While acknowledging that I am falling for a troll does not excuse the act itself, I would like to float an idea I think is useful.

If you look at security as control, then you can measure it as the ratio of controls to features. That is, for N in/egress points there are X active policy enforcement gateways. Similarly, for all functions in a piece of software, there are X configurable controls of their inputs and outputs and en/disabled-state.

The reason we have "security" vulnerabilities is that we are building (or evolving) systems that lack adequate controls relative to the sheer volume of their features.

While access to source-code does not guarantee that the user will exercise their control over the software, it does provide more granular control than, say, a config file, or a clickity-click-configurator.

The idea behind commercial software is that it is a service in which responsibility for control is maintained by the vendor, with a few options available to the user to customize. Open source provides total control to the user, limited only by their skills or access to information.

Now, whether this control I am talking about is applicable to "security" as we understand it, I will leave that to the reader, but I would speculate that this simile could allow for something like cybernetics to be applied to evaluating the security of complex systems, and possibly offer more practical solutions than the political economy of security that characterizes a lot of research in the field.

Best,
-j
--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324

>>> <doug@nanog.con.com> 01/29/04 09:26am >>>
Microsoft software is inherently less safe than Linux/*BSD software.
This is because Microsoft has favored usability over security.
This is because the market has responded better to that tradeoff.
This is because your mom doesn't want to have to hire a technical consultant to manage her IT infrastructure when all she wants to do is get email pictures of her grandkids.

doug