May 22, 2006

It is no longer acceptable to be complex

Great things going on over at FreeBSD. Last month was the surprising news that Java was now distro'd in binary form. Heavens, we might actually see Java move from "write once, run twice" to numbers requiring more than 2 bits, in our lifetimes. (I haven't tried it yet. I've got other things to do.)

More serious is the ongoing soap opera of security. I mean over all platforms, in general. FreeBSD still screams in my rankings (sorry, unpublished, unless someone blogs the secret link again, darnit) as #2, a nose behind OpenBSD for the top dog spot in the race for hard core security. Here's the story.

Someone cunning (Colin?) noticed that a real problem existed in the FreeBSD world - nobody bothers to update, and that includes critical security patches. That's right. We all sit on our haunches and re-install or put it off for 6-12 months at a time. Why?

Welll, why's a tricky word, but I have to hand it to the FreeBSD community - if there is one place where we can find out, that's where it is. Colin Percival, security czar and general good sort, decided to punch out a survey and ask the users why? Or, Why not? We haven't seen the results of the survey, but something already happened:

Polite, professional, thoughtful debate.

No, really! It's unheard of on an Internet security forum to see such reasoned, considered discussion. At least, I've never seen it before, I'm still gobsmacked, and searching for my politeness book, long lost under the 30 volume set of Internet Flames for Champions, and Trollers Almanacs going back 6 generations.

A couple of (other) things came out. The big message was that the upgrade process was either too unknown, too complex, too dangerous, or just too scary. So there's a big project for FreeBSD sitting right there - as if they need another. Actually this project has been underway for some time, it's what Colin has been working on, so to say this is unrecognised is to short change the good work done so far.

But this one's important. Another thing that delicately poked its nose above the waterline was the contrast between the professional sysadmin and the busy other guy. A lot of people are using FreeBSD who are not professional sysadmins. These people haven't time to explore the arcana of the latest tool's options. These people are impressed by Apple's upgrade process - a window pops up and asks if it's a good time, please, pretty please? These people not only manage a FreeBSD platform or 10, but they also negotiate contracts, drive buses, organise logistics, program big apps for big iron, solve disputes with unions and run recruiting camps. A.k.a., business people. And in their lunchbreaks, they tweak the FreeBSD platforms. Standing up, mouth full.

In short, they are gifted part-timers. Or, like me, trained in another lifetime. And we haven't the time.

So it is no longer - I suggest - acceptable for the process of upgrades and installs to be seriously technical. Simplification is called for. The product is now in too many places, too many skill sets and too many critical applications to demand a tame, trained sysadmin full time, right time.

Old hands will say - that's the product. It's built for the expert. Security comes at a cost.

Well, sort of - in this case, FreeBSD is hoisted on its own petard. Security comes at a risk-management cost. FreeBSD happens to give the best compromise for the security minded practitioner. I know I can install my machine, not do a darn thing for 6 months, and still be secure. That's so valuable, I won't even bother to install Linux, let alone look up the spelling of whatever thing the Microsoft circus are pushing this month. I install FreeBSD because I get the best security bang for buck: No necessary work, and all the apps I can use.

Which brings us to another thing that popped out of the discussion - every one of the people who commented was using risk management. Seriously! Everyone was calculating their risk of compromise versus work put in. There is no way you would see that elsewhere - where the stark choice is either "you get what you're given, you lucky lucky microsoft victim" all the way across to the more colourful but unprintable "you will be **&#$&# secure if you dare *@$*@^# utter the *#&$*#& OpenBSD install disk near your (*&@*@! machine in vain."

Not so on FreeBSD. Everyone installs, and takes on their risks. Then politely turns around and suggests how it would be nice to improve the upgrade process, so we can ... upgrade more frequently than those big anniversaries.

Posted by iang at May 22, 2006 05:38 PM

> So it is no longer - I suggest - acceptable for the process of upgrades
> and installs to be seriously technical. Simplification is called for.

you are #^?$*&*#^% UTTERLY CORRECT

Posted by: Jape at May 22, 2006 06:25 PM

"Everyone was calculating their risk of compromise versus work put in."

I'd love to see exactly *how* they were calculating this. Was there a framework or methodology they followed, or was it more a gut check?

Posted by: Alex Hutton at May 29, 2006 09:17 AM

Alex, good question. I think there are several equations here. One is that the compromise rate on FreeBSD (and similar variants) is so low that many people are simply going with the strength. I.e., they make one calculation and stick with it for years, in terms of brand of OS. (I've been with FreeBSD for about 10 years now.)

The calculation as to when to upgrade is generally done through a number of trigger points: external ones like new hardware turning up are random for our purposes. I would hazard a guess, maybe from my own behaviour, that the major internal upgrade signal is to rapidly skim security reports and identify if any of them affect me. As most security reports affect applications that I don't use, there is nothing for me to do.

Thankfully, because I consider upgrade time to be dead time, it takes me away from productive things.

Posted by: Iang at May 29, 2006 09:50 AM

Generally a good article.

I'd have to say that I like FreeBSD's way of assuming and optimising for competent users. Still there's got to be some tradeoffs, and as a professional sysadmin/programmer (ok, and company director, etc), I still find the OS upgrade process is something to be done as rarely as possible as it carries with it a significant risk of downtime, and my servers are mostly not in the same country as I am, so that risk includes possible international travel to fix things.

Recently I've started getting into using out of band management cards so that I can administer a machine remotely even without a working kernel, or with a messed up firewall. The best I've used so far have been the Dell DRAC4 cards, with which I can even install the operating system from another country, using a CD on my laptop. I can't change a bad hard drive, or add more memory, but *anything* screwed up during an OS upgrade can be recovered, and that reduces the risk of upgrades and firewall changes massively.

The binary OS upgrades have hit my radar a bit too. I haven't tried them yet, but they sound like an excellent idea.

Posted by: Andrew McNaughton at May 31, 2006 07:02 AM
