Makes me wonder if some "new idea" is needed...

[davej]

http://www.cbsnews.com/news/new-report-says-russia-hacked-white-house-computer-network/

 

I mean, if nothing we have can be trusted to maintain security -- then isn't a significant redesign needed?

[justsomeguy]

There have been discussions about a new internet with other priorities in mind. Security wasn't one of the goals of the original internet, it was just a way to transfer data. The vast majority of security issues are not with the transport layer, they are with the application layer, i.e. servers not responding correctly to malicious requests, or web applications that were not designed with security in mind.

[davej]

Yes, but it isn't just the 1980's internet protocols that are causing the security problems. It is bad design, after bad design, after bad design.

[justsomeguy]

Sure, but it's generally application design, not the protocols.

[davej]

Well, there does seem to be an endless amount of confusion regarding what the root of the problem is. Maybe there is no "root of the problem?"

 

However, I don't understand why some obvious things can't be done. For example when your pc boots up -- why doesn't it boot off of a read-only disk partition? The core of the OS could be read-only. The core code could then validate the hash signatures of everything else.

[justsomeguy]

Any OS gets updated, so that partition is going to need to be written to at some point. An attacker may be able to use the same mechanism. There are a lot of good technical solutions to various problems, but the issue is that many of the problems are not technical problems, they're human problems.

[davej]

Yes, it seems to boil down to everyone wanting security for free and with zero effort.

[justsomeguy]

The best security in the world can't protect against someone running a file that was emailed to them. There's always a human point of failure.