Rich Freeman via plug on 13 May 2020 07:30:51 -0700
Re: [PLUG] download from WHERE?
On Wed, May 13, 2020 at 9:05 AM Fred Stluka <fred@bristle.com> wrote:
>
> On 5/8/20 4:46 PM, Rich Freeman via plug wrote:
> >
> > Uh, have you seen what those same 20 year olds are doing with FOSS
> > today?
>
> Yes, I have. As I said, I don't trust them. Do you?

That was my point. This isn't an MS vs FOSS thing. This is more of a change in paradigms in software development which is relatively universal.

> > Half of the newer programming languages are almost impossible
> > to package because their build systems just download random
> > dependencies online, are statically linked, and so on.
>
> What do you suggest? Stop using yum, apt, pip? Do you prefer
> running .EXE and .MSI files over Unix shell scripts for installing
> things?

No, my point is that these paradigms are problematic wherever they occur.

> >
> > You're not going to avoid these problems by avoiding Microsoft.
>
> True. Not any more. Microsoft has lowered the bar so much,
> and put out so much low quality inexpensive software that
> other companies have had to cut corners to compete on price.

Honestly, I don't think this is really an MS thing. I think it is more of a Facebook and general internet-speed thing. A perfect solution delivered in two years is going to end up with zero market share when faced with a cobbled-together solution delivered in six months.

In the early days there was a lot of talk about Facebook facing architecture problems. They were growing so fast that their initial design just couldn't scale. They had to throw TONS of money at keeping the old system on life support while basically having to refactor the whole thing. This was touted by many as evidence that Facebook did things the wrong way.

In reality, it was evidence that they did things the right way. Yes, doing it over probably cost 10x what doing it "right" the first time cost. However, the first time out they were paying for the whole thing with very scarce capital while their staff was living like college students. When they had to redo everything they had money flooding in from every direction, and thus their biggest problem wasn't coming up with the money, but spending it fast enough to keep growing. If they hadn't been in the market at the right time they might never have succeeded at all.

It is better to spend $10M to make $1B than to spend $100k and lose it all. It is better still to spend that $10M in installments of $25k before you're making money and $9.975M when you're making $10M per month.

> Also, most programmers with under 20 years experience have
> never seen a computer with real security. Have not used a
> mainframe, VAX, Unix or Linux system. Or even a Mac (OSX is
> BSD Unix). Only Windows PCs.

So, I have a few concerns with this. First, modern Windows is MUCH more secure than what people were using in the 90s. Second, you're comparing multi-user setups with single-user setups. Unless you're using a Linux desktop with SELinux/etc and a LOT of tailoring those operating systems are not actually all that secure in a single-user paradigm, and could arguably be less secure than Windows against remote intrusion in some ways.

This has already been argued to death so I'll be brief. Suppose you are hit by a zero-day on Windows vs Linux in your browser, which is probably any desktop user's single biggest vulnerability window (that and their MUA I guess). Now some remote code has the ability to execute arbitrary commands using your UID. Unless you're containerizing your browser/etc that code can already read all your personal info in both scenarios - the only thing it can't do on either platform is modify the core of the OS. I'd argue that on Windows it can probably tamper with fewer of your settings/etc due to the whole UAC mechanism, while on Linux pretty-much anything in .config/.whateverrc and so on is editable without priv escalation.

Now, I will concede that Linux has more tools available to lock this stuff down like containerizing applications, or SELinux with fine-grained permissions so that random processes can't just go editing your .bashrc or whatever. However, most of this stuff is not configured in a typical desktop environment, and even distros that use SELinux by default probably don't lock it down to that degree - it would require a lot more conventions around what goes where in a user's home directory and so on.

Now, one thing users do have a lot of exposure to is mobile operating systems, and this is an environment where these sorts of controls actually are fairly routine. Perhaps they're still not as extensive as might be desirable, but something like Android or iOS does a LOT more to sandbox application and user configuration data than your typical desktop Linux distro or Windows.

Finally, you also have to consider physical security. VAX and Mainframe systems typically store all their data in secured facilities. Modern desktop users keep a ton of personal data on phones/laptops/etc. Now, Android runs Linux and is generally configured to have a pretty high level of physical security, and I suspect that in practice iOS is more secure. Windows is often not so secure by default but it actually has a number of tools for full-disk encryption and so on available, often with check-box-level configurability assuming you have the right version of Windows. Most Linux distros lag in this area. Many do offer home directory encryption these days, but none that I'm aware of back it with a TPM so that it is impossible to break if the drive is separated from the computer. Almost no distros do any kind of verification of the OS itself to prevent tampering. Windows does most of that out of the box, as do most mobile operating systems.

So, I think on the security front you have a fairly complex situation, with various options offering various security protections out of the box, and with others available if an administrator deploys them.

> So, they've accepted the lower bar and learned a lot of bad
> habits. And now they write mission critical systems in hospitals,
> medical devices, military, air traffic control, nuclear power plants,
> etc. Scary!

So, having seen some of the stuff in at least one area of healthcare I do have concerns, but you also have to consider that the controls go way beyond the software. Typically these sorts of processes and systems have tiers of procedures and processes around them that together make it relatively difficult for an attacker to have a serious impact on life/etc.

Now, for stuff that is of obvious strategic significance that is likely to be targeted by a state actor I completely support the idea that we probably need to be doing a lot more. These sorts of systems need multiple lines of defense from the applications to the OSes to the networks to the processes and so on.

I will note though that these sorts of areas are the one place you won't see many of the modern programming paradigms we were talking about at the start of this email. It is almost always highly-waterfalled development paradigms with layers of change and configuration management moving at a glacial pace.

> > Also,
> > it seems like half of this whole discussion is as dated as the 1991
> > post on that website...
>
> Rich, I have to say that I'm a little disappointed at the dismissive
> and inaccurate nature of that comment. You usually seem to
> pay more attention to detail than that. And I usually find that
> you have something to say that's worth listening to.

So, I'll agree that this may have come across a bit personally when it was more directed at the general MS pile-on attitude that is prevalent in this thread. It has always been fashionable to bash MS, but IMO a lot of the issues they had in the 90s are not the same issues they or other vendors have today. I don't think that you personally should be called out on that - it is actually a fairly prevalent attitude in the community. My words may have been a bit harsh in that regard.

>
> The article is my current opinion of Microsoft after
> observing their behavior, working around their bugs, hacking
> easily into their systems, and warning people of their weak
> security since I was first forced to use Microsoft software at a
> job 19 years ago.

And that is my point. I didn't say the information was incorrect. I said it was DATED. You can't really assign a reputation to anything that lasts 20 years, but that is especially true of a company. People can change over time. Companies change people ALL the time. Change the CEO and suddenly the company can have a completely different personality. Obviously there is some inertia but you have to be careful about applying judgements 20 years later.

> 1. Do you claim they did NOT intentionally install DLLs on my
> computer to sabotage Netscape?
>
> 2. Do you claim they did NOT extort $40,000 from my father?

Of course not. Hence the reason I used the word "dated." I don't think you're making things up - they were different back then. Maybe if they had more market power they'd be still doing that stuff today. Maybe if RedHat had that kind of market power today they'd be doing that stuff too.

>
> 3. Do you claim they did NOT lower the bar in software quality
> compared to their Unix and mainframe predecessors, as I
> described? Or that Linux and FOSS are NOT better and
> safer alternatives?

So, I already shared my thoughts on that above. And MS software in the 90s was very different from what it is today. Obviously I'm a fan of Linux in general and prefer it for a lot of solutions for a lot of reasons, and security can be one of them. However, I don't think that you're automatically more secure because you're using an Ubuntu desktop running Firefox instead of a Windows desktop running Firefox.

> 4. Do you claim that most of the world's bugs and security
> problems are NOT on Windows systems? That Windows PCs
> are NOT the majority of machines in malicious botnets?

So, I think that is more a result of who operates those machines and their level of network access. I've heard tales from family members who got scammed into giving somebody remote access to their Windows boxes and paying them for the privilege. I'm not sure that they'd have been any more secure if they were using most conventional Linux distros. Specialized ones like Android/ChromeOS/etc can be more secure because they basically aim to protect the user from themselves with almost no way to override that which doesn't involve flipping switches, attaching USB cables to other computers, and wiping the device in the process and getting hit with security nag screens on every boot.

Even then I'd think we'd see a LOT more old mobile phones targeted for botnets if it wasn't for the fact that mobile networks are fairly locked down. You can't get a worm spreading between mobile phones because they're all completely firewalled from incoming connections, often behind a NAT as well.

> 5. Do you claim they are NOT dishonorable people in general?

No more so than anybody really. You're talking about a company with tens of thousands of employees. Most of them are going to be just like you or I. Often you get some really scummy ones at all levels. The ones at the bottom usually are leeches on the company, and the ones at the top tend to be leeches on all of society, but often are leeches on the company too.

> If not, what exactly ARE you saying?

I just think that a bit of nuance is necessary. When evaluating security you need to look at the entire ecosystem, especially the user. When you look at companies you need to look at what they're DOING today, and not really go too much on reputation one way or another.

One big advantage of FOSS is that you're less beholden to any company's reputation, because you get the source, and you can see for yourself what is going on, and pay anybody you choose to do so as well and to maintain it if your relationship with the original vendor sours. Now, that isn't always a reasonably-priced option, but it is still an option. However, with the lower barrier to entry you don't have to be thoroughly indoctrinated in the ways of change management in order to get access to the COBOL interpreter. That creates both opportunity and danger, and it is important to use the right programming paradigms in the right places.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug