
Is Cybersecurity an Unsolvable Problem? - Slashdot

source link: https://it.slashdot.org/story/23/05/28/1820216/is-cybersecurity-an-unsolvable-problem

Is Cybersecurity an Unsolvable Problem?


Is Cybersecurity an Unsolvable Problem? (arstechnica.com) 50

Posted by EditorDavid

on Sunday May 28, 2023 @02:22PM from the Kobayashi-Maru dept.

Ars Technica profiles Scott Shapiro, the co-author of a new book, Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks.

Shapiro points out that computer science "is only a century old, and hacking, or cybersecurity, is maybe a few decades old. It's a very young field, and part of the problem is that people haven't thought it through from first principles." Telling in-depth the story of five major breaches, Shapiro ultimately concludes that "the very principles that make hacking possible are the ones that make general computing possible.

"So you can't get rid of one without the other because you cannot patch metacode."

Shapiro also brings some penetrating insight into why the Internet remains so insecure decades after its invention, as well as how and why hackers do what they do. And his conclusion about what can be done about it might prove a bit controversial: there is no permanent solution to the cybersecurity problem. "Cybersecurity is not a primarily technological problem that requires a primarily engineering solution," Shapiro writes. "It is a human problem that requires an understanding of human behavior." That's his mantra throughout the book: "Hacking is about humans." And it portends, for Shapiro, "the death of 'solutionism.'"

An excerpt from their interview:

Ars Technica: The scientific community in various disciplines has struggled with this in the past. There's an attitude of, "We're just doing the research. It's just a tool. It's morally neutral." Hacking might be a prime example of a subject that you cannot teach outside the broader context of morality.

Scott Shapiro: I couldn't agree more. I'm a philosopher, so my day job is teaching that. But it's a problem throughout all of STEM: this idea that tools are morally neutral and you're just making them and it's up to the end user to use it in the right way. That is a reasonable attitude to have if you live in a culture that is doing the work of explaining why these tools ought to be used in one way rather than another. But when we have a culture that doesn't do that, then it becomes a very morally problematic activity.

  • It's solvable.

    • Re:No (Score:5, Informative)

      by decep ( 137319 ) on Sunday May 28, 2023 @02:39PM (#63557583)

      It really is not solvable. Security in IT is a journey, not a destination. There is never a point where you can declare yourself 100% secure.

      You can do all the right things, implement all the security controls possible, and you can still be hacked.

      A better way of stating the question would be "Can you eliminate all IT Security risk?"

      • Re:

        "Hacking" is just human problem solving reported through a lens of derogatory social prejudice.
        • Re:

          The definition of hacking has changed from when it meant learning the guts of a system to allow you to manipulate it, to any criminal with a tool who shits on other people's privacy to get what they want

      • Re:

        Is it solvable? Of course. But first you have to define what solved means. If someone calls your CFO and purports to be from your bank demanding your password and your 2FA pin, that is not a failure of cyber security. That is not the IT department's fault. That is human behavior being bad.

        Real cybersecurity is having no vulnerabilities where the risks come in. Is your firewall secure? Does it have any zero-day vulnerabilities? Your software? The operating system(s) it runs on? The hardware (firmware) that
        • Re:

          Real security is no root, no default passwords, no 'digital wallet' to store all your passwords in...

          people simply will not support those things because it makes their lives more difficult

        • "Does it have any zero-day vulnerabilities?"
          This is what you simply can't know. At best, you can be sure there are no KNOWN vulnerabilities in your systems - which doesn't suffice to declare your cybersecurity problem as solved.

      • Re:

        That's a bit like keep preventing your car window from being smashed just to see what you might have it.

        In Omaha, Nebraska, if you go to the northeast section, it is common there for people to leave their car doors unlocked, so that when people inevitably go through your car for loose change you don't have a broken window on top of it.

        Those who lock their car doors in Northeast Omaha have to pay for window replacements more often.

        If you leave the door unlocked and make sure to leave nothing of valu

      • Re:

        How is that a different question

        • Re:

          do you shred your trash, do you deflux old hard drives, do you encrypt every hard drive, do you put every employee through regular security training, do you have monitors and cross checks to make sure people are following their training, is your office constructed like a faraday cage, etc...

          It goes on and on, looking more and more like 'defense in depth' [fortinet.com] at first and ending up like a dystopian nightmare

      • You can't solve it, but you can limit the impact by minimizing the exposure of your systems and isolate them in cells that prevents them from infecting each other.

      • Re:

        I remember some definition of a security level that could be reached by a Windows box, if it was in a locked room, with no keyboard, mouse or monitor. Around this time, Windows security was a fucking mess, Deep Crack was assembled from ASICs to crack Windows encryption in hours, and even the more robust Unix boxes could be breached by anybody with physical access to the machine.

        One of my programming teachers had worked at Honeywell in the early days of digital computing, and made the joke that there once wa

    • Re:

      It's like any war, a cat and mouse back-and-forth game.

      • Re:

        But the vast majority of software companies only have security as an afterthought, if at all.

        How many times at a software company have you been offered a training in best security practices for the language you're programming in? If companies cared about security even a little bit, major types of hacking would be gone.
    • Re:

      It was a rhetorical question; they're just trying to sell a book here.

      And the book is maybe even interesting, but the framing of the promotional interview and the very question are just asinine, or simply designed to attract attention and of course animated monologues from expert opiners around. It's actually commendable that yours is so short and concise ;-)

    • Re:

      Spam still exists and it's effectively a similar behavior: get through whatever tech has been put in place to stop spam. Both are like the body's response to a new virus: the attacking entity keeps on trying until it finds the next way through. Once it does, it exploits it until an immunity is found, then the cycle repeats. There's always new code and there are also new ways through it.
  • As someone working in this field for the last couple decades, all I got to say is job security baby!

    • Re:

      This is what I have seen peeking into cybersecurity groups when reviewing insanely insecure development features in libraries that never should have been introduced or enabled by default. From what I saw they were fine with that and it is up to each individual user of that library to disable the insanely insecure, rarely used features. Job security.

  • People are the problem. Make it convenient, and people will hand over their first born.
    • Re:

      If we get to the point where spear-phishing is the only attack vector, then we've won.
  • Maybe stop putting the same lifelong label "Felon" on hackers as you put on murderers and child molesters so these people can actually get employed in relevant fields?
    • How so? Any security company can hire such people if they want to, but most companies have a policy of not wanting to hire those. And there are enough security companies that actually do hire those ex-hackers. But they should be labeled felons just like any other criminal, as they have been criminals. NOT putting the felon label on them would be wrong.
    • Re:

      You think ostracizing them as felons is a cause of further criminal behavior?

      How did they become hackers in the first place? Convicted murderers were murderers before they were convicted. All felons were, at one time, criminals before they were convicted.

      This BS is unfortunate. Felons are punished in several different ways, incarceration, fines, and loss or diminishment of civil rights, and yes, ostracization. Many do not consider the consequences of their actions, but many hackers in particular do, and go

  • How about we "tools down" on new stuff for a few years and just harden what's out there?

    If we just keep building fresh, new attack vectors, then, yes.

  • "Cybersecurity is not a primarily technological problem that requires a primarily engineering solution," Shapiro writes. "It is a human problem that requires an understanding of human behavior." That's his mantra throughout the book: "Hacking is about humans." And it portends, for Shapiro, "the death of 'solutionism.'"

    It requires both -- understanding why and how humans hack, AND using that info to inform your engineering and tech solutions. There will always be hackers and the need for cybersecurity, not s

    • Re:

      There are two competing forces at work causing a gap. The first one is security engineers designing security want privacy also, and therefore do not trust the service to hold biometric data or something that can positively identify you. They also will not trust a third party to handle the authentication. The other force is people fail to understand where you should be giving your credentials to and where you shouldn't. Also remembering the credentials. Things are secure to a cybersecurity expert who careful
    • Re:

      Indeed. It is only about making it hard enough for attackers that the residual risk is low enough and most attackers starve and hence go out of business. That is entirely possible. And, of course IT security is just as much a technological problem as it is a people problem. Like all engineering really. The brakes in your car have to be both technologically reliable and effective (for example, brakes in ordinary cars are _always_ designed to be stronger than the motor, no matter what, and for obvious reasons

  • It's only "unsolvable" if you let the perfect be the enemy of the good.

    • Bingo. With security, as with so many other things in life, a partial solution can be "good enough."

      You can mitigate computer security risks by doing the things we are already doing, like (imperfect) access control systems. You can mitigate the damage done when the bad guy gets through your security systems by having things like good backups and a way to restore them in an acceptable period of time at an acceptable cost. You can mitigate some business risks - like "what happens when your supplier gets ha

  • There is value in automating human tasks. A human figures out what to do then you automate that thing to make humans more effective. Even if it is only a game of whack a mole.

    This is a little dated but the concept is not... the most commonly exploited vulnerabilities are not the most current vulnerabilities.
    https://www.cisa.gov/news-even... [cisa.gov]

    If you automate vulnerability detection and prevention then you've given yourself a security boost even if you have not 'solved' the potential for future problems.

  • It seems like if you really wanted maximum security, you'd be designing systems for that first and foremost and ground up, hardware and software. The first such systems that you could reasonably prove were secure would by necessity be very simple, and programming them would probably be an agony for the foreseeable future, but is anyone in industry actually prepared to even try to use such systems to get work done? We all used to get work done on single-digit-MHz computers back in the day — indeed, one

    • Re:

      You can't get secure code by tacking it on as an afterthought.
    • Re:

      Really not needed. Just take a simple hardened Linux distribution and you are already deep in the area where attacks become way too expensive for most attackers. People that can still afford to do it in that case can also afford to break into your systems physically and then it becomes a different problem.

      We do not need "maximum security". "Reasonable security" is already quite enough. But what MS crap, "APPs", incompetently configured Linux servers and cloud systems, etc. give us is "pathetic security" at

    • Re:

      Hack into a CA DMV terminal session - yeah, it requires some network access.

      Designing systems for security means redesigning network protocols and security features, taking the current OSI model, from layer 2 up. The Internet poses a somewhat more complex problem, baking security into a new Internet would require, I think protections against address manipulation and forgeries.

      All this would indeed require redesigning from scratch. And I, for one, would be cautious about adopting these new, 'secure', systems

  • If man can make it then man can break it. It's simple really.

    • Re:

      That is one of these easy answers that are plausible, convincing, easy to understand and wrong.

  • It is unsolvable as long as humans need to be able to interact with it. Yeah you can make it super secure, but then it won't be usable anymore as it isn't feasible if a human has to do so many things first before it can use the system. And the biggest security problem IS the human. Using biometrics can also be broken.
    • Re:

      If phishing is the only way hackers can get into the system, then we've won.
    • Re:

      No, it is not. The problem today is a market failure where software and systems are cheaply designed, cheaply made and customers do not know that doing it better is entirely possible. For example, attacks by Email are only a thing because of the abysmal stupidity of Microsoft and others. Of course email attachments should never be easy to open automatically or with a single click. Of course, frigging documents should not be executable code with system access and should not be able to attack you. But no, the

    • Re:

      "It is unsolvable as long as humans need to be able to interact with it"...also as long as humans are involved in the creation of IT systems.

      IMHO, nothing can be truly secure if humans mess with it in any way...

  • Every time a new mechanical, or even partially mechanical, lock comes out, one craftsman or another finds a way to build the mechanical key -- or to bypass the key mech (see, e.g. "bump key" for standard tumbler door locks).

    Software's even worse, because it's damn hard just to make software do what you want it to do, let alone NOT do everything else in the universe. Ultimately it comes down to a cost-benefit ratio. We don't bother with DoD-class crypto phones for everyday use for that reason. We don't install bank-vault quality timelocks on our home doors for that reason.
    At some point, the best you can do is air-gap the systems that need total security, vet the crap out of all users, and hope & pray spies don't get in. So far, not a single government in the world has managed to keep spies from getting jobs/assignments at top levels of gov't management.

    • Re:

      That was my view also, which is why I figured that Bitcoin's algorithm would be hacked within a year or two after it became profitable to do so, at which point the value of Bitcoins would promptly fall to near-zero as counterfeiters took over and people lost faith in the reliability of the blockchain algorithm.

      And yet, here we are, 14 years later, and Bitcoins are still valued at about $27k apiece; it seems this particular lock has remained largely unpicked, despite an enormous financial incentive to do so

  • I've never had a good experience with our cybersecurity groups. Everything they want to do is "implemented" by other groups. The operational fallout is handled by groups that aren't them, and the cybersecurity groups are terrible at communication and collaboration. Every experience I have makes me wish the whole sector didn't exist. Give the resources to the local subject matter experts to figure things out themselves and provide REALISTIC guidelines.
    • Re:

      IT security has its large share of incompetents and semi-competents, just like software making and IT operations. It is really quite pathetic overall. One thing that helps is making sure an IT Security person actually has some real-world engineering experience: writing code, configuring and operating systems, application of cryptography, etc. There are far too many IT Security people who have no real-world engineering skills and hence can only stand in the way of others but cannot help to secure things.

  • we all know AI will fix the problem, and cure the common code too.
  • There are a few things that are generally done really badly today and that make for the mess we have:
    1. Use of insecure software and Operating Systems that are not up to the state-of-the art (MS Windows and MS Office and many many "Apps" are main offenders here)
    2. Incompetent configuration and maintenance (open cloud containers, lack of timely updates, etc.), usually due to incompetent and/or inexperienced personnel
    3. Software development that ignores security or by people that do not understand security. Basically "cheaper than possible" developers.
    4. Lack of use of known secure mechanisms (2FA, still active old protocols, etc.)
    5. Sabotage by "surveillance fascists", i.e. people that cannot stand citizens having secure communication mechanisms. These can be found in basically all governments.
    6. Bad applied CS/IT/SW-Engineering education. You can still get a degree in these fields without a single mandatory lecture on software security, for example.
    7. Applied CS/IT/SW-Engineering are still not engineering disciplines with general standards and liability for violating the state-of-the-art.
    8. A few other things.

    The thing is, secure software, secure system operation, etc. are understood and entirely possible. Not 100% secure, but that is not required. Making things for attackers very expensive and with a high risk of successful attack detection is quite enough. But the industry does not have the maturity to use what is known. Instead everything IT and software is done cheaply, typically far too cheaply, and there is no competent risk assessment. That there is no meaningful liability system, unlike established engineering disciplines, contributes to the problem.

  • Humans are fickle beasts that will commit crimes regardless of the level of security.
  • A completely perfectly secure system in the wrong hands would be pretty terrible.
