From mboxrd@z Thu Jan  1 00:00:00 1970
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: Niklas Holsti <niklas.holsti@tidorum.invalid>
Newsgroups: fr.comp.lang.ada,comp.lang.ada
Subject: Re: Canal+ crash
Date: Sun, 21 Jul 2024 11:00:36 +0300
Organization: Tidorum Ltd
Message-ID: <lg3th4F90ggU1@mid.individual.net>
References: <e14f8a7c-3306-000d-6d3c-a16839488af9@Strand_in_London.Gov.UK>
 <v7fokv$3ehcr$1@dont-email.me> <v7fpql$3en28$1@dont-email.me>
 <v7fuqu$3fihj$1@dont-email.me> <v7hmrc$3p5q7$8@dont-email.me>
 <v7icut$654$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net sU8nArQL7/4crQX6GNkNDwaPpYcNEuxBzVuu8P9CUReLAnetII
Cancel-Lock: sha1:mjJvR8Kp4KLl4jwbTOEOT5KoYB4= sha256:EMDKcIYF8qEGhMZabpRqcfbGAqRg3iuYRPeIExBwg6Y=
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <v7icut$654$1@dont-email.me>
Xref: news.eternal-september.org fr.comp.lang.ada:2289 comp.lang.ada:66233
List-Id: <comp.lang.ada>

On 2024-07-21 10:22, Dmitry A. Kazakov wrote:
> On 2024-07-21 03:04, Lawrence D'Oliveiro wrote:
>> On Sat, 20 Jul 2024 11:08:47 +0200, Dmitry A. Kazakov wrote:
>>
>>> On 2024-07-20 09:43, Lawrence D'Oliveiro wrote:
>>>
>>>> On Sat, 20 Jul 2024 09:23:11 +0200, Dmitry A. Kazakov wrote:
>>>>
>>>>> It is about the fundamental principle that security cannot be added on
>>>>> top of an insecure system.
>>>>
>>>> Actually, it can. Notice how the Internet itself is horribly insecure,
>>>> yet we are capable of running secure applications and protocols on top
>>>> of it.
>>>
>>> Why on earth do we need security updates?
>>
>> Because computer systems are complex, and new bugs keep being discovered
>> all the time.
> 
> This does not make sense. You can create a very complex system out of 
> screwdrivers and still each screwdriver would require no update.
> 
> Systems consist of computers and computers of software modules. There is 
> nothing inherently complex about making a module safe and bug free. 
> Security interactions are primitive and 100% functional. There is no 
> difficult issues with non-functional stuff like real-time problems.


Well, several recent attacks use variations in execution timing as a 
side-channel to exfiltrate secrets such as crypto keys. The crypto code 
can be functionally perfect and bug-free, but it may still be open to 
attack by such methods.

But certainly, most attacks on SW have used functional bugs such as 
buffer overflows.