Rich Kulawiec via plug on 19 Dec 2020 09:51:15 -0800


Re: [PLUG] OT: SolarWinds


On Wed, Dec 16, 2020 at 09:15:45PM -0500, JP Vossen via plug wrote:
> Heck, I doubt any one person can understand all of just Windows and we
> all know how well that does.  I can make the same argument for the Linux
> kernel, but that's both smaller and better segmented and I think there
> are people who understand their part of it well enough.

The last time that I think I understood an entire software system
top to bottom was probably when I was running Unix v6.  I had a decent
grasp of v7 and various BSDs but at some point in the process the size
of the code combined with its growth rate exceeded my ability to keep up.

There are, no doubt, a few people who understand the entire Linux kernel.
There are probably a few people who understand the entire toolchain involved
in building software (including the compilers).  There are probably a few
people who understand various GUI stacks from top to bottom.  There are
probably some people who understand a lot of userland - shell, utilities, etc.
But I very much doubt that there's even one person who has all of this in
their head.

That's a problem.

> As the "technical" complexity (because it's not just software) grows,
> it seems like securing it gets harder faster than exploiting it.
> So I think humans will become incapable of securing it long before
> they become incapable of exploiting it.  If we're not already there,
> which...it kinda seems like we might be. :-(

This is -- in a way -- a solid argument for NOT creating software which
can't be understood in its entirety by a single person...because as of this
moment, the best security tool we have is the brain of a clueful person
who has that understanding.

Yes, we have code auditing tools and fuzzers and all kinds of things that
we didn't have before.  But even the people who use these tools keep
creating software that's a hot mess of security holes.   Like clockwork.

The problem...one of the problems...one of the many problems...
is that a lot of people are in love with their own coding skills
and want to write, write, write...not realizing (or not caring)
that every additional line of code adds complexity, and that complexity
adds security holes.  The Software Tools approach (a program should
do one thing and do it well) isn't glamorous and doesn't make people
coding rockstars so it's been largely abandoned.  No, instead, the goal
is to build enormous monuments to the egos of programmers...and
this is why we have screaming security nightmares like systemd.

	[ Put aside the fact that systemd's entire design is absolute
	crap, the sort of thing I'd give a sophomore a D for.  Put aside
	that it's a textbook example of the sort of thing that motivated
	the creation of Unix as an alternative.  Just count the lines
	of new code that have been cranked out in a rather short time.
	And count how many pieces of the system it's plugged into.
	It is, as the saying goes, obvious on inspection to the casual
	observer that this is a recipe for massive failure. ]

Compounding this is that much of the application architecture in place
today consists of multiple layers of libraries/supporting code that
is also subject to this same set of problems.  Thus even if we posit
application programmers who use best practices, who are frugal and
careful, who do everything "right" for a value of "right" that we could
argue about for the next year...they're building on top of very rickety
infrastructure.

This is why we can't have nice things. ;)

None of this surprises me.  What surprises me -- although mildly at this
point -- is that people keep doing these things despite their unbroken
record of failure.  But I am mindful of one of the things Marcus Ranum
said:

	Information security's response to bitter failure, in any area
	of endeavour, is to try the same thing that didn't work --
	only harder.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug