no 'commodity' OS is 'secure' Re: [Beowulf] Which distro for the cluster?

Mike Davis jmdavis1 at
Wed Jan 10 06:58:58 PST 2007

1. Any OS can be made more secure.
2. Good Security is "Security in depth."
3. The perfect is the enemy of the "good enough."

I would note that turbocharged piston engine aircraft are still in use 
militarily, commercially, and recreationally. One of the reasons for the 
fact that the C-130 is approaching an operational life of 50 years is 
that it can do things that C-141's, C5's, and C-20's can't. The same is 
true for linux and even (Ugh) windows.

The only secure computer is the one in the vault, with dedicated power 
and its HD stored in a safe when not in use. This is not the most 
practical approach for either a business or a research institution. So, 
we design for security at the border, subnet, and host levels. We test 
and audit. We monitor, we mirror data online and on tape. We do many 
other things as well. This is one of the things that admins get paid for.

Now, if the question is "can I compromise one of the systems?", the 
answer is yes. I've been using unix for more than 20 years and used 
mainframes and minis before that. Some of the same methods used to gain 
mainframe access will still work with a few modifications. But,.my 
abilities do not inherently make these systems insecure.

Mike Davis

Andrew Piskorski wrote:

>On Sun, Jan 07, 2007 at 03:49:50PM -0500, Robert G. Brown wrote:
>>I completely agree with this.  As I pointed out earlier in the thread,
>>companies such as banks make "conservative" seem downright radical when
>>it comes to OS upgrades.  They have to do a complete, thorough,
>>comprehensive security audit to change ANYTHING on their machines -- as
>>a requirement in federal law, IIRC.  To get them to take you seriously,
>>you MUST be prepared to support the OS they install on (once it is
>>successfully audited) forever -- until the hardware itself falls apart
>>into itty-bitty bits.
>And yet these same hyper-'secure' organizations are running Microsoft
>Windows, Linux, and/or Unix on these super important, super 'secure',
>mission-critical boxes?  Frankly, that's oxymoronic.  It sounds
>suspiciously like decision making driven by what the rules and
>paperwork says you're supposed to do (aka, CYA), and/or general
>myopia, rather than a sound assessment of what the right solution to
>the real problem actually is.
>We all know that Windows is (much) less secure than Linux, and Linux
>is presumably less secure than OpenBSD.  But if you take a step back
>and look at the bigger picture, OpenBSD and MS Windows are both in the
>same bin, and that bin is labeled, "inherently unreliable and insecure
>operating systems".
>OpenBSD calls itself "ultra-secure", which is like calling the most
>advanced World War II piston-engined fighter planes "ultra-fast".
>Yes, it's true, more or less - as long as you're only talking about
>other piston engined aircraft, and are content to ignore the existence
>of jets and rockets.
>It's not something I know much about, but I am told that much more
>reliable and secure operating systems do exist, and have been
>commercially successfull in niche markets, both now and in the past.
>Niche markets like, say, the OS that runs your advanced pacemaker,
>some network routers, or aerospace systems.
>Now, I assume that using any such non-mainstream system is probably
>(so far, to date) significantly more painful, annoying, and thus
>expensive than just running Linux.  (And thus is unlikely to be
>appropriate for a Beowulf cluster.)
>But if you're a huge organization already throwing millions of dollars
>into horribly painful manual re-audits of even trivial updates to
>"commodity" operating systems for mission-critical "highly secure"
>applications, then I strongly suspect that you're already well into
>the same cost range where investing those $millions into the use of
>secure-by-design systems might well make much more sense.
>At some point, no matter how much you like Otto-cycle engines, putting
>more and more money and effort into carefully tuning and inspecting
>your turbo-supercharged, nitrous oxide injected, hand polished and
>streamlined, piston-engined aircraft simply no longer makes sense.  If
>you care that much, you should be looking into jets...
>Like I said, I don't really know much about such secure-by-design
>systems, but I've come across thought provoking discussion in various
>places, including:

More information about the Beowulf mailing list