On Saturday, Sep 27, 2003, at 15:48 US/Eastern, [EMAIL PROTECTED] wrote:

On Sat, 27 Sep 2003, Jeroen C. van Gelderen wrote:

I continue to believe that few users would grant an email message
access to both the Internet and the Address Book when they are asked
those two questions, provided that the user had not been conditioned to
clicking "YES" in order to get any work done at all.

You have not met my users!

Indeed, but I'm here to learn :)

This is really rather naive. Users don't
understand pop-up dialogues; they raise their stress level, and always clicking
"yes" makes the problem go away.

True. But don't you think that this may be in part because the popup dialogues are shown way too often in the course of normal use? And because they ask questions that cannot be understood by Real Users? Is it naive to assume that Real Users are intelligent but that an ill-designed security architecture has *conditioned* them to always click YES, as you say because that is the only way for them to get any work done at all?

I have to imagine starting with a clean slate, with unconditioned users.

Now imagine that Alice, a Real User, can usually do a full day's worth of work (Excel, Word, Browsing, Email) without seeing a security popup asking some weird question. Imagine this is the status quo. In this scenario, a security popup is cause for concern. After all, normal use doesn't result in popups, so this is a clear indication that something is wrong. Why would she click "YES"?

Now additionally imagine that security popups ask Alice an intelligible question. Not "FooBar is trying TCP to port 1223, that okay with you?" but rather something like "This website wants access to ALL YOUR PERSONAL FILES, that okay with you?" Or: "This email wants to access the Internet and your Address Book, that okay with you?"

Because I'm an optimist I believe that Alice will read the dialog and err on the side of caution. Maybe that isn't realistic. So we teach Alice to always click "NO". We can do so because unlike today, Alice's "NO" will not interfere with her ability to get work done.

Also security is not closed under composition, two individually secure
components can combine to produce an insecure system. I think that no
such secure *non-trivial* least privilege system exists for a
graphical general purpose computer either in theory, or in practice.

Are you familiar with the KeyKOS and EROS operating systems and/or
Stiegler's CapDesk, a secure desktop in Java? They are all based on the
Principle Of Least Privilege (through capabilities) and they manage to
preserve security in the face of composition. Do you consider those
systems to be trivial, or broken? What is the reason these systems
cannot exist in theory or practice?

What fraction of "real" users will be able to use these systems? Will
users really understand the composition properties of security policies?

I agree that such composition must be intuitive or we cannot expect it to work. I think that CapDesk is a nice publicly available prototype of a workable capability desktop. It would be very interesting to see your assessment on whether a CapDesk approach would be workable for your users. And if it isn't, why not. I hope you can lend your experience.
Cheers,
-J

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]