I sort of feel that whoever made this site should have read an article somewhere entitled The Six Dumbest Ideas in Web Design.
Also, amusing quip 'if "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer by now.' although I guess the real case would be the less pithy if "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer 6 by now.'
also if Penetrate and Patch could be replaced by someone just writing a browser that was not hackable because it was not supposed to be hackable which browser is that?
I mean I understand that a system hardened by trial and error is not as enticing as a system made hard from the start, without holes, but I guess there is very few of these to be found and probably what is best is a system that has been tried to be made as hard as the programmers could from the beginning and then tested for holes after that.
I mean listing penetrate and patch as a dumb idea sounds like one of those jokes - The only thing stupider than using Penetrate and Patch to fix security holes is not using it at all. Probably I exaggerate there but (given the number of companies that don't even do that) I don't think I exaggerate by much.
On Edit: I mean I sure use the phrase I mean a lot. Sorry about that, have some long running conflicts at work that are boiling over right now. Probably shouldn't comment on articles, but I do it to take my mind off things.
Chrome was designed to be harder to exploit by having a content sandbox from day 1, so that even if you exploited a bug in chrome, you'd have to exploit another bug to get out of the sandbox. It also came with auto updates you couldn't disable so that you couldn't just hack people when they fell behind.
That was close to a decade ago.
This hasn't stopped nation states who are perfectly ok rolling out windows kernel exploits, but we dont really see chrome exploits in typical exploit kits, so that seems like a win for most users.
I hope Rust/Servo become our next leap forward. If they manage to make it productive enough that browser devs accept Rust we'll be in a really good place.
The author states that learning how to compromise a system is wasteful and stupid. On the level of learning to use a particular exploit that's hot this week, that's true. Learning how a class of exploits takes advantage of a class of security bugs is a good way to spot where those bugs are in your code and to evaluate how well you're avoiding them.
This point sounds like it wasn't thought out very well:
"In fact, if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved the following problems:"
Well, yes. If you're like your mum, dad or granparents and barely install new software at all it could work fine.
Not so much if you're a web developer that regularly installs new software to make your dev environment easier to use or you like playing computer games (even less those available through digital services/on sale/made by amateurs or fans).
Cause in cases like those, I can see any 'good apps' list rivalling the virus ones in the anti virus programs he mentions.
> Not so much if you're a web developer that regularly installs new software to make your dev environment easier to use
If you are a web developer you can run all untrustworthy tools in containers/virtual machines that doesn't have access to your system, it would be an implementation of these principle.
Not all developer tools can be run that way, but pretty much of them can.
Yeah, that's key. If the ideas were implemented, and then didn't work, we could say that "it's a dumb idea" (because it didn't work). Except, things are pretty much the same, or even worse if one considers his point on perception of hacking: "hacker culture" has become even "cooler", and strangely synonymous with "freedom".
That's because this synonymousity (is that a word?) was co-opted from a different definition of "hacker" (i.e. in the "Jargon File" sense of "someone who demonstrates creative ingenuity"); in that sense, having the freedom to tinker with things is strongly desirable to someone possessing the "hacker ethic".
'Tis one of the side-effects of the term "hacker" having multiple meanings, for better or (in my opinion) worse.
It's often a lot less resource intensive to enumerate and filter out the first hundred thousand kinds of badness you encounter on a daily basis leaving you with a smaller pool of stuff that requires more than a cursory check. There's no need do more than a simple analysis on plain text emails, without attachments where all senders/recipients are in the organization.
You actually need to do the whole penetrate and patch thing as a part of your entire security system. It can't be relied upon to tell you everything but not doing it at all is similarly dumb.
Also, amusing quip 'if "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer by now.' although I guess the real case would be the less pithy if "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer 6 by now.'
also if Penetrate and Patch could be replaced by someone just writing a browser that was not hackable because it was not supposed to be hackable which browser is that?
I mean I understand that a system hardened by trial and error is not as enticing as a system made hard from the start, without holes, but I guess there is very few of these to be found and probably what is best is a system that has been tried to be made as hard as the programmers could from the beginning and then tested for holes after that.
I mean listing penetrate and patch as a dumb idea sounds like one of those jokes - The only thing stupider than using Penetrate and Patch to fix security holes is not using it at all. Probably I exaggerate there but (given the number of companies that don't even do that) I don't think I exaggerate by much.
On Edit: I mean I sure use the phrase I mean a lot. Sorry about that, have some long running conflicts at work that are boiling over right now. Probably shouldn't comment on articles, but I do it to take my mind off things.