Chad Waters via plug on 19 Dec 2020 10:06:53 -0800



Re: [PLUG] OT: SolarWinds




On Sat, Dec 19, 2020, 12:51 PM Rich Kulawiec via plug <plug@lists.phillylinux.org> wrote:
On Wed, Dec 16, 2020 at 09:15:45PM -0500, JP Vossen via plug wrote:
> Heck, I doubt any one person can understand all of just Windows and we
> all know how well that does.  I can make the same argument for the Linux
> kernel, but that's both smaller and better segmented and I think there
> are people who understand their part of it well enough.

The last time that I think I understood an entire software system
top to bottom was probably when I was running Unix v6.  I had a decent
grasp of v7 and various BSDs but at some point in the process the size
of the code combined with its growth rate exceeded my ability to keep up.

There are, no doubt, a few people who understand the entire Linux kernel.
There are probably a few people who understand the entire toolchain involved
in building software (including the compilers).  There are probably a few
people who understand various GUI stacks from top to bottom.  There are
probably some people who understand a lot of userland - shell, utilities, etc.
But I very much doubt that there's even one person who has all of this in
their head.

That's a problem.

> As the "technical" complexity (because it's not just software) grows,
> it seems like securing it gets harder faster than exploiting it.
> So I think humans will become incapable of securing it long before
> they become incapable of exploiting it.  If we're not already there,
> which...it kinda seems like we might be. :-(

This is -- in a way -- a solid argument for NOT creating software which
can't be understood in its entirety by a single person...because as of this
moment, the best security tool we have is the brain of a clueful person
who has that understanding.

Yes, we have code auditing tools and fuzzers and all kinds of things that
we didn't have before.  But even the people who use these tools keep
creating software that's a hot mess of security holes.   Like clockwork.

The problem...one of the problems...one of the many problems...
is that a lot of people are in love with their own coding skills
and want to write, write, write...not realizing (or not caring)
that every additional line of code adds complexity, and that complexity
adds security holes.  The Software Tools approach (a program should
do one thing and do it well) isn't glamorous and doesn't make people
coding rockstars so it's been largely abandoned.  No, instead, the goal
is to build enormous monuments to the egos of programmers...and
this is why we have screaming security nightmares like systemd.

        [ Put aside the fact that systemd's entire design is absolute
        crap, the sort of thing I'd give a sophomore a D for.  Put aside
        that it's a textbook example of the sort of thing that motivated
        the creation of Unix as an alternative.  Just count the lines
        of new code that have been cranked out in a rather short time.
        And count how many pieces of the system it's plugged into.
        It is, as the saying goes, obvious on inspection to the casual
        observer that this is a recipe for massive failure. ]

Compounding this is that much of the application architecture in place
today consists of multiple layers of libraries/supporting code that
is also subject to this same set of problems.  Thus even if we posit
application programmers who use best practices, who are frugal and
careful, who do everything "right" for a value of "right" that we could
argue about for the next year...they're building on top of very rickety
infrastructure.

This is why we can't have nice things. ;)

I could do a talk on Software Bill of Materials (SBOM) sometime. The initiative aims to gain transparency into what software components are built into a system.

Check out SPDX and SWID.


https://www.ntia.doc.gov/SoftwareTransparency

No, this wouldn't help specifically with the SolarWinds issue, but it is very related.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug