From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: Canal+ crash
Date: Sun, 21 Jul 2024 11:19:30 +0200 [thread overview]
Message-ID: <v7ijr1$12fk$1@dont-email.me> (raw)
In-Reply-To: <lg3th4F90ggU1@mid.individual.net>
On 2024-07-21 10:00, Niklas Holsti wrote:
> On 2024-07-21 10:22, Dmitry A. Kazakov wrote:
>> On 2024-07-21 03:04, Lawrence D'Oliveiro wrote:
>>> On Sat, 20 Jul 2024 11:08:47 +0200, Dmitry A. Kazakov wrote:
>>>
>>>> On 2024-07-20 09:43, Lawrence D'Oliveiro wrote:
>>>>
>>>>> On Sat, 20 Jul 2024 09:23:11 +0200, Dmitry A. Kazakov wrote:
>>>>>
>>>>>> It is about the fundamental principle that security cannot be
>>>>>> added on
>>>>>> top of an insecure system.
>>>>>
>>>>> Actually, it can. Notice how the Internet itself is horribly insecure,
>>>>> yet we are capable of running secure applications and protocols on top
>>>>> of it.
>>>>
>>>> Why on earth do we need security updates?
>>>
>>> Because computer systems are complex, and new bugs keep being discovered
>>> all the time.
>>
>> This does not make sense. You can create a very complex system out of
>> screwdrivers and still each screwdriver would require no update.
>>
>> Systems consist of computers and computers of software modules. There
>> is nothing inherently complex about making a module safe and bug free.
>> Security interactions are primitive and 100% functional. There is no
>> difficult issues with non-functional stuff like real-time problems.
>
> Well, several recent attacks use variations in execution timing as a
> side-channel to exfiltrate secrets such as crypto keys. The crypto code
> can be functionally perfect and bug-free, but it may still be open to
> attack by such methods.
It is always a tradeoff between the value of the information and costs
of breaking the protection. I doubt that timing attack are much more
feasible in that respect than brute force.
> But certainly, most attacks on SW have used functional bugs such as
> buffer overflows.
Exactly. Non-functional attacks are hypothetical at best. They rely on
internal knowledge which is another problem. An insider work is the most
common case of all breaches. So, maybe, it is better to update the
staff? (:-))
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2024-07-21 9:19 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-19 21:41 Canal+ crash Nicolas Paul Colin de Glocester
2024-07-20 7:23 ` Dmitry A. Kazakov
2024-07-20 7:43 ` Lawrence D'Oliveiro
2024-07-20 9:08 ` Dmitry A. Kazakov
2024-07-21 1:04 ` Lawrence D'Oliveiro
2024-07-21 7:22 ` Dmitry A. Kazakov
2024-07-21 8:00 ` Niklas Holsti
2024-07-21 9:10 ` J-P. Rosen
2024-07-21 9:34 ` Dmitry A. Kazakov
2024-07-21 11:11 ` Nicolas Paul Colin de Glocester
2024-07-21 21:53 ` Lawrence D'Oliveiro
2024-07-22 6:36 ` J-P. Rosen
2024-07-23 1:48 ` Lawrence D'Oliveiro
2024-07-21 9:19 ` Dmitry A. Kazakov [this message]
2024-07-21 11:31 ` Niklas Holsti
2024-07-21 16:49 ` Dmitry A. Kazakov
2024-07-21 21:55 ` Lawrence D'Oliveiro
2024-07-21 21:52 ` Lawrence D'Oliveiro
2024-07-22 7:16 ` Dmitry A. Kazakov
2024-07-23 1:49 ` Lawrence D'Oliveiro
2024-07-23 7:06 ` Dmitry A. Kazakov
2024-07-23 8:36 ` Lawrence D'Oliveiro
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox