Re: Canal+ crash

[Niklas Holsti <niklas.holsti@tidorum.invalid>]

On 2024-07-21 10:22, Dmitry A. Kazakov wrote:
> On 2024-07-21 03:04, Lawrence D'Oliveiro wrote:
>> On Sat, 20 Jul 2024 11:08:47 +0200, Dmitry A. Kazakov wrote:
>>
>>> On 2024-07-20 09:43, Lawrence D'Oliveiro wrote:
>>>
>>>> On Sat, 20 Jul 2024 09:23:11 +0200, Dmitry A. Kazakov wrote:
>>>>
>>>>> It is about the fundamental principle that security cannot be added on
>>>>> top of an insecure system.
>>>>
>>>> Actually, it can. Notice how the Internet itself is horribly insecure,
>>>> yet we are capable of running secure applications and protocols on top
>>>> of it.
>>>
>>> Why on earth do we need security updates?
>>
>> Because computer systems are complex, and new bugs keep being discovered
>> all the time.
> 
> This does not make sense. You can create a very complex system out of 
> screwdrivers and still each screwdriver would require no update.
> 
> Systems consist of computers and computers of software modules. There is 
> nothing inherently complex about making a module safe and bug free. 
> Security interactions are primitive and 100% functional. There is no 
> difficult issues with non-functional stuff like real-time problems.


Well, several recent attacks use variations in execution timing as a 
side-channel to exfiltrate secrets such as crypto keys. The crypto code 
can be functionally perfect and bug-free, but it may still be open to 
attack by such methods.

But certainly, most attacks on SW have used functional bugs such as 
buffer overflows.