BLU Discuss list archive
[Discuss] Port Scanning
- Subject: [Discuss] Port Scanning
- From: bogstad at pobox.com (Bill Bogstad)
- Date: Tue, 6 Aug 2024 00:31:39 -0400
- In-reply-to: <20240804112131.195b6e56.Richard.Pieri@gmail.com>
- References: <5c43eee0-caaf-45d6-8fdb-273cb3d8ea6d@borg.org> <20240801172933.yqcdeki3ntkrrl2t@randomstring.org> <51804f85-9275-4d89-9dc2-86234cdb299b@borg.org> <20240801210627.bzw47tfmyxofcep3@randomstring.org> <82b0d41d-075d-496e-9e1f-ef1529623c38@borg.org> <20240801182824.4bf21319.Richard.Pieri@gmail.com> <f6d905fd-7886-4cf2-9b02-f6d89f60adf0@borg.org> <20240801214606.5bebc46a.Richard.Pieri@gmail.com> <20c3240d-184f-4c84-b4ed-7680ac5301bd@borg.org> <CAJFsZ=o7btMacs-OqTB0908ehYkZCFGtupLkNi59C9K8XV6zKQ@mail.gmail.com> <20240804112131.195b6e56.Richard.Pieri@gmail.com>
On Sun, Aug 4, 2024 at 11:22 AM Rich Pieri <richard.pieri at gmail.com> wrote:
>
> On Sat, 3 Aug 2024 22:05:49 -0400
> Bill Bogstad <bogstad at pobox.com> wrote:
>
> > I think it is basically because the industry has convinced itself
> > that bugs are inevitable and there is no way to mitigate those bugs
> > becoming security problems. Back in the 90s, I found security
> > fascinating; but when I realized that nobody had any interest in
> > actually doing anything more than dealing with this week's problem, I
> > decided that wasn't a career path I wanted to follow.
>
> It's not that nobody has that interest. It's that perfect security is
> impossible either in the physical world or the digital realm: the
> attacker always has the advantage over the defender. We do what we can
> think of to prevent compromise but we understand that the attackers can
> try all of the things we *didn't* think of or the tiniest of mistakes
> we make. So we also do what we can to detect, contain and mitigate
> compromise. It's very much whack-a-mole, solving the endless string of
> this week's problem.

Did I say that I wanted perfection? In text that you removed, I asserted that there are known techniques that would stop whole classes of programming bugs from becoming security bugs. I didn't make it completely clear, but they could be implemented in compilers so little or no programmer time would be required. They would slow down programs by something like 5-10%. Does anybody do this? Not as far as I know.

Our priorities seem to be organized into something like this: time to market, features, performance, pretty UIs, price (i.e. development cost), .......... , security.

We would have a whole lot fewer moles to whack if we changed our tools. I would argue that we would probably improve debugging (development) costs as well because bugs would be found and fixed a lot more easily.

To be fair, it seems like the techniques to do this have not really gotten into commercial development systems even as an option. So maybe I should blame the people who write compilers rather than the software industry as a whole.

At least we both agree that we are in a whack-a-mole situation. I just think things could easily be a lot better than they are.

--
Bill Bogstad
bogstad at pobox.com