Is software hackable no matter how perfect it is written?
Let's say I will create simple OS, I will spend like 30 years
on encrypting every single variable, every code string and insert
quadrillions of hacking preventions.
Let's say, that there are absolutely no leakings in code, variables,
passwords. Is it still hackable?
Hackers mostly modify binary or hex code. So, I am not sure about that.
Go for both theorem and practicality
Actually, what crackers 'hack' is mostly other people's impatience, ignorance and willingness to go along with percieved 'experts' and 'authority figures'. It's called Social Engineering and it is the majority of how crackers circumvent both software and systems. Even software cracks such as program security exploits mostly depends on being able to identify and exploit the weaknesses of the programmers and users, rather than of the code itself.
So you actually mean, that if I will really protect data, cover all "security holes" and encrypt variables. No breaking in?
No, I mean that the real target of the crack is the part which is always vunlerable: the human being invloved in entering and using the data.
@edit. So you mean Keyloggers and Desktop screenshots? Like exploited Windows? Which take input keys from users and screenshot of sensitive data?
Or just calling the support, and asking a password :P
Yeah, but I mean only programmed code. Without keyloggers, bypass passwords, exploits etc. .
So on a system that requries encrypted signed binary, and will only run encrypted signed binarys is there anyway of either unencrypting the binarys or executing unsigned encrypted code.
With enough time and processing power you could brute force the encryption, although unless you get quite lucky or have the patience to wait years, that will probably not yield results.
You would then look at what executes the files, is it the OS, can you somehow modify it and remove the encryption check allowing you to run unsigned code, is it some custom hardware
can you write what that hardware does in FPGA skipping the encryption check and solder that bad boy in.
If it's a programmable chip on the board you could, reflash it.
Assuming you have the tools for the job you could easily read what's written to the memory and get the unencrypted binary from there, writing to the memory I suspect would be damn hard, but I guarantee not impossible, this may also allow you to write to binarys that are executing.
So in conclusion, If someone has access to the physical hardware, they will always, with enough time, knowlage and patience be able to get around any form of signed code requirement.
Although with out access to the physical hardware, I am convinced you can write a system that cannot be compromised.
Paul, your answer is just as I wanted it to be. But tell me, who in heavens doesn't have access to physical hardware?
Yeah, but I mean only programmed code.
That's your mistake right there, you cannot control or restrict the means by which attackers attack. It's like your asking if it is possible to build an unbreakable wall to keep intruders out, while in reality, intruders will get in either by a tunnel under the wall, climbing over the wall, getting through the door or window, trying to look through the wall, piggy-backing on people who are allowed to cross the wall, etc... the point is, the strength of the wall has no bearing on the overall security, as long as there are weaker loop-holes around it.
On the basis of program hacks themselves (e.g., software exploits, encryption-breaking, etc.), the security has become very solid overall, but that only means that attackers don't attack that line of defense as much as other weak-points. The biggest myth about hackers is this impression that all they do is exploit software loop-holes and get into computers or networks programmatically. For the most part, they don't, at least, for those who are interested in the gain ($), as opposed to the technical challenge.
In terms of hacking code, yes, anything is breakable, with enough time, skill and knowledge. For most stuff, the hardest part is reverse engineering it, but everything can be reverse engineered, and then, exploited. But at some point, the investment (time, money, resources) required to break the system that way is far too much that nobody will choose to break the system that way. This is why most cracking / hacking / whatever is done through social engineering these days, because the humans are the easiest way into pretty much any secure environment. Pretty much anywhere you find a human being involved, you will find a possible exploit (i.e., an exploit of the human being's weaknesses or naiveté).
Why make a complicated virus that will crawl the web and try to use some crazy exploit to extract credit card numbers if all you need is to set-up a fake e-store website and catch some naive customers. Why try to hack your way into a company network if you can just walk in the front door and spot a temporarily unoccupied and unlocked workstation from an employee on a coffee break. Or by posing as a VAC maintenance guy and get physical access to the server room. Or scan-and-clone the key-card that an employee has attached to his belt while out on a lunch break. Why crack a password if you can just call the tech support and have it re-initialized by some clever convincing. And so on it goes...
Good work there will pulling meanings out of context.
I was thinking in regard to a webservice, you could write a webservice that was unhackable with enough time and effort, although as mike point's out, it does not stop someone from writing a fake website and stealing your users passwords, or a rouge sys admin from modifying the service.
While not a technically a hack:
A great example of both a great scam to get money from people and also a service that you don't have access to the encryption keys would be the Cryptolocker virus.
The files on your system are encrypted, they keys do not exist on your computer, unless you give the friendly folks who have sent you the email 3 bitcoins, you are unable to unencrypt the files.
when there's a perfect program, there's a perfect hacker. deal with it!
sorry :D
Offtopic post, in the offtopic topic.
As others pointed out, software is always part of larger system which involves interfaces to other softwares, people, and in the end the mother nature.
In my opinion hacking is: Persuade a system to do something not normal, something out of ordinary, something not meant to do.
If we extend the meaning the system to every conceivable system in the world, then we can see that human activity sums up pretty much as hacking the world.
This activity is so extensive and so ancient, that sheer meaning of natural is a matter of opinion today. We perceive our artifical systems as fundamental. They change so rapidly that consensus is impossible.
We are master hackers. There is always a better hacker, then you.
@up This isn't offtopic thread and your post isn't offtopic.
To all: That would have meant, that deep in "ancient" history of computers. Mistake has been made to let people somehow access binary code; or at least read it. Is that true?
To all: That would have meant, that deep in "ancient" history of computers. Mistake has been made to let people somehow access binary code; or at least read it. Is that true?
Yes. By Neumann. See: http://en.wikipedia.org/wiki/Stored-program_computer
It is not a mistake. It is a decision that has consequences.
The recent security breach at Target stores that stole data from 110 million hapless customers was done with a malware program that copies and diverts data coming from the working program. It looks like someone forgot to encrypt the customer data stream, or it wasn't encrypted very well.
Also, the US has a pretty unsafe (lowtech and cheap) credit/debit card system that make it easy to compromise the cards.
The example at the Target stores shows that data security was criminally sloppy, allowing a 17 year old teenager from Russia to get in with a piece of homecoded malware and steal all the customer data.
Even if you have taken painstacking care to make sure your software is solid you have to consider the time frame of the evolution of technology. What seems to be impenetrable today may become suseptable to infiltration in a matter of a year or less depending on how quickly technology evolves and how much effort a hacker puts into an explotation of a system or a software. Also, as others have mentioned, social hacking is a very real threat and when hackers can't get in via their usual tactics they will turn to other ones.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.