Kurt Gödel, a logician, mathematician and philosopher of mathematics, had many interesting things to say. For the purposes of this discussion I am going to restrict myself to one particular theorem of his. This theorem is his second incompleteness theorem, which states:
No consistent system can be used to prove its own consistency.
It is important to note that the theorem truly and properly applies only to the field of mathematics. I am, however, going to abuse this notion because I think within it is held a truth much larger than originally intended. Like Heisenberg's uncertainty principle (and a lot of quantum physics) there are, to me, profound philosophic insights. Loosely and sanely applied I think they may have use outside of their original fields.
There has been a lot of talk lately about vulnerabilities and security. To me the central point made is that problems still exist which have existed for a very long time. The evolution of human capability and thought should have long ago eliminated these problems.
I am not sure that is the case, nor am I certain that it is possible or even desirable.
If we look at the human body we can see an entity that is very imperfect. But this remarkable imperfection is capable of the greatest acts and accomplishments. We damage ourselves all the time, yet we heal. Despite the impurities we consume or the cuts and scrapes we receive, we heal, often becoming stronger and wiser. Organic life is the ultimate fault-tolerant system. We are the greatest RAID system ever implemented.
How much effort must we divert to try and make things perfect? At some point we will be putting in far more effort than is worth the results we achieve. We will become too focused on fixing problems before they happen, reducing the resources available for remediating the situation. I would say we are approaching that point now. Would it not be better to accept the inherent imperfection of the universe and instead strive to make our environment and our tools fault-tolerant? As long as humans create machines the machines will be imperfect - and so will their products. Our software will be imperfect. As history bears out countless times, our security will be imperfect. This is all as it should be. In fact, I suspect this is the only way it can be.
I am not saying that we should abandon attempts to be secure. What I am saying is that we will never be secure - there is no way for us to prove that we are. You are most vulnerable when you think you are most secure. Just because you have a product, a system, or a methodology and it appears to provide accurate results consistent with your perception of a secure state does not mean that state is useful. Or accurate. To paraphrase the second incompleteness theorem, your secure systems cannot prove their own security. And in much the same vein, I am not sure that a system of accuracy can prove that it itself is accurate. The problem may very well prove intractable.
We cannot eliminate our true weaknesses, only manage them. Much like vulnerabilities.
Comments (4)
proving security is like the halting problem (can you determine if a program is going to stop by looking at its source code, without actually running it) -- generally, it's impossible
Posted by jon | April 15, 2005 11:49 AM
I like borrowing from math stuff, 'cos math is probably the only pure and provable truth there is. I'm gonna look up the halting problem, I've dealt with it before but I believe I could really use a refresher.
Posted by bsonne | April 15, 2005 12:01 PM
Halting Problem --
http://en.wikipedia.org/wiki/Halting_Problem
Posted by jon | April 15, 2005 2:58 PM
Thanks for the article Jon - I'm surprised how often I find myself consulting Wikipedia on things.
Posted by bsonne | April 18, 2005 7:22 AM