(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on alecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]
This, Too, Shall Pass: Reflections on Secure Computing
2024-02-27 09:05:04+00:00
My friend Daniel posted something perky, positive, and constructive, and so I had to reply with my sentiment:
A good report by the @WhiteHouse (ONCD) on the path to secure and measurable software … With memory safe languages being pushed to the front of the queue.
Oh, how I wish, my sweet summer children, but alas the world does not work that way; I’ve been doing this stuff professionally since 1988 which makes it 36 years or so, plus another 5 years or so as a larval hacker-nerd, so in my 40 years of experience I have seen:
- at least 2 previous iterations of “AI is coming and will destroy everything”, including the “Fourth Generation Languages Which Will Write Themselves” in the era of BASIC, and the second-wave AI of the 1980s which even then was glorified pattern-matching
- at least two previous iterations of “memory safe languages will fix everything” including Erlang (which would have meant that we could live-patch machines, because “functional”, and therefore we would not need DevOps!) and Java (which could/would never, ever, ever, be unsafe, because of a hand-tooled and unproven software theorem checker validator dynamic loader which people would know never to hack-around as a deployment convenience)
- the death of VMS and Unix — macOS and *BSD do not count — and their replacement in the enterprise by Windows and Linux… where both of the former had their flaws but were actually engineered to be good for the enterprise, as opposed to agglomerated-and-fixed (Linux) or overstretched desktop software (Windows)
- we used to have code injection; then we had SQL injection and XSS; now we have prompt injection. It seems that “injection” is perennial
In the 1980s practically every university computer science department had a “Sun Lounge” or “Solarium” filled with Sun computers; and when the students left they went into Wall Street and dragged what they knew along with them, and Sun’s fortunes boomed.
Sun axed its educational sales to focus on Wall Street and the pipelines of expertise collapsed, leaving students to “grow up” on Linux and Windows; and when they left they went into Industry and dragged what they knew along with them, and Linux and Windows became deployment platforms in spite of their deficiencies.
My first experience of the cultural generational mismatch was around y2000 at Sun where EDS had been brought in to manage a datacentre of Starfires and other enterprise kit which were supposed to maintain beyond-5-nines of uptime, and where literal millions of dollars hinged upon them delivering that; the “expert” from EDS instituted “weekly reboots” to keep them fresh — just like Windows — and EDS was promptly kicked-out of the datacentre within 48 hours.
Various “web” platforms arose, and built heavily over-engineered deployment solutions like “Enterprise Java Beans” and whatnot, but nobody at school actually learned them, so when they got into Industry they threw them out in favour of what they were comfortable with – often stuff that (like at school) they had either rolled for themselves (and therefore understood) or that they got from friends whom they trusted (and could therefore get community help)
Summary Learnings
There is no magic wand, no silver bullet; there is no language which will “fix everything”, and any candidate language for fixing even a chunk of the problem will have a limited shelf-life until the demographic which finds it sexy gets promoted to management and the newhires want to use something which they built themselves. Dick Gabriel was/is perennially correct that “Worse is Better” (there are several versions of that, check them all out) and any much-hyped new “win” will fade with time and human memory.
The only winning move is not to play a game of “this time, for sure!” and instead teach people how security works, ideally at school.
Hence:
https://en.wikipedia.org/wiki/This_too_shall_pass
Postscript
The full version of Dick Gabriel’s essay is attached and is very much worth reading even if you do not speak Lisp; if you believe in memory safe languages as being impactful then you will be able to read between the lines regarding the development process:
https://www.dreamsongs.com/WIB.html
[END]
[1] URL: https://alecmuffett.com/article/109271
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/
DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/