Most processors that do speculative execution are vulnerable to Spectre-style exploitation, and this can’t be fully mitigated with firmware updates, only with hardware redesigns.
If you pay any attention to cybersecurity news, you learn that basically everything is vulnerable in some way, and that a fair amount of the vulnerabilities are part of larger systems beyond your control that we’re stuck with for various legacy and dependency reasons. The vulnerabilities are never going away. Every new addition to computer network technology brings new vulnerabilities with it. This is inevitable. It is a consequence of developing open systems like IP, where any idiot can buy a box of some type with a network interface and plug it into the big’ol rat’s nest and get a connection. Open means exposed.
I think it’s possible that no Turing machine can actually ever be completely secure, because by definition there is always a way to put the machine in any state, including the state where all the doors are unlocked.
So, why bother with security?
Because you want to close as many of those doors as often as possible. Because knowing that there is always an opening somewhere, your goal is to reduce the odds that it will be found and used by someone else.
Risk assessment is how you move forward. Risk assessment is how you limit the scope, so that you put your best effort where it’s most effective. Know the field, know the threats, know what network(s) you’re connected to and how and where. Know where your important data is. Protect the pieces of your digital life that present the greatest risk. Diversify and segregate systems, data storage and connections based on risk.
You know that a lock can be picked by someone with the right tools and skills. You probably still lock your front door when you leave.
It’s not about 100% prevention, it’s about limiting your risk, and taking risks where they’re worthwhile and avoiding them where they’re not.
DRAM is still susceptible to RowHammer because it’s a physics problem.
There are many methods of fingerprinting a system connected to the internet, it’s very difficult to prevent it.
Most processors that do speculative execution are vulnerable to Spectre-style exploitation, and this can’t be fully mitigated with firmware updates, only with hardware redesigns.
If you pay any attention to cybersecurity news, you learn that basically everything is vulnerable in some way, and that a fair amount of the vulnerabilities are part of larger systems beyond your control that we’re stuck with for various legacy and dependency reasons. The vulnerabilities are never going away. Every new addition to computer network technology brings new vulnerabilities with it. This is inevitable. It is a consequence of developing open systems like IP, where any idiot can buy a box of some type with a network interface and plug it into the big’ol rat’s nest and get a connection. Open means exposed.
I think it’s possible that no Turing machine can actually ever be completely secure, because by definition there is always a way to put the machine in any state, including the state where all the doors are unlocked.
So, why bother with security?
Because you want to close as many of those doors as often as possible. Because knowing that there is always an opening somewhere, your goal is to reduce the odds that it will be found and used by someone else.
Risk assessment is how you move forward. Risk assessment is how you limit the scope, so that you put your best effort where it’s most effective. Know the field, know the threats, know what network(s) you’re connected to and how and where. Know where your important data is. Protect the pieces of your digital life that present the greatest risk. Diversify and segregate systems, data storage and connections based on risk.
You know that a lock can be picked by someone with the right tools and skills. You probably still lock your front door when you leave.
It’s not about 100% prevention, it’s about limiting your risk, and taking risks where they’re worthwhile and avoiding them where they’re not.
Very well-written and informed response, thank you.