[PLUG] Linus and the 'Net

Mark Phillips mark at phillipsmarketing.biz
Sat Nov 7 15:53:29 UTC 2015


I liked the article a lot! It prompted me to buy "How Linux Works: What
Every Superuser Should Know" by
Brian Ward and it is a great read. I recommend it.

My point is I disagree a little with Linus' goal of rejecting all security
patches if they slow down user space. Moore's Law is still in effect
(http://www.techradar.com/us/news/computing/moore-s-law-how-long-will-it-last--1226772),
so the speed of computer hardware is still increasing faster than the drag
produced by software. I think some kernel security patches could be
implemented and in two years user space will not be affected (more or
less). As it says in the article, it is much easier to say no impact on
user space than a little impact is OK. How much is "a little" and who
decides (probably Linus)? Perhaps it is time to rethink this golden rule of
kernel development in this very aggressive game of global cyber attacks,
which are funded by foreign governments. (Although, on a side point, I
wonder how much the NSA has mapped the power grids of other nations and
installed sleeping exploits...)

A second point that Linus made, although not that well, is that if kernel
security becomes the focus of development, then we are making a big
mistake. IMO, the goal should be to have many layers of strong security
that continually evolves based on the assumption that the attacker is just
as smart as the security experts. Just relying on security in the kernel is
like building a fortified castle, but not adding a moat or rings of stout
walls around the inner keep. Also, all these security experts would love to
be able to lay the blame for exploits at the feet of the kernel, which they
do not control/maintain/develop, instead of accepting that the world of
security is ever changing and every now and then the bad guys may get
through.

Just my 2 cents....thanks for the article!!

Mark

On Sat, Nov 7, 2015 at 7:23 AM, Rich Shepard <rshepard at appl-ecosys.com>
wrote:

> On Fri, 6 Nov 2015, Patrick J. Timlick wrote:
>
> > An interesting account of the controversy surrounding Linux security.
> > Where does PLUG weigh in on security vs speed and ease of use? Is our
> > friend and neighbor Linus right or should we go with less famous
> > "security experts"?
>
>    From my position as a non-computer professional end user of linux since
> 1997 I think they're both correct ... from deterrent points of view.
>
>    The two recent vulnerabilities/exploitations of 'Net back-office tools
> (heartbleed and the other mentioned) were, if I recall correctly, related to
> bind. Bind is an essential utility but not part of the kernel. Part of GNU
> Linux (and similar systems, I'm sure), but not in the kernel. This, perhaps,
> gives one point to Linus.
>
>    From everything I read the greatest vulnerabilities and exploitations come
> from the carbonware portion of the computing corpus:
>
>    - Weak passwords.
>
>    - Accounts payable clerks who accept e-mails seeming to come from their
> bosses to wire transfer thousands of dollars to off-shore accounts without
> verifying that the request is real.
>
>    - Outdated, not upgraded applications such as PCAnywhere on parking lot
> and car wash POS systems that are compromised because the POS system
> providers do not upgrade the remote access tools and the folks who run the
> parking lots and car washes are ignorant and not expected to manage the POS
> systems they use.
>
>    - ATM and other POS exploitations based on insufficient security and (if I
> correctly interpret the reports) Windows vulnerabilities across almost every
> retailer chain.
>
> Give Linus a second point.
>
>    On the other side, there are known potential weaknesses in the kernel and
> the argument that adding security at the cost of some slowness in response
> is unacceptable is equivalent to claiming that putting kids in secure car
> seats and the driver using a seat belt is unacceptable because it delays
> going to the grocery store. While it seems that for too many people instant
> gratification is no longer quick enough (see Amazon's promise to deliver
> what you order as soon as you pay for it), as a society we need to accept
> the cost of added security on the Internet just as we accept a delay by
> locking the doors to our houses and apartments (a major production involving
> multiple locks in cities such as New York.) Score a point for the 'crazy'
> security experts.
>
>    Ideally, we'd work on both aspects. Train humans to be more security
> conscious in their use of computers (similar to pushing water uphill) while
> adding two-factor authentication more broadly and adding additional kernel
> and utility security even at the cost of slower response time.
>
> Rich