Security is largely a quality problem, and quality is something you do not something you buy; this is why. For some reason I've latched onto baseball as my analogy for this.<p>A high-performing team has quality metrics, not only for the players but for the team. A high-performing individual outperforms a low-performing individual (a tautalogy for sure, definitional even). What qualities would you say the high-performing individual exhibits?<p>If you give both players high-quality or low-quality gear, what happens?<p>Can a baseball player who does a quality job of hitting home runs make better baseballs? Oh yeah: can they make better baseballs within the constraints under which baseballs are made? Why do those constraints exist?<p>The high-performing team is going to practice. They will wear out or destroy equipment in the process. Teammembers could potentially suffer career-ending injuries, during practice. During practice.<p>But when the real thing comes along, the practice is the deciding factor for performance individually and as a team.
Of course cybersecurity can be solved... the solution was worked out in the 1970s, and there are commercially available secure systems. The Operating Systems most of us use daily, on the other hand, do not support multi-level security, nor the Bell-LaPadula model.<p>If we did use such systems, the user interface would be almost identical, but our applications would only be able to open the files we fed them, and not everything, by default. The world would be a much more secure place, but that would have made the NSA's job a lot harder, so such systems aren't talked about much.
Having done this for a long time, I agree even more at the practical level - holding perfect Turing security to the side.<p>My priorities now are:<p>- Don’t use computers if you don’t have to<p>- if you do, keep complexity at an extreme minimum<p>- also minimize who needs to access it<p>- minimize data collection where possible for strictly the task you need it for<p>- Keep data mostly at rest and with as few stops when it does have to move<p>- End-to-end is your friend<p>- Where possible make everything transparent<p>- State machines for all the things
Perpetual cat and mouse game. I would venture to guess we are in a 'hackers winning' cycle right now. In a couple years itll cycle back to us winning.<p>Imagine a hospital. There will ALWAYS be people looking to break in to find out some specific information. "What did the doctors do that resulted in the death of my loved one?"<p>This is APT you can never stop regardless of budget. they can build any 0day, go to any extent, build completely custom undetectable tools that will never be stoppable.