bashing your head against nation-state social engineering
Lodewijk andré de la porte
l at odewijk.nl
Sat Sep 27 09:49:25 PDT 2014
Know what you code, and what you run. Don't be fooled by words and shapes;
code does what code does, that is all.
We seriously need a way to detach code from mental models to expose hidden
features. Basically, all computer law is rubbish because everything you run
on your computer, exploits and all, is something you run by choice. But
there's no way you could validate the sheer bulk of code. If you want to
really solve security flaws it'll involve somehow validating the
possibilities of the code run.
It's a discipline that touches on visualization, automated testing and
simplification. Simplification meaning, reducing possible states and
"execution paths". And just making code easier to comprehend.
The problem is that there's either no market for "truly secure" computing,
or there's just nobody filling the gap. Banks with their COBOL are laughed
at, mostly, and accused of lacking innovation. They do lack innovation in
the technical field. And COBOL is definitely not an ideal language. But
"truly secure" is worth a lot to them. L4 validated is a step in the right
direction, but catches a lot of wind saying it's still imperfect and
I'm utterly bored by code review. Maybe it'd be better if there were some
nicer tools to help out. I'm really sure someone has great recommendations
regarding this. (That don't even require COBOL :)