[GTALUG] security threats of Open Source

David Thornton northdot9 at gmail.com
Wed Nov 25 15:13:01 EST 2020


Fair points,

All of the service contracts I've worked behind say effectively: If we
can't keep it from happening, then we can't be held responsible for it
happening.

You paid for a managed linux server, linux has a bug and you crash, we are
not responsible. We'll patch when it comes out, we'll add a firewall rule
to mitigate. But we could not have kept it from happening.

It's pretty weak I know, but one thing I have learned is that there is a
lot of conscious and unconscious, communicated and uncommunicated
acceptance of risk in many industries.

I advocate for professional, responsible management and communication of
risk in my day to day activities.

I feel like I've done my best work when I can talk to clients directly and
honestly about risk, and how we can manage it.

I can do what I can, but I can't worry about or fret about stuff I can't
do anything about.

(Which is, I think, basically what you are saying above.)

I can do a lot of reasonable things to protect against uncontrolled aspects
of operation.

We had only one hard drive and it failed, so we went to a pair of mirrored
disks.

We had only one web server and it failed so we went to a cluster of 2 to a
bajillion web servers.

We used open source software and it was a hot mess so we .....um hullo?
anyone else?

.... Canonical, Microsoft, Redhat, Oracle, Amazon, Google, what have you...

They can do mitigation and management in ways I can't.

I lived and breathed Redhat for a long time, and we sold linux under "Redhat
is good, redhat can make it go"

They added safety and consistency. I mean it wasn't / isn't perfect, but it
worked. It got a lot of stuff done in a short amount of time for us.

Risk management never gets old, it is as old as the first profession
(Prostitution: "Will my primary mate catch me?") (Which of course led to
the second oldest profession: Lawyers)

P.S. I decided to give email another go, for old times' sake, that's why I
revived the thread I guess: I read my mail :)

David

On Sat, Nov 21, 2020 at 12:06 PM D. Hugh Redelmeier <hugh at mimosa.com> wrote:

> | From: David Thornton via talk <talk at gtalug.org>
> | Date: Fri, 20 Nov 2020 15:25:42 -0500
>
> Thanks for reviving this thread 10 months later.  What prompted you to do
> that?  Note: this is not a complaint.  I continue to think that this is an
> important and unresolved topic.
>
> | As administrators we have a responsibility to vet. Even if it's to
> | "delegate" the vetting, we have to vet the delegate.
>
> "have to" means "responsibility to".  Unfortunately, responsibility
> without capability is a recipe for disaster.
>
> Clearly you've thought about this in a setting with customers.  How do you
> discharge this responsibility?
>
> The GPL says: you get what we offer but we accept no responsibility.
>
> Many commercial software contracts and EULAs disclaim responsibility
> and forbid using the software in safety-critical settings.  They then
> often fall back on saying at most you can get back the purchase cost.
>
> So a responsible decision-maker cannot delegate the responsibility yet has
> no practical or even theoretical tools to discharge the
> responsibility.  Except bankruptcy law.
>
> - you can ask your customer / client / employer that "here are the risks
>   that I can imagine, are you willing to accept them?"
>
> - you can make sure that there are no assets available that can be lost
>   when and if problems arise
>
> - you can work to reduce risks.  This quickly hits the law of diminishing
>   returns, long before the risks are eliminated.  But I'm sure we can
>   do better than the industry norms, as long as customers
>   understand that they must and should pay for the up-front cost.
>
> Customers / clients often think that they are safer with large
> corporations.  In that role, I've found the help from large companies (eg.
> Microsoft, Sun Microsystems (back in the day), ...) to be inferior
> to help from small companies.  Both are eclipsed by support from FLOSS
> communities.  But support only deals with problems in the future, not
> damage that has happened.
>
> In the area of security, the worst breaches are the ones you never learn
> about.
>
> | Npm is a hot mess, and most people get that now.
> |
> | Galaxy / puppetforge / helm stuff ? Take a number.
> |
> | It sprouts faster than you can get on it sometimes.
> |
> | Pays the mortgage :)
>
> You can't live with them and you can't live without them?
>


-- 
David Thornton
https://wiki.quadratic.net
https://github.com/drthornt/
https://twitter.com/northdot9/