Schedulers can be objectively tested. There's this thing called "performance", that can generally be quantified on a load basis.
Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers.
So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions".
— Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel, by Linus Torvalds, kerneltrap.org, Monday, October 1, 2007 - 7:04 am
Linus Torvalds, inventor of Linux and thus originator of its associated industry, continues:
Another difference is that when it comes to schedulers, I feel like I actually can make an informed decision. Which means that I'm perfectly happy to just make that decision, and take the flak that I get for it. And I do (both decide, and get flak). That's my job.
In contrast, when it comes to security, I see people making IDIOTIC arguments, and I absolutely *know* that those arguments are pure and utter crap, and at the same time, I see that those people are supposed to be "experts".
For example, you security guys still debate "inodes" vs "pathnames", as if that was an either-or issue.
Quite frankly, I'm not a security person, but I can tell a bad argument from a good one. And an argument that says "inodes _or_ pathnames" is so full of shit that it's not even funny. And a person who says that it has to be one or the other is incompetent.
Yet that is *still* the level of disagreement I see.
His examples may be about schedulers and filesystem concepts, but his point applies to many other realms of security, as well.
-jsq
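As an added illustration, not part of the original post or the quoted thread, of why "inodes or pathnames" is a false choice: the script below (assuming a POSIX filesystem and a scratch temporary directory it creates itself) renames and hard-links a constructed file and records what a path-keyed view and an inode-keyed view of "the same file" each can and cannot distinguish.

```python
import os
import tempfile


def identity_views(directory):
    """Create a sample file, then rename and hard-link it, recording how a
    path-keyed identity and an inode-keyed identity diverge.

    Returns a dict of observations a policy author would care about.
    """
    orig = os.path.join(directory, "secret.conf")  # constructed sample file
    with open(orig, "w") as fh:
        fh.write("constructed sample content\n")
    inode_before = os.stat(orig).st_ino

    # Rename: the path a path-based rule was written against no longer
    # exists, but the inode (and its contents) is unchanged, so an
    # inode-keyed rule still recognises the object under its new name.
    moved = os.path.join(directory, "public.conf")
    os.rename(orig, moved)
    inode_after_rename = os.stat(moved).st_ino

    # Hard link: one inode now answers to two paths. An inode-keyed rule
    # cannot tell the two names apart; a path-keyed rule can, but only
    # sees the name it was told about.
    linked = os.path.join(directory, "alias.conf")
    os.link(moved, linked)

    return {
        "same_inode_after_rename": inode_before == inode_after_rename,
        "original_path_exists": os.path.exists(orig),
        "paths_sharing_inode": sorted(
            p for p in (moved, linked) if os.stat(p).st_ino == inode_before
        ),
        "link_count": os.stat(moved).st_nlink,
    }


def run_demo():
    """Run the demonstration in a throwaway directory and return the findings."""
    with tempfile.TemporaryDirectory() as scratch:
        return identity_views(scratch)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Neither view alone captures what an access-control decision needs: the path is what the caller asked for, the inode is what it actually gets.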
I also subscribe to the theory that the security market, for good or worse, is a market in silver bullets. The underlying reason is that there is an absence of hard objective science to base it on, primarily because the attacker doesn't let you get away with dry & dusty theories or statistical models.
Out of that arises a world of best practices on the side of the buyer, a.k.a. outsourcing your security wisdom; on the part of the seller, it is whatever sells and whoever can talk the most complicated blah blah. As security experts never get tested on the results of their work by the market, the only thing that counts is appearance.
Posted by: Iang | October 11, 2007 at 09:33 AM
Irony: "a literary technique, originally used in Greek tragedy, by which the full significance of a character's words or actions are clear to the audience or reader although unknown to the character."
Irony: using qualitative labels ("real", "hard") to describe confidence (certainty) of data in a statement that expresses a lack of confidence in the use of qualitative labels.
Posted by: Alex | October 11, 2007 at 10:50 AM
Alex: Linus is a pretty canny fellow; I doubt irony is unknown to him.
Also, I don't see what he wrote as ironic. Schedulers have performance metrics. Security does not. Some is greater than none. QED.
Iang: Let's see, complicated blah blah, appearance, and ingratiating with the customer. So IT security is basically politics?
Posted by: jsqrisk | October 12, 2007 at 02:36 PM
John,
Are you saying:
1.) Security does not have performance metrics?
or
2.) Security does not have metrics?
3.) Linus understands that the only difference between the metrics he likes and the metrics security can be using is a matter of certainty? If so, then he may be canny, but his patience and temperance leave something to be desired.
Posted by: Alex | October 12, 2007 at 05:44 PM
If security has metrics showing how application of security techniques affects the business performance of the companies that purchase it, it's odd that nobody presented them at the recent Metricon, a workshop dedicated to the measurement of security.
Security has various measurements of this and that, such as patches applied, intrusions detected, etc., but what do they mean to the people paying for them? If the CIO goes to the CEO's staff meeting or a board meeting and says "we spent $x and that let us apply Y patches" that's like the VP of Marketing saying "we spent $X and sent out Y press releases." So? How many press stories did those press releases produce, and which of those produced how many sales? And what's the equivalent for security?
OS schedulers tend to be measurable in very concrete terms related to what you can do with the operating system. Show me the security measures about which security techniques keep the OS up, available, and unimpaired by how much, preventing security problems or rapidly ameliorating them, and how much this affects the corporate bottom line. Better yet, present them at the next Metricon.
Posted by: jsqrisk | October 12, 2007 at 07:27 PM