[cap-talk] Windows Vista: security by admonition

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Mon Jun 5 19:33:39 EDT 2006


David Wagner wrote:
> David Hopwood writes:
>>David Wagner wrote:
>>>Micah Brodsky writes:
>>>
>>>>More fundamental than needing trusted input is having a privileged,
>>>>protected shell.
>>>
>>>I don't see any reason why you would need a full command-line
>>>shell.  If you're building a GUI system along the lines of MS Windows,
>>>all you need is the ability to launch new programs in response to user
>>>requests.  You don't need to be able to specify complex pipelines,
>>>job control, command-line editing, arguments, etc.
>>
>>I don't see why it isn't feasible to specify complex pipelines, job
>>control, command-line editing, and program arguments in a secure shell.
>>None of these are rocket science.
> 
> Well, I'm not disagreeing.  I'm not agreeing, either.  I'm deliberately
> not taking any position about whether it is feasible to build a
> trustworthy shell/launcher with all of these features.

My position is that these features are necessary, since a system that takes
major compromises on functionality in order to obtain security will not be
accepted. An operating system cannot get away with not having a command-line
shell; I think that has been firmly established by the history of OS
development and adoption.

If anything, new secure systems will have to provide more functionality than
their predecessors before they have any chance of being widely accepted.
This is unfortunate, but AFAICS unavoidable.

> I think that is
> a distraction.  All I'm saying is that you don't need these features to
> build a useful and secure GUI system.

That is true, but beside the point if a GUI-only secure system is not enough.
In that case the ability to build one would not be sufficient to refute
Micah Brodsky's argument.

Although he referred to a "shell" singular, Windows has a "Command Prompt"
shell as well as its Explorer shell. It would do little good to eliminate UAC
prompts when the GUI shell is used, if they still happened on most commands
entered from a command prompt. Such an OS would be shunned by power users,
which would be disastrous for its credibility (not because most users are
power users, but because it is vital to have *some* power users in a healthy
OS community).

OTOH, as I've already stated, I believe it is quite feasible to build a
full-featured command-line shell, as well as a GUI shell, that are both
securely implemented and that both obtain the benefits of bundling
designation with authority.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
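The last paragraph claims that a command-line shell can bundle designation with authority. The following is an added example, not part of the original message and not code from any system the thread discusses: a toy Python launcher in which every file the user names on the command line is opened by the shell (which holds the user's authority) and the child receives only the resulting descriptor. The `r:PATH` / `w:PATH` prefix syntax, the convention of passing the descriptor number in place of the path, and the cooperative child programs are all assumptions made for this example. On an ordinary POSIX host the child keeps its ambient authority, so the example shows the shell-side mechanism, not the confinement a capability OS would add.

```python
"""Toy launcher in which designating a file is what grants authority to it.

Every file the user names on the command line is opened by the shell, which
holds the user's authority, and the child receives only the open descriptor.
Syntax (an assumption made for this example, not taken from the thread):
    r:PATH   open PATH read-only and pass the descriptor
    w:PATH   create/truncate PATH for writing and pass the descriptor
    a | b    connect a's stdout to b's stdin
Unprefixed words are passed to the child as plain strings and confer nothing.
Caveat: on an ordinary POSIX host the child still has ambient authority; this
shows the shell-side mechanism, not the confinement a capability OS provides.
"""
import os
import shlex
import subprocess
import sys


def parse_pipeline(line):
    """Split 'cmd1 args | cmd2 args' into argv lists, honouring shell quoting.
    '|' must stand alone as a word (shlex does not treat it as punctuation)."""
    stages, current = [], []
    for word in shlex.split(line):
        if word == "|":
            if not current:
                raise ValueError("empty pipeline stage")
            stages.append(current)
            current = []
        else:
            current.append(word)
    if not current:
        raise ValueError("empty pipeline stage")
    stages.append(current)
    return stages


def resolve_designations(argv, cwd):
    """Open each r:/w: argument on the user's behalf.

    Returns (child_argv, fds): the designated arguments are replaced by the
    descriptor number the child will see (pass_fds keeps numbers unchanged)."""
    child_argv, fds = [], []
    for arg in argv:
        if arg.startswith("r:"):
            fd = os.open(os.path.join(cwd, arg[2:]), os.O_RDONLY)
        elif arg.startswith("w:"):
            fd = os.open(os.path.join(cwd, arg[2:]),
                         os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        else:
            child_argv.append(arg)  # plain string: no authority attached
            continue
        fds.append(fd)
        child_argv.append(str(fd))
    return child_argv, fds


def run_pipeline(line, cwd):
    """Launch the pipeline; each child inherits only its own designated fds.
    Returns the list of exit statuses, one per stage."""
    stages = parse_pipeline(line)
    procs, prev_stdout, opened = [], None, []
    for index, argv in enumerate(stages):
        child_argv, fds = resolve_designations(argv, cwd)
        opened.extend(fds)
        last = index == len(stages) - 1
        proc = subprocess.Popen(
            child_argv,
            cwd=cwd,
            stdin=prev_stdout,
            stdout=None if last else subprocess.PIPE,
            pass_fds=fds,    # only this stage's descriptors survive exec
            close_fds=True,  # everything else, including earlier stages' fds, is closed
        )
        if prev_stdout is not None:
            prev_stdout.close()  # the child now owns its copy of the pipe
        prev_stdout = proc.stdout
        procs.append(proc)
    for fd in opened:
        os.close(fd)  # children hold their own copies
    return [proc.wait() for proc in procs]


if __name__ == "__main__":
    # usage: python capshell.py "cmd r:in.txt | cmd2 w:out.txt"
    sys.exit(max(run_pipeline(" ".join(sys.argv[1:]), os.getcwd()), default=0))
```

The `r:` and `w:` prefixes do for ordinary arguments what `<` and `>` already do in every POSIX shell: the shell performs the open and the program gets a descriptor. Pipelines, quoting and argument passing all survive intact, which is the point being argued above; what a capability system adds on top is that the child has no other way to reach a file.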