On Tue, May 13, 2008 at 1:51 PM, David A. Wheeler <[EMAIL PROTECTED]> wrote:
>
>  If you interpret the definition of these terms of "general purpose" and
>  "surveillance" differently, i.e., "limit applications to least
>  privilege, and locally monitor their behavior", then I'd agree.  But
>  this is another way of saying "we need to implement least privilege and
>  local monitoring", which are well-established security principles.  And
>  it's already happening, e.g.:

That's fine in principle.  Have we ever seen a usable system based on
these principles that users didn't reject/hate?  Look at the general
press and people's perceptions of the security of Leopard v. Vista. We
can complain all we want to about UAC and perhaps the constant
"nagging", but as Apple's commercials so clearly pointed out, people
hate their computer explicitly and publicly trying to keep them safe.

>  * Deployment is already moving away from general-purpose privileges.
>  SELinux lets people define very fine-grained privileges, so that a
>  program does NOT have arbitrary rights.  OLPC goes even further; its
>  security model is remarkable and worth learning from.

That's great, but all of these schemes rely on:

 - Expert users to configure a policy for new software
 - Each piece of software to ship with a correct least-privilege
configuration (how do we get the malware authors to do this?)
 - A user who doesn't choose to override the default security settings
so they can see the dancing hamsters

>  * Observing behavior (and making decisions based on them) is ALREADY
>  what some systems and network systems do.

Same here.  We're still light years away from being able to do this in
practice.  We can't tell that the new financial management software
you just downloaded is "supposed" to ask for your bank password, and
that the game you just downloaded shouldn't.   And users aren't
generally informed enough to make these kinds of decisions either,
especially given the user interface we typically give them.

Don't forget all of the wonderful fun we've had over the years getting
people not to open executables sent via email, not to visit sites with
a self-signed SSL certificate, to check for the lock icon in their
browser, to make sure that their wireless settings don't allow them to
connect to random wireless access points, etc.

>  But the difference is who is in final control.  In the end, the users of
>  computers should be in final control, not their makers, or we have given
>  up essential liberty.

I don't think you're fundamentally wrong in that I'm not (and I can't
speak for others) in favor of removing the controls completely.  But,
we ought to be shipping systems whose fundamental defaults are easier
to use, more secure, and really hard to override.  Compare IE6/FF2 to
IE7/FF3 on this front.  Sure you can still visit the site with the
self-signed certificate, and you can still visit a site that they've
categorized as a phishing site.  But it isn't quite as easy as it used
to be, and I'd say that's a good thing.

If you own a tablesaw it comes with a blade guard.  It's probably a
good idea that it does.  If you really want to, you can remove it, and I
don't really feel the need to stop you.  Unless I'm paying for your
insurance, that is.  Your car also comes with pollution controls.
These pollution controls often inhibit your max speed, acceleration,
etc.  They are really hard, or impossible, to disable.  They also
make our environment cleaner.

Which is the right analogy for the personal computer?

-- 
Andy Steingruebl
[EMAIL PROTECTED]
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________