07 May, 2020

Simplicity (mostly) guarantees security

This is why I meme mnmlsm so much

 Although it is a very comfy one, it's not just an aesthetic. Simplicity
 and minimalism, in technology, are great for security too. I say
 "mostly" in the title because human error cannot be discounted, and
 nothing is perfect. However, the simpler your tech stack is, the more
 inherently secure it is than a complex monstrosity.

 Let's look at systemd, for example. It's got over 1.2 million lines of
 code. "Hurr durr but LoC doesn't mean anything!" Sure, ok, but can you
 imagine auditing this? How many times has it even been audited? I
 couldn't find any audit reports. No, the developers are not security
 engineers, and a trustworthy audit must be done by a third party. What's
 scarier is that this thing runs on a huge percentage of the world's
 critical infrastructure and contains privileged core subsystems.

 "B-but Linux is much bigger!" Indeed it is, but it has a thousand
 times (if not more) the number of eyes looking at the code, and there
 have been multiple third-party audits. There are hundreds of
 independent orgs and multiple security teams looking at it. That's not
 the case with systemd -- it's probably just Red Hat.

 Compare this to a bunch of shell scripts. Agreed, writing safe shell
 can be hard and there are a ton of weird edge cases depending on your
 shell implementation, but the distinction here is that you wrote it.
 Which means you can identify what went wrong -- things are predictable.
 systemd, however, is a large black box, and its state at runtime is
 largely unprovable and unpredictable. I am certain even the developers
 don't know.

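 The kind of edge case the paragraph above alludes to, as an added
 example that is not part of the original post: an unquoted expansion
 next to a quoted one, plus the small allow-list check a hand-written
 service script wants before it turns a name into a path. The function
 names, the unit-name format and the /run path are assumptions made up
 for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. The helper names,
# the allowed unit-name characters and the /run pidfile path are
# assumptions chosen for illustration.

set -eu

# Unquoted expansion: the value is split on $IFS and globbed before the
# command sees it, so a name with a space (or a '*') becomes several
# arguments, or matches files in the current directory.
arg_count_unquoted() {
    set -- $1
    printf '%s\n' "$#"
}

# Quoted expansion: the value stays one argument, whatever it contains.
arg_count_quoted() {
    set -- "$1"
    printf '%s\n' "$#"
}

# Allow-list check before a name is used to build a path or a command.
# Returns 0 for a non-empty name made only of [A-Za-z0-9._-] that does
# not start with a dot, 1 otherwise, so values like 'foo; rm -rf /' or
# '../etc' never reach the next step.
valid_unit_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]* | .*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the pidfile path only from a validated name; fails otherwise.
pidfile_for() {
    valid_unit_name "$1" || return 1
    printf '%s\n' "/run/${1}.pid"
}
```

 The point of the allow-list is that the whole decision fits in one
 case statement you can read in a few seconds, which is exactly the
 property the post is arguing for.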
 And this is why I whine about complexity so much. A complex,
 unpredictable system is nothing more than a large attack surface. Drew
 DeVault, head of [1]sourcehut, wrote something similar (yes, that's the
 link; yes, it has a typo):

 [2]https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/

 He manually provisions all sourcehut infrastructure, because tools like
 Salt, Kubernetes, etc. are just like systemd in our example -- large
 monstrosities which can get you RCE'd. Don't believe me? See [3]this.

 This was day 3 of the #100DaysToOffload challenge. It came out like a
 systemd-hate post, but really, I couldn't think of a better example.

References

 1. https://sourcehut.org/
 2. https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/
 3. https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/