--- Vladimir Nesov <[EMAIL PROTECTED]> wrote:

> On Fri, Apr 11, 2008 at 10:50 PM, Matt Mahoney <[EMAIL PROTECTED]> wrote:
> >
> > If the problem is so simple, why don't you just solve it?
> > http://www.securitystats.com/
> > http://en.wikipedia.org/wiki/Storm_botnet
> >
> > There is a trend toward using (narrow) AI for security. It seems to be one of
> > its biggest applications. Unfortunately, the knowledge needed to secure
> > computers is almost exactly the same kind of knowledge needed to attack them.
> >
>
> Matt, this issue was already raised a couple of times. It's a
> technical problem that can be solved perfectly, but isn't in practice,
> because it's too costly. Formal verification, specifically aided by
> languages with rich type systems that can express proofs of
> correctness for complex properties, can give you perfectly safe
> systems. It's just very difficult to specify all the details.

Actually it cannot be solved even theoretically. A formal specification of a program is itself a program. It is undecidable whether two programs are equivalent. (It is equivalent to the halting problem.) Converting natural language to a formal specification is AI-hard, or perhaps harder, because people can't get it right either. If we could write software without bugs, we would solve a big part of the security problem.

> These AIs for network security that you are talking about are a
> cost-effective hack that happens to work sometimes. It's not a
> low-budget vision of future super-hacks.

Not at present because we don't have AI. We rely on humans to find vulnerabilities in software. We would like for machines to do this automatically. Unfortunately such machines would also be useful to hackers. Such double-edged tools already exist. For example, tools like SATAN, Nessus, and NMAP can quickly test a system by probing it to look for thousands of known or published vulnerabilities. Attackers use the same tools to break into systems. www.virustotal.com allows you to upload a file and scan it with 32 different virus detectors. This is a useful tool for virus writers who want to make sure their programs evade detection. I suggest it will be very difficult to develop any security tool that you could keep out of the hands of the bad guys.

-- Matt Mahoney, [EMAIL PROTECTED]