Who is more knowledgeable when it comes to computer security?

[d0pp]

Machines can be perfect, humans cannot. The primary security weakness has always been the human factor.

Take file permissions for example... Extreme granularity makes advanced configurations possible, but also allows for harder to see conflicts. Although the permissions exist to allow "total" security... The human factor makes this all but impossible.

[alleyCat]

Machines can be perfect, humans cannot. The primary security weakness has always been the human factor.

Getting slightly philosophical, but machines are designed by humans (imperfect beings). And I think that means any thing we make is going to be imperfect. Its simple set theory... We can't create/make/use anything outside our own capabilities...

So I completely agree that its the human factor, but I disagree about the 'perfect' machines...

[HTRegz]

Originally posted here by d0pp
Machines can be perfect, humans cannot. The primary security weakness has always been the human factor.

I dunno about the perfect machine...

A perfect machine would have to do the laundry, clean the house, always be pleasant (see I just ruled out women), be amazing in bed and fulfill your every desire... I've only see perfect machines once.... and it was in The Stepford Wives...

Peace,
HT

[catch]

There is no patch for human stupidity.

Hence to take control of security out of the user's hands and only allow them to operate in sealed compartments.

Perspective is not objective. If it's not objective, it's nearly impossible to measure.

There is no such thing as subjectivity... everything is object. "Subjective" is merely a word devised to makes us feel better about a lack of understanding.

Being able to map all freakin states is theoretically possible, but it's not gonne make stuff more secure.

These chips are mapped as they are developed... it's not like Intel just randomly dumps a design on a chip and then says "Now let's figure it out!"
Security is not a matter of chip design... chips are only capable of binary logic. the insecurities come from the flow between the user and the hardware. This is controlled by the security model at an abstract level and the operating system code and a more practical level.

There's the math to prove it for ya.

Well yeah, KSOS spent it's entire development cycle against the Boyer-Moore theorum provers... until it came up clean. The 16 of 34 was the first run (after traditional methods came up clean) and KSOS was the first OS to utilize such an approach, which is what made the effort significant.

The only way a computer can be formally and verifiably "secure" is by limiting the number and type of machine instructions so that no unexpected or unanticipated code can execute.

oh rcgreen... unless your day job deals with secure operating systems... don't quit it.
Allow me to simplify something for you.

Compartment A contains secret information.
Compartment B allows any application to run.
A has full rights over B. B has no rights over A.
All of A's processes gain A's rights. All of B's processes gain B's rights.

Can a malicious application in B compromise secret data?
Do users in A suffer any undue restraints?

Yes I have young Will but apparently the detail that escaped your attention did not escape another young agent by the name of Meastr0.

Meastr0 unwittingly indentified the flaw in seeing each thing as a thing unto itself. The whole of the universe is a system... ignorance masked as myopia does no one any favors.

The primary security weakness has always been the human factor.

Thank god for least privilege.

Getting slightly philosophical, but machines are designed by humans (imperfect beings). And I think that means any thing we make is going to be imperfect. Its simple set theory... We can't create/make/use anything outside our own capabilities...

Again myopia strikes...
computer's are closed systems and every closed system can be broken as it were. Can be quantified to their atomic components. This quantification is not bounded to supersets... subsets never are. A fine example is spelling... language was created by humans, the written word is a subset of language and "The quick brown fox jumped over the lazy dog." is a subset the written word... Human's may or may not be perfect, language sure the hell isn't perfect, the written word is hardly perfect, yet I spelled that example perfectly.

A perfect machine would have to do the laundry, clean the house

I'm gonna give that an amen... but then you get a little creepy, so I'll leave it there.

cheers,

catch

[rcgreen]

Compartment A contains secret information.
Compartment B allows any application to run.
A has full rights over B. B has no rights over A.
All of A's processes gain A's rights. All of B's processes gain B's rights.

Can a malicious application in B compromise secret data?
Do users in A suffer any undue restraints?

Do any users in A have romantic relationships with users in B?
Who created the compartments, and does he still work
for the company?

Who is allowed to examine the source code that implements
this OS? The buck stops somewhere. Someone has authority
over the system. Is it the designer? The present owner?
Does it go on autopilot? There is a key into every system.
He who owns the key also has the power to corrupt it.

[catch]

Do any users in A have romantic relationships with users in B?

Romanic relationships are irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?

Who created the compartments, and does he still work for the company?

The creator and their employment status is irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?

Who is allowed to examine the source code that implements this OS?

Code auditing is irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?

The buck stops somewhere.

Where the buck stops is irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?

Someone has authority over the system. Is it the designer? The present owner?

System authority is irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?

Does it go on autopilot? There is a key into every system.

Keys and autopilot are irrelevant, can a malicious application in B compromise secret data? Do users in A suffer any undue restraints?

He who owns the key also has the power to corrupt it.

This is a completely different issue, and is why least privilege was created... so no single entity has complete control over the system or these mythical keys.

cheers,

catch

[rcgreen]

Romanic relationships are irrelevant

Now, I know you couldn't have meant that. What would your wife say?
Think outside your pathetically small institutional mindset for a change.

If the designer puts a back door in, who will catch it?
If the (legitimate) owner of a business wants a feature changed,
but the change would break security, are you going to say
"no, sorry, you don't have the proper permissions"

You, and all the fancy hardware, software, along with the
unreadable PDF documentation will be in the dumpster
for insulting the dude who pays your salary.

Grow up, you over-educated immature little junior-high school twit.

[catch]

Think outside your pathetically small institutional mindset for a change.

Stick to the subject at hand for a change... following every tangent under the sun as a means of confusing the issue so people won't see how wrong you are gets very annoying after awhile.

If the designer puts a back door in, who will catch it?

Auditors.

If the (legitimate) owner of a business wants a feature changed, but the change would break security, are you going to say "no, sorry, you don't have the proper permissions"

Yes, yes i would say that. In many instances breaking security means breaking compliance, which could lead to large fines or jail. Damn right I'd refuse.

You, and all the fancy hardware, software, along with the unreadable PDF documentation will be in the dumpster for insulting the dude who pays your salary.

How does dumpster diving, no mater how successful lead to malicious applications in B compromising secret data or users in A suffer any undue restraints?

Grow up, you over-educated immature little junior-high school twit.

No sign of maturity like insults.

cheers,

catch

[rcgreen]

No sign of maturity like insults.

Practice makes perfect.

[nihil]

Now! Now!

A modicum of decorum if you please Gentlemen?


Catch old chap, do you really want me to send your g/f a cricket bat for Christmas?

She has suggested a trade for a 35' saltie crewed by Sydney black funnelwebs?



You may show this to her, I promise that she will not send me your body parts individually