Similar remarks apply to the Stuxnet point- in that context, they wanted to destroy a specific secure system and weren’t going for any sort of largescale global control. They weren’t people interested in being able to take all the world’s satellite communications in their own control whenever they wanted, nor were they interested in carefully timed nuclear meltdowns...
Exploits only work for some systems. If you are dealing with different systems you will need different exploits. How do you reckon that such attacks won’t be visible and traceable? Packets do have to come from somewhere.
And don’t forget that out systems become ever more secure and our toolbox to detect) unauthorized use of information systems is becoming more advanced.
As a computer security guy, I disagree substantially. Yes, newer versions of popular operating systems and server programs are usually more secure than older versions; it’s easier to hack into Windows 95 than Windows 7. But this is happening within a larger ecosystem that’s becoming less secure: More important control systems are being connected to the Internet, more old, unsecured/unsecurable systems are as well, and these sets have a huge overlap. There are more programmers writing more programs for more platforms than ever before, making the same old security mistakes; embedded systems are taking a larger role in our economy and daily lives. And attacks just keep getting better.
If you’re thinking there are generalizable defenses against sneaky stuff with code, check out what mere humans come up with in the underhanded C competition. Those tricks are hard to detect for dedicated experts who know there’s something evil within a few lines of C code. Alterations that sophisticated would never be caught in the wild—hell, it took years to figure out that the most popular crypto program running on one of the more secure OS’s was basically worthless.
Sure we are, we just don’t care very much. The method of “Put the computer in a box and don’t let anyone open the box” (alternately, only let one person open the box) was developed decades ago and is quite secure.
Exploits only work for some systems. If you are dealing with different systems you will need different exploits. How do you reckon that such attacks won’t be visible and traceable? Packets do have to come from somewhere.
And don’t forget that out systems become ever more secure and our toolbox to detect) unauthorized use of information systems is becoming more advanced.
As a computer security guy, I disagree substantially. Yes, newer versions of popular operating systems and server programs are usually more secure than older versions; it’s easier to hack into Windows 95 than Windows 7. But this is happening within a larger ecosystem that’s becoming less secure: More important control systems are being connected to the Internet, more old, unsecured/unsecurable systems are as well, and these sets have a huge overlap. There are more programmers writing more programs for more platforms than ever before, making the same old security mistakes; embedded systems are taking a larger role in our economy and daily lives. And attacks just keep getting better.
If you’re thinking there are generalizable defenses against sneaky stuff with code, check out what mere humans come up with in the underhanded C competition. Those tricks are hard to detect for dedicated experts who know there’s something evil within a few lines of C code. Alterations that sophisticated would never be caught in the wild—hell, it took years to figure out that the most popular crypto program running on one of the more secure OS’s was basically worthless.
Humans are not good at securing computers.
Sure we are, we just don’t care very much. The method of “Put the computer in a box and don’t let anyone open the box” (alternately, only let one person open the box) was developed decades ago and is quite secure.
I would call that securing a turing machine. A computer, colloquially, has accessible inputs and outputs, and its value is subject to network effects.
Also, if you put the computer in a box developed decades ago, the box probably isn’t TEMPEST compliant.