Firewall Wizards mailing list archives
Re: Personal Firewall Day?
From: Dragos Ruiu <dr () kyx net>
Date: Tue, 7 Oct 2003 02:26:33 -0700
On October 6, 2003 01:50 pm, Marcus J. Ranum wrote:
> Crispin Cowan wrote:
> > I submit that dumb terminals are dead & gone
>
> I said we needed to kill general-purpose computing, not go to dumb terminals. Why did everyone assume I was talking about dumb terminals?
>
> Basically, I think we need to go to locked-down devices that do all the interesting processing locally but store their interesting stuff on a backend. There are plenty of examples of viable and excellent divisions between front-end appliances and backend systems that allow the front-end to be "disposable" yet still do 99.9% of the processing. AOL is a good example, as are some of the massively multiplayer games. It should be feasible (technically) to produce a desktop that can drive an IMAP client, a browser, an office automation suite, HTML editor, and image editor on the front end with remote file storage of personal data (non system info) on a backend. None of this is rocket science.
>
> But we're addicted to general purpose computing because we (mistakenly) perceive a need to upgrade system components in order to save costs over time. We also are addicted to general purpose computing because our software base is so buggy that we need to upgrade software components constantly in hopes of finding something that doesn't crash. General purpose computing also brings gigantic hidden costs in terms of system administration and GP systems vulnerability to trojans and viruses. Reverting to a monoculture would actually help us address a lot of these issues.
But distributed storage and computing is much more fault tolerant than centralized systems. Proposing putting all your eggs into one basket is never wise. I can't actually believe you are suggesting a monoculture is a good thing.

I administered quite a few big Unix boxes, and MIS departments in their empire building attempts to justify recentralizing always omit some of the notable disadvantages to centralization, like the fact that small incremental upgrades to newer processors, OSes, and software are impossible or difficult. You don't have to get a large capital allocation to replace the big box; you can buy some zippy new small boxes for key apps. And there are countless others. System upgrades don't have to be massive all or nothing multi-year committee study efforts in a distributed environment... just a pain in the ass for the IT department to find the stragglers... :-)

Moore's law killed mainframes, not any addiction to software. The system rack next to my desk has more computing power and storage than all the supercomputers in the world combined back when I used to administer such things. Tough to argue with that.

As far as vulnerability to virii, sure, theoretically your acolytes and high priests that administer the central monolith can likely be counted on to not click on the wicked screensaver, but with that monolith architecture all it takes is one mess up to knock everything off line, as opposed to n% of a distributed architecture manned by undertrained users.

Locked down devices also presume that the locker knows better than the users what they want to do with the device. I doubt that. When I worked at HP we had (I believe they still use/sell it) this wonderful innovation called Common Operating Environment. COE pretty much assured that if you wanted to get something done you had to abide by the mediocre software set available in it as opposed to the applications you really wanted.

You could opt out, but it was an all or nothing deal - with considerable disincentives like inability to participate in any central volume purchasing discounts and substantial budget charges. In practice it always took longer for fixes to roll out in the COE system than the time a knowledgeable user would take to deploy it individually as needed, because of the substantial additional complexity of testing it for everyone. COE software was perpetually one or more versions behind current. Uh, blech.

A key disadvantage to centralized locked down systems is that for the sake of consistency you have to hobble your knowledgeable users to the lowest common denominator of capabilities. Every coin has two sides. I know which side I'll call on this issue.

cheers,
--dr

--
Top security experts. Cutting edge tools, techniques and information.
Tokyo, Japan November, 2003 http://www.pacsec.jp
pgpkey http://dragos.com/ kyxpgp

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Personal Firewall Day?, (continued)
- Re: Personal Firewall Day? Christopher Hicks (Oct 06)
- Re: Personal Firewall Day? Crispin Cowan (Oct 06)
- Re: Personal Firewall Day? Marcus J. Ranum (Oct 06)
- Re: Personal Firewall Day? Crispin Cowan (Oct 07)
- Re: Personal Firewall Day? Gary Flynn (Oct 07)
- Re: Personal Firewall Day? Marcus J. Ranum (Oct 07)
- Re: Personal Firewall Day? David Lang (Oct 07)
- Re: Personal Firewall Day? Bill Royds (Oct 11)
- Re: Personal Firewall Day? Devdas Bhagat (Oct 11)
- Re: Personal Firewall Day? Christopher Hicks (Oct 06)
- Re: Personal Firewall Day? Devdas Bhagat (Oct 07)
- Re: Personal Firewall Day? Dragos Ruiu (Oct 07)
- Re: Personal Firewall Day? Christopher Hicks (Oct 07)
- Re: Personal Firewall Day? Marcus J. Ranum (Oct 07)
- Re: Personal Firewall Day? Adam Shostack (Oct 07)
- Re: Personal Firewall Day? R. DuFresne (Oct 07)
- Re: Personal Firewall Day? Frank Knobbe (Oct 16)
- Re: Personal Firewall Day? Marcus J. Ranum (Oct 07)
- Re: OfficeTV (was: Personal Firewall Day?) Dragos Ruiu (Oct 07)
- Re: Personal Firewall Day? David Lang (Oct 06)
- Re: Personal Firewall Day? Adam Shostack (Oct 07)
- Re: Personal Firewall Day? Crispin Cowan (Oct 07)