Monday, August 29, 2005

Apocalypse Now - Version 0.02 (rambling)

I'm sorry for the length of this post, I haven't had time to make it shorter.

On Windows Bashing:
I started this conversation when I noticed things poking through the layers of security in my systems, which happen to be Windows based. It is my belief that Linux is no better, given sufficient market penetration.

Bryan makes some very good criticisms of version 0.01 of this thread. I may be guilty of a bit of Chicken Little syndrome, or Crying Wolf, or Cassandra, or not... only time will tell.

Open source & Bugs:
When people point out that Open source should reduce the number of bugs in a program, I believe they are right. While fewer bugs are good, it's not going to drive the number to zero. Real security requires Zero exposed bugs, ever. (Which may well be impossible)

George Ou points out that progress is being made on many fronts, including the buffer overflow issues, and a lot of work is being put into tightening things up by many parties, and I applaud everyone's efforts.

I feel that the threat is going to continue to grow in terms of strength. I believe that one needs to be fairly paranoid these days, and that capabilities are just the right amount of paranoid thinking to be encoded into an operating system. ;-)

Bryan makes the case that Capabilities can be emulated with the right combination of ACLs. The technical arguments surrounding this get very tricky, very quickly. I believe (and am willing to change my opinion based on the facts and/or good argument) that Capabilities embody a concept which is missing from the current crop of OSs:
Don't trust the code

In a capabilities based system, everything is essentially living in its own sandbox. The only interactions possible are via the capabilities provided to a given piece of code. A capabilities based system should be able to run mobile code without any risk of compromise. Think of capabilities as the Java sandbox on steroids.
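To make the "only interactions possible are via the capabilities provided" idea concrete, here is a small added example (not from the original post, and not any real OS's implementation) in Python of the object-capability pattern: a piece of "mobile code" is handed one object that designates a single directory subtree, and that object is its entire authority. The holder can narrow (attenuate) the capability to read-only before passing it on, can never widen it back, and the grantor can revoke everything derived from it. The names `DirCap`, `untrusted_plugin` and `demo`, and the directory layout, are assumptions made up for the illustration. Python itself does not confine code (the plugin could still `import os`), so this shows the pattern a capability OS enforces, not an actual sandbox.

```python
"""Object-capability pattern: designation carries authority.

Added illustration, not code from the post. Python will not stop a
malicious plugin from importing os, so this demonstrates attenuation
and revocation, not real confinement.
"""
import os
import tempfile


class NotAuthorized(Exception):
    """Raised when a request exceeds what the capability grants."""


class DirCap:
    """A capability to one directory subtree (hypothetical class).

    Holding the object *is* the permission: there is no global ACL table to
    consult and no ambient 'open any path' authority. A holder can only
    narrow what it passes on, never widen it, and a parent can revoke
    everything derived from it.
    """

    def __init__(self, root, writable=True, parent=None):
        self._root = os.path.realpath(root)
        self._writable = writable
        self._parent = parent
        self._revoked = False

    def _check_alive(self):
        # Walk the derivation chain: revoking an ancestor kills this cap too.
        cap = self
        while cap is not None:
            if cap._revoked:
                raise NotAuthorized("capability (or an ancestor) was revoked")
            cap = cap._parent

    def _resolve(self, rel):
        self._check_alive()
        full = os.path.realpath(os.path.join(self._root, rel))
        # Refuse '..' and symlink escapes out of the granted subtree.
        if full != self._root and not full.startswith(self._root + os.sep):
            raise NotAuthorized(f"{rel!r} escapes the granted subtree")
        return full

    def read(self, rel):
        with open(self._resolve(rel), "rb") as f:
            return f.read()

    def write(self, rel, data):
        if not self._writable:
            raise NotAuthorized("capability is read-only")
        with open(self._resolve(rel), "wb") as f:
            f.write(data)

    def attenuate(self, writable=False):
        # A derived capability can only be weaker than its parent.
        return DirCap(self._root, writable=self._writable and writable, parent=self)

    def revoke(self):
        self._revoked = True


def untrusted_plugin(inbox):
    """Stand-in for mobile code: it receives exactly one capability."""
    return len(inbox.read("msg.txt"))


def _attempt(thunk):
    try:
        return thunk()
    except NotAuthorized:
        return "denied"


def demo():
    """Build a constructed directory tree and exercise the plugin."""
    with tempfile.TemporaryDirectory() as td:
        # Constructed sample data: one file the plugin may see, one it may not.
        os.mkdir(os.path.join(td, "inbox"))
        with open(os.path.join(td, "inbox", "msg.txt"), "wb") as f:
            f.write(b"hello from inbox")
        with open(os.path.join(td, "secret.txt"), "wb") as f:
            f.write(b"not for plugins")

        full = DirCap(os.path.join(td, "inbox"))   # the host's own authority
        ro = full.attenuate(writable=False)       # what the plugin is handed

        out = {}
        out["plugin"] = untrusted_plugin(ro)                          # 16 bytes read
        out["traversal"] = _attempt(lambda: ro.read("../secret.txt"))  # denied
        out["write_ro"] = _attempt(lambda: ro.write("msg.txt", b"x"))  # denied
        out["write_full"] = _attempt(lambda: full.write("note.txt", b"ok") or "ok")
        widened = ro.attenuate(writable=True)     # cannot regain write access
        out["re_widen"] = _attempt(lambda: widened.write("note.txt", b"x"))
        full.revoke()                             # host withdraws the grant
        out["after_revoke"] = _attempt(lambda: ro.read("msg.txt"))
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>13}: {value}")
```

The point to notice is that nothing in `untrusted_plugin` names a path outside `inbox`, because it has no object through which to do so; with ACLs the plugin would still run with the user's full identity and the check would have to be bolted on at every `open`. A real capability OS makes the "you can't import os" part hold as well, which this Python sketch cannot.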

There are many marvelous programs and components out there, waiting to be written. Java gives a hint as to where this could go. The demo scene (DOS programs limited to 64k) points to the really cool things that can be done, if mobile code could be somehow run safely.

I believe that retrofitting the Capabilities model into the existing Windows and Linux code base is possible, but it'll be a large chunk of work in either case. I believe that efforts in both camps should be supported. It would be nice if they interoperated, or could somehow share code, but I realize that's not likely.

It's been an interesting thread, thanks to Doc Searls, David Berlind, George Ou, and Bryan from AdminFoo for all the support and constructive criticism.