No matter how tight the security is, someone always finds a loop-hole to breach into systems. It's always a malware attack demanding ransom. Are the security systems that weak?
>Are the security systems that weak?<p>YES, by design.<p>Unix is modeled on trusting the user, and thus trusts anything the user runs. There is no mechanism for a Unix user to specify (easily) to run X with files Y and Z. Everything is a variation of this security model, Linux, Windows, MacOS<p>There are systems that trust nothing except the kernel. There are kernels that are mathematically proven to meet their specifications. There are operating systems being built on top of these "microkernels". With these systems, you'll be able to run <i>anything</i> with files Y and Z, and be reliably certain that no other files or resources will be affected. This model is called capability based security.<p>Smartphones have a very crude (almost unusable) version of this when you tell an "app" that it can access your phone, or contacts, etc. This is <i>not</i> what a fine grained capability system is like, and in fact is the worst possible example. {Sometimes I suspect the NSA put this into use to discourage threads that might lead to actually secure computing for the masses}<p>The closest we came to a reasonably secure computer for the masses was an IBM PC/XT with dual floppy drives running MS-DOS. The hardware enforced write protects on diskettes, so it was possible to have the same crude, but useable capability system in terms of access to diskette worth of data, read or read/write at your discretion.<p>It saddens me greatly to think that 1984 might have been the high water mark of secure general purpose computing, but so far it is.
Data diodes are connections between networks that allow passing of data in a single direction. There is no physical return channel for flow of data in the opposite direction. Usually, they come with a pair of servers that have a specialized protocol that allows continuously streaming data across the link so that users can have what appears to be a normal FTP/WEB/File server fed with information from the other side, with all the normal protocols.<p>Data diodes can be made for $200 or less. Commercial grade products are much more expensive.<p>Appropriate users would include allowing monitoring (but not control) of industrial processes.<p>The Office of Personnel Management should, in my opinion, have had a data diode allowing forms INBOUND only to their servers, which would have prevented a major breech.<p><a href="https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach" rel="nofollow">https://en.wikipedia.org/wiki/Office_of_Personnel_Management...</a>