"[T]his is something government should be devoted to fixing long term"
I wish.
Dan Kaminsky, the savior of DNS and chief scientist for White Ops, has used the opening keynote of Black Hat 2016 to outline three technologies he has been working on that could make working online a lot safer – if they are adopted. First, and most importantly, Kaminsky has been developing a micro-sandboxing system that spins …
So far as I can tell, not having grunted over the code in each browser, the first two concepts are already being implemented in baby steps. I wouldn't mind seeing Kaminsky's ideas directly done. Tangentially, Rustlang really is trying to generate a safer, multitasking, multiple sandbox browser. Preventing potentially infectable code out there in the wild in the first place is a really nice idea.
Kaminsky is one step ahead of Semmelweis. If you've ever seen one of his talks you'll know he already *is* a crazed alcoholic :) FWIW, I really diagnosed as that. I really need to see one or more of his talks if he actually thinks this way.
Icon: 'cause I really, really need a pint. Well, several.
Now unfortunately he seems to just drool some buzzwords around. It's sad to see a person go like this.
Virtualisation might bring some limited security benefit; however, a virtual system with no porous boundaries is useless as you need to get data in and out. Additionally, problems like "Rowhammer" and cache timing attacks to virtual systems can render those benefits moot.
So while virtualisation can bring benefits, it's not a "slap on and you are done" solution. The far better solution, in my opinion, is to reduce complexity.
Finally a comment on the ideas and not on the guy who made them.
Have an upvote from me.
... Plus:
- VMs can start in milliseconds; it will nonetheless trash CPU caches every time, impairing any well-written code (the kind that actually cares about how a computer works).
- These "sandboxes" are nothing new or desirable; FreeBSD has used jailed processes since the 70's, the benefit being that it doesn't need a way out of the sandbox to fully execute and nonetheless leaves the "real" system that contains the jail completely safe.
- "things are actually getting compromised" : yes and by-design. For some well known reasons, already available efficient security measures do not get the industry traction it (we) need.
Side note on IronFrame: it looks like a good technology to push web control farther, not necessarily for the user's benefit.
But who am I to know.
"We are terrible at teaching people how to make things secure. We're not paying enough attention to what they need."
This is total cobblers - we're very good at teaching people how to make things secure. The trouble is that the people who take the decision to ship code are actively resistant to such advice, seeing it merely as "negativity". This will not change until the penalty for overseeing such a project is personally appreciable to those decision-takers...
Vic.
"we're very good at teaching people how to make things secure."
We now have universities which have turned their Informatics courses into "Learn how to program in C#/Java/C++ or whatever language is fashionable today"-courses. Nobody teaches the basics any more which are vital for writing safe code. Instead C++-style OOP is being taught as if it was an essential feature, even though most programmers will never get near a project actually making use of the additional functionality they get from the added complexity.
Nobody teaches the most important element of security any more: Keeping it simple.