Why are there no secure computers?

If security is such a big deal and drives IT markets, why are there no vendors who have created and marketed secure computers? Why doesn't Dell, HP, Acer, even Apple, create a hardened OS, tie it to a hardware "trust module" (think TPM), bolster it with an encrypted hard drive, firewall, etc, and go to market?

Best Answer

7
Andrew Baker
Director, Service Operations, SWN Communications Inc.
Posted on April 5, 2011

Hi Richard.

The security posture of any system is dependent on several factors, including the features provided by the underlying technology, a set of processes which need to be followed, and the education of those who must use the system.

Simply packaging up a set of security-enhancing technologies and marketing them will not necessarily result in a secure computer once they leave the factory. The weakest link of such a system once purchased will be the network it is connected to, the applications that are installed, and the user who owns/operates it.

By marketing a system as "secure" -- as opposed to simply saying that it employs/features good security -- vendors will in a sense be certifying the operation of those systems, when they are not able to control it.

As such, they would not want the publicity of having such a "secure computer" breached in any way, nor would they be able to lock it down to the degree necessary to minimize such breaches.

This is the same reason why an auditor or qualified security assessor (QSA) will not say that an organization is "secure", but that they are adhering to appropriate information security best practices and are taking the necessary steps to maintain a good security posture.

This is also why the trusted security evaluation of operating systems and networks focuses on their capabilities, more so than any specific application. It makes more sense for vendors to market a system that can achieve a particular level of security evaluation rating, based on recommended guidelines.

We'll see more in this direction over time, but people are still (sadly) price sensitive to security features, even while they talk a big game about wanting better security.

3
Barry Schrager
z/OS Information Security Leader & Architect, Barry Schrager, Inc.
Posted on April 5, 2011

Maurene is correct. The mainframe model is the most “securable” platform. How? Well, in 1973, IBM made the commitment to system integrity. System integrity, which is the inability of a “normal” user/program to bypass the standard interfaces of the operating system, is a pre-requisite to system security. It is in the standard operating system interfaces that security is implemented.

Then, there were three independent security systems for the mainframe MVS system, although two are now owned by CA Technologies. This competition, in addition to the underlying system integrity model, makes the mainframe the most “securable” platform.

Why did I use “securable” instead of “secure”? I took that phrase from Alan Harrison of the UK and it really fits. The security issues that mainframes have are that they can be configured improperly, their security systems can be configured improperly, and there can be authorized code, which is embedded in the z/OS Operating System, in ISV Software Products, or even locally developed, that can provide violations of the IBM System Integrity Statement and rules.

For the configuration issues, the Defense Information Systems Agency (DISA) has created Security Technical Implementation Guidelines (STIGs) for z/OS with each of the three security systems, and, in fact, for many other platforms as well. These are freely available via their website: http://iase.disa.mil/stigs/checklist/. However, since the guidelines were developed for Department of Defense installations, some of them must be adapted to fit into non-DoD environments. But, they are a great start and installations will be much more secure by taking each checklist item, reviewing how it applies to their installation, and implementing the security standards that result from the review. If an installation is using the IBM z/OS RACF security system, Vanguard Integrity Professionals (www.go2vanguard.com), has a Configuration Manager product that applies the STIG Checklists to the environment.

But, as I said, that is only part of the issue. Software provided by IBM, ISVs and even locally developed software has system integrity issues that will allow a non-authorized user to bypass the interfaces of the z/OS Operating System. Just like the root cause of viruses in Windows, Linux, etc., there are root cause exposures in z/OS. A new product, the Vulnerability Analysis Tool from Key Resources, Inc. (www.vatsecurity.com), performs penetration testing on z/OS to locate these vulnerabilities. Penetration Testing is a requirement under PCI, NIST and ISO, but, based upon the IBM Statement of Integrity, virtually all mainframe sites have just chosen to ignore it.

But, the IBM Statement of Integrity does not say there will be NO system integrity exposures, it states that, if one is reported, IBM will fix it. And, IBM has been very good at doing this over time, but, the recently introduced Vulnerability Analysis Tool product has been finding a good number of exposures in IBM code, as well as ISV code. Mainframe z/OS installations must protect themselves by implementing the DISA STIGs as adjusted to their environment, utilizing a product like the Vulnerability Analysis Tool (at this time, it is the only viable product in this area), and demanding that their ISV vendors have the same commitment as IBM when it comes to system integrity issues.

2
Erik Goldoff
IT Systems & Security consultant, Goldoff Consulting
Posted on April 6, 2011

Secure, Inexpensive, Usable ... Pick Two!

For a computer to be useful, it has to be reasonably affordable, conveniently accessible to the user, run a variety of software, and have access to data required to perform the desired tasks.

The three vulnerable areas of Input, Output, and Storage existed in very controlled environments in the early days. Input required access to a connected terminal, or keypunch and card reader. Output required access to a connected terminal, and/or hard copy printer. And storage consisted mostly of a tape library, and later a disk pack library, that required an authorized request for a human to physically attach the volume required.

Now with our modern systems, and open architecture, the very usability and access that makes computers a common resource also make them vulnerable. Internet connected systems are sharing a worldwide network with millions upon millions of other, unknown, unverified computers and users. Email with attachments and embedded html/flash/shockwave content can transfer code (including malware) in the blink of an eye. Terabyte sized local hard drives are now an available commodity for under $100, and each and every computer now has the potential to store sensitive and valuable information.

You can layer security method upon security method on today's systems, 2 or 3 factor authentication, firewalls, antivirus, antispyware, antispam, whitelist, blacklist, encryption, redundancy, etc ... but you will always end up with a compromise. These methods add cost and complexity, reduce reliability, and still cannot provide a 100% guaranteed security model.

1
Maurene Grey
Founder, Principal Analyst, Grey Consulting
Posted on April 4, 2011

That would be the "personal appliance." Or we could go back to the mainframe model.

1
Wayne Spivak
President, SBA * Consulting LTD
Posted on April 5, 2011

I like Andrew's response, very professional.

I like simplicity; humans aren't secure so nothing we can make will be secure.

We don't remember passwords or tell another what the password is when necessitated. We can't keep secrets, we can't keep confidences. We lose tokens, keys, ciphers etc. We're an imperfect species (never tell my wife I said that) and as such can't adhere to what would seem to be a perfectly secure world.

1
Andrew Baker
Director, Service Operations, SWN Communications Inc.
Posted on April 5, 2011

Richard, a secure virtual desktop would be more feasible, certainly, but the issue still remains that without end-to-end control, the door is still open to compromise vectors.

Barry makes a very good point about how IBM positioned their platform back in the day, but I doubt that vendors would take as much implied risk upon themselves today (even from just a marketing perspective), and they don't control the deployment and installation as much as IBM did at that time.

Now, one way to get close to this, is for the Dells, HPs, IBMs, etc of the world to provide a secure virtual desktop in conjunction with some service provider who would then deploy it in an approved configuration. This would be an OEM product only, and it would be that service provider that would make the claims of "secure computing" for that complete system.

As bandwidth increases and cloud becomes more entrenched on the consumer side of the house (and as more telcos get into this type of market), this becomes a distinct possibility.

0
Richard Stiennon
Chief Research Analyst, IT-Harvest
Posted on April 5, 2011

Brilliant input from true experts, thank you. OK, then, rather than a secure computer, how about, as Maureen suggests, a secure virtual desktop? Now the actual device is simply an interface that allows the download of all apps just in run time. The back end security, while probably not running on MVS or z/OS can be maintained by a service provider. Take the end user out of the equation as much as possible.

0
Glen Marshall
Principal, Grok-A-Lot, LLC
Posted on April 5, 2011

A "secure computer" depends on how you measure "secure". Here are some ideal-world possibilities:

1) Meets all organizational and regulatory security policy requirements.

This is quite feasible. However, since security policies vary among organizations, it is unlikely that you will find a computer that suits all buyers.

2) Resists all plausible security threats.

This is also feasible, as you can enumerate all security threats with a significant probability, and you can determine what is the right level of significance. However, since the determination of significance varies among organizations, it is unlikely that you will find a computer that suits all buyers.

3) Resists all known security threats.

This is also feasible, as the list of known security threats is finite. However, since the number of known threats always increases, any such computer will be insecure once it is built or updated to meet the latest list of known threats.

4) Resists all possible security threats.

This is not feasible, as the list of all possible threats is not known.

In the real world, security is determined via ongoing risk analysis, risk management, and assurance activities. It is not a one-and-done thing. It includes technical, physical, and administrative controls that, working together, meet an organization's security policies and objectives. The technical aspects of a computer, alone, are insufficient.

0
Robin Goodchild
Owner, Antarctic Technologies
Posted on April 5, 2011

The only truly secure computer is one that never existed. Everything else is a compromise.

As said above: humans are imperfect, therefore everything we create is imperfect. One human can invent something, another can break it.

0
Ben Rothke
Manager - Information Security, Wyndham Worldwide
Posted on April 6, 2011

First off, there is not a large consumer market for a secure computer. People walk into Sams Club and Costco to buy an inexpensive computer and won’t pay an extra dollar for added security.

Security is about restrictions. Users don’t want to be restricted by functionality.

That is why we will not have a ‘secure computer’ in the short term.

It does not make economic sense at the consumer level.

0
Howard Gunn
CIO, CTO, VP, Director, BST Technologies

I would assume the reason there are no secured personal computers is a result of there being no consumer market for them.

Would you buy a higher priced box that had better security, but was not secured? That higher priced unsecured box is a tough sale. So far, most vendors don't think there is much of a consumer market for such units.

While security is a big deal, discrete consumer device security is a small contributor to the issues. The person using the device is much more of an issue than the security of the device.

As you suggested, it is possible to better secure the hardware, OS and applications of a personal computer. I would even think someone could figure out how to secure the busses inside the box (they run in the clear today, which makes disk encryption a nice-to-have but not a failsafe security solution).

I would guess the vendors think few people would buy a better secured yet unsecured device and even fewer would pay a premium for it. In fact, I would guess that most consumers think any device is secure enough and a high percentage would not even turn on disk encryption, if it was an option to check off on their new box.

Can an untrusted and unsecured box be converted into a trusted device?

Trusted devices (TDs) and even Personal Trusted Devices (PTDs) are being made. We for example distribute custom built terminals, PCs, handhelds and electronic devices. We sell them to security departments for protecting critical business data, automated actions and protecting relatively secret information. The TDs and PTDs allow the host to establish a trusted communications link to the device, confirm the user of the device and execute policy controls on the data in the device or communicated by the device.

I doubt if a consumer would buy such a TD or PTD. The extra security adds complexity that has little or no value to the source of data. Moreover, the PTDs are not yet trusted enough for making certain types of secure exchanges. Lastly, when the secrets are on WikiLeaks, device security evolution is a secondary security issue.

Carrying your question a little further into the future would also seem to be a way to understand the problem. Should smart phones and wireless terminals be more secure than mag strips on a card and physical card swipe terminals? Are Bluetooth equipped devices secure enough versus near field communication devices?

The hardware and OS security upgrades you mentioned are being done for non-consumer boxes. I don't think they will become part of the commercial consumer electronics market.

Application layer security and policy execution point suites seem to be today's security focus. This is quasi-independent of the user device improvement efforts.

Howard Gunn

0

I think that the most secure anything does not exist simply because it provides the hackers an irresistible challenge to hack it. Safes are broken, houses are robbed in spite of all levels of security. Also, if one believes that something is totally secure then one is lax in protecting the outside environment which hosts it. This brings the weakness which is easy to break.

Seema Srivastava

0

It is impossible to design and market a “secure” system because Internet security is a highly dynamic and evolving science, as the past 15 years have shown, and as it will be in the future.

Even with advances, at the desk-top level, in application-level firewall technology, integrated malware/virus detection products, security suites that offer all–in–one solutions, or even advanced products that could include process monitoring and/or various attack pattern analysis and mitigation strategies, security will always be an adaptive science.

The concept of an intuitive and adaptive security tool that is capable of detecting, stopping, and logging every new variant of security threat, in my opinion, is beyond the realm of what is practical, and at the moment unrealistic to achieve. The best solution is to provide basic security tools with real-time updates.

Tim Andrews
Freelance Writer at Suite101.com

0
Ralph Wilson
Development DBA, SWBC

Perhaps the simplest of reasons, besides the economics involved with trying to make a truly secure computer that _stays_ secure, is the same one that applies to cryptography. As soon as a really secure encryption scheme is devised, two teams start to work. The first team is the cracker team that starts trying to figure out how to crack the encryption scheme. The second one is the team that is trying to create a more secure encryption scheme. The theory is that the second team will complete its task before the first team does. ;-)

In the case of a "secure" computer, the hackers of the world will join the first team, except they will be playing for keeps and not just to test the security of the system. Since the hackers tend to outnumber those who would improve on the security scheme and the hackers only need _one_ success to prove the security is vulnerable, they often make the news. Also, since the "Good Guys" who are trying to make the computers more and more secure have to rely on end users who often have no concept of security other than using their pet's name for a password, even should the Good Guys develop a more secure system, they have no means of ensuring that it is implemented.

One of my early Computer Science professors (way back in 1969) said that the only truly secure computer would be one completely enclosed in a steel and concrete container that had absolutely no openings; however, that computer would have no means of obtaining power (the power cord would require an opening in the container) and, even if it were battery powered, there would be no means of interacting with it because any input/output devices would require a breach of the secure container. In other words, a truly secure computer would be useless.

0
Anthony Robinson
Facilities & Business Consultant, The Virtual Entrepreneur Group

I agree with Daniel ... the problem here is that people use the term secure or security but in reality they have no idea as to how to achieve it.

The weakest link in any intelligent system is the end user. Education and re-education are imperative as are random checking processes to ensure that the money you put in to the education of the end user is well spent.

0
daniel jeges
daniel jeges Replied on April 18, 2011

Thank You. :)
Daniel

Most people do not understand the technology, and expect that technology can solve everything.

It creates a big problem during system design and very often, instead of maximising some of the technology's features, we need to make compromises to meet user expectations (after all, we do not live from the beauty of the technology but from the profit it creates).

It is nice to see people who understand the root of the problem.

0

There are secure computers. They are stand alone. They are not networked. They do not have Wifi capabilities. They have no internet access. They cannot be used to send or receive emails. They are not connected to any printer. Michael C. Dennis

0

The legendary Novell box that was accidentally bricked in during a remodel and was not running TCP/IP and did not connect to the Internet. Your typical mainframe is similar: limited access to the management console, a rare obscure operating system, a CPU not compatible with x86 byte code, most software being back end processes with less connection to the Internet. Many mainframes had used multiple nested security levels internally but now it's kernel/user.

The US Military notes there is no secure computer with physical access to it.

0

The only way to build a truly secure computer system is to dissect every component down to the microcode and fully manage the integrated system of hardware and software components. As soon as you allow an application you do not have control over access to your system's resources you are vulnerable to attack. For most users of technology, this is not a viable option. Instead, users take the risks associated with using seemingly feature-rich solutions with low up-front costs.

0
Troy Casey
Architect, McKesson

There are no secure computers, just insecure users. Put another way "secure" has no fixed meaning; a computer either is functioning as its implementers/owners intended - or not. With respect to data, controls are effective at preserving confidentiality, integrity and availability - or not.

"Security" is a state of mind. With respect to the above, we are "secure" to the degree that we have confidence in the effectiveness of the controls environment in preserving the "CIA" of our information.

To postulate the "secure computer" is to imagine an abstract and fanciful thing, that has never, and will never, have a real-world correlate; since security is a state of mind, we are guilty of anthropomorphizing the computer in trying to attribute such a quality to it. It makes more sense to talk about whether data is 'secure' i.e., its CIA qualities are protected from unauthorized parties.

Please note that this view, while correct, is not widely held. Your Mileage May Vary ;-)

0

I like Andrew's answer.

0

I agree with Daniel,

The only secure computer is the one human beings cannot have access to.

Nic

-1

Hi Richard,

there is no problem with secure computers, there is a problem with unsecured users/people.

Behind every security issue you can find a person not a computer.

Regards, Daniel