:47:25 +0000

Interesting. I work in the DoD space, and while we routinely lament the many disparate systems we have to work with, it does add an element of cyber security that is not normally mentioned.

By: Tweets that mention Security through diversity cdixon.org – chris dixon's blog -- Topsy.com

Wed, 13 Jan 2010 04:00:25 +0000

[...] This post was mentioned on Twitter by chris dixon, kulesh, DealHorizon.com, Mahendra Palsule, NYC Tech Eqentia and others. NYC Tech Eqentia said: Security through diversity: Source: cdixon.org http://url4.eu/17971 [...]

By: David Semeria

David Semeria — Wed, 13 Jan 2010 01:23:09 +0000

This is possibly the only plausible upside to the (relatively) standard-less web we have created.

Even then, wikipedia lists only 6 types of web server servicing over 1 million sites. If, over time, you can get a sleeper on most of them – you can kill the web.

By: Mark Essel

Mark Essel — Tue, 12 Jan 2010 23:40:14 +0000

My problem with security is when it gets in the way of doing something important. There are some nifty user ID options coming down the pipes. Soon we'll have single user login that's pretty darn strong at identifying that it's actually us at the wheel, and not an untrusted infiltration.

But it's a game of cat and mouse. As probes improve, so does security. I read not too long back that bot nets are fairly significant.

Be careful or soon enough you'll be buying your cloud computing from yourself

By: doke01

doke01 — Tue, 12 Jan 2010 23:04:47 +0000

What you are saying is a bit over-simplified. What you are really saying is we are insecure in a diverse manner, which is making us a bit more secure then if we we insecure in an identical manner. Diversity, like obscurity, is not a true security measure. It is like saying every house on this block has a lock by a different manufacturer so we are more secure. While to some degree that may be true, the guy with the broken lock isn't too happy. Especially if that lock secures, for example, that national power grid. Also, the current 'diversity' wasn't designed as a security measure to begin with, meaning you just replaced the door lock above with a door handle.

By: John Galt

John Galt — Tue, 12 Jan 2010 22:44:49 +0000

Surely an attack that exploits a flaw at the server level (whether it be web/database etc server) would suffice? I'm thinking maybe a variant of the Slammer worm, something small that propagates rapidly.

By: Ivan Kirigin

Ivan Kirigin — Tue, 12 Jan 2010 22:00:11 +0000

I almost with I was incompetent enough at Tipjoy to store user passwords in clear text (they weren't) so that I could test authenticate them with email passwords. I'm surprised no one shows me a list of contacts from email if the email/pass I used to sign up works to sign into email as well. Who needs trust building in a first experience, right?

[these are just my opinions, not of any employer]
I really like your point about facebook being a central point, but one manned by a technology company. Maybe such systems can work in a distributed way and still add value for everyone. It certainly beats the current pandemic of uniform passwords.

One problem for users is that they have no idea how technical savvy you are. The facebook contact importer asks for your gmail password - just like Rock You. But Rock You is evidently incompetent, while Facebook isn't. How is a user to know? Not just for this particular issue, but generally, how are people who have no understanding of tech supposed to make decisions around it?

By: chris dixon

chris dixon — Tue, 12 Jan 2010 21:46:45 +0000

I'd recommend using password software like these: http://hunch.com/iphone-password-databases/

By: Chris Clark

Chris Clark — Tue, 12 Jan 2010 21:43:05 +0000

This may seem like a stupid question, but what is the efficient antidote to the 'single sign on system'? Someone that I, uh, know really well may fall into that category.