Linux and Internet security

[xtabber]

According to today's Washington Post, "The Internet’s future rests with a man who calls most security experts ‘completely crazy’"

I'd agree that Linus can be obnoxious at times, but I would certainly not call him crazy, or even wrong-headed about security experts.  But then, I'm not a security expert.

[MilesAhead]

Hmm, I remember reading a blog someplace where the person seriously advocated building the security into the system before the system has been made to work.  He noted that programmers leave out security measures because they are trying to get the code to work.  Then after the function is enabled they graft the security on later.  He suggested building in the security from line one of code.  Of course how to accomplish this new way of program design is never specified.

The blogger is even more inane than those people who posit that "everything should be free." 

Edit:  Sorry it was some time ago when I encountered the blog.  I have no clue where I could dig up the citation.

[Tuxman]

Linux's "security" records are awful indeed. I can't understand why anyone prefers it to other systems.

[40hz]

It's fairly straightforward to design security into a system, which basically comes down to controlling access to memory and the supervisor. The old mainframe security was virtually bulletproof in that regard. The real problem today is that this type of security can be cumbersome to deal with on a highly interactive interrupt-driven OS targeted for workstations as opposed to something intended for servers where the allowed running processes are usually very fixed and restricted. So the security usually gets "detuned" as the saying goes, until people stop complaining. AFAIK there's no easy way to work around that, so design compromises are unavoidable.

If anybody does find a way to get the absolute best of both worlds when it comes to operational transparency and strong security, they should be pleased to know there's a very large fortune and probably a Nobel Prize waiting for them to claim it.

[f0dder]

It's fairly straightforward to design security into a system, which basically comes down to controlling access to memory and the supervisor. The old mainframe security was virtually bulletproof in that regard.

-40hz (November 11, 2015, 11:27 AM)

That's only a very small part of the whole picture, though... there's a Whole Lot Of Horrible in that world because people mess up the (complicated!) security settings and then expose the boxes to the internet. Like when Anakata of PirateBay fame hacked the central Danish police mainframe.

[40hz]

It's fairly straightforward to design security into a system, which basically comes down to controlling access to memory and the supervisor. The old mainframe security was virtually bulletproof in that regard.

-40hz (November 11, 2015, 11:27 AM)

That's only a very small part of the whole picture, though... there's a Whole Lot Of Horrible in that world because people mess up the (complicated!) security settings and then expose the boxes to the internet. Like when Anakata of PirateBay fame hacked the central Danish police mainframe.

-f0dder (November 11, 2015, 11:58 AM)

To be sure. But that's not a coding issue. It's an "interface" (i.e. human) issue. If we could just get the people out of the loop, security wouldn't be an issue at all.

Easy to say.

But not practical to do.

Nor necessarily desirable, as the cautionary scifi story Colossus: The Forbin Project suggested many years ago.