Security and efficiency

Reading Leviticus today.  Chapter 19.  “9 When you reap the harvest of your land, do not reap to the very edges of your field or gather the gleanings of your harvest. 10 Do not go over your vineyard a second time or pick up the grapes that have fallen.”

A rather interesting instruction.  Why are we not to be as efficient as possible?  Yes, in that immediate passage there is a reason given: charity.  “Leave them for the poor and the foreigner.”  But there are other, similar injunctions against efficiency, and even technology.  (Have a search for passages about cisterns, etc.)

Our society, of course, makes a god (and idol?) of efficiency.  We see whole businesses built on being just that much more efficient than somebody else.  That seems to be the whole idea behind outsourcing, for example.  But another example is Enron.  Businesspeople seem to think they can shave the margins just a little bit more, and make fortunes in the process.  There are lots of examples in the financial world, most of them bad.  Stock markets, and crashes.  Derivative instruments, and bank failures.

Now, we like efficiency in the technical realm.  In fact, we assume (as an unexamined article of faith, if you will) that we are making everybody more efficient.  (This is why Microsoft is currently trying to promote the use of Windows 7 on smartphones with a series of ads showing people being frustrated and sometimes fatally distracted by their smartphones.)  (No, I don’t understand it, either.)  I could, I suppose, go on with a series of examples of how social networking is making people waste much more time than ever before.

But that’s not my point.  The point I’m working towards is that we, in technology, are actually very wasteful.  We get newer and more powerful machines, and then put more bloated and inefficient programs on them.  (On a laptop, I once found that, simply by switching from the newest level of graphical user interface to an older, less colourful, but still perfectly usable interface, I could double the battery life.)

Going deeper than that, nobody does code optimization anymore (other than turning on the optimization switch on the compiler).  We are running larger, and slower, programs.  Partly because we are running larger programs, and nobody wants to spend the time doing optimization on that volume of code.

But optimization can be a very bad thing, too.  Larry Wall, who has quite a gift for the apt observation, notes that “[o]ptimizations always bust things, because all optimizations are, in the long haul, a form of cheating, and cheaters eventually get caught.”  You want a second opinion?  How about William A. Wulf: “More computing sins are committed in the name of efficiency than for any other single reason–including blind stupidity.”

Going back to the example of code optimization, if you do it, your source code no longer truly represents the executable code.  And, whatever you did to shave ten cycles off the operation, or a hundred bytes off the file size, it’s going to be more complex for someone to figure out (and very possibly leaves a hole that someone can exploit).

In the malware field, back in the simple old days when we only had to worry about boot sector infectors and file infectors, most file infectors would attach themselves to the beginning or end of the infected program.  So, if you were a virus scanner vendor, and you wanted to win the speed race, you would only check the beginning and the end: top and tail scanning.  Trouble is, while most file infectors attacked there, that wasn’t the only place viruses could get in.  So, optimizing for speed, you sacrificed protection and accuracy.
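To make the trade-off concrete, here is a small sketch added to this post (not any vendor's scanner): it compares a top-and-tail scan with a full scan over constructed buffers. The marker string, the 512-byte window and the 64 KB file size are all assumptions chosen for illustration.

```python
# Added illustration: top-and-tail scanning versus a full scan.
# SIGNATURE is a harmless constructed marker, not a real malware signature.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"
WINDOW = 512  # bytes examined at each end of the file (assumed value)


def full_scan(data):
    """Search the whole buffer. Returns (detected, bytes_examined)."""
    return SIGNATURE in data, len(data)


def top_and_tail_scan(data, window=WINDOW):
    """Search only the first and last `window` bytes of the buffer."""
    if len(data) <= 2 * window:
        return full_scan(data)  # small file: the two windows cover everything
    head, tail = data[:window], data[-window:]
    return (SIGNATURE in head or SIGNATURE in tail), 2 * window


def make_sample(size, offset):
    """Constructed 'host program': zero filler with the marker at `offset`."""
    body = bytearray(size)
    body[offset:offset + len(SIGNATURE)] = SIGNATURE
    return bytes(body)


def compare(size=64 * 1024):
    """Return {placement: (top_and_tail_detected, full_scan_detected)}."""
    placements = {
        "prepended": 0,
        "appended": size - len(SIGNATURE),
        "mid-file": size // 2,
        # Marker starts inside the head window but runs past its edge.
        "straddling window edge": WINDOW - 5,
    }
    results = {}
    for name, offset in placements.items():
        sample = make_sample(size, offset)
        results[name] = (top_and_tail_scan(sample)[0], full_scan(sample)[0])
    return results


if __name__ == "__main__":
    for name, (fast, full) in compare().items():
        print(f"{name:24} top-and-tail={fast!s:5} full={full}")
```

The fast scanner reads 1,024 of 65,536 bytes and agrees with the full scan only for the prepended and appended cases; the mid-file and window-straddling placements are missed.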

Are we doing the same things in other areas of security?  Yes, we always have to do our cost/benefit analysis, and try to make sure that we are giving the best protection for the resources available.  But are we, for example, pursuing certain “metrics,” and forgetting some aspects of the larger picture?

  • water-water

    man… why mixing the main topic of this blog with such a troublesome area as religion? well.. guess that’s just another difference between europe and the us. never mind. some nice thoughts anyway, thanks for posting.

  • http://SystemI.ca Anton J Aylward

    I’ve been reading Goldratt recently – “Theory of Constraints”. It’s interesting that an engineer and scientist has managed to show up the MBA/statistics types.

    Goldratt is saying that real improvements (as in 400%) come about by identifying the process-blockers in the structure of the operation and removing them. The examples he gives in his books are of the class “Duh! Well isn’t that obvious?” maybe to an engineer, but not the Business types.

    Goldratt doesn’t present this as “optimisation” and certainly not as shaving small points of efficiency. Thinking about it, he doesn’t present it as ‘structural change’ either.

    In my consulting work I often try to highlight to my clients the gap between what they are trying to ACHIEVE and what they are actually DOING. Often times the “doing” has become so rococo that the real objectives have become subsumed to the details.

    I’d also recommend “The Cult of Efficiency” by J G Stein (ISBN: 0-88784-668-8) which illustrates how, among other things, “efficiency” is often used as a political and manipulative agenda.