Zed Shaw - The ACL is Dead - CUSEC 2008 (blog.cusec.net)
Recorded almost a year ago (before the bank busts, and shortly after Zed’s first famous rant), this presentation was given to about 400 Canadian undergraduate software engineers and computer scientists. Zed talks about management and his ACL-killer at a bank job accompanied by Factor-powered slideware. Also: steaks, strippers, and statistics.
N.B. This video might damage your vision of Zed swearing all the time and may make it seem like the last year of ranting was a terrible joke gone wrong. Oops.
P.S. - Check out this year’s lineup (Ingalls, Stallman, Bryant, Culver, Hwang, and Bowkett are just the keynotes). This is one of Canada's best kept secrets, and tickets are super cheap.
54 comments
[ 2.4 ms ] story [ 117 ms ] threadHe's actually really entertaining to listen to. I like his real-world examples of problems.
Steak will never be the same.
------------------------------------
~9:29: "law is actually kind of a turing complete language"
Law is fuzzy; ACLs are fuzzy. ACLs can't handle real law because they're not Turing complete.
~11:20: had a business manager learn Ruby, had him implement poorly specified/tough features --> result: he modified/eliminated requirement
~12:20: a bunch of if statements are easier & better than an ACL
~13:50: in one case, 1000 users and 1000 containers would have required 270,000 ACL entries to implement one compliance rules; and 5 minute polling updates, because rule was time-based; --> couldn't audit, handle real-time changes; would've required 12 beefy boxes to execute.
14:40: Instead, re-write all rules in 400 lines of Ruby; analysts could read the code and say if implementation was right.
15:45: So a language wins, right? No -- "this is where the Suck begins" -- where management comes and crushes your soul. Bad product was substrate for document management system.
17:50: How do they sell this stuff? Connections, subterfuge? No.... "Steak and strippers, baby."
19:00: "This is one reason I want women to be in charge."
20:00: "What happens when they give you an MBA is they give you a lobotomy... and you walk out going 'Synergy! Synergy! Synergy!'"
21:00: MBAs are trained in manufacturing -- programming is not manufacturing -- you're going to work in an environment where they think you're worker bees on an assembly line.
22:00: So what to do about it?
1) Managers see people sitting there, they think nothing is going on. If management says "I demand all of your creativity but trust none of your judgement," you have to gather evidence that makes you more credible. You have to be objective. Try out whatever crappy technology that they're proposing.
2) Develop alternatives: if their crappy technology is good enough, stop; but if not, try out alternatives before suggesting.
3) Statistics; develop some pretty graphs. E.g., Zed's team built a demo server, showing slow performance. Without those, he would've had no evidence to contradict the sysadmin who was saying his tweaks had helped. Be prepared for intensely technical arguments, too.
4) Admit technical deficiencies.
~29:30: If none of this works, and they won't take it, build it anyway and then sell it to them or their competitors. The client can be your first customer. Good way to start a company.
~30:00: our doc management system is very simple, 4400 lines of Ruby plus some Samba modifications, and better than anything else out there.
Drools -- JBOSS rules engine -- "blows ass" -- just use Ruby instead.
~31:30: Figure out Roles first, with a Role Resolver -- draws on LDAP etc. -- 30 lines of Ruby -- now, ~200 lines of Ruby, covers all bizarre corner cases, easy to add new rules, easy to fix existing rules.
~33:30: And they still wanted the crappy older thing. At this point, it's all the social problem. What mattered was the old product had the same name. "Document Store 2000" vs. "Document Store New Gen" -- completely different, but easier to get through manager's manager's procurement process -- "that's the stupidity you deal with in the real world".
35:15: How do we win? We kept hammering. They sent out their best guy. I had him implement the toughest rule, the one requiring 200,000 ACL entries. Then had him explain to his managers why it wouldn't work. Had nothing to do with tech.
36:15: This stuff will kill you. How do you keep your soul through all of this? [Poll audience for years of education] -- "It don't matter" -- you're a factory worker.
37:30: "Business leaders don't really like you, because they need you, and they don't understand anything you do. ... And the sales people know this; they know if they go to your boss, and give them steak and strippers...."
~38:40: Fight your hardest not to be a corporate coder: your life as a geek or a coder should be all about exploring some new domain that ...
Also - its not just big enterprisey things - rails is so common in the enterprise these days due to the "steak and strippers...." work done by companies like thoughtworks. There is always wheeling and dealing, even with grassroots things - things are never as white and as pure as they seem (well almost all things).
I don't see this ever changing, unless somehow all these types of corporations simultaneously cease to exist, and something else more merit based takes their place.
Sure - but how did apple really get strong enough to survive this long? at least in this country it was steak and stripper sales to the education department to get them in all schools.
Or by stimulating the neural cortex with sound to prime you to purchase. This is the idea behind pumping music into shops. Just another technique in the toolset to make you buy, "Why We Buy: the science of shopping" ~ http://www.abc.net.au/catalyst/stories/s1907307.htm
A part of it is because we're different. But a part of it must be bad as well. We're all only human, after all.
Hopefully this summary does justice to the remainder (but IMO it's worth watching):
40:00 Essentially he says you're not defined by your job. Your outside projects represent your self-expression and the corporation doesn't get a piece of that.
42:00: Most companies treat programmers like factory workers. In that case, act like one: do a professional job and punch out at the end of the day.
43:30: "If the company makes money off the sweat off your back, you get a chunk. If you don't get a chunk then you give them what they absolutely ask for, keep it to a minimum, be friendly, be very professional, do your stuff, make sure it's well-written, but don't go out of your way to give them your latest, greatest research or your idea or whatever."
44:00: Work on weird and cool stuff at home to stay sharp. If all you do is corporate coding, all you'll ever be is a drone.
45:00: When you're coding at home, "you're making poetry people can play with." But you don't want to do this for a company that doesn't care. "Who wants to make another document management system, time tracker or accounting system? There is money in that, but unless you're making the money too, it's not really fair."
47:30: Don't fear change. At home, take chances and learn new stuff. But at work, just give them what they want because they'll make changes whether you like them or not. It's just a job.
50:00: If you're concerned about being outed, consider creating an online identity (like "_why").
51:30: Don't do Blub at home; do something completely different, break the rules and code for fun. At work, don't think too much, don't be different and just get it done.
52:40: Outside work, make sure you're not someone's "resource" to be "utilized." Run with like-minded folks.
54:00: Embrace your geekiness, get out there and do it now.
55:00+: Questions and answers. This was good too, but somebody else will have to take over the transcription. ;)
Blub work on a startup at night could be another path away from employment that isn't really addressed in the presentation (though it's very difficult to pull off, IMO).
edit: Also, unrelated to this, another question/answer pair starts around 66:00 which I think is a pretty good idea.
I guess the actually title of his talk is less interesting to most (but its good for people to realise ACLs and such are just not practical anymore - its a worthy talk subject !). I think I discovered that about ACLs a while ago, but assumed it was a specific problem with whatever I worked on, not that its a general issue with the ACL approach.
Is the source available?
http://vimeo.com/2723800
If you are still having trouble try:
USE: cusec2008 start-presentation
and then hit enter. No, not the most user friendly of processes. But I suppose it's the price you pay for being the indiest of indie.
Modern security and access controls need functionality like capabilities.
ACLs as they're implemented on most operating systems are wicked limited; tracking attributes and access to anything beyond simple boolean HAVE_ID or !HAVE_ID or HAVE_THIS+HAVE_THAT logic gets really ugly with an ACL. And the classic ACLs are not at all dynamic, as is pointed out in the presentation. You can't easily tie the access control processing directly into the LDAP directory for employment status or into the system time for time-based rules, for instance.
Having access to conditional statements and such to manage access control is infinitely more flexible. This is the "Turing Complete" part of the presentation.
This processing all reminded me of what you can do with D inside the DTrace environment, too. But I digress.
Watch the presentation. It's worth your time.
For example, does Ruby on Rails offer some framework for dealing with this? Or is it a 'just do it' kind of thing? Maybe it's not as complicated as I'm imagining it could be, and that's the point. But some example code would be good to look at.
I'll look into this further but thought I'd solicit here first.
One hint: Write the code in a functional style, i.e., Haskell style. Pass in the full context to the permission function. For instance, if you have a time-sensitive function, don't have the time-sensitive function call the system clock; have it extract the time from the context your provided. If you call the system clock, you'll never be able to write the tests you're going to need to write. Similarly for many things, like direct LDAP access or whatnot. The internal permission code needs to be a pure function. Fortunately, that doesn't make it any harder to write, even in an OO-based language.
If you want to get really slick because your context has multiple expensive operations like direct LDAP access (although this is a bad idea if you're going to be calling this frequently), you can even create two context implementations, one for testing that simply returns provided values and one that lazily goes out and gets LDAP data or whatever if you need it. Best of all worlds that way.
Test harnesses for this -- hm.
That's not to say that ACLs are the last word -- they were defined and analyzed in depth in the 60s and 70s, and work in security theory marches on. Models such as information flow analysis, object capabilities, etc., allow for much richer policy definition while still making stronger guarantees about the security of the finished system.
While I actually like most of what Zed has to say in this talk, I think he's doing a grave disservice to the security theory community by dismissing out of hand everything they've done in the last 40 years.
Something doesn't have to be provable to work, the same applies to type systems. Lot's of things that aren't provable and would be forbidden by a static type system will happily chug along just fine in a dynamic system that does what you tell it.
When it's law vs theory, law wins. Unlike theory, the law doesn't have to make sense but you sure as hell better be able to show that you attempted to comply with it.
Seriously, the idea that a complex system can be built by non programmers is somewhat of a pipe dream, it always ends up being more complex than some simple code a programmer can understand.
(Also, non-programmers != idiots)
That the new system doesn't have a point and click UI isn't a trade off, it's just a consequence. He wasn't trading a complex system for a simpler system, he was replacing a complex system that could no longer work with a simpler one that could.
And while not being a programmer doesn't mean you're an idiot, not being able to learn some simple scripting to modify rules does make you an idiot. If your job requires you to modify the rules, and you can't learn to do it, you're dumb. All intelligent people are capable of learning some simple scripting.
If he sticks to his rant-personality, he will sooner or later become on of the stars of the internet.