[langsec-discuss] Will we ever "solve" security, or prove that we can't?
bascule at gmail.com
Thu Jan 19 03:27:43 UTC 2017
On Wed, Jan 18, 2017 at 2:12 PM, Taylor Hornby <taylor at defuse.ca> wrote:
> Less ambitiously, we can ask if complexity theory has anything to say
> about simpler aspects of life. One of them is the attacker-defender arms
> race in computer security. [...] Most of us are optimistic for
> "silver bullet" discoveries that make doing computer security a LOT
> easier [...] I'm curious if part (1) of my thesis really is accurate.
I doubt it, and I say this as a more-than-decade-long fan of "perfect
defense". I don't think perfect defense is possible. I think the reality is
there's a lot of low-hanging fruit that can be addressed by better methods,
but to put it in Ghost in the Shell terms, attack surface is "vast and
infinite", and attacks only get better.

I don't see the cat and mouse game going away any time soon, but perhaps
we'll get better at achieving "punctuated equilibrium" where defenders are
able to reach some sort of brief reprieve in certain classes of attacks and
provide extremely strong defenses as a sort of local maximum. That is,
until some paradigm-changing attack comes crashing down, and forces
everyone to rethink their entire approach to security.