Machines can be perfect, humans cannot. The primary security weakness has always been the human factor.
Take file permissions for example... Extreme granularity makes advanced configurations possible, but also allows for harder to see conflicts. Although the permissions exist to allow "total" security... The human factor makes this all but impossible.
Getting slightly philosophical, but machines are designed by humans (imperfect beings). And I think that means any thing we make is going to be imperfect. Its simple set theory... We can't create/make/use anything outside our own capabilities...Quote:
Machines can be perfect, humans cannot. The primary security weakness has always been the human factor.
So I completely agree that its the human factor, but I disagree about the 'perfect' machines...
I dunno about the perfect machine...Quote:
Originally posted here by d0pp
Machines can be perfect, humans cannot. The primary security weakness has always been the human factor.
A perfect machine would have to do the laundry, clean the house, always be pleasant (see I just ruled out women), be amazing in bed and fulfill your every desire... I've only see perfect machines once.... and it was in The Stepford Wives...
Peace,
HT
Hence to take control of security out of the user's hands and only allow them to operate in sealed compartments.Quote:
There is no patch for human stupidity.
There is no such thing as subjectivity... everything is object. "Subjective" is merely a word devised to makes us feel better about a lack of understanding.Quote:
Perspective is not objective. If it's not objective, it's nearly impossible to measure.
These chips are mapped as they are developed... it's not like Intel just randomly dumps a design on a chip and then says "Now let's figure it out!"Quote:
Being able to map all freakin states is theoretically possible, but it's not gonne make stuff more secure.
Security is not a matter of chip design... chips are only capable of binary logic. the insecurities come from the flow between the user and the hardware. This is controlled by the security model at an abstract level and the operating system code and a more practical level.
Well yeah, KSOS spent it's entire development cycle against the Boyer-Moore theorum provers... until it came up clean. The 16 of 34 was the first run (after traditional methods came up clean) and KSOS was the first OS to utilize such an approach, which is what made the effort significant.Quote:
There's the math to prove it for ya.
oh rcgreen... unless your day job deals with secure operating systems... don't quit it.Quote:
The only way a computer can be formally and verifiably "secure" is by limiting the number and type of machine instructions so that no unexpected or unanticipated code can execute.
Allow me to simplify something for you.
Compartment A contains secret information.
Compartment B allows any application to run.
A has full rights over B. B has no rights over A.
All of A's processes gain A's rights. All of B's processes gain B's rights.
Can a malicious application in B compromise secret data?
Do users in A suffer any undue restraints?
Meastr0 unwittingly indentified the flaw in seeing each thing as a thing unto itself. The whole of the universe is a system... ignorance masked as myopia does no one any favors.Quote:
Yes I have young Will but apparently the detail that escaped your attention did not escape another young agent by the name of Meastr0.
Thank god for least privilege.Quote:
The primary security weakness has always been the human factor.
Again myopia strikes...Quote:
Getting slightly philosophical, but machines are designed by humans (imperfect beings). And I think that means any thing we make is going to be imperfect. Its simple set theory... We can't create/make/use anything outside our own capabilities...
computer's are closed systems and every closed system can be broken as it were. Can be quantified to their atomic components. This quantification is not bounded to supersets... subsets never are. A fine example is spelling... language was created by humans, the written word is a subset of language and "The quick brown fox jumped over the lazy dog." is a subset the written word... Human's may or may not be perfect, language sure the hell isn't perfect, the written word is hardly perfect, yet I spelled that example perfectly.
I'm gonna give that an amen... but then you get a little creepy, so I'll leave it there. ;)Quote:
A perfect machine would have to do the laundry, clean the house
cheers,
catch
Do any users in A have romantic relationships with users in B?Quote:
Compartment A contains secret information.
Compartment B allows any application to run.
A has full rights over B. B has no rights over A.
All of A's processes gain A's rights. All of B's processes gain B's rights.
Can a malicious application in B compromise secret data?
Do users in A suffer any undue restraints?
Who created the compartments, and does he still work
for the company?
Who is allowed to examine the source code that implements
this OS? The buck stops somewhere. Someone has authority
over the system. Is it the designer? The present owner?
Does it go on autopilot? There is a key into every system.
He who owns the key also has the power to corrupt it.
:cool:
Romanic relationships are irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?Quote:
Do any users in A have romantic relationships with users in B?
The creator and their employment status is irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?Quote:
Who created the compartments, and does he still work for the company?
Code auditing is irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?Quote:
Who is allowed to examine the source code that implements this OS?
Where the buck stops is irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?Quote:
The buck stops somewhere.
System authority is irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?Quote:
Someone has authority over the system. Is it the designer? The present owner?
Keys and autopilot are irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?Quote:
Does it go on autopilot? There is a key into every system.
This is a completely different issue, and is why least privilege was created... so no single entity has complete control over the system or these mythical keys.Quote:
He who owns the key also has the power to corrupt it.
cheers,
catch
Now, I know you couldn't have meant that. What would your wife say?Quote:
Romanic relationships are irrelevant
Think outside your pathetically small institutional mindset for a change.
If the designer puts a back door in, who will catch it?
If the (legitimate) owner of a business wants a feature changed,
but the change would break security, are you going to say
"no, sorry, you don't have the proper permissions"
You, and all the fancy hardware, software, along with the
unreadable PDF documentation will be in the dumpster
for insulting the dude who pays your salary.
Grow up, you over-educated immature little junior-high school twit.
:cool:
Stick to the subject at hand for a change... following every tangent under the sun as a means of confusing the issue so people won't see how wrong you are gets very annoying after awhile.Quote:
Think outside your pathetically small institutional mindset for a change.
Auditors.Quote:
If the designer puts a back door in, who will catch it?
Yes, yes i would say that. In many instances breaking security means breaking compliance, which could lead to large fines or jail. Damn right I'd refuse.Quote:
If the (legitimate) owner of a business wants a feature changed, but the change would break security, are you going to say "no, sorry, you don't have the proper permissions"
How does dumpster diving, no mater how successful lead to malicious applications in B compromising secret data or users in A suffer any undue restraints?Quote:
You, and all the fancy hardware, software, along with the unreadable PDF documentation will be in the dumpster for insulting the dude who pays your salary.
No sign of maturity like insults.Quote:
Grow up, you over-educated immature little junior-high school twit.
cheers,
catch
Practice makes perfect.Quote:
No sign of maturity like insults.
Now! Now!
A modicum of decorum if you please Gentlemen?
Catch old chap, do you really want me to send your g/f a cricket bat for Christmas? :D
She has suggested a trade for a 35' saltie crewed by Sydney black funnelwebs?
:D
You may show this to her, I promise that she will not send me your body parts individually :eek: