"[T]his is something government should be devoted to fixing long term"
one step ahead..
"Hopefully he won't end up like Ignaz Semmelweis, who ... ended up a crazed alcoholic."
Kaminsky is one step ahead of Semmelweis. If you've ever seen one of his talks you'll know he already *is* a crazed alcoholic :)
Re: one step ahead..
I drink too much... Responsibility for IT systems is the monkey on my shoulder. Reliance on third parties is the proverbial last straw.
Re: one step ahead..
"High functioning" That's what I keep telling myself. I'm "High functioning".
So far as I can tell, not having grunted over the code in each browser, the first two concepts are already being implemented in baby steps. I wouldn't mind seeing Kaminsky's ideas directly done. Tangentially, Rustlang really is trying to generate a safer, multitasking, multiple sandbox browser. Preventing potentially infectable code out there in the wild in the first place is a really nice idea.
"Kaminsky is one step ahead of Semmelweis. If you've ever seen one of his talks you'll know he already *is* a crazed alcoholic :)" FWIW, I really diagnosed as that. I really need to see one or more of his talks if he actually thinks this way.
Icon: 'cause I really, really need a pint. Well, several.
Don't Want To End Up
"shunned .... and ended up a crazed alcoholic."
On the other hand, I could use the company.
Long story short
Or at least as I read it: reinventing QubesOS and mixing Markov chains with MetaSploit
does it even matter?
At this point the biggest threat are the OS vendors (like MS). Sandboxing more trusted apps won't help when the big bro is overseeing the content of containers. I'd rather deal with Internet germs than bugged house.
"people are actually losing confidence in the internet."
it's been a snake pit for years now. anything attached to the internet is sacrificial.
Sterilize the internet? YEAH!
Let's start with all those damned anonymous cowards! Postin' everywhere an' clutterin' up th' place! Like fekkin' cockroaches! Kill all the anonymous cowards!
Oh wait... Fuck!
(Sounds of being strangled.)
Re: Sterilize the internet? YEAH!
I would've said that a tax on such people is sufficient, but on second thoughts I suppose anonymous cowardice is more serious than merely standing in water.
Kaminsky used to be cool
Now unfortunately he seems to just drool some buzzwords around. It's sad to see a person go like this.
Virtualisation might bring some limited security benefit, however a virtual system with no porous boundaries is useless as you need to get data in and out. Additionally, problems like "Rowhammer" and cache timing attacks on virtual systems can render those benefits moot.
So while virtualisation can bring benefits, it's not a "slap on and you are done" solution. The far better solution, in my opinion, is to reduce complexity.
Re: Kaminsky used to be cool
Finally a comment on the ideas and not on the guy who made them.
Have an upvote from me.
... Plus :
- VMs can start in milliseconds, but it will nonetheless trash CPU caches every time, impairing any well-written code (the kind that actually cares about how a computer works).
- These "sandboxes" are nothing new or desirable. FreeBSD has used jailed processes since the 70's, the benefit being that it doesn't need a way out of the sandbox to fully execute and nonetheless leaves the "real" system that contains the jail completely safe.
- "things are actually getting compromised": yes, and by design. For some well-known reasons, already available efficient security measures do not get the industry traction they (we) need.
Side note on IronFrame: it looks like a good technology to push web control farther, not necessarily for the user's benefit.
But who am I to know.
"We are terrible at teaching people how to make things secure. We're not paying enough attention to what they need."
This is total cobblers - we're very good at teaching people how to make things secure. The trouble is that the people who take the decision to ship code are actively resistant to such advice, seeing it merely as "negativity". This will not change until the penalty for overseeing such a project is personally appreciable to those decision-takers...
Actually not really
" we're very good at teaching people how to make things secure."
We now have universities which have turned their Informatics courses into "Learn how to program in C#/Java/C++ or whatever language is fashionable today" courses. Nobody teaches the basics any more, which are vital for writing safe code. Instead, C++-style OOP is being taught as if it were an essential feature, even though most programmers will never get near a project actually making use of the additional functionality they get from the added complexity.
Nobody teaches the most important element of security any more: Keeping it simple.