Re: impossibility of computer security?

From: Wei Dai (weidai@weidai.com)
Date: Mon Sep 16 2002 - 23:43:42 MDT


On Tue, Sep 17, 2002 at 12:02:50AM -0400, Harvey Newstrom wrote:
> I think about it a lot. You can't prove a negative. It's hard to
> take software and prove that somebody can't think up some new
> technique to thwart it. Most direct attacks are easily blocked and
> provable. It is the innovative new ways that humans keep thinking up
> that make an end-run around the best of designs.

I wouldn't feel so bad if these attacks were innovative, or subtle, or
indirect, but they're not. They're just plain old buffer overflows. But
what really gets me is that they're in *security* software.

> This is a wonderful question that I spend a lot of time thinking
> about. The future of technology and transhumanism depends on the
> answer to this question. Like most complicated questions, it probably
> will be an ongoing process forever. I doubt any magic technology will
> settle this once and for all. Not even NanoSanta, Singularity-Santa,
> or any other Santas.

I agree, computer security is certainly going to be a never-ending process
and we're only at the very beginning of it. But already it's apparent that
we are extremely bad at it. The factors you mentioned are both true.
There are always going to be innovative new attacks that can't be
predicted ahead of time, and we can't keep up with securing all of the new
features that people demand. But neither of them apply in these cases.
There must be something else more fundamental, if we can't even keep the
simplest holes out of our security software.



This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:17:06 MST