Sunday, February 21, 2021

If Germans are good at engineering, how come they don't dominate computer operating systems?

I recently came across a Quora question:

If Germans are good at engineering, how come they don't dominate computer operating systems or mobile operating systems?

As a native citizen of the United States, I can categorically state that I know of no widely used operating system in the US that even stands a chance of being made secure. The widespread risk taking “cowboy” attitude in the US that leads to fast innovation also leads to things like the Challenger Disaster. There were layers of management at NASA who weren’t engineers, but thought they were because they could run an Excel spreadsheet, and they had been “lucky” so far, which prevented them from learning otherwise.

There will, in about 5–10 years or so, be a complete change in the basis of operating systems worldwide. The cowboy attitude that Linus Torvalds managed to build into Linux, with his worldwide following, has gathered another layer of people who think they know what they are doing because they can run a C compiler and make.

In the Shuttle Disaster, the would-be engineers thought that they could measure the amount of erosion of the O-rings, and that the probability of failure was linearly proportional to the amount of O-ring eroded. Because there were multiple rings, and only the first had eroded by a maximum of 33%, they thought they had 1 in 1,000,000 odds of failure.

The original engineers knew better, and documented their findings: if ANY erosion occurred, they indicated it was a need for a COMPLETE REDESIGN of the system, because it had already failed.


In the case of Linux, there is an assumption that an operating system can be built in one large piece, a monolithic kernel, and that the users can't be trusted. Smart and careful system administrators, and reliable, careful application programmers with layers of firewalls and sandboxes, can keep things safe. If the stack is breached, they add more layers of protection.


The original engineers had built a system called Multics, and in response to some failures of computers to live up to their promises during the Viet Nam conflict, had designed a system which carefully protected itself at all layers by default. This was the multi-level secure model of computing, also known as Capability Based Security. A process in such a system can only access the resources it has been given a capability to access, and NOTHING ELSE.


They considered it imperative to reduce, to as small as reasonably possible, the amount of code that runs with full privilege to do anything whatsoever; that code then manages everything else, and grants NO privileges by default. (The entire Linux kernel, on the other hand, runs with full privilege: millions of lines of code, any of which could take it all down.)
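To make the two design points above concrete (a process holds nothing but the capabilities it was handed, and only a small kernel has full authority), here is a toy capability model written for this post. It is an added illustration, not Genode's code or API: the `Kernel`, `Capability` and `Process` names, the `attenuate`/`revoke` operations and the random token standing in for a kernel-protected object reference are all assumptions of the example. It shows default deny, delegation of a weakened (read-only) capability, rejection of a forged capability, and revocation that cascades to derived capabilities.

```python
"""Toy capability kernel (illustration only; not Genode code)."""
from dataclasses import dataclass, field
import secrets

READ, WRITE = "read", "write"


class CapabilityError(PermissionError):
    """Raised whenever a request is not backed by a valid capability."""


@dataclass(frozen=True)
class Capability:
    # Models an unforgeable kernel object reference: only Kernel mints tokens
    # it will honour; a process can hold or pass one but not conjure one.
    resource: str
    rights: frozenset
    token: str = field(default_factory=lambda: secrets.token_hex(8), repr=False)


class Kernel:
    """The only code with full authority. Everything else acts through it."""

    def __init__(self):
        self._resources = {}   # name -> contents
        self._minted = set()   # tokens of live (unrevoked) capabilities
        self._parent = {}      # child token -> parent token, for cascading revoke

    def create_resource(self, name, contents=""):
        """Create a resource and return the sole full-rights capability to it."""
        self._resources[name] = contents
        cap = Capability(name, frozenset({READ, WRITE}))
        self._minted.add(cap.token)
        return cap

    def _validate(self, cap, right=None):
        # Default deny: no valid token, or a missing right, means no access.
        if not isinstance(cap, Capability) or cap.token not in self._minted:
            raise CapabilityError("no valid capability presented")
        if right is not None and right not in cap.rights:
            raise CapabilityError(f"capability lacks the {right} right")

    def read(self, cap):
        self._validate(cap, READ)
        return self._resources[cap.resource]

    def write(self, cap, data):
        self._validate(cap, WRITE)
        self._resources[cap.resource] = data

    def attenuate(self, cap, rights):
        """Derive a weaker capability (e.g. read-only) from one the caller holds."""
        self._validate(cap)
        rights = frozenset(rights)
        if not rights <= cap.rights:
            raise CapabilityError("a derived capability cannot gain rights")
        child = Capability(cap.resource, rights)
        self._minted.add(child.token)
        self._parent[child.token] = cap.token
        return child

    def revoke(self, cap):
        """Revoke a capability and every capability derived from it."""
        dead = {cap.token}
        changed = True
        while changed:  # walk the derivation tree until no new children appear
            changed = False
            for child, parent in self._parent.items():
                if parent in dead and child not in dead:
                    dead.add(child)
                    changed = True
        self._minted -= dead


class Process:
    """A process starts with NO authority; it only has what it is granted."""

    def __init__(self, name):
        self.name = name
        self.caps = {}

    def grant(self, label, cap):
        self.caps[label] = cap


def demo():
    """Run the scenario and report, per step, whether access was allowed."""
    k = Kernel()
    cfg = k.create_resource("config", "debug=off")
    admin = Process("admin")
    admin.grant("cfg", cfg)                              # full rights
    worker = Process("worker")
    worker.grant("cfg", k.attenuate(cfg, {READ}))         # read-only delegation
    out = {"worker_read": k.read(worker.caps["cfg"])}
    try:
        k.write(worker.caps["cfg"], "debug=on")
        out["worker_write"] = "allowed"
    except CapabilityError:
        out["worker_write"] = "denied"
    try:  # a forged capability names the resource but was never minted
        k.read(Capability("config", frozenset({READ})))
        out["forged_read"] = "allowed"
    except CapabilityError:
        out["forged_read"] = "denied"
    k.revoke(admin.caps["cfg"])                           # cascades to worker's copy
    try:
        k.read(worker.caps["cfg"])
        out["read_after_revoke"] = "allowed"
    except CapabilityError:
        out["read_after_revoke"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

The point to notice is that nothing in `Process` can reach `_resources` directly: every access goes through the kernel, which holds the only privileged state, and a process with no capability cannot even name a resource usefully. In a real capability kernel the token is a kernel-protected object reference rather than a random string, so forging is impossible by construction rather than merely improbable.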

There are some small pockets of sanity in the US, but they are unknown to most of the IT community here, and unfortunately, don’t even seem to be the system vendors of choice for our security agencies.


In Dresden, there is a team of programmers working slowly and methodically to turn the, until now, academic concept of a capability based operating system into a production ready operating system that is actually secure by default. They are a few years away, in my opinion, but should be gathering traction quite quickly once the need for their system is realized.

Genode is the system, and Genode Labs is the company funding the work.


I don’t work for Genode Labs, I’m not paid, and receive no compensation from them whatsoever. I just want sanity to prevail in the end, and they seem to be the best chance of getting it to happen.
