[Cryptography] Use Linux for its security

J.M. Porup jm at porup.com
Fri Sep 30 09:30:50 EDT 2016


On Thu, Sep 29, 2016 at 10:07:07PM -0700, Ray Dillinger wrote:
> 
> 
> On 09/29/2016 05:45 AM, J.M. Porup wrote:
> > On Wed, Sep 28, 2016 at 12:39:15PM -0400, Jerry Leichter wrote:
> 
> >> The fundamental criticism is that Linux is way behind the times: 
> >> It's still trying to squish one security bug at a time, rather than
> >> using more modern techniques that close off entire classes of
> >> attacks, even if no specific ones have been identified...
> 
> > As the author of the Ars Technica article mentioned, I concur. If
> > this subject interests you, please go to the primary sources and
> > watch the videos--you can read me quoting Kees Cook, or you can watch
> > his talk yourself.
> 
> Given the writ to do a clean slate design, the mandate to design for
> security, and a tolerance for performance costs implicit in secure
> design, I think we really could fix most of the problem.

That's a lot of givens. :)

The one big takeaway I'd like to offer here, after being locked in a
room for two days at the Linux Security Summit, is this:

The problem is political, not technical.

The solutions you outline are difficult but technically achievable.
That is clear. The real problem is the current governance structure
of Linux.

No one could reasonably accuse Linus Torvalds of poor stewardship, and
certainly not of a lack of good intentions. But the benevolent
dictatorship model is creaking under the strain.

If you care about this problem, I would urge you to divide your time
equally between solving the technical challenges and confronting
the political ones. 

Without core leadership that prioritizes security, proposed technical
solutions are likely to languish for years, as Brad Spengler has 
discovered the hard way.

jmp



More information about the cryptography mailing list