[GTALUG] security threats of Open Source
David Thornton
northdot9 at gmail.com
Wed Nov 25 15:13:01 EST 2020
Fair points,
All of the service contracts I've worked behind say effectively: If we
can't keep it from happening, then we can't be held responsible for it
happening.
You paid for a managed linux server, linux has a bug and you crash, we are
not responsible. We'll patch when it comes out, we'll add a firewall rule
to mitigate. But we could not have kept it from happening.
It's pretty weak I know, but one thing I have learned is that there is a
lot of conscious and unconscious, communicated and uncommunicated
acceptance of risk in many industries.
I advocate for professional, responsible management and communication of
risk in my day to day activities.
I feel like I've done my best work when I can talk to clients directly and
honestly about risk, and how we can manage it.
I can do what I can, but I can't worry about or fret about stuff I can't
do anything about.
(Which is, I think, basically what you are saying above.)
I can do a lot of reasonable things to protect against uncontrolled aspects
of operation.
We had only one hard drive and it failed, so we went to a pair of mirrored
disks.
We had only one web server and it failed so we went to a cluster of 2 to a
bagilion web servers.
We used open source software and it was a hot mess so we .....um hullo?
anyone else?
.... Canonical, Microsoft, Redhat, Oracle, Amazon, Google, what have you...
They can do mitigation and management in ways I can't.
I lived and breathed Redhat for a long time, and we sold linux under "Redhat
is good, Redhat can make it go"
They added safety and consistency. I mean it wasn't / isn't perfect, but it
worked. It got a lot of stuff done in a short amount of time for us.
Risk management never gets old, it is as old as the first profession
(Prostitution: "Will my primary mate catch me?") (Which of course led to
the second oldest profession: Lawyers)
P.S. I decided to give email another go, for old times' sake, that's why I
revived the thread I guess: I read my mail :)
David
On Sat, Nov 21, 2020 at 12:06 PM D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> | From: David Thornton via talk <talk at gtalug.org>
> | Date: Fri, 20 Nov 2020 15:25:42 -0500
>
> Thanks for reviving this thread 10 months later. What prompted you to do
> that? Note: this is not a complaint. I continue to think that this is an
> important and unresolved topic.
>
> | As administrators we have a responsibility to vet. Even if it's to
> | "delegate" the vetting, we have to vet the delegate.
>
> "have to" means "responsibility to". Unfortunately, responsibility
> without capability is a recipe for disaster.
>
> Clearly you've thought about this in a setting with customers. How do you
> discharge this responsibility?
>
> The GPL says: you get what we offer but we accept no responsibility.
>
> Many commercial software contracts and EULAs disclaim responsibility
> and forbid using the software in safety-critical settings. They then
> often fall back on saying at most you can get back the purchase cost.
>
> So a responsible decision-maker cannot delegate the responsibility yet has
> no practical or even theoretical tools to discharge the
> responsibility. Except bankruptcy law.
>
> - you can ask your customer / client / employer that "here are the risks
> that I can imagine, are you willing to accept them?"
>
> - you can make sure that there are no assets available that can be lost
> when and if problems arise
>
> - you can work to reduce risks. This quickly hits the law of diminishing
> returns, long before the risks are eliminated. But I'm sure we can
> do better than the industry norms, as long as customers
> understand that they must and should pay for the up-front cost.
>
> Customers / clients often think that they are safer with large
> corporations. In that role, I've found the help from large companies (e.g.
> Microsoft, Sun Microsystems (back in the day), ...) to be inferior
> to help from small companies. Both are eclipsed by support from FLOSS
> communities. But support only deals with problems in the future, not
> damage that has happened.
>
> In the area of security, the worst breaches are the ones you never learn
> about.
>
> | Npm is a hot mess, and most people get that now.
> |
> | Galaxy / puppetforge / helm stuff ? Take a number.
> |
> | It sprouts faster than you can get on it sometimes.
> |
> | Pays the mortgage :)
>
> You can't live with them and you can't live without them?
>
--
David Thornton
https://wiki.quadratic.net
https://github.com/drthornt/
https://twitter.com/northdot9/