top | item 46606885

umvi | 1 month ago

> Well designed security models don't sell computers/operating systems, apparently.

Well more like it's hard to design software that is both secure-by-default and non-onerous to the end users (including devs). Every time I've tried to deploy non-trivial software systems to highly secure setups it's been a tedious nightmare. Nothing can talk to each other by default. Sometimes the filesystem is immutable and executables can't run by default. Every hole through every layer must be meticulously punched, miss one layer and things don't work and you have to trace calls through the stack, across sockets and networks, etc. to see where the holdup is. And that's not even including all the certificate/CA baggage that comes with deploying TLS-based systems.

alphazard | 1 month ago

> Every time I've tried to deploy non-trivial software systems to highly secure setups it's been a tedious nightmare.

I don't know exactly which "secure setups" you are talking about, but the false equivalency between security and complexity is mostly from security theater. If you start with insecure systems and then do extra things to make them secure, then that additional complexity interacts with the thing you are trying to do. That's how we got into the mess with SELinux, and intercepting syscalls, and firewalls, and all these other additional things that add complexity in order to claw back as much security as possible. It doesn't have to be that way and it's just an issue of knowing how.

If you start with security (meaning isolation) then passing resource capabilities in and out of the isolation boundary is no more complex than configuring the application to use the resources in the first place.

tyre | 1 month ago

Look at how people have responded to Rust. On the one hand, the learning curve for memory safety (with lifetimes and the borrow checker) can feel exhausting when moving from something like Ruby. But once you internalize the rules, you're generally cooking without it getting in your way and experiencing the benefits naturally.

Writing secure systems feels similar. If you're trying to backport something, as you said, it can be a pain in the ass. That includes an engineer's default behavior when building something new.

lucketone | 1 month ago

What's wrong with firewalls?

Or, how the alternative world looks where network security is more pleasant?

theshrike79 | 1 month ago

There's a reason why all security professionals I know use an iPhone.

To my knowledge there hasn't been a single case of an iOS application being able to read the data of another application - or OS files it wasn't explicitly given authorisation to do so.

It can be done, but for desktop it has never been a priority.

A bit like the earliest versions of Windows encountering The Internet for the first time. They were built with the assumption they'd be in a local network at best where clients could be trusted. Then The Internet happened and people plugged their computers directly into it.

fsflover | 1 month ago

> Well more like it's hard to design software that is both secure-by-default and non-onerous to the end users (including devs).

Doesn't Qubes OS count?