
Computer security is broken, but things are starting to improve - RachelF
http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security
======
EthanHeilman
Software defense techniques are getting more sophisticated and capable but
software is getting far more complex compromising many of these defensive
techniques. For instance, JITs provide vital performance increases but
memory pages which are marked as execute and write, which degrades the
effectiveness of many memory corruption protections.

What we have achieved is that if you are willing to keep things simple and
give up much of the modern world (e.g. JITs) you can build far more secure
software than what was possible in the past. What we have done is extend the
realm of the possible in both the direction of security and vulnerability
(e.g. before TrustZone it wasn't possible to leverage TrustZone to exploit a
kernel).

~~~
oconnor663
Is it fair to say that JITs are usually restricted to memory-safe languages,
which don't rely so much on machine-level defenses? I guess you're losing
something if you load a C library into your Java program, because exploits in
the C library can do more damage now. But at the same time, having the
majority of your code in Java is probably a win for security?

~~~
EthanHeilman
The idea is to leverage heap spraying[0] in the pages to write shell code
which can then be triggered from another vulnerability in the program. This
shell code could live in some string in a chunk of javascript. Thus, this
technique does not need to violate the memory safety of the JITTed code. This
can be partially mitigated using constant blinding[1] but it isn't perfect.

[0]:
[https://en.wikipedia.org/wiki/Heap_spraying](https://en.wikipedia.org/wiki/Heap_spraying)
[1]: [https://www.internetsociety.org/doc/dachshund-digging-and-securing-non-blinded-constants-jit-code](https://www.internetsociety.org/doc/dachshund-digging-and-securing-non-blinded-constants-jit-code)

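The JIT-spraying mechanism and the constant-blinding mitigation that EthanHeilman describes, as an added example that is not part of the thread or of the Dachshund paper. The x86 encodings used (`mov eax, imm32` = `B8 imm32`, `xor eax, imm32` = `35 imm32`, `cmp al, imm8` = `3C imm8`) are real; the six-byte payload, the blinding key `DEMO_KEY`, the emitters and the helper names are constructed stand-ins for what a real JIT and a real attacker would produce. The program only builds and inspects byte strings; it never executes them.

```c
/* JIT spraying vs. constant blinding on x86, modelled on bytes only.
 * Added example; the payload, key and emitters are constructed stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in payload: nop; nop; nop; xor eax,eax; int3 */
static const uint8_t PAYLOAD[] = { 0x90, 0x90, 0x90, 0x31, 0xC0, 0xCC };
/* Stand-in for the per-site random key a blinding JIT would draw. */
static const uint32_t DEMO_KEY = 0x1F2E3D4Cu;

/* Attacker side: pack 3 payload bytes per constant and make the 4th byte 0x3C
 * (`cmp al, imm8`), which swallows the following `xor` opcode byte (0x35) when
 * execution enters the stream one byte in.  Returns the number of constants. */
size_t pack_payload(const uint8_t *p, size_t n, uint32_t *consts) {
    size_t k = 0;
    for (size_t i = 0; i < n; i += 3) {
        uint8_t b[3] = { 0x90, 0x90, 0x90 };            /* pad a short chunk with nops */
        memcpy(b, p + i, (n - i < 3) ? n - i : 3);
        consts[k++] = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | 0x3Cu << 24;
    }
    return k;
}

/* Naive JIT: eax = c0 ^ c1 ^ ... becomes  mov eax,c0 ; xor eax,c1 ; ...
 * Every attacker-chosen byte lands verbatim in executable memory. */
size_t emit_naive(const uint32_t *c, size_t n, uint8_t *out) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        out[len++] = (i == 0) ? 0xB8 : 0x35;
        memcpy(out + len, &c[i], 4); len += 4;           /* little-endian imm32 */
    }
    return len;
}

/* Blinding JIT: embed c_i ^ key and add `xor eax, key` to undo it at run time.
 * Same value in eax, but no untrusted 32-bit constant is ever stored raw. */
size_t emit_blinded(const uint32_t *c, size_t n, uint32_t key, uint8_t *out) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t masked = c[i] ^ key;
        out[len++] = (i == 0) ? 0xB8 : 0x35;
        memcpy(out + len, &masked, 4); len += 4;
        out[len++] = 0x35;                                /* xor eax, key */
        memcpy(out + len, &key, 4); len += 4;
    }
    return len;
}

/* Minimal evaluator for the two opcodes we emit: what eax holds when the stream
 * is entered at its intended start.  Returns 0xFFFFFFFF on anything else. */
uint32_t run_eax(const uint8_t *code, size_t len) {
    uint32_t eax = 0, imm;
    for (size_t pc = 0; pc < len; pc += 5) {
        if (pc + 5 > len) return 0xFFFFFFFFu;
        memcpy(&imm, code + pc + 1, 4);
        if (code[pc] == 0xB8) eax = imm;
        else if (code[pc] == 0x35) eax ^= imm;
        else return 0xFFFFFFFFu;
    }
    return eax;
}

/* Does `pat` occur contiguously in `buf`?  This is the heap-spray question:
 * if a hijacked control flow lands in this page, is the payload there to run? */
bool contains(const uint8_t *buf, size_t blen, const uint8_t *pat, size_t plen) {
    if (plen > blen) return false;
    for (size_t i = 0; i + plen <= blen; i++)
        if (memcmp(buf + i, pat, plen) == 0) return true;
    return false;
}

/* Build the demo stream with one emitter or the other on the same constants. */
static size_t build(bool blinded, uint8_t *out) {
    uint32_t consts[8];
    size_t n = pack_payload(PAYLOAD, sizeof PAYLOAD, consts);
    return blinded ? emit_blinded(consts, n, DEMO_KEY, out) : emit_naive(consts, n, out);
}
uint32_t eval_stream(bool blinded) {             /* value the JITted code computes */
    uint8_t code[128];
    return run_eax(code, build(blinded, code));
}
bool payload_visible(bool blinded) {             /* any 3-byte payload chunk present raw? */
    uint8_t code[128];
    size_t len = build(blinded, code);
    for (size_t i = 0; i < sizeof PAYLOAD; i += 3)
        if (contains(code, len, PAYLOAD + i, 3)) return true;
    return false;
}

int main(void) {
    uint8_t code[128];
    for (int b = 0; b < 2; b++) {
        size_t len = build(b != 0, code);
        printf("%-8s eax=%08x payload_visible=%d bytes:", b ? "blinded" : "naive",
               (unsigned)eval_stream(b != 0), (int)payload_visible(b != 0));
        for (size_t i = 0; i < len; i++) printf(" %02x", code[i]);
        printf("\n");
    }
    return 0;
}
```

Both streams leave `0x005C50A1` in eax, so the blinding is invisible to the JavaScript program; the difference is that in the naive stream the bytes at offset 1 read `90 90 90 3C 35 31 C0 CC ...`, i.e. the attacker's instructions with each `xor` opcode neutralised as a `cmp al, 0x35`, while the blinded stream contains no payload chunk at all. Blinding does not help against constants that are not immediates (stack spills, inline caches, data the JIT copies next to code), which is the sense in which it "isn't perfect".
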
------
1ba9115454
To get a feel for the current state of computer security I recommend spending
a few days looking at the articles on
[https://www.reddit.com/r/netsec/](https://www.reddit.com/r/netsec/)

Here you'll find the latest in information security.

For example, here are just the top entries at the moment.

 _How I found a command injection vulnerability in my TV set while in bed (and
how I exploited it using nc)_

 _PS4 4.0x WebKit Exploit Writeup (github.com)_

 _How to find 56 potential vulnerabilities in FreeBSD code in one evening_

 _Detecting and recovering from brute-forced RDP attacks (xednaps.com)_

 _CVE-2017-2416 Remote code execution triggered by malformed GIF in ImageIO
framework (blog.flanker017.me)_

It's a fascinating field and the number of exploits appearing every day is
truly scary.

~~~
tyingq
That does sort of invalidate the "things are starting to get better" part of
the title.

It must be difficult to get better because new software comes out all the
time, and old software stays around. So the attack surface grows. IoT really
pushes that model hard. I know the firmware in my TV hasn't changed since I
bought it, but the newer model of the same TV has different firmware.

~~~
cvwright
I'd argue that these are lagging indicators. The code that's deployed and
being exploited now was written years ago, using languages and tools developed
decades ago.

If you read to the end of the article, it discusses recent DARPA projects that
are addressing the tools and languages component. And most of this stuff is
still in heavy development. Even assuming that we get it sorted out soon, it
will still be years and years before most deployed software is built on these
improved foundations.

So yes, things are _starting_ to get better. But it will take a long time
before we see the results.

~~~
tyingq
Perhaps. Those tools, though, don't fix issues like default admin passwords,
admin interfaces that listen on 0.0.0.0, and so forth.

It's a fairly big jump for me to see the low end vendors adopting high end
techniques when they don't even use ancient best practice.

------
Mendenhall
When everything on the net is siphoned up by governments there is no such
thing as computer security.

My how things have not changed since 1999.

[http://news.bbc.co.uk/2/hi/503224.stm](http://news.bbc.co.uk/2/hi/503224.stm)

------
Timothycquinn
Until we build in security mitigation into the kernel and standard libraries
of our operating systems, we will always have failure modes where minor errors
in code can result in critical vulnerabilities and privilege escalation. I
love what OpenBSD is doing with pledges[0] and hope to see this gain traction
in other operating systems. Here is a good overview of Pledge[1] by Theo de
Raadt. Unfortunately for the Linux ecosystem, the kernel does not include any
standard libs for developers, so this type of security mitigation will take a
long time to arrive. But for Unix based operating systems we should expect
this much sooner.

[0]: [http://man.openbsd.org/pledge](http://man.openbsd.org/pledge)
[1]: [https://www.youtube.com/watch?v=F_7S1eqKsFk](https://www.youtube.com/watch?v=F_7S1eqKsFk)

------
devoply
Considering the state of commercial operating systems in terms of respecting
the rights of users and their privacy, both of which are security issues, our
computer security is for the most part compromised and will be for the
foreseeable future.

------
najajomo
Do you figure computer security has been deliberately broken by the various
security services to protect us from the terrorists or to more easily spy on
their own citizens?

------
0xCMP
In a way this is true. These days more and more sites are SSL thanks to Let's
Encrypt.

~~~
pixl97
SSL is only one type of security, and not a large one at that. It mostly only
protects data that is in flight between SSL libraries on each end of the
connection. Of course those SSL terminators become the target of attacks, and
so far a big one comes out every once in a while. OpenSSL, for example,
is generally considered a large piece of crap.

That said I do agree that pushes, especially from Google, have made HTTPS much
more secure lately.

------
bshimmin
I found a certain irony in the title of this piece given that when I first
opened the article, I was greeted with, "You've reached your article limit.
Register to read up to three articles each week or subscribe now for just
€20", and then I switched to incognito mode and defeated their security.

(I'm actually an Economist subscriber, I just wasn't logged in.)

~~~
FabHK
I tend to disable JavaScript when reading on economist.com, just less
annoying.

~~~
__roland__
It's strange that their website is so bad (lots and lots of ads, basically
unusable without an ad-blocker) while their apps (in particular, Espresso) are
a joy to use.

