Control. (was Re: MS is vulnerable)

Jamie Reid Jamie.Reid at mbs.gov.on.ca
Thu Jan 29 16:32:46 UTC 2004


While acknowledging that I am falling for a troll does not excuse the act
itself, I would like to float an idea I think is useful. 

If you look at security as control, then you can measure it as the ratio of 
controls to features. That is, for N in/egress points there are X active policy 
enforcement gateways. Similarly, for all functions in a piece of software, 
there are X configurable controls of their inputs and outputs and 
en/disabled-state. 

The reason we have "security" vulnerabilities is that we are building (or evolving)
systems that lack adequate controls relative to the sheer volume of their features. 

While access to source-code does not guarantee that the user will exercise their 
control over the software, it does provide more granular control than say, a config 
file, or a clickity-click-configurator. The idea behind commercial software is that it 
is a service in which responsibility for control is maintained by the vendor, with 
a few options available to the user to customize. Open source provides total
control to the user, limited only by their skills or access to information. 

Now, whether this control I am talking about is applicable to "security" as we 
understand it, I will leave that to the reader, but I would speculate that this 
simile could allow for something like cybernetics to be applied to evaluating 
the security of complex systems, and possibly offer more practical solutions 
than the political economy of security that characterizes alot of research in 
the field. 

Best, 

-j
--
Jamie.Reid, CISSP, jamie.reid at mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
>>> <doug at nanog.con.com> 01/29/04 09:26am >>>

Microsoft software is inherently less safe than Linux/*BSD software.

This is because Microsoft has favored usability over security.

This is because the market has responded better to that tradeoff.

This is because your mom doesn't want to have to hire a technical
consultant to manage her IT infrastructure when all she wants to do is get
email pictures of her grandkids.

doug