[Cryptography] Use Linux for its security

Kent Borg kentborg at borg.org
Thu Sep 29 09:33:49 EDT 2016


On 09/28/2016 09:20 AM, Ralf Senderek wrote:
> On Tue, 27 Sep 2016, Jerry Leichter wrote:
>
>> Not.
>
> Everyone who complains about this situation should have asked himself:
> "When did I last donate my time and effort to essential code review?"

Good point.

But Linus Torvalds seems to think that security is well handled by (#1) 
writing good code in the first place, and (#2) letting the distributions 
patch whatever vulnerabilities might fall through. There has been some 
hard work to improve Linux security (such as grsecurity) but it doesn't 
get much encouragement. Linux is too busy moving forward as best it 
can--conquering the world--to worry about such cruft.

> (including efforts to reduce complexity).

Those efforts don't have enough mindshare for me to have noticed them. 
At least nothing beyond #1 above.

> And what are the alternatives? Use Apple for its security?

The situation is bad.

There is a trade-off between the constructive power that can be built of 
complexity (features!), and the dangers that will be camouflaged in that 
complexity. The incentives to build features are quite real, but there 
is no back-pressure asking whether any given feature is worth the added 
complexity. Complexity isn't seen to be a liability, it is seen as an 
asset.

Has anyone ever been fired for adding some big useful feature? How about 
for removing one?

The costs of complexity are real, but they aren't felt directly. A bit 
like pouring untreated waste in a river: the benefits are mine, but 
costs are someone else's.

-kb, the Kent who thinks computer security might somehow be jiu jitsu-ed 
into a needed counter-pressure.
