Dan Geer said: "The general-purpose computer must die or we must put everything under surveillance. Either option is ugly, but 'all of the above' would be lights-out for people like me, people like you, people like us. We're playing for keeps now." http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=436
I completely disagree with the way that people will likely interpret this quote. We do NOT need to throw away our general-purpose computers, nor do we need to submit to Orwellian total population surveillance (by governments or by corporations).

What particularly worries me is that some large companies would benefit from approaches that eliminated competition in the name of security. "You have to standardize on product X, and lock things down so that no nasty alternative products are executed!" Yet that is a primary part of the problem. In our current world, many people believe they CANNOT pick a more secure product, because it's not compatible with what "everyone else is using". At least in some cases, people WILL pick a product because it has better security (see the rise of Firefox, and how it finally caused Microsoft to wake up and start fixing Internet Explorer)... but look how hard it has been for a freely-available program, implementing mostly-documented standards, to compete.

If you interpret the definitions of the terms "general purpose" and "surveillance" differently, i.e., "limit applications to least privilege, and locally monitor their behavior", then I'd agree. But this is another way of saying "we need to implement least privilege and local monitoring", which are well-established security principles. And it's already happening, e.g.:

* Development is already moving away from general-purpose tools. Most desktop and server software development should NOT be done in C or C++; they're too low-level and provide inadequate protection against mistakes. Instead, they should voluntarily use languages that aren't QUITE as general-purpose, because they automatically prevent many mistakes from turning into security problems (e.g., through automatic memory management). People are already moving towards such languages; we need to bake more assurance into them, but the opportunity is there.

* Deployment is already moving away from general-purpose privileges. SELinux lets people define very fine-grained privileges, so that a program does NOT have arbitrary rights. OLPC goes even further; its security model is remarkable and worth learning from.

* Observing behavior (and making decisions based on it) is ALREADY what some systems and network systems do. But the difference is who is in final control.

In the end, the users of computers should be in final control, not their makers, or we have given up essential liberty. We can develop systems which provide suites of more specialized privileges to particular functions, without giving up essential liberty. We have a long way to go in actually DOING this, but the opportunity is there.

I do not think we need to give up our liberty just to "obtain" some security. Benjamin Franklin already explained what happens to such people.

--- David A. Wheeler

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________