Re: SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Alan Cox <alan <at> lxorguk.ukuu.org.uk> writes:

> ...

Hi,

Let's keep in mind that we talk about computer systems security.

The terms of interest to me are innovation, variety, diversity, complexity.

I think innovation does not need to mean complexity as a result of it.

With regard to "law of necessary variety" I assume you mean Law of Requisite
Variety.
"In cybernetics the term variety denotes the total number of distinct states
of a system."
It describes "the condition for dynamic stability under perturbation (or
input)."
"If a system is to be stable the number of states of its control mechanism
must be greater than or equal to the number of states in the system being
controlled."
I think this law applies to building, exploitation and performance of
a defined, working, reliable, dynamic system.
It uses the term "control" in the context of interactions between system's
components, not security of the system.
The term security means "freedom from risk or danger; safety", or measures
adopted to prevent crime, attack, escape, espionage, sabotage, etc.

I like to use the term "diversity" (as opposite to "monoculture") when I want
to describe an ecosystem more capable of progress and survival.
I would apply it when I tried to explain my preference for multiplicity of OSs
(UNIX, Linux, Windows, *BSD, Mac, etc) or kernels (monolithic, micro, hybrid,
etc).
Diversity per se does not ensure security, which (once again) means measures
undertaken and a state achieved as a result of them.
Having a multitude of security measures ((sub-)systems) per se does not ensure
security.

Complexity means multitude of components in intricate arrangement.
An assumption that complex systems need per se variety of internal complex
security sub-systems or external complex security systems is of questionable
value.
Let me concentrate on one important explanation of why complex systems
(security systems inclusive) are prone to fail.
There is an inherent conflict between level of complexity and benefits of
complexity.
Complex systems require very high costs just to maintain them, not to mention
costs to expand them.
This is validated by decreasing net return on input to complex systems.
I think complex monolithic kernels, complex system/application/library APIs,
complex security models (consisting of multitude of different security
(sub-)systems) are not effective.

We forget that people write software and have to account for all the diversity
of system and application programming issues, also with regard to security.
We forget that people administer those hardware and software systems and have
to understand them from functional and operational point of view.
Consider multitude of OSs and programming languages/scripts that are involved,
which must be learned to various extent by the above two groups of
professionals and which bring their own inherent security problems to
the table.
There are also multitude of managers and analysts (business, architecture,
systems, security, etc) who want/have to understand these issues to a greater
or lesser extent as well in order to be able to manage and build them for
themselves or clients.

I say once again, MORE complexity is LESS security.

That's why complex systems (civilizations, societies, economies, financials,
computing, etc) are inevitably destined to fail or fall.
I am tempted to say - it is a law of nature.

JB

Well, I think we deserve it ...

Jerome Hines, Paul Plishka - Verdi - Don Carlo - Il Grande Inquisitor
http://www.youtube.com/watch?v=IOTm_ec42z4



-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux