|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Date: Thu, 29 Jan 2004 11:32:46 -0500 From: "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca> To: vivienm@dyndns.org, doug@nanog.con.com Cc: nanog@merit.edu Errors-To: owner-nanog-outgoing@merit.edu This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_D2F386D6.30501651 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Content-Disposition: inline While acknowledging that I am falling for a troll does not excuse the act itself, I would like to float an idea I think is useful.=20 If you look at security as control, then you can measure it as the ratio = of=20 controls to features. That is, for N in/egress points there are X active = policy=20 enforcement gateways. Similarly, for all functions in a peice of = software,=20 there are X configurable controls of their inputs and outputs and=20 en/disabled-state.=20 The reason we have "security" vulnerabilities is that we are building (or = evolving) systems that lack adequate controls relative to the sheer volume of their = features.=20 While access to source-code does not guarantee that the user will exercise = their=20 control over the software, it does provide more granular control than say, = a config=20 file, or a clickity-click-configurator. The idea behind commercial = software is that it=20 is a service in which responsibility for control is maintained by the = vendor, with=20 a few options available to the user to customize. Open source provides = total control to the user, limited only by their skills or access to information.= =20 Now, whether this control I am talking about is applicable to "security" = as we=20 understand it, I will leave that to the reader, but I would speculate that = this=20 simile could allow for something like cybernetics to be applied to = evaluating=20 the security of complex systems, and possibly offer more practical = solutions=20 than the political economy of security that characterizes alot of research = in=20 the field.=20 Best,=20 -j -- Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca Senior Security Specialist, Information Protection Centre=20 Corporate Security, MBS =20 416 327 2324=20 >>> <doug@nanog.con.com> 01/29/04 09:26am >>> Microsoft software is inherently less safe than Linux/*BSD software. This is because Microsoft has favored usability over security. This is because the market has responded better to that tradeoff. This is because your mom doesn't want to have to hire a technical consultant to manage her IT infrastructure when all she wants to do is get email pictures of her grandkids. doug --=_D2F386D6.30501651 Content-Type: text/plain Content-Disposition: attachment; filename=TEXT.htm Content-Transfer-Encoding: 7bit <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"> <META content="MSHTML 6.00.2800.1226" name=GENERATOR></HEAD> <BODY style="MARGIN-TOP: 2px; FONT: 8pt Tahoma; MARGIN-LEFT: 2px"> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>While acknowledging that I am falling for a troll does not excuse the act</FONT></DIV> <DIV><FONT size=1>itself, I would like to float an idea I think is useful. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>If you look at security as control, then you can measure it as the ratio of </FONT></DIV> <DIV><FONT size=1>controls to features. That is, for N in/egress points there are X active policy </FONT></DIV> <DIV><FONT size=1>enforcement </FONT><FONT size=1>gateways. Similarly, for all functions in a peice of software, </FONT></DIV> <DIV><FONT size=1>there are X configurable controls of their inputs and outputs and </FONT></DIV> <DIV><FONT size=1>en/disabled-state. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>The reason we have "security" vulnerabilities is that we are building (or evolving)</FONT></DIV> <DIV><FONT size=1>systems that lack adequate controls relative to the sheer volume of their features. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>While access to source-code does not guarantee that the user will exercise their </FONT></DIV> <DIV><FONT size=1>control </FONT><FONT size=1>over the software, it does provide more granular control than say, a config </FONT></DIV> <DIV><FONT size=1>file, or </FONT><FONT size=1>a clickity-click-configurator. The idea behind commercial software is that it </FONT></DIV> <DIV><FONT size=1>is a service in which responsibility for control is maintained by the vendor, with </FONT></DIV> <DIV><FONT size=1>a few options available to the user to customize. Open source provides total</FONT></DIV> <DIV><FONT size=1>control to the user, limited only by their skills or access to information. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>Now, whether this control I am talking about is applicable to "security" as we </FONT></DIV> <DIV><FONT size=1>understand it, I will leave that to the reader, but I would speculate that this </FONT></DIV> <DIV><FONT size=1>simile could allow for something like cybernetics to be applied to evaluating </FONT></DIV> <DIV><FONT size=1>the security of complex systems, and possibly offer more practical solutions </FONT></DIV> <DIV><FONT size=1>than the political economy </FONT><FONT size=1>of security </FONT><FONT size=1>that characterizes alot of research in </FONT></DIV> <DIV><FONT size=1>the field. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>Best, </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>-j</FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><BR> </DIV> <DIV> </DIV> <DIV>--<BR>Jamie.Reid, CISSP, <A href="mailto:jamie.reid@mbs.gov.on.ca">jamie.reid@mbs.gov.on.ca</A><BR>Senior Security Specialist, Information Protection Centre <BR>Corporate Security, MBS <BR>416 327 2324 <BR>>>> <doug@nanog.con.com> 01/29/04 09:26am >>><BR><BR>Microsoft software is inherently less safe than Linux/*BSD software.<BR><BR>This is because Microsoft has favored usability over security.<BR><BR>This is because the market has responded better to that tradeoff.<BR><BR>This is because your mom doesn't want to have to hire a technical<BR>consultant to manage her IT infrastructure when all she wants to do is get<BR>email pictures of her grandkids.<BR><BR>doug<BR><BR></DIV></BODY></HTML> --=_D2F386D6.30501651--
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |