BT et C

Friday, January 13, 2006


There are two items at /. that provoke some thought today. And when thought gets provoked, it's usually time to post to yr blog!

The more recent of the two informs us that number & timeliness of system patches are not as important to customers as "which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage" according to Bill Hilf.

I cannot say whether Mr. Hilf is right about that. The question is: is the customer right? More generally, is the customer always right? Keep abstracting away from the issue and you'll see that the fundamental question is the same as the one behind the Efficient Market Hypothesis, and thus touches upon libertarian principles: can the market fail?

We'll do more of that later; let's get back on topic. A reductio ad absurdum of the Hilf principle would suggest that what the customer would really prefer is Never to Patch Anything. Unlike most reductiones ad absurdum, this isn't absurd at all. There are two ways to bypass the patching process:
1) build a perfectly airtight operating system
2) conceal the need for patches

And I think back to an excellent section of Neal Stephenson's In the Beginning was the Command Line:
"Commercial OSes have to adopt the same official stance towards errors as Communist countries had towards poverty. For doctrinal reasons it was not possible to admit that poverty was a serious problem in Communist countries, because the whole point of Communism was to eradicate poverty. Likewise, commercial OS companies like Apple and Microsoft can't go around admitting that their software has bugs and that it crashes all the time, any more than Disney can issue press releases stating that Mickey Mouse is an actor in a suit."

History suggests that the open-source software camp has #1 as an ideal, whereas commercial OSes lean toward #2. Both are impossible to achieve completely, though, so in the meantime (which is forever), there are two ways to make the patching process less annoying:

1) have patching be rare
2) have patching be easy

Or, of course, both. This is what the customer would prefer. Wait -- did I say commercial OSes lean toward #2? There's a commercial OS that does both, and which (near as I can tell) leans toward #1 above, as evidenced by a quote from the leader of its security response team:
"Of course, we could reduce the number of advisories by batching issues into a single update every month, or by not fixing those vulnerabilities rated as low severity, but that is actually detrimental and increases the risk to customers. We're not going to play the numbers game with our customers."

What OS could that be? Whatever it is, it seems to be under the illusion that what the customer prefers is not necessarily what is best for the overall computer security situation.

The second and older item that caught my eye is more interesting still: it is an attempt by Microsoft to disabuse us of the illusion that Linux runs better on older hardware. The method sure looks scientific: install Windows and Linux on old hardware and see what happens. In fact, you could state it like this, using just quotes from the article:
hypothesis: "There was this pervasive belief that Linux could run on older PCs and that Windows could not"
procedure: "installing Red Hat Enterprise Linux, SUSE Pro 9.2, Mandrake 10, Linspire 4.5, Xandros Desktop 3.0, Fedora Core 3, Slackware 10.1, Knoppix 3.7, Windows XP and Windows Server 2003 out of the box on older hardware to see what happened."

Well, if your ears haven't perked up yet, I'll throw out some fun facts:
- XP was released in October 2001 and Windows Server 2003 in April 2003; SUSE 9.2 in October 2004; FC3 in November 2004; Slackware 10.1 in February 2005; you've probably got the idea already.
- Where are Gentoo, Debian, DSL, Puppy Linux, or any of the many distros that people actually claim run well on old hardware?
- Did you say "out of the box"?

We've got a problem, then: the hypothesis that was actually tested is "What works better on 7-year-old hardware: an out-of-the-box operating system from 5 years ago, or out-of-the-box operating systems from 1 or 2 years ago? For the sake of brevity, let's exclude the 1-2 year old operating systems that are intended to be used on older hardware."

They shoulda called me. I coulda saved 'em a lot of trouble. Hilf declares: "the technical capability to modify Linux, to strip it down to run with a minimal set of services and software so that it can run on all sorts of hardware devices, has generated that larger assumption that any type of Linux distribution can run on all sorts of hardware devices."

This is an assumption I have actually never heard voiced, and I wondered how prevalent it really is. So I googled it, and all I see besides the original article is a guy who confirms my instinct about this BS.

So it's not quite as bad as "proving" that Linux is more expensive than Windows by installing Linux on an old mainframe and Windows on a desktop and then comparing the price per megabit per second. But it's pretty bad.


  • Actually, since Hilf's principle is precisely that the number of patches is irrelevant, a reductio ad absurdum could also be something like:

    The customer wouldn't mind if the system was constantly being patched every minute, as long as it was simple & efficient.

    One thing Bill leaves out that a lot of MS folks tend to ignore is the difference between efficiency and efficacy. All the patches in the world could be applied with minimum downtime and 0 system restarts, but if vulnerabilities stick around, what's the bloody point of it all?

    You're right, we don't really know if his principle, or yours, or mine is correct - mostly because it's entirely subjective to what each customer wants.

    You're 100% right that Red Hat would take that position - what the customer prefers according to you and/or Hilf may not be what is best for overall computer security according to RedHat.

    But how odd to so completely dismiss this idea (calling it an illusion) when it is anything but complete in its scope - what customers want *may* not be what is best for security. Do you honestly think that's false - that what customers want *must be* what is best for overall computer security?

    And that's precisely where you want to go with this, I assume - the "libertarian principle" that the market's judgement is the best judgement. What you're failing to realize is the minimality of the judgement - both in its derivation and its scope. As all libertarian principles, to the individual. So here it is:

    Yes, what the customer wants must be what is best *for that customer.*

    You cannot ask the question, "Can the market fail?" but you can ask a person "Did this market offering fail *you*?"

    Every person will have their own idea of what computer security is. They'll also have their own preference as to how they want to achieve their computer security. So, less complexity + more simplicity may or may not be true of Red Hat customers. If it is, Red Hat might lose those. Red Hat seem to think that less rare and not-so-easy patches are better. And I think they're keeping customers, so at least some people out there agree.

    So, the implication you seemed to be making and attributing to libertarians is that customers' (the market's) preferences are THE measure of what is best for overall computer security. When in fact, any customer's preference is best for themselves - or else why would they have that preference?

    By Blogger luke, at 2:39 PM  
