Computer Security Is Impossible

Moved stuff to IwannaLearnComputerSecurity

Should be renamed CompleteSecurityIsImpossible. Otherwise it is not a useful title because most companies now have internal Computer Security function. These companies obviously do not feel that their work in SecurityManagement is futile. -- dl

The Physical Access argument

If an attacker has free physical access to a computer system's hardware, and can disassemble, modify, etc. the system at will, then no security except StrongEncryption? or a ScorchedEarthPolicy mechanism can prevent the data from being extracted by the attackers.

If obfuscation is not possible then nothing can prevent someone who has free physical access to a computer system to extract every iota information about what it is computing.

Obfuscation is the default condition. It takes considerable effort and instrumentation to make information readily available.

"Security" isn't a binary condition; it's better measured by the amount of resources an adversary needs to breach it. Not all systems or resources (computer or otherwise) need the same level of security.

The door to the restrooms in my house have courtesy locks; anyone can "break" the lock with a screwdriver in the correct slot. However, the restroom is "secure" against the "threat" of folks walking in accidentally. It isn't secure against someone trying to break into the bathroom.
The exterior doors to my house are more secure; they all have locks which require keys to unlock. However, neither my doors nor my windows are fortified against breakage; a burglar with a pipe wrench could find numerous ways to enter.
Fort Knox, where the US government keeps a bunch of gold, is pretty secure.

Likewise with computer systems. This Wiki is hardly secure at all (it uses SoftSecurity). However, there is little to be taken or damaged here. All info is public already, we have no secrets. While deleting pages isn't hard; they can be restored from backup in short order. The main threat is to our collective enjoyment of Wiki.

The first step in any security audit is "how much security do you need"?

Sorry but this has absolutely nothing to do with computer security, or security at all. It has to do with insecurity which is a completely different subject.

An interesting set of definitions for "security" and "insecurity". The security community doesn't appear to use these terms in this precise fashion, but I digress.
That's because most of them are shyster insecurity people instead of cryptographers and security engineers.

Given a set of requirements, whether a design is secure is a binary condition. It either fulfills its requirements or it doesn't. Given that there are a set of standard requirements for computer systems which it is legitimate to expect all systems everywhere to uphold, this makes computer security a binary condition.

What do you think those requirements should be? One I'd suggest nowadays is this one (because it concerns harm brought on others besides the owner of the computer system in question)
- It should not be possible for intruders to commandeer a machine and use it for DistributedDenialOfService attacks or other attacks against a third party.
- It should not be possible for an application to do anything which an intelligent user hasn't explicitly and deliberately allowed them to do.
  - What about a stupid user? And how should the computer know the difference?
    - Hey, I like this train of thought...the world needs such an algorithm! :-)
- It must be possible to share information and content in any of the infinitely many perfectly legitimate manners.
- In particular, it's illegitimate for one person to give info or services to another person then that second person being unable to transfer these to a third party. This is the only non-obvious term here.
  - Why not? Trust isn't (and shouldn't be) transitive. I may trust you, and you may trust your brother-in-law. That doesn't mean that I trust your brother-in-law; who I certainly don't know (and may distrust for various reasons). If you are speaking more specifically of various DRM schemes, I have more sympathy for your position (in particular, content providers shouldn't be able to curtail legitimate fair use via DRM schemes). Much of this debate is in the public policy arena and not the technology arena, anyway.
  - Trust is transitive in reality. Making trust intransitive is theoretically impossible, so it's illegitimate to demand that a security system provide such a property. Anyone who claims they can provide such a property is a shyster and a liar.
    - [I know what you're talking about, but this would be a good place to point people to the discussion of the problem with intransitivity. It's been know to surprise people, you know.]
    - This is--in many ways--a social problem. Even if the computer security model is completely intransitive (I can delegate capabilities to Bob, but he cannot redelegate them to sue), external delegation is hard to avoid. Bob may have given Sue his password; thus any capability Bob holds Sue holds to. One could try to avoid that problem with more sophisticated authentication schemes, based on possession of physical tokens, biometrics, etc, but Bob could still get Sue on the phone and ask "what files would you like?"
    - Obviously I'm not making myself clear. It's not a "social" problem at all and it has nothing to do with people. It's simply impossible to prevent one object / process / artificial intelligence from transferring its rights to anything it wants to. There's a well-known result that trust is transitive because you can never stop something from acting as a proxy to a third party. You can't detect it either, unless the third party acts in ways distinctly unlike the trusted user. Passwords are in no way special, they're simply human-readable capabilities.
    - This is correct. The social problem is not separable, it is an inherent part of it.--dm
    - An observation which is true for security analysis in general. Of course, a good chunk of the solution to the SecurityProblem? is social as well. Requiring users to change passwords frequently serves as a crude form of CapabilityRevokation?--anyone that I've loaned my password to no longer has it once I change it, unless I give 'em the new one. Many companies have strict policies against giving out passwords, including making it a firing offense. The law provides penalties for those who break and enter into computer systems. Et cetera.--sj
  - DRM is a completely separate question that has nothing to do with transitivity. DRM is predicated on protecting content from an untrusted user to whom you must give complete access to the content. This is obviously a self-contradiction. DRM is idiotic and ludicrous.
    - [That's because the people pushing DRM are idiots (RIAA, Disney, etc).]
    - They're not idiots; they're greedy bastards. While management of said organizations may look and act stupid in public, they've got numerous intelligent computer scientists (and more than a few congresspersons) working for them. While file trading will never be eliminated; they have--in the space of a few short years--managed to drive it well underground. They've gotten the DMCA passed. And--the amazing thing is--this is depite the fact that DRM has little to do with piracy prevention. Professional pirates simply copy disks at the physical layer, DRM schemes included. DRM seems mostly intended to limit the rights of legitimate consumers, so that the cash register will ring more often. Imagine if Ford told you that you could only put gass from Texaco in your shiny new Mustang... At any rate, this has little to do with security as such.
      - Worse: Every legitimate user now is paying extra money for and more more sophisticated machines (with more computing power) that are required for these ineffective DRM schemes to work. It would probably be much better use for these computing cycles to e.g. go into better de/compression algorithms. -- hp
Even if we accept that there is a "minimal" set of requirements which all systems ought to uphold, there are many applications which demand a greater set of requirements; due to more severe consequences of the system being compromised.

CategorySecurity