Hacker News new | ask | show | jobs
by jshawl 2015 days ago
To be fair you have the burden of proof by asserting "computers connected to the internet can not be secured."
2 comments
nobody9999 2015 days ago
>To be fair you have the burden of proof by asserting "computers connected to the internet can not be secured."

How so?

In fact, competent InfoSec folks will tell you that you should assume that "if you connect a device to the Internet, eventually it will be compromised."

That's not to say a device will be compromised, but making such an assumption, given the history of Internet connected devices is an eminently reasonable one.

I've yet to see any formal proof that computers connected to the Internet can be secured.

If you have, please link a reference. I'd love to see it.

link
kfrzcode 2015 days ago
Extraordinary claims require extraordinary evidence.

But even ordinary claims require ordinary evidence.

The burden of proof is on the claimant, not the defendant. I believe that's the point parent was addressing.

link
nobody9999 2015 days ago
>The burden of proof is on the claimant, not the defendant. I believe that's the point parent was addressing.

Absolutely. I was pointing out that in this specific case (whether or not devices connected to the internet can be secured), the converse is also true.

link
rapjr9 2015 days ago
It's an open problem in science to prove security of a network connected computer. It's well known.
link
alanbernstein 2015 days ago
Really? What's that problem called? As you stated it, it seems too vague to be considered "open" or "closed".
link
rapjr9 2015 days ago
Provable Security:

https://en.wikipedia.org/wiki/Provable_security

If you read that article you'll see that current approaches don't even attempt some kinds of proofs such as proof of security against side channel attacks. It goes by other names as well such as proof of code correctness:

https://www.schneier.com/blog/archives/2009/10/proving_a_com...

A major problem with current attempts at proofs is you can at best create a proof based on a system specification and what you want it to be secure against, which basically means you have to already know all possible attacks including zero day attacks. So far the field has resulted in nothing practically useful as far as I know. Homomorphic encryption might be close to being practical for a limited set of problems and could be provably secure for a limited set of attacks, though I don't know if anyone has attempted such a proof yet.

link
alanbernstein 2014 days ago
Thanks. That sounds about as fruitful as I would have guessed.
link