Hacker News
by M4v3R 4701 days ago
These attacks are getting more and more creative. I begin to think that there is no such thing as perfect security in a world that constantly demands new features.
3 comments

Don't think about security that way; that kind of logic is misleading. Security is measured in dollars, in the sense of cost imposed on attackers.

You're right that there's a constant tension between features and security.

Right. To be more precise, security is a set of costs on web developers, web viewers, and attackers. There is no obviously correct way to balance all three, once you start seeing feasible removed/missing features that would be genuinely useful tallied as costs.
Google "Users want and demand a rich computing experience." Back in the 90's a Microsoft person made that claim on comp.risks. It kind of became a joke to call every new attack a "rich computing experience."
There is no such thing as perfect security.
Sure there is. An application/computer doesn't have to be insecure to work. It's just very hard to make no mistakes in complex machines and software.
You can always turn the device off.

It really is a matter of features and how they're implemented.

Good luck picking a byte that can exploit a 7400.

If we're only talking about exploiting a device across a network, sure, turn it off or disconnect it from the network. But there's more to security than that.

One can always take the device and turn it on for oneself.

If one can't exploit the device, one can resort to rubber-hose cryptanalysis.

We are only talking about exploiting a device across a network.
Then bridge the gap by infecting pendrives. That's how e.g. Stuxnet worked.
I don't understand what you're replying to. Physical access is a great way to bypass network security, but it has nothing to do with websites.