Monday, 15 June 2009

Blackboxes are vulnerable!

To an extent all software is a blackbox. As a consequence, the quote listed as the title is commonly made, but problematic. It may be true (Popper will attest to the inability to determine anything absolutely), but this adds no value.

The analysis of software is an NP infeasible problem. Turning and then Distraka demonstrated proofs that the state of a system can never be fully known. You are making presumptions as to the level of knowledge an open system holds and as to the level of testing.

Crystal box testing is a better option (I have published papers on this in the past), but the option is not always (nor truely) available. What is missing is the complexity/simplicity issue. These issues are mixed with the issues of security.

It is never possible (nor feasible) to absolutely know the state of an open system. You just have a lower cost of testing and rectification.

As for DoS. There is always a way to DoS a system. The issue here is how much evidence you create and why you do it. Hit any system with a sustained attack from 1,000,000 bots and it goes down. End of story.

This is not an argument about complexity impacting security.

What matters at the end is the best way to minimize long term costs.

No comments: