If I can get your computer to do anything you didn’t expect it to do, that is a breach of your security.
An example, suitably old and out of date enough not to matter.
Once upon a time I was able to get access to a computer over a network. I couldn’t get permission to do much, but I could get a very limited permission to send email to a few selected addresses. One of the addresses was the SYSOP. I could send him a file that included a letter in regular text, which many non-savvy sysops would open up with a program that displayed text, and also could execute commands.
But my text contained a macro instruction to set up a user account granting all permissions. I could never initiate such an account, since I lack the permission in the first place. But this email handling program is being run by the SYSOP himself, and it has all permissions. Now, I can log on as the hidden user, and I have access to everything.
Now, your computer is my computer. If I want, I can lock you out.
Every change in the software complex represents a new set of interactions that can be studied for mistakes, or false assumptions. The most common false assumption made by system programmers is that the system operator will know something about system level software. That assumption is inevitably wrong somewhere. People become system operators through ownership of resources, not understanding of the system.
Once I am in your network as an apparently legitimate system user, your computer, and probably a lot of other computers on your network will work for me, and if I know more about security, and systems software than the actual administrator, I will probably be able to get through any sort of encryption you use, eventually.
It’s not hard to keep a large system safe. It is hard to make a large number of people take real security measures every time, all the time. I have one stupid PC, with one single possible connection method to the outside. I have told the other people who I am supposed to supervise what I expect of them.
Just today, I found our password written on a sticky note, on the monitor. I changed the password. Now everyone will have to come and ask me for it, and hear the password lecture again. I also deleted the pirated game someone downloaded and installed without checking with me.
It’s the people, not the machine, or even the software.
Tris
“It was a woman drove me to drink and I didn’t even have the decency to thank her.” ~ W.C. Fields ~