[Cryptography] defaults, black boxes, APIs, and other engineering thoughts

Phillip Hallam-Baker hallam at gmail.com
Sun Jan 5 09:14:42 EST 2014


On Sat, Jan 4, 2014 at 9:23 PM, Jonathan Thornburg <jthorn at astro.indiana.edu> wrote:

> > Have you noticed how the entire world is moving to a much more
> > sophisticated update model, typically dynamically, monthly?
>
> I'm not sure if that's true.  What I see is low-security consumer
> systems (e.g., the usual stuff from Microsoft, Adobe, etc) doing
> dynamic updates every month or even every week.  But OSs which make
> security a very high priority, like (say) OpenBSD, aren't moving that
> way at all -- they're staying with the old "updates are manually
> applied by a (human) system administrator" model.
>
> The OpenBSD website points out that they've only had two remote holes
> in the default install in "a heck of a long time" (I think more than a
> decade).  So perhaps the manual-updates security model remains viable....
>

Just don't; we used to laugh at UNIX security back in the days when VMS was
the only secure OS. Security is often used as ammo in standards wars, and the
comparisons are rarely accurate.

I believe the point of OpenBSD is that it is not a kitchen sink O/S which
ships everything someone might want by default. That is certainly going to
offer more security if you use it for a single purpose with a stripped down
build. It also means that the O/S is not going to report a vulnerability
each time sendmail gets rolled.

But take OpenBSD and lard it up with the thirty packages that are written
by the usual C-crew and the advantage is lost. Very few Microsoft or OSX or
Linux security reports are for code in the O/S core. It is usually the
support apps that cause the issues.


The most significant differentiator in security has actually been whether
accounts have a mandatory separation of superuser privs from regular
accounts. Windows XP does not have that and so every app that runs in an
account with admin privs can bongo the machine without any trouble.

One of the reasons for that, I believe, is that all modern O/S have
essentially the same approach to access control, which is essentially
broken. Butler Lampson thinks it is broken as well, but even he can't
change it.

The problem is that access control attributes are not attached to either
files or to the applications that run them. They are ledger entries in the
file system and grant access to users, which makes them essentially useless
for modern uses where each machine has between zero and one user and files
move from machine to machine without the security controls being carried
with them.


I don't think the firmware on my printers has ever been updated. And the
routers were never updated until I moved from the cheap Linux-based ones
that last 6 months to Apple AirPorts.

Windows XP still accounts for the majority of rooted systems. I find it
quite astounding that there are companies who still insist on using it. I
started buying my own machines when I was at VeriSign precisely because the
IT dept refused to let me run Vista.

I think the Vista hatred was mostly driven by laziness on the part of the
IT staff who wanted to avoid having to make new builds for their machines.
The same companies that would allow their IT departments to continue to run
an operating system the provider was warning was defective would go out and
buy a million dollar firewall.

It will be interesting to see what happens when XP goes EOL in April. A lot
of IT staff are likely to find themselves looking for new jobs as they
discover that they can't get to grips with the new Windows that other
people have been working on for 7 years. Some voluntarily, quite a few not.

-- 
Website: http://hallambaker.com/