Industry Challenges

Measuring Security

  • July/August 2010
  • By Simson Garfinkel

Akamai's operations center can monitor attacks, but there is no definitive way of gauging how secure the network is.
Courtesy of Akamai

There's really no way to compare two computers running two different operating systems, Web browsers, or any other type of program and definitively say which one is more secure. That makes it hard for governments and businesses to decide how best to spend money on security--or even how much they should spend in the first place. It's difficult to know whether a security product is effective or just has good marketing.

Consider virus scanners. They automatically examine files for malicious software, but they can only detect malware that's already been identified. So a scanner can't say that a computer system has zero viruses--it can just say that a system doesn't have any of the viruses the scanner was designed to catch. But unknown pieces of malicious code have been responsible for many of the most devastating attacks to date, including the much-publicized attack on Google earlier this year.

It used to be that there were surefire ways to know your system had been hacked. Files would be deleted; attackers would alter your website or make your system crash and ask for ransom. Today, however, the goal is to steal information or take control of a computer without tipping off users. Because many attacks go unnoticed, there are no truly reliable statistics about how many computers are compromised, let alone statistics that can measure the full economic impact of these intrusions.

And yet people are trying. Research projects at the Idaho National Laboratory, the U.S. Department of Defense-sponsored Institute for Defense Analyses, and MIT Lincoln Laboratory are all attempts to develop ways of measuring security. If these projects can successfully create a set of standardized metrics, it will be easier for companies that create good products to reap a return on their investments in research and development, rather than competing on a level playing field with those who simply have a huge marketing budget and those who are selling snake oil. In the meantime, the attackers gain ground.


Mapou

356 Comments

  • 589 Days Ago
  • 06/28/2010

Misguided Research

Since attackers exploit flaws in networked software, one can never truly measure how secure an application is unless one has a way to determine its reliability. And if one could truly measure software reliability, one would have solved both the reliability and the security problems.

So obviously, any research into how to measure software security or reliability is misguided. The problem will be solved only when we find a way to construct bug-free software. Like it or lump it, there is no escaping this reality. Anything else is fantasy and I, for one, don't want to see my tax money being spent on futile research efforts.

There is a way to build 100% guaranteed bug-free applications but the computer industry and the computer science research community will never find it because they have already convinced themselves and those with the purse strings that it is impossible. However, banks, government agencies or anybody who uses e-commerce should be wary of the security research industry because it is not in their interest that a solution is found.

The reason that software is unreliable is because the boomer geeks have shot computing in the foot in the last century. They forced everyone in the business to worship the Turing Machine as God's gift to humanity. We are all paying the consequence as I write. The truth is that the Turing computing model is the problem, not the solution. Why? Because the TCM has absolutely nothing to say about time, the most important and fundamental aspect of any behaving system, which is what a computer program is.

Reply

mattgroom

286 Comments

  • 589 Days Ago
  • 06/28/2010

Re: Misguided Research

Firstly, I cannot stress enough how delighted I am to read something from a decent reporter. I do so hope you get a promotion quick, because you're one of the best reporters on this subject so far.

Moving on, I have offered to give MS bug-free, correct software. We shall see if they want it; after all, they produce most of the software in the industry.

If they don't want it, then the reason is this.

1. They like buggy software as it allows them to sell new software.

2. Keeps software companies in a positive light, as it appears as if they are doing things...

Also bug-free software does not mean it cannot be circumvented. It means it runs without error by the way. About 99.99999% to infinity think otherwise.

Secondly these companies (MIT etc) are a bunch of retards because the most they can do is retrofit metrics to previous attacks, which as the writer documents is not adequate enough.

They'll be great at showing you the automated attacks created 10 years ago+ that are run by script kiddies. Oh whoopy do.

It is quite another thing for them to actually analyse the current cybercrimes.

In no way will their metric work against short-term cybercrime, which is where most occurs. The window for action against this type of crime is sometimes minutes or hours. A metric is a FAIL straight away. No point telling us it happened, bud.... Oh, there it happened again; best turn your meter to 1 trillion and 2.

Reply

mattgroom

286 Comments

  • 589 Days Ago
  • 06/28/2010

oh by the way

Yes, I can set up a system that would tell you if it's compromised. It's not rocket science.

The problem we have is computers attached to the internet today have no such measures in them.

A simple thing like cost (aka free market) is what has caused this dilemma.

Yes (goddammit), a short-sighted FREE MARKET has caused cyber crime.... It's as simple as that, lol.

Reply
