RE: botnets: web servers, end-systems and Vint Cerf

>Therefore, I assert that securing systems adequately for use on the
>Internet is indeed a SOLVED PROBLEM in computing.

>A HUNDRED MILLION machines beg to differ.

You misunderstand. The problem of securing machines *IS* solved. It is
possible. It is regularly done with servers connected to the Internet.
There is no *COMPUTING* problem or technical problem.

The problem of the 100 million machines is a social or business problem.
We know how they can be secured, but the solution is not being
implemented.

--Michael Dillon

>You misunderstand. The problem of securing machines *IS* solved. It is
>possible. It is regularly done with servers connected to the Internet.
>There is no *COMPUTING* problem or technical problem.

>The problem of the 100 million machines is a social or business problem.
>We know how they can be secured, but the solution is not being
>implemented.

Eh? Sure, we can secure servers, but that's not where the trouble is.
It's the client systems with browsers and P2P software and people
mindlessly banging on keyboards running arbitrary executables. I'm
interested in hearing how they can be secured, since you seem to believe
this is a solved problem.

>It is regularly done with servers connected to the Internet.
>There is no *COMPUTING* problem or technical problem.

I beg to differ. Yes, it is possible for tech-savvy users to secure their machines pretty effectively. But the level of technical knowledge required to do so is completely out of line with, say, the level of automotive knowledge required to safely operate an automobile.

>The problem of the 100 million machines is a social or business problem.
>We know how they can be secured, but the solution is not being
>implemented.

We know how -people with specialized knowledge- can secure them, not ordinary people - and I submit that we in fact do not know how to clean and validate compromised systems running modern general-purpose operating systems, that the only sane option is re-installation of OS and applications from scratch.

There have been very real strides in increasing the default security posture of general-purpose operating systems and applications in recent years, but there is still a large gap in terms of what a consumer ought to be able to reasonably expect in terms of security and resiliency from his operating systems/applications, and what he actually gets. This gap has been narrowed, but is still quite wide, and will be for the foreseeable future (witness the current renaissance in the area of browser/HTML/XSS/Javascript vulnerabilities as an example of how the miscreants can change their focus as needs must).

>Therefore, I assert that securing systems adequately for use on the Internet is indeed a SOLVED PROBLEM in computing.

>A HUNDRED MILLION machines beg to differ.

* michael.dillon@bt.com [Fri 16 Feb 2007, 18:27 CET]:

>You misunderstand. The problem of securing machines *IS* solved. It is possible. It is regularly done with servers connected to the Internet.

Given that even NASA has issues writing correct programs I would call it far from "solved" for any reasonable definition of the word, even in hyper-correct environments such as programming spacecraft where time and budget constraints are secondary to safety (security).

Or did you forget to mention that your secured machine is powered off?

>There is no *COMPUTING* problem or technical problem.

Denying that there is a technical problem with a hundred million machines out there not under full control of their owners is delusional.

>The problem of the 100 million machines is a social or business problem.
>We know how they can be secured, but the solution is not being implemented.

Clearly the solution you have in your mind isn't obvious to us out here in the real world, nor simple, as we haven't figured it out yet.

  -- Niels.

>You misunderstand. The problem of securing machines *IS* solved. It is
>possible. It is regularly done with servers connected to the Internet.
>There is no *COMPUTING* problem or technical problem.

True *BUT* (and this is a really big but) it requires that you do something
*BEFORE* you connect it to the Internet.

>The problem of the 100 million machines is a social or business problem.
>We know how they can be secured, but the solution is not being
>implemented.

Whilst the problem is social in terms of people not knowing/wanting to do the
securing before connecting, the technical solution is to make the software
secure by default. If you think anything else then you are delusional.

J

--
COO
Entanet International
T: 0870 770 9580

In other words, we know how to secure them, and theoretically it is
possible to secure all of them.

In practice - not so much. As resources-wise and the
time-until-they-will-be-insecure-yet-again don't meet.

  Gadi.

So, you're saying we can secure them so long as we put
them behind NAT AND humans don't use them?

-danny

I think a few messages back, I specifically phrased my comment about
getting them off my radar to cover this - I actually don't care if they
are or aren't in fact secure, as long as their insecurity, if any, isn't
visible to the outside world.