by jchw 218 days ago
> Do you really believe that? That seems extremely implausible based on just simple observations like all governments using COTS OS for military/intelligence work or standard OS:es being used for critical infrastructure like power/water/finance/transportation.

I do, but have a slightly different take: even though COTS software is pretty much universally full of bugs that will be exploitable and could be found, it is still possible to compose layers of security that complement each other in such a way that a compromise in any one layer wouldn't mean game over. Done very carefully, I think you can make a stack vastly more secure than the sum of its parts. Moreover, it's very possible to make exploiting the software both more annoying and easier to detect, which would dissuade attempting to use exploits.

> If your statement was even remotely true then why is this not used in conflicts to devastating effect?

I think the costs, risks and incentives need to line up properly to actually see things play out. Even though software exploits in COTS software are relatively cheap by government money standards, they do still take time and money. Not to mention the actual software exploit part may not even be the most expensive or complicated part of an operation, especially if you desperately need to evade detection for a long time, and especially if your adversary is going to have sufficient auditing to know something is wrong early.

Stuxnet is old, but surely one of the most fascinating uses of malware in geopolitics. But wow, the amount of work involved and knowledge needed to make something like that happen makes the exploit part feel rather small.

Formally verified software seems to have a lot of promise, then, to make deep exploits even more convoluted, expensive and rare. Surely there will still be bugs, but it leaves a lot less room for error, and very well could shift the calculus on security threats a bit.


Knowledge that humans plug shit into computers without knowing what it is?

Stuxnet targeted the specific PLCs used at Iranian nuclear facilities, and had to be able to function in an air-gapped environment. I reckon the logistics were far and away more complicated than finding Windows exploits, especially at that time.

It's probably more impressive than that. Probably targeted a range of potential PLCs.

But what does all this have to do with the ongoing conversations about pwning Windows-based networks inside major consumer utility assets?

I responded to this thread of thought:

> Any government can get RCE on any OS with the change in their couch.

Mainly to agree with it. I believe it is still likely true.

Any resemblance to other discussion further up or down is unintentional.