Submitted by Traditional AV vendors continue to lag behind online criminals when it comes to detecting and protecting against new and quickly evolving threats on the Internet, according to a report by Cyveillance. Testing shows that even the most popular AV signature-based solutions detect on average less than 19% of malware threats. That detection rate increases only to 61.7% after 30 days. Even after 30 days, many AV vendors cannot detect known attacks.
Why is there no permanent solution to the computer security crisis? The reason is that the security crisis is really identical to the software reliability crisis. Why is there no permanent solution to the software reliability crisis? Well, it’s because the boomer geeks have shot computing in the foot in the last century with their Turing machine cult and their algorithmic, Charles Babbage approach to computing.
There is a way to design and program a computer that will solve the problem once and for all but don’t ask computer scientists about it because they don’t have a clue. In fact, they created the crisis. The solution will require a reinvention of the computer as we know it. And we know this isn’t going to happen any time soon, at least, not while the boomer geeks who gave us this mess are still calling the shots in industry and academia. Yes, the same boomer generation who rode the crest of the computer revolution in the last half of the 20th century are the biggest impediment to progress in computing in this century. Their antiquated Babbage/Turing mentality is irrelevant to the realities of this century.
How to Construct 100% Bug-Free Software:
http://rebelscience.blogspot.com/2010/03/how-to-construct-100-bug-f…
How to Solve the Parallel Programming Crisis:
http://rebelscience.blogspot.com/2008/07/how-to-solve-parallel-prog…
Wow, it’s been quite some time since you last spammed the comment section. Nice to see you back!
If you don’t like my stuff, don’t read it. After all, nobody is twisting your arm, right?
You’re missing the point. The stuff you write in your blog posts is interesting. The way you promote said ideas leaves a lot to be desired.
The chap is right. There is a big difference between computing devices, platforms and languages which are designed to do one thing and one thing only with well defined inputs/outputs … and the general purpose, over-capable, low-disciple platforms we have now.
Has anybody rebutted his claim before? Should I try stabbing at it?
I mean, if anything, machine input take time to process, the meantime of which nothing is defined for the system. Hence, if any input appears halfway through the process, its handling is not understood by anybody. Thus, a system of parts as he had described is unimplementable, because the people who had tried it had failed. ALL of them. Including the people who tried Waterfall model like in Engineering, where complexity is so easy to chain up and still be manageable.
Lisp is the only system with the kind of black box abstraction pure enough to possibly implement any form of reliable computing, but it fails to be fast enough for real-time computing needs, so reliability itself may actually be irreconcilable with flexibility, both of which are really required for his COSA to even make a single step. Of course, I have no proof of that claim either.
I’d rather he deliver his promise than his speech. Talk is cheap.
Since I haven’t seen anyone who actually understands your idea try to point out why it’s a bad idea, I’ll give it a try:
Because software is complicated, and there is no way to simplify a system that complex (at least enough to really make a difference in overall industry reliability).
This is true. Quite often the software with security problems is the software that is buggy in general (e.g. Flash).
This is where I don’t think you understand. Your so called “non-algorithmic” software model really is algorithmic. It is also Turing-complete, and therefore, it is exactly the same as any other Turing machine. (You can emulate your design on a normal computer, and vice versa). So your model is really just the equivalent of another programming language.
It seems that you make two claims with your software model: it will make parallel programming easier, and it will increase software reliability.
The first point I believe may be true. Few programming languages have a good way to deal with parallel programming. The problem is sharing state. If you share too much state, it’s very hard to write a correct program, and you need lots of locking. If you share too little state, it becomes very hard to express a lot of algorithms. Right now, I’d say that functional programming (especially Haskell) is the best way to do this, but the main problem is that there is no really practical functional language (it needs to be fast and strict like OCaml, have a nice syntax and type system like Haskell, and allow precise control over how state creeps into the program like Disciple, but without Disciple’s crazy complex effect system). Your software model sounds like it could help in certain applications, but I doubt it would work as a general solution to the problem.
However, I highly doubt that your model would make software much more reliable. Bugs are always going to arise in any complex system. Most of it, again, comes from sharing state. The solution, again, is to share as little state as possible between different parts of the program. If you have ever tried Haskell, you will know what I mean. In Haskell, it’s very easy to write correct code. If your code compiles, it’s usually correct. I once spent four months writing a complex program in C++. It was so buggy and messed up, that I decided to rewrite it. I wrote a new version in Haskell in a few days, and I never found any bugs in it (although it was much slower). Of course, it is still possible to have bugs in any language. In your model, it looks like it would be really hard to keep track of how all the different components would interface together, and how to get the signal timing correct.
Lastly, if you are the same person who writes all those blog posts about crazy science, I highly question your mental health. That person rejects Newton’s first law and infinity simply because he doesn’t like them, and fails to realize that the universe doesn’t have to make sense and doesn’t act in a certain way just because you want it to. He constantly rejects any criticism or questions with the response that “you’re just a stupid academic and will never understand”, when I think he is really just not smart enough to understand the academics, and thus ignores everything they say, even when they are quite obviously correct.
Edited 2010-08-06 14:09 UTC
If you’re going to attack me personally, at least have so cojones and identify yourself. Everybody knows who I am. My name is Louis Savain. Are you the typical gutless and dishonest anonymous coward who kisses the collective ass of academia or do you have enough gonads to sign your real name to your stupid crap? Identify yourself, because I would hate to tear you a new orifice without knowing who you are.
Not sure why you feel threading is evil. Misusing it is evil perhaps. Not spec-ing out your software properly BEFORE you even CONSIDER developing is evil, perhaps.
Not sure how your idea would actually be preferable to current implementations. And as someone on your own blog mentioned, why don’t YOU try to implement your ideas. Find a hardware engineer who is willing to work with you and TRY your ideas — if they work amazingly well then you will have made your point[s].
…but it sure looks like the most efficient weapon against malware is applying best practices in your daily work.
Surely the most effective weapon against malware is to not use in your daily work the one system that the malware runs on.
Use another system and none of the extant malware will be able to touch it. A simple, perfectly effective and potentially very low cost solution.
Until your beloved platform also becomes a malware target…
Will only happen if the malware itself is re-written. Even then the re-written malware will have to find a way onto the platform, which might be difficult to do if the users of said platform already have a well-established secure app store (or repository, if you will) from which they can get a vast choice of guaranteed-malware-free quality software.
Sounds like “too hard”. In all probability, the next platform that is likely to be targeted by malware authors is mobile phones:
http://blogs.computerworld.com/16661/mobile_malware_you_will_be_bil…
For now however, XP remains too easy and too lucrative, so it hasn’t happened yet.
You mean like the PDF security holes that allow iPhones to be easily jailbreaked?
Now that is security.
Thanks you for the post.
Hi guys, Im a newbie. Nice to join this forum.
__________________
http://moviesonlinefree.biz
Edited 2010-08-09 01:53 UTC
Unless you are essentially forced to use said system as your employer uses fairly specialised software that has no alternatives on other platforms.
I would love to be free of Windows at work, but between a specialised piece of software and the fact that switching to an alternative would confuse half the staff, it’s never going to happen.
Comes from sloppy hardware specifications, and 99.99% from humans, who would gladly allow weird stuff running on their computer because, well they are curious for one part, and that they usually don’t understand the implications.
And buyers are buying good enough software because, they don’t have the budget for it, and that would be overkill for their use, trouble is that good enough is certainly not “best”.
Most of the secure and reliable language to develop with are known to be hard to develop, because they give so many security restriction, and, well, language that are known to be easy are often used to write buggy software because, well it has allowed non-developer to write programs that shouldn’t be marketed (but unfortunately are), and this is worst if those easy language are extendable.
We are to late now to stop the process, the rise of browser based application and therefore javascript would make it easier for non developer to pretend themselves as ones.
And now for the stupid analogy:
People don’t usually try to build their own car ( ok partly because it’s expensive ), and usually they trust brands and car maker depend on test and norms to build their product (there is obviously some flaw in their test, because they are to old for new technology). But say one guy would come and sell you his own brand of car , even if that was cheap, you would carefully weight the risk of buying a cheap product.
Software company and developer need to be liable for there product, that would force them to request more exact about what the client ask.
Just a few weeks ago i was amazed how a bunch of construction workers were demolishing a concrete room they built just a few days before because they forgot to make a door.
A few days latter they were hammering the wall facing the street because it had no windows.
Stupid people are easy to find, software development just gives them a much larger audience.
Emphasis mine for grammar and spelling mistakes.
I agree with your general sentiment, but this sentence has an assumption shown to be inadequate.
You are arguing, essentially, for litigation to be applied to software. It assumes that litigation would force software development to undertake more care.
If litigation were the magical ingredient to solve the problems of incompetency (and sometimes it is downright unscrupulousness there), then China’s milk supply would have been okay. Their western headquarters, who were notified of their unscrupulous acts, would have had applied the brakes. Apparently, litigation was not producing the magical leap it is implicitly meant to have made. (Sorry, I cannot seem to make the tense correct. My grammar is lousy.)
Law is never the magical solution. We only know that life without rule of law is a million times worse, hence we defend it. Just like how we defend democracy despite its obvious flaws. Think “necessary evil”, not panacea.