[LINK] Expert: Simplicity is key to keeping code secure

Rachel Polanskis grove@zeta.org.au
Fri, 9 Aug 2002 21:40:42 +1000 (EST)


On Fri, 9 Aug 2002 hartr@interweft.com.au wrote:

> On  9 Aug, Bernard Robertson-Dunn wrote:
> > Expert: Simplicity is key to keeping code secure
> > By Ashlee Vance
> > 9 August, 2002 9:22 SAN FRANCISCO, U.S.
> > Australian ComputerWorld
> > http://www.computerworld.com.au/idg2.nsf/All/FF4B11A15610C150CA256C100002147C!OpenDocument&NavArea=Home&SelectedCategoryName=News
>
> <Snip>
>
> > "Today, nobody has any clue what is running on their computer," he said.
> > "The complexity curve has passed us."
>
> Good grief!
>
> I can accept that an organisation may have little idea what is running
> on its desktop machines, but they need to beat their IT staff against a
> handy wall if the IT staff cannot answer definitively what is happening
> on the servers...this implies very lax security, logging and IT
> policies/procedures!

Errm, I recall reading several years ago in a C Users Journal an editorial
by PJ Plauger (famous C personality) who said the curve of knowing what was
on his systems went beyond him several years ago.

He mentioned that while ever he was coding on UNIX Systems, he could probably
identify most of the files on the platform he was working on and why they
had a right to exist there.

It was only after he started using Windows-based systems that the curve
left him behind as there was no way of controlling what files were installed
by what applications, nor was there any documented information about the
properties of the file.

On UNIX you can have a swathe of shared objects (like .DLL files for the IT blind!)
but they usually have a reasonably appropriate name (at least to a sysadmin).
Likewise most config files have a sort of connection to their application.

This makes it easy to identify what's what on your system, once you learn the
lingo.

On a Microsoft platform, all bets are off.  Files that share different properties
can have the same name (but not in the same location) or the same file can
be named to something else, but have the same overall properties.
Also, Windows can install just about anything it likes without control in the
OS system directories, including all sorts of rubbish that potentially
causes "DLL Hell". This is when older versions of a file overwrite newer,
more current ones because they share the same name.

There's not much you can do about this until after damage is done.
There are also not very many tools available to examine and audit
such files (I think there are some) unless you are a developer
and know what to look out for. I think there may be some windoze apps
that hunt down "orphan" files but I do not know how successful they are.

I defy most even hardcore Windoze admins to tell me just what some of
those cryptically named files actually do or if they have a right to exist,
whereas at least on a UNIX box, I can say with a reasonable amount of
certainty what a file does and why it is there.  And if I do not,
I have tools at my disposal built into the OS to help me work out what
they are.

I haven't even mentioned the mess that is possibly on most Windoze
servers, either......


rachel

-- 
Rachel Polanskis                 Kingswood, Greater Western Sydney, Australia
grove@zeta.org.au                http://www.zeta.org.au/~grove/grove.html
      "People don't say sorry in this country" - Max Connors (Seachange)

----------
For Link list information see http://sunsite.anu.edu.au/link/
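
An added example, not part of the original message or thread: a small Python audit for the two conditions the message describes, one file name carrying different contents in different locations, and one content stored under different names. The directory layout and file names are constructed stand-ins; names are compared case-insensitively on the assumption of Windows-style file naming.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=65536):
    h = hashlib.sha256()  # hash in chunks; libraries can be large
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit_tree(root):
    """Return (name -> {digest: [paths]} conflicts, digest -> [names] copies)."""
    by_name = defaultdict(lambda: defaultdict(list))
    by_digest = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_of(path)
            key = fname.lower()  # assumption: case-insensitive names
            by_name[key][digest].append(path)
            by_digest[digest].add(key)
    conflicts = {n: dict(d) for n, d in by_name.items() if len(d) > 1}
    copies = {d: sorted(n) for d, n in by_digest.items() if len(n) > 1}
    return conflicts, copies


def build_sample_tree(root):
    """Constructed sample data: tiny stand-in files, not real libraries."""
    layout = {
        "system/widget.dll": b"widget v2",
        "app_a/WIDGET.DLL": b"widget v1",  # same name, different content
        "app_b/helper.dll": b"widget v2",  # same content, different name
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```

Comparing two runs of `audit_tree` taken before and after an install shows which names changed content.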