Team Murder No Brain No Headache.

18 Oct 2002

Too Many Buildings, Not Enough People

God. Someone linked to this interview with Gene Spafford about the general state of security and I cannot remember where I first saw it. In any case I'm all too happy to play Ronald Reagan and Christopher Columbus and claim that I discovered it all by myself because I forgot who told me about it. That didn't really work so I'm just going to move along now...

Spafford is generally critical of operating system security and has criticized Linux especially. I can't argue with the majority of his criticisms, but many of them are nearly impossible to address when you're talking about a non-traditional system of development. He is the first to admit that he doesn't have problems with the actual Linux kernel, since its development is tightly controlled. It's too crucial not to be. His main issue with Linux is that defining the "it" of Linux is next to impossible. There is no canonical definition of what a GNU/Linux operating system is. The kernel is the only consistent part that transcends distributions and architectures.

While it's important to clarify these distinctions, it also makes giving GNU/Linux a definitive thumbs up or down for security purposes very difficult. Windows is a very cohesive chunk of code that is rigidly controlled, to say the least, but it doesn't include a great number of applications within its default install. When you buy a boxed version of Windows off the shelf you're getting a set of instructions for handling IRQ requests, sets of protocols for drawing things to the screen, and a bunch of drivers. Arguably there isn't a whole lot there to begin with. Linux, on the other hand, can also be evaluated as a kernel without any real core user-level interaction, but this would be silly. It's silly because you're never going to find this situation. While I know a fair number of people who've rolled up their sleeves and undertaken the gargantuan effort required to build a Linux From Scratch system from the ground up, I know very few that build systems by just grabbing things from around the internet and installing them. It's way too much work. So we have distributions, god bless 'em, to make things easier. Unfortunately the same flexibility that makes GNU/Linux on your machine so appealing also gives many security problems the potential to crop up.

All of that admitted and out of the way, making comparisons between the two is problematic at the very least. Windows historically has not been the slightest bit concerned with security, and even after the last round of announcements and furrowed brows I'm reluctant to take any of those promises very seriously. They will make every effort to assure you that security is guaranteed, though. Linux doesn't have a central mouthpiece. We have a bunch of loud mouths, some more credible than others, but despite their widely varying temperaments I've never heard a single one of them claim that a GNU/Linux system is inherently secure "out of the box." While patches are fast and furious and, for the most part, all the cards are out on the table when it comes to shortcomings and flaws, no one is going to say that anything but the kernel is secure.

Another response is: "Because it's open source; it's easier to fix." Maybe. It depends on where the code's used. If it's used in a certified environment or an embedded application, and from my standpoint, whether or not I can do all the maintenance on my own car... if I have to go back and install a fix to the brakes every time it crashes and kills somebody, I don't view that as more secure. Secure means it doesn't need the patches. It's done right the same time. So the people who are saying that their code is more secure and it still needs patches every other week--whether it's proprietary or open source--are playing fast and loose with the semantics of what security means.

This is the part that I don't buy. I don't believe in inherent security, because god knows I've personally flattened some things that were supposed to be bullet-proof. Even if every piece of software intended to run on a GNU/Linux platform was rigorously reviewed by a "team of experts," I don't think it is humanly possible to predict every possible circumstance, nor is it reasonable to try. Security is kind of a best-effort endeavor. While ideally everything would be tightly integrated and hermetically sealed, in the real world, where interoperation and simply being able to use powerful tools are necessities, there is going to be compromise. The old and creaky "the only secure computer is one disconnected from any network and sealed in a lead vault" example immediately comes to mind.

The point that I'm desperately trying to make in less than a thousand words is that trying to evaluate the security of some kind of monolithic Linux entity is probably a bad idea. This is a different case when you're coding for embedded Linux, which needs very rigorous review and auditing for each piece of software you're using. However, I don't think that the majority of the software used in the embedded sphere comes from a beta SourceForge project. One of the key ideas that people need to come away with is that you need to be aware of the environment you intend to use an operating system in. Obviously it's going to be difficult (for the end user) to patch an embedded device, but at the same time you can't code everything for the lazy end user. If you're an admin who gets all huffy about patching things, you might want to consider a career change. Unfortunately there isn't a system out there ready for enterprise-level deployment that will take care of itself. The necessity for someone to run patches, hit Ctrl-Alt-Delete, or just make sure the machine is still physically there is not going anywhere. Then there's this attitude:

For me one of the most telling things is, here you have this huge community of open source, but where are all the open source testing tools? Where are all the robust coding tools? There aren't any.

which may indicate that the source of information and insight in the interview is, um, insane.

Like I said a gazillion words ago, I don't have as many problems with his arguments as I do with the methodology that he uses to form them. Go read. I've said too much already.

Filed under: General