Monday, September 20, 2004
Say what you want, but...
All software is fucked! All software has bugs. All software has vulnerabilities. How can I make such claims? Well, I'm sure there are a few minor situations where bugs and vulnerabilities have been tirelessly and relentlessly hunted and eliminated, however my guess is that you are more likely to trip over a lawn dart, bang your head off a pinto and cause a minor explosion then you are to encounter a piece of bug free, vulnerability free piece of software. Why is that? Software is very expensive, extremely expensive. It is the one thing in the computer industry that is next to impossible to automate or pass off to a piece of machinery. It is something that has to be touched by humans. We all know anything that is touched by humans is bound to be about as "perfect" as humans "are". Even this software I am using to post this blogs fails to work properly about as often as it performs nominally. How many fellow bloggers have had double posts on their blogs because you have posted a blog, received a nasty little error message and wondered "what the devil?" just happened and hit the browsers refresh button? Magically it worked on the second try but you found out you now have two postings of the same story.
If you have heard any of the Windows vs Linux, closed versus open source arguements you may have heard many people say something like xx is better then yy because it is more reliable, or more secure or has more rabid goats per line of code, etc. However let me make one thing very clear they are all wrong. Any difference from one to another is marginal at best and is more subjective then objective and must be evaulated within specific context. The context is very important consider SUVs, many buy SUVs because they claim it makes them feel safer driving down the road. This may be true, on a truly technical basis a 5000 to 6000 pound vehicle may be safer then say a 2000 to 3000 pound vehicle. Many studies have found the safer a vehicle is technically the less safe a driver drives it, which in the end makes the vehicle less safe. This is basic human nature, if you feel you are invicible you are going to act differently then you would if you truly knew how fragile you really are. Back to software, some people may run a "safer" piece of software then next person, however because they think the software is safer then the next they may take their time applying patches or use weak passwords. In the end through sloppy administration end up with a vulnerable system because of complacency.
So if anyone claims their software is more secure then someone else's, their just trying to sell you some swamp land. If we all approach software as buggy and vulnerable we will make it safer through better administration.
If you have heard any of the Windows vs Linux, closed versus open source arguements you may have heard many people say something like xx is better then yy because it is more reliable, or more secure or has more rabid goats per line of code, etc. However let me make one thing very clear they are all wrong. Any difference from one to another is marginal at best and is more subjective then objective and must be evaulated within specific context. The context is very important consider SUVs, many buy SUVs because they claim it makes them feel safer driving down the road. This may be true, on a truly technical basis a 5000 to 6000 pound vehicle may be safer then say a 2000 to 3000 pound vehicle. Many studies have found the safer a vehicle is technically the less safe a driver drives it, which in the end makes the vehicle less safe. This is basic human nature, if you feel you are invicible you are going to act differently then you would if you truly knew how fragile you really are. Back to software, some people may run a "safer" piece of software then next person, however because they think the software is safer then the next they may take their time applying patches or use weak passwords. In the end through sloppy administration end up with a vulnerable system because of complacency.
So if anyone claims their software is more secure then someone else's, their just trying to sell you some swamp land. If we all approach software as buggy and vulnerable we will make it safer through better administration.
