Is Cybersecurity an Unsolvable Problem?

Ars Technica profiles Scott Shapiro, the co-author of a new book, Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks.

Shapiro points out that computer science "is only a century old, and hacking, or cybersecurity, is maybe a few decades old. It's a very young field, and part of the problem is that people haven't thought it through from first principles." Telling in-depth the story of five major breaches, Shapiro ultimately concludes that "the very principles that make hacking possible are the ones that make general computing possible.

"So you can't get rid of one without the other because you cannot patch metacode." Shapiro also brings some penetrating insight into why the Internet remains so insecure decades after its invention, as well as how and why hackers do what they do. And his conclusion about what can be done about it might prove a bit controversial: there is no permanent solution to the cybersecurity problem. "Cybersecurity is not a primarily technological problem that requires a primarily engineering solution," Shapiro writes. "It is a human problem that requires an understanding of human behavior." That's his mantra throughout the book: "Hacking is about humans." And it portends, for Shapiro, "the death of 'solutionism.'"
An excerpt from their interview: Ars Technica: The scientific community in various disciplines has struggled with this in the past. There's an attitude of, "We're just doing the research. It's just a tool. It's morally neutral." Hacking might be a prime example of a subject that you cannot teach outside the broader context of morality.

Scott Shapiro: I couldn't agree more. I'm a philosopher, so my day job is teaching that. But it's a problem throughout all of STEM: this idea that tools are morally neutral and you're just making them and it's up to the end user to use it in the right way. That is a reasonable attitude to have if you live in a culture that is doing the work of explaining why these tools ought to be used in one way rather than another. But when we have a culture that doesn't do that, then it becomes a very morally problematic activity.

Job Security

[chill]

As someone working in this field for the last couple decades, all I got to say is job security baby!

Re:

[gweihir]

Well, yes. But having been active in this are for something like 35 years now, I have to say my disappointment with the industry is very, very deep. Most/all of the today relevant security problems were known back then and there _are_ solutions. Instead, most software stuff is still made "cheaper than possible" and sucks with regards to security. There also seems to be a trend to make actually using software less and less efficient (MS, I am looking at you) for a pretty bad showing overall.

convienience vs paying attention

[Big Hairy Gorilla]

People are the problem. Make it convenient, and people will hand over their first born.

Re:

[phantomfive]

If we get to the point where spear-phishing is the only attack vector, then we've won.

Re:

[gweihir]

People are part of the problem. Tech is the other half of the problem. Current tech is cheaply made and generally insecure. It makes it far too easy for users to make security-critical mistakes. At the same time, users are incompetent and too easy to fool. Any real solution must fix both aspects or it will fail.

Re:

[Big Hairy Gorilla]

Ok, true. There is no doubt that security is an afterthought with developers. I've been a developer.

We've had respectable password security for 1000 years, but most people still use 12345.

And that same person finds it too mentally taxing to enter a more random password, and resists any attempt to train them to cut and paste a long password (from an encrypted text file). Users ARE idiots, who will not do more than the barest of minimums.

I'm not convinced developers are the REAL problem.

Re:convienience vs paying attention

[gweihir]

I'm not convinced developers are the REAL problem.

My reasoning goes as follows: A tool for general use must be safe to use for a non-expert. That does not mean it cannot be misused. That means it must be reasonably obvious to a non-expert how to use it right and using it wrong must be significantly harder than using it right or come with some obvious high cost if the occasional failure is acceptable. That is basic safety-engineering. (I had a mandatory section on safety-engineering in my CS studies 35 years back. I only later learned that this is apparently _not_ standard.)

For example, a hammer or knife or kitchen stove is dangerous. But the failure modes are obvious to non-experts and obviously unpleasant. Sure there will be the occasional smashed or cut finger and the occasional kitchen fire. But you need to really work at it and ignore very concrete and directly personally threatening danger-signs obvious to the average person. Compare that to software: Given the right circumstances, you can still often blow up your company with a single click on a reassuringly calm blue pop-up. You can still use remote access without 2FA or on the same device that the 2nd factor is on making it useless. And so on. Non-experts cannot behave safely when it is so easy to behave unsafe.

Now, where the blame is when a developer has no clue about IT security, safety engineering or user behavior is a point that can be debated. You can say it is the fault of the person because this is an unfinished immature discipline and everybody needs to learn more than required to be competent. You can say it is the fault of the people hiring somebody like that. You can say it is the education system, but then most developers actually do not have a real engineering education at all. And you can say it is a lack of regulation where people with a lack of skill are allowed to do things that require those skills.

Whatever you prefer here regarding blame, in the end the one building the insecure mechanism is the one that has failed. And that means developers are at the root of the problem and they are where this problem needs to be fixed. If an electrician wires up you house so it catches fire, that electrician needs to be fixed, regardless of how he became incompetent.

Re: convienience vs paying attention

[LindleyF]

That's amazing, I've got the same combination on my luggage!

Maybe?

[Petersko]

How about we "tools down" on new stuff for a few years and just harden what's out there?

If we just keep building fresh, new attack vectors, then, yes.

Nothing to see here

[Morpeth]

"Cybersecurity is not a primarily technological problem that requires a primarily engineering solution," Shapiro writes. "It is a human problem that requires an understanding of human behavior." That's his mantra throughout the book: "Hacking is about humans." And it portends, for Shapiro, "the death of 'solutionism.'"

It requires both -- understanding why and how humans hack, AND using that info to inform your engineering and tech solutions. There will always be hackers and the need for cybersecurity, not sure why they article claims he has "some penetrating insight", it's patently obvious.

It's the same as saying theft or murder are an unsolvable problem, duh. There will sadly always be theft and murder, but it doesn't mean you don't keep upping your game to combat/address/mitigate it.

Re:

[saloomy]

There are two competing forces at work causing a gap. The first one is security engineers designing security want privacy also, and therefore do not trust the service to hold biometric data or something that can positively identify you. They also will not trust a third party to handle the authentication. The other force is people fail to understand where you should be giving your credentials to and where you shouldn't. Also remembering the credentials. Things are secure to a cybersecurity expert who careful

Re:Nothing to see here

[gweihir]

Indeed. It is only about making it hard enough for attackers that the residual risk is low enough and most attackers starve and hence go out of business. That is entirely possible. And, of course IT security is just as much a technological problem as it is a people problem. Like all engineering really. The brakes in your car have to be both technologically reliable and effective (for example, brakes in ordinary cars are _always_ designed to be stronger than the motor, no matter what, and for obvious reasons) and designed so that a human can use them reasonably well. Omit either aspect and they become dangerous.

Hacking is both about tech and humans. Anybody denying that is simply incompetent. Focusing on the human angle to the detriment of the tech aspects is in no way better than focussing on the tech angle to the detriment of the human aspects. Of course, keeping two aspects equally in view is more difficult. But it is the only thing that works.

Not unsolveable, unless...

[93 Escort Wagon]

It's only "unsolvable" if you let the perfect be the enemy of the good.

Bingo, unsolvable != unmitigateable

[davidwr]

It's only "unsolvable" if you let the perfect be the enemy of the good.

Bingo. With security, as with so many other things in life, a partial solution can be "good enough."

You can mitigate computer security risks by doing the things we are already doing, like (imperfect) access control systems. You can mitigate the damage done when the bad guy gets through your security systems by having things like good backups and a way to restore them in an acceptable period of time at an acceptable cost. You can mitigate some business risks - like "what happens when your supplier gets ha

automating human tasks

[awwshit]

There is value in automating human tasks. A human figures out what to do then you automate that thing to make humans more effective. Even if it is only a game of whack a mole.

This is a little dated but the concept is not... the most commonly exploited vulnerabilities are not the most current vulnerabilities.
https://www.cisa.gov/news-even... [cisa.gov]

If you automate vulnerability detection and prevention then you've given yourself a security boost even if you have not 'solved' the potential for future problems.

Have we tried solutionism?

[drinkypoo]

It seems like if you really wanted maximum security, you'd be designing systems for that first and foremost and ground up, hardware and software. The first such systems that you could reasonably prove were secure would by necessity be very simple, and programming them would probably be an agony for the foreseeable future, but is anyone in industry actually prepared to even try to use such systems to get work done? We all used to get work done on single-digit-MHz computers back in the day — indeed, one such system might serve many users. Last time I looked at one of their screens, the CA DMV was still using a primitive AF mainframe app via 3270 emulator :)

Re:

[phantomfive]

You can't get secure code by tacking it on as an afterthought.

Re:

[gweihir]

Really not needed. Just take a simple hardened Linux distribution and you are already deep in the area where attacks become way too expensive for most attackers. People that can still afford to do it in that case can also afford to break into your systems physically and then it becomes a different problem.

We do not need "maximum security". "Reasonable security" is already quite enough. But what MS crap, "APPs", incompetently configured Linux servers and cloud systems, etc. give us is "pathetic security" at

Re:

[rickb928]

Hack into a CA DMV terminal session - yeah, it requires some network access.

Designing systems for security means redesigning network protocols and security features, taking the current OSI model, from layer 2 up. The Internet poses a somewhat more complex problem, baking security into a new Internet would require, I think protections against address manipulation and forgeries.

All this would indeed require redesigning from scratch. And I, for one, would be cautious about adopting these new, 'secure', systems

Re:

[Pinky's Brain]

It doesn't sell.

Companies want to hear that you can make BYOD secure. Just put more lipstick on the pig and get the mascara ready for the next time.

Yes.

[zenlessyank]

If man can make it then man can break it. It's simple really.

Re:

[gweihir]

That is one of these easy answers that are plausible, convincing, easy to understand and wrong.

Re:

[zenlessyank]

Prove it. Make something unbreakable. I dare you.

Re:

[gweihir]

So that is what you get from this? If somebody can break it, then "man can break it"? Well, true, but completely irrelevant nonsense.

Of course the systems administrator of a system can break it. Of course that is completely irrelevant to the discussion at hand. Circumstances do matter.

Re:

[zenlessyank]

Solvable means a resolution. Cyber security is a never ending problem. It has no final solution. That is my point. That is the wording in the headline. Unsolvable. The answer is Yes. Period.

Unsolvable

[SuperDre]

It is unsolvable as long as humans need to be able to interact with it. Yeah you can make it super secure, but then it won't be usable anymore as it isn't feasible if a human has to do so many things first before it can use the system. And the biggest security problem IS the human. Using biometrics can also be broken.

Re:

[phantomfive]

If phishing is the only way hackers can get into the system, then we've won.

Re: Unsolvable

[SuperDre]

No we haven't won. As it's the most commonly used way to hack into secure systems. So it's unsolvable because you cannot solve that problem, as humans need to be able to interact with the system, and as long as humans need to do that, it's insecure.

Re:

[phantomfive]

As it's the most commonly used way to hack into secure systems.

It's not.

Re:Unsolvable

[gweihir]

No, it is not. The problem today is a market failure where software and systems are cheaply designed, cheaply made and customers do not know that doing it better is entirely possible. For example, attacks by Email are only a thing because of the abysmal stupidity of Microsoft and others. Of course email attachments should never be easy to open automatically or with a single click. Of course, frigging documents should not be executable code with system access and should not be able to attack you. But no, they had to turn email readers into frigging web-browsers and make everything "easy".

What you find when you actually look is that the problem is not only solvable, it is basically solved. It is just commercial mainstream crap that cannot get there. Note that 100% security is in no way needed. It is quite enough to make attacks unprofitable and come with a high risk of detection. At the moment, attacks are _very_ profitable (ransomware) because security standards of mainstream systems are abysmally bad compared to what they could be.

Re: Unsolvable

[SuperDre]

You say 'ofcourse', I say, the software becomes unusable if I have to go through too many hoops, especially, in this example, if you recieve a lot of mails and expect it to have attachments you need to open. That's the problem with security, it can and must never prohibit the user in being able to use the software on a regular base. For instance, having to put in your credentials every single time you need to access certain data/service, no problem if you only have to access the data/service a few times a

Re:

[gweihir]

You did not understand what I wrote. The problem arises from the combination of insecure document formats with insecure email practices. Both in this case from the same perpetrator, so they cannot claim innocence. For example, do you really need text document or spreadsheet that was attached to an email to be able to write your file system or call other programs? If you do, then there will never be any security for you. But the fact of the matter is that this is only really needed as an absolute exception a

Re: Unsolvable

[SuperDre]

I agree, textdocuments don't, but excel documents certainly can be needing writing to disc or reading from memory.

Re:

[jsonn]

Microsoft's file formats are fundamentally misdesigned by the lack of sand-boxing in the default configuration. Note: I'm not saying that macros should be off by default, but that the default should not allow macros access to anything outside the document unless explicitly allow by the user/administrator. Such access should in a well defined system also be done using defined resources and controlled by proper proof-of-origin. But Microsoft has failed time and time again to make any steps in that direction a

Re:

[Petr Blazek]

"It is unsolvable as long as humans need to be able to interact with it" ...also as long as humans are involved in the creation of IT systems.

IMHO, nothing can be truly secure if humans mess with it in any way...

Same as it ever was

[cellocgw]

Every time a new mechanical, or even partially mechanical, lock comes out, one craftsman or another finds a way to build the mechanical key -- or to bypass the key mech (see, e.g. "bump key" for standard tumbler door locks).

Software's even worse, because it's damn hard just to make software do what you want it to do, let alone NOT do everything else in the universe. Ultimately it comes down to a cost-benefit ratio. We don't bother with DoD-class crypto phones for everyday use for that reason. We don't install bank-vault quality timelocks on our home doors for that reason.
At some point, the best you can do is air-gap the systems that need total security, vet the crap out of all users, and hope & pray spies don't get in. So far, not a single government in the world has managed to keep spies from getting jobs/assignments it top-levels of gov't management.

Re:

[Jeremi]

Every time a new mechanical, or even partially mechanical, lock comes out, one craftsman or another finds a way to build the mechanical key -- or to bypass the key mech

That was my view also, which is why I figured that Bitcoin's algorithm would be hacked within a year or two after it become profitable to do so, at which point the value of Bitcoins would promptly fall to near-zero as counterfeiters took over and people lost faith in the reliability of the blockchain algorithm.

And yet, here we are, 14 years later, and Bitcoins are still valued at about $27k apiece; it seems this particular lock has remained largely unpicked, despite an enormous financial incentive to do so

Re:

[jsonn]

Military grade encryption is entirely overrated. There is little evidence that the NSA has significantly smarter cryptoanalysists compared to the (public) security researchers. The main problem is that people are bad at designing secure protocols and even worse at correctly implementing them. Most of the actual security breaches are a direct result of that. I can recommend everyone to look at the history of Kerberos for one of the better non-trivial algorithms, especially the infamous drama version: https:/ [mit.edu]

Don't have a cybersecurity group

[klipclop]

I've never had a good experience with our cybersecurity groups. Everything they want to do is "implemented" by other groups. The operational fallout is handled by groups that aren't them, and the cybersecurity groups are terrible at communicating and collaboration. Every experience I have makes me wish the whole sector didn't exist. Give the resources to the local subject matter experts to figure out things out themselves and provide REALISTIC guidelines.

Re:

[gweihir]

IT security has its large share of incompetents and semi-competents, just like software making and IT operations. It is really quite pathetic overall. One thing that helps is making sure an IT Security person actually has some real-world engineering experience: Writing code, configuring and operating systems, application of cryptography, etc. There are far too many IT Security people have no real-world engineering skills and hence can only stand in the way of others but cannot help to secure things.

AI will fix it

[jmccue]

we all know AI will fix the problem, and cure the common code too.

No. Solutions are just not cheap or easy...

[gweihir]

There are a few things that are generally done really badly today and that make for the mess we have:
1. Use of insecure software and Operating Systems that are not up to the state-of-the art (MS Windows and MS Office and many many "Apps" are main offenders here)
2. Incompetent configuration and maintenance (open cloud containers, lack of timely updates, etc.), usually due to incompetent and/or inexperienced personnel
3. Software development that ignores security or by people that do not understand security. Basically "cheaper than possible" developers.
4. Lack of use of known secure mechanisms (2FA, still active old protocols, etc.)
5. Sabotage by "surveillance fascists", i.e. people that cannot stand citizens having secure communication mechanisms. These can be found in basically all governments.
6. Bad applied CS/IT/SW-Engineering education. You can still get a degree in these fields without a single mandatory lecture on software security, for example.
7. Applied CS/IT/SW-Engineering are still not engineering disciplines with general standards and liability for violating the state-of-the-art.
8. A few other things.

The thing is, secure software, secure system operation, etc. are understood and entirely possible. Not 100% secure, but that is not required. Making things for attackers very expensive and with a high risk of successful attack detection is quite enough. But the industry does not have the maturity to use what is known. Instead everything IT and software is done cheaply, typically far too cheaply, and there is no competent risk assessment. That there is no meaningful liability system, unlike established engineering disciplines, contributes to the problem.
 

Crime is not easily stopped

[Goatbot]

Humans are fickle beasts that will commit crimes regardless of the level of security.

Hopefully it's not

[Z80a]

A completely perfectly secure system on the wrong hands would be pretty terrible.

It was solved in the 1970s

[ka9dgx]

Of course cybersecurity can be solved... the solution was worked out in the 1970s, and there are commercially available secure systems. The Operating Systems most of us use daily, on the other hand, do not support multi-level security, nor the Bell-LaPadula model.

If we did use such systems, the user interface would be almost identical, but our applications would only be able to open the files we fed them, and not everything, by default. The world would be a much more secure place, but that would have made the NSA's job a lot harder, so such systems aren't talked about much.

Can you make a building no one can break into?

[MikeDataLink]

Can you make it 100% impossible to physically break into a building? Nope. Someone is always smarter, has a bigger team of crooks, more money, etc. Can you make a prison no one can escape from? They keep saying they can and then people figure out a way.

Apply the same to your cybersecurity.

No kind of security problem has been "solved"

[Tony Isaac]

Your home, your car, your store, your bank, your office, prisons, military installations, you name it. Every "secure" place of any kind can be broken into, if an attacker is determined enough. Just because cybersecurity is security "on a computer" doesn't make it a different category of problem. Security will always have to be designed, monitored, and enforced by a varying set of mechanisms. It will always be an arms race.

Have we solved theft yet?

[chas.williams]

Theft has been around for thousands and thousands of years. Why haven't we solved that problem yet? The idea that time spent studying the problem or that restricting tools can prevent a particular crime is somewhat specious.

This is solvable... airgap stuff

[ctilsie242]

First, airgapping is not a 100% thing, as Stuxnet has showed, but it will at least force physical intervention to attack a target.

We need to be asking why devices need to be on the Internet in the first place. If we need monitoring, that is doable in a read-only way (for example, using light pipes to pass the LED readout from an air gapped appliance's display to a Raspberry Pi). Data diodes are not new. I've made those out of serial cables and cutting the Rx line, ensuring that data could only go one way. Of course, this wasn't a fast way of sending data, but it worked well enough.

We need to go back to least privilege, defense in depth, and maybe even demanding makers of IoT devices provide manifest files for their devices, so firewalls can be configured to only let those specific sites out (although most IoT makers would just do wildcards... but it is a start.)

From least privilege and defense in depth, we need a UL-like organization that works like Europe's Sold Secure, with gold/silver/bronze/etc. ratings. For example, a "silver" appliance would have had black box testing done. A "gold" appliance would have had the source code scanned and it built, compared with the shipping executables. A "platinum" appliance would have even more testing. Maybe even a tier requiring a deterministic state language used like Ada or SPARK which ensures that all stated with the software are provable.

Security costs money, and the problem is the "security has no ROI" issue. We are in a free-fall economic downturn with no bottom in sight, so companies don't really care about security, even if it means flirting with bankruptcy. They just are looking to stay afloat. So, companies need to consider other models or even donate to have open source solutions that have been tested and vetted be something that can be adopted, if no commercial provider is trustworthy enough (since top notch security doesn't mean good profits because the time it takes to do it right isn't profitable... thus this needs to be done by organizations and governments.)

It might be wise to look at different physical networks with a networking protocol designed from the ground up to be secure, be it hardware doing signed and encrypted frames to having key IDs instead of MACs used, with allow lists, to creating virtual tunnels as part of a machine to machine handshake, so UDP-like data transfers with sliding windows is possible and fast, yet authenticated and encrypted. Then, have packets have a network ID, so routers don't ever throw a packet meant for one network onto another.

Leave TCP/IP for the Internet, work on a network protocol for B2B applications that can either be used with a web of trust like PGP, a root hierarchy like TLS, or both.

Does CyberSecurity HAVE solvable problems?

[dweller_below]

It is easy to show that CyberSecurity is insolvable. There are multiple, easy proofs. They include:

• Proof 1: We can't know all attacks. We can't defend against unknown attacks.
• Proof 2: Even if we could know all attacks, we can't afford to defend against all attacks.
• Proof 3: Even if we could afford to defend against all attacks, if risky CyberSecurity behavior is more profitable, then we won't eliminate failure.

A more useful question is, how can we make things better? After a couple decades of doing the things they currently call CyberSecurity, I have found several much more interesting questions. They include:

1. 0) Can we more accurately measure effective CyberSecurity success? Currently we are measuring the failures. Shouldn't we measure the successes?
2. 1) Can we do a better job of measuring the complete costs (to ourselves and society) of failure?
3. 2) Can we do meaningful epidemiology of CyberSecurity? Can we more accurately determine what helps, and how much it helps?
4. 3) Can we be more accurate and complete in distributing responsibility for failure and improvement?
5. 4) Can we create and sustain meaningful positive incentives that favor CyberSecurity over insecurity?

I have found that when I improve these areas, I improve security.

It is as solvable as physical security

[GuB-42]

Physical security has been an unsolved since humanity existed. Cybersecurity is likely to be the same.

That's because it is an arms race, and also the fact the you don't just have to keep the bad guys out, you also have to let the good guys in. Conflicting requirements and conflicting goals depending on which side you are on.

To paraphrase ...

[PPH]

... Scott Adams:

The pursuit of security has no finish line ...
so technically, it's more like a death march.

First: believe we can do better

[laughingskeptic]

Why are code segments writable after load? We could bake segment fixups into the CPU segment load process and use bitmasks rather than the hack of inserting interrupts into the code for debugging. Immutable code segments alone would greatly improve computer security, but the use of this "mutable code feature" is baked into way too many processes in our current architectures. I come from the era when you created a new kernel by hand-patching the existing running kernel and saving the modified kernel to a n

Tradeoffs

[Tony Isaac]

Like all engineering disciplines, every "solution" is actually a set of tradeoffs. We optimize for the features that are important to us. Tradeoffs include things like speed, cost, quality, durability, ease of use, complexity, configurability, and so on.

Security too requires tradeoffs. You can build your security like Fort Knox, but that would be enormously expensive, and very few could pay the price. And a tradeoff for such strict security is that it severely limits usability by those who are *authorized*

Not just cybersecurity

[Gimric]

If the LockingPIckingLawyer has taught me anything, its that physical security is an unsolvable problem, and that's been around a lot longer.

Like buying a car

[Canberra1]

People can buy cars and drive them into the ground, never checking or changing fluid or lubricants. When people by computers, they do the same thing: drive it into the ground after loading it with weights. The typical business computer - the boss rants and screams : security mechanics are a bigger ripoff than divorce lawyers. Reasonably secure computers have people paid to perform preventatives.

Obligatory XKCD

[jalvarez13]

https://xkcd.com/538/

I'm surprised no one posted this before...

Chromebook?

[reanjr]

Isn't it essentially already solved? I mean Chromebooks are essentially malware free. Is it really malware if you have to install it yourself?

Re:No

[decep]

It really is not solvable. Security in IT is a journey, not a destination. There is never a point where you can declare yourself 100% secure.

You can do all the right things, implement all the security controls possible, and you can still be hacked.

A better way of stating the question would be "Can you eliminate all IT Security risk?"

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[garyisabusyguy]

The definition of hacking has changed from when it meant learning the guts of a system to allow you to manipulate it, to any criminal with a tool who shits on other people's privacy to get what they want

Fundementally can't be solved.

[Anonymous Coward]

When Microsoft talks about "security" they aren't using the same definition of the word as you are. In Microsoft's mind, security means:

• The untrusted end-user is unable to run any software without owning an appropriate software license.
• The untrusted end-user is unable to pirate any content without owning an appropriate license to the content.
• If you're suspected of anything, the appropriate government authorities ([DoJ in the US](https://www.forbes.com/sites/kashmirhill/2012/07/26/this-is-what-is-actua

Re:No

[saloomy]

Is it solvable? Of course. But first you have to define what solved means. If someone calls your CFO and portents to be from your bank demanding your password and your 2FA pin, that is not a failure of cyber security. That is not the IT departments fault. That is human behavior being bad.

Real cybersecurity is having no vulnerabilities where the risks come in. Is your firewall secure? Does it have any zero-day vulnerabilities? Your software? The operating system(s) it runs on? The hardware (firmware) that run that? All the way down. It can be secure, but you cant be sure that it is since at some point you can not reasonably audit the code. The whole game of password managers and 2-factor and all the rest of it is just a matter of figuring out how to get humans to know when they should be entering their passwords, and when they shouldn't.

Re:

[garyisabusyguy]

Real security is no root, no default passwords, no 'digital wallet' to store all your passwords in...

people simply will not support those things because it makes their lives more difficult

Re: No

[djp2204]

Cybersecurity has to made simple to be successful. If your policy requires provides passwords to be so complex people have to write them down you are not secure.

Re:

[brantondaveperson]

Good luck never hiring anybody.

Re:

[saloomy]

This. Also, 26 character passwords, randomized, unmanaged. For every service you use? All unique and never reused? How often do you rotate them? I am guessing... never.

Either you are a savant, or you are full of shit. Your system? Bullshit. Some places require a funny character, some places don't support them. The mixed variations between systems means your 26-character password standard via that command will not always work.

This isn't as simple as that.

Re: No

[djp2204]

Arguing that the users are at fault due to the developers design decisions? Bad bad move

Re:No

[narcc]

Computers exist for our convenience. Security should be easy for users. Complicated authentication leads to insecure practices. Force users to change their complicated password too frequently? They'll write it down and tape it to the front-bezel. Require 2FA? They'll avoid logging out.

Password are fine. The only big problem is reuse. Reuse happens because people tend to forget passwords that they don't enter frequently and, if they're following good security practice, it's hard to memorize a lot of different passwords.

Password managers solve this problem well for a lot of people. Anything that improves security and makes things easier for users is a good thing. 2FA is often promoted as a "solution", but it's not great. It is incredibly inconvenient for the user, tends to lock out far more legitimate users than bad actors, hardly slows down the bad guys, and can even make a phishing attack appear more legitimate. If that weren't enough it also tends to encourage password reuse. It's a terrible solution.

Objections to password managers are in trusting a third party in general and the risk of having all of your credentials stolen at once. There are simple and obvious ways to improve password managers, but I have an easy, non-technical, alternative that solves all of these problems and offers many of the same benefits:

The method I recommend to users is to use a simple base password (sufficient to pass most absurd password requirements) that can be modified in some standard way for each service they use. Something like prepending the first two letters of and appending the number of characters in the domain name. The rules should be their own. Anything that's easy for the user to remember that is going to be result in something different for every site they use is going to be fine. It doesn't need to be complicated, and probably shouldn't. This solves the reuse problem and makes it trivial for the user to memorize a very large number of passwords.

Sure, if someone determined has enough of your passwords, they might be able to figure out your system. Of course, if someone has gathered enough of your passwords to work that out, and has the will to do so, you've got bigger problems.

your comment proves it's NOT solvable

[Petr Blazek]

"Does it have any zero-day vulnerabilities?"
This is what you simply can't know. At best, you can be sure there are no KNOWN vulnerabilities in your systems - which doesn't suffice to declare your cybersecurity problem as solved.

Re:

[Some nick or other]

You can in theory get a whole lot closer to "no vulnerabilities" by using formal verification; IIRC seL4 contains proofs that various security invariants will hold (as long as certain prerequisites are true of the hardware). A shame it's so hard to do for large projects.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[phantomfive]

A better way of stating the question would be "Can you eliminate all IT Security risk?"

How is that a different question

Re:

[garyisabusyguy]

do you shred your trash, do you deflux old hard drives, do you encrypt every hard drive, do you put every employee through regular security training, do you have monitors and cross checks to make sure people are following their training, is your office constructed like a faraday cage, etc...

It goes on and on, looking more and more like 'defense in depth' [fortinet.com] at first and ending up like a dystopian nightmare

Re: No

[Z00L00K]

You can't solve it, but you can limit the impact by minimizing the exposure of your systems and isolate them in cells that prevents them from infecting each other.

Re:

[garyisabusyguy]

I remember some definition of a security level that could be reached by a WIndows box, if it was in a locked room, with no keyboard, mouse or monitor. Around this time, Windows security was a fucking mess, Deep Crack was assembled from ASICS to crack Windows encryption in hours, and even the more robust Unix boxes could be breached by anybody with physical access to the machine.

One of my programming teachers had worked at Honeywell in the early days of digital computing, and made the joke that there once wa

Re: No

[djp2204]

Absent involvement of a nation state, most cyber security vulnerabilities seem to be either memory management issues that are solvable with good engineering practice or human factors that are solvable with training.

Re:

[garyisabusyguy]

Sometimes I wonder, take fingerd for instance [cvedetails.com]

It is the default distribution of most *nix and perl, yet it has a known vulnerability that can allow permission escalation remotely

In the olden days, an industrious student used it to determine if there was a cold soda in the machine [ibm.com] and that cool story it put into common distributions, and that commonality has become a problem for, well the rest of us

If that was a social engineering hack, then it was admirable, but why the fuck has it not been patched?

Re:

[kmoser]

Human factors are never completely solvable. Regardless of how well you train them, you'll never completely prevent all users from clicking suspicious links, or from occasionally going rogue and accessing your systems from the inside.

Re:

[gweihir]

Anybody requiring "100% security" does not even understand the basics of security and risk management. All you have to do is make breaking in too expensive.

And yes, IT security is not only solvable, it is solved. Just not with the cheap insecure crap that gets used everywhere.

Re:

[garyisabusyguy]

One of the most useful descriptions of security that I have run into is the "time to breach" applied to doors on secure facilities

If a door takes an hour to breach (think "wow that i s a big door" from original Tron), then you are in a secure facility and the goon squad is within 10 minutes from that door with an appropriate alert and training

The sickening thing about current computer security is that most of it is a fig leaf that only gives the end user a false sense of security while not even providing a

Re: No

[Z00L00K]

If you have a centrally managed corporation with admin passwords reaching every machine in that corporation you shouldn't be surprised if every machine gets attacked.

I'm currently experiencing that situation.

Re:

[Oryan Quest]

There’s a ton of low hanging fruit and as soon as it’s all picked corporate behaviors prop up a new crop. I don’t know if it’s solvable but we’re doing double what we used to do about it. Badly; and it still amounts to barely trying at all.

I can’t put my finger on it and I haven’t read the book but I have developed a nose for it over the decades and the author smells like part of the problem.

Re:

[usedtobestine]

That's because the user used Metacode, a Xerox printer language, to mean something else.

Re:

[garyisabusyguy]

interestingly enough, Postscript is a programming language and widely used on networked printers that have notoriously poor security

Re: No

[simlox]

If you have a mathematical proof of correctness of your program for all possible input values it cannot be hacked. That would end the journey.

Re:

[znrt]

it was a rhetorical question, they're just trying to sell a book here.

and the book is maybe even interesting, but the framing of the promotional interview and the very question are just asinine, or simply designed to attract attention and of course animated monologues from expert opiners around. it's actually commendable that yours is so short and concise ;-)

Re:

[dbialac]

Spam still exists and it's effectively a similar behavior: get through whatever tech has been put in place to stop spam. Both are like the bodies response to a new virus: the attacking entity keeps on trying until it finds the next way through. Once it does, it exploits it until an immunity is found, then the cycle repeats. There's always new code and there's also new ways through it.

Re:

[thegarbz]

Everything is solvable. For example the heat death of the universe will solve cybersecurity. Heck maybe we'll even nuke ourselves out of the information age and that'll solve it too.

But as for solvable now, no sorry simply saying it's solvable doesn't make it so, it just shows that you really haven't thought through the complexities about what you're saying.

But you got the first post though, I suspect that was the goal rather than spurring an actual discussion right?

Re:

[Tony Isaac]

Have we "solved" *any* kind of security? Your house, your car, the bank, fortresses, prisons--all of them can be broken into (or out of) with enough determination and effort. Why would computer security be any different?

Re:

[narcc]

Have we "solved" *any* kind of security?

Yes.

Re:

[Tony Isaac]

Whatever. Name it. You won't, because you can't. No such thing exists.

Re:

[narcc]

You should at least try doing a search before you double-down on a silly claim. It could save you some embarrassment...

Name it. You won't, because you can't.

"It"? As if there was only one thing! I'll name two things, because I can. 1) We have provably unbreakable encryption and have for a very long time. 2) We've solved SQL injection.

No such thing exists.

False.

Re:

[iMadeGhostzilla]

Exactly, security is a people problem, not a mathematics problem.

Re:

[phantomfive]

But the vast majority of software companies only have security as an afterthought, if at all.

How many times at a software company have you been offered a training in best security practices for the language you're programming in? If companies cared about security even a little bit, major types of hacking would be gone.

Re:

[gweihir]

Indeed. Hiring coders, sysadmins, etc. with actual security skills, making respective education mandatory in the IT education models, etc. and systems getting hacked would ba a rare and mostly irrelevant thing because it would not pay. Instead we have thriving criminal enterprises specializing in it.

It is _known_ how to do this right. There are just too many IT people that do not know it. And there are too many PHBs that do not want to pay for it.

Re:

[narcc]

It's not that developers don't know, it's that they don't care. Well, some don't know. Maybe too many. Then there's the set that, for some reason, thinks that blindly including hundreds of third-party libraries, automatically updated during the build process, improves security... Who hires these people anyway?

Is cybersecurity an unsolvable problem? It doesn't matter. Even if we had a perfect solution, no one would bother. SQL injection is still a major thing, and it's trivial to prevent.

Re:

[gweihir]

Incompetence or apathy. Hmm. Hard to say what is worse in people that create technological artefacts.

Re: lol

[SuperDre]

How so? Any security company can hire such people if they want to, but most companies have a policy of not wanting to hire those. And there are enough security companies that actually do hire those ex hackers. But they should be labeled felons just like any other criminal, as they have been criminals. NOT putting the felon label on them would be wrong.

Re:

[rickb928]

You think ostracizing them as felons is a cause of further criminal behavior?

How did they become hackers in the first place? Convicted murderers were murderers before they were convicted. All felons were, at one time, criminals before they were convicted.

This BS is unfortunate. Felons are punished in several different ways, incarceration, fines, and loss or diminishment of civil rights, and yes, ostracization. Many do not consider the consequences of their actions, but many hackers in particular do, and go