item 43972246

ngneer | 9 months ago

I agree with the sentiment and analysis that most humans prefer short term gains over long term ones. One correction to your example, though. Dynamic bounds checking does not solve security. And we do not know of a way to solve security. So, the gains are not as crisp as you are making them seem.

bluGill | 9 months ago

Bounds checking solves one tiny subset of security. There are hundreds of other subsets that we know how to solve. However, these days the majority of the bad attacks are social and no technology is likely to solve them - as more than 10,000 years of history of the same attack has shown. Technology makes the attacks worse because they now scale, but social attacks have been happening for longer than recorded history (well, there is every reason to believe that - there is unlikely to be evidence going back that far).

titzer | 9 months ago

> However these days the majority of the bad attacks are social

You're going to have to cite a source for that.

Bounds checking is one mechanism that addresses memory safety vulnerabilities. According to MSFT and CISA[1], nearly 70% of CVEs are due to memory safety problems.

You're saying that we shouldn't solve one (very large) part of the (very large) problem because there are other parts of the problem that the solution wouldn't address?

[1] https://www.cisa.gov/news-events/news/urgent-need-memory-saf...
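What "bounds checking addresses memory safety vulnerabilities" looks like in code, as an added example that is not part of this thread or of any project it mentions: the unchecked array write shown beside a range-checked accessor, and a parser for a constructed length-prefixed record format that validates the declared length against both the bytes actually present and the destination capacity before copying. The `bounded_buf` type, the function names, the status codes and the wire format are all assumptions made for this illustration; the sample packets are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 16

/* Buffer that carries its own capacity so every access can be range-checked. */
typedef struct {
    uint8_t data[BUF_CAP];
    size_t  cap;    /* bytes available in data[] */
    size_t  used;   /* bytes currently valid */
} bounded_buf;

enum { BB_OK = 0, BB_OUT_OF_RANGE = 1, BB_OVERFLOW = 2 };

static void bb_init(bounded_buf *b)
{
    memset(b->data, 0, sizeof b->data);
    b->cap = BUF_CAP;
    b->used = 0;
}

/* Vulnerable shape: an index from an untrusted source goes straight into the
 * array. With idx >= BUF_CAP this writes past the buffer (undefined behaviour).
 * Shown only for contrast; it is never called with an out-of-range index here. */
static void unchecked_store(uint8_t *data, size_t idx, uint8_t v)
{
    data[idx] = v;
}

/* Checked store: the same operation behind a bounds check. An out-of-range
 * index is reported to the caller instead of corrupting adjacent memory. */
static int bb_store(bounded_buf *b, size_t idx, uint8_t v)
{
    if (idx >= b->cap)
        return BB_OUT_OF_RANGE;
    b->data[idx] = v;
    if (idx + 1 > b->used)
        b->used = idx + 1;
    return BB_OK;
}

/* Parse one record of a constructed wire format: a 1-byte length followed by
 * that many payload bytes. Both the declared length and the bytes actually
 * present are validated before anything is copied. */
static int parse_record(const uint8_t *pkt, size_t pkt_len, bounded_buf *out)
{
    if (pkt_len < 1)
        return BB_OVERFLOW;               /* no length byte at all */
    size_t n = pkt[0];
    if (n > pkt_len - 1)
        return BB_OVERFLOW;               /* declared length exceeds packet */
    if (n > out->cap)
        return BB_OVERFLOW;               /* declared length exceeds buffer */
    memcpy(out->data, pkt + 1, n);
    out->used = n;
    return BB_OK;
}

/* Constructed sample packets (hypothetical input, not captured traffic). */
static const uint8_t pkt_good[]      = { 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t pkt_oversized[] = { 0x14, 'A','A','A','A','A','A','A','A','A','A',
                                               'A','A','A','A','A','A','A','A','A','A' }; /* 20 > cap */
static const uint8_t pkt_truncated[] = { 0x05, 'a', 'b' };          /* claims 5, has 2 */

/* Feed the three samples through the checked parser; returns how many were rejected. */
static int demo_rejected_count(void)
{
    bounded_buf b;
    int rejected = 0;
    bb_init(&b);
    if (parse_record(pkt_good, sizeof pkt_good, &b) != BB_OK) rejected++;
    if (parse_record(pkt_oversized, sizeof pkt_oversized, &b) != BB_OK) rejected++;
    if (parse_record(pkt_truncated, sizeof pkt_truncated, &b) != BB_OK) rejected++;
    return rejected;
}

int main(void)
{
    bounded_buf b;
    bb_init(&b);
    unchecked_store(b.data, 0, 1);                        /* in range, harmless */
    printf("store idx 15: %d\n", bb_store(&b, 15, 1));    /* 0 = BB_OK */
    printf("store idx 16: %d\n", bb_store(&b, 16, 1));    /* 1 = BB_OUT_OF_RANGE */
    printf("rejected records: %d of 3\n", demo_rejected_count());
    return 0;
}
```

The point the comparison makes is the one the thread is arguing over: a dynamic bounds check, whether written by hand as here or inserted by a compiler, runtime or memory-safe language, turns a silent out-of-bounds write into a failure the program can observe and handle. It says nothing about logic bugs or social engineering, which is why it narrows one class of vulnerability rather than "solving security".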

HappMacDonald | 9 months ago

You don't have to "solve" security in order to improve security hygiene by a factor of X, and thus risk of negative consequences by that same factor of X.

ngneer | 9 months ago

I am not suggesting we refuse to close one window because another window is open. That would be silly. Of course we should close the window. Just pointing out that the "950X" example figure cited fails to account for the full cost (or overestimates the benefit).

fsflover | 9 months ago

> And we do not know of a way to solve security.

Security through compartmentalization approach actually works. Compare the number of CVEs of your favorite OS with those for Qubes OS: https://www.qubes-os.org/security/qsb/

ngneer | 9 months ago

Playing devil's advocate, compare their popularity. You may have fallen prey to the base rate fallacy.