[cap-talk] The Limits of POLA's Utility - Social Engineering
david.nospam.hopwood at blueyonder.co.uk
Tue Jun 6 22:55:14 EDT 2006
Toby Murray wrote:
>>For this instantiation, we will use access to another user’s files as the
>>carrot, and revelation of this access to the party spied upon as the
>>stick. Assume there are three parties: Alice, Bob and Charlie. Alice is
>>already infected with the virus, and Bob and Charlie are related to her
>>(employees, colleagues, friends or family). The virus propagates in the
>>The virus sends an email from Alice to Bob, offering access to all of
>>Alice’s emails and documents. [...]
>>As soon as the virus has installed itself, it starts recording everything
>>that Bob does, and in particular the accesses to Alice’s information.
>>Crucially, this includes the search queries performed as well as logs of
>>the documents retrieved. This information is sent back to Alice or another
>>infected third party (that can be known through Alice) for safekeeping,
>>but it is not revealed. The key intuition is that the virus avoids the
>>hard problem of automatic detection of ‘blackmail’ material on Bob’s
>>computer, by collecting evidence on the unsavoury act of spying that it
>>has tempted Bob to commit. The unauthorised access to Alice’s computer,
>>both in the files Bob views, and the search terms he uses (revealing his
>>suspicions of Alice) should in most cases be incriminating material.
>>When a critical mass of incriminating evidence of unauthorised accesses
>>from Bob to Alice’s machine has been gathered, the virus emails Bob
>>with a warning. The warning specifies that if an attempt is made to
>>remove the virus the information gathered will be revealed. A snippet
>>of the information can also be provided to substantiate the threat.
>>To safeguard the virus against retaliation, it sets up a life-line
>>between Bob and Alice’s machine (or a compromised third party holding
>>the incriminating evidence), to monitor Bob’s computer, and ensure
>>that it remains infected. If Bob’s computer does not appropriately
>>respond, the evidence is released.
> I think this would succeed even if Bob's machine implements full POLA
> (ala CapDesk). Bob accepts the offer of the virus, giving it access to
> the network to contact Alice's machine, and thereby supply him access to
> Alice's files. The virus provides Bob access to Alice's files via a
> proxy that records Bob's accesses. POLA has not been violated. The virus
> need not have access to any of Bob's authority except the authority to
> access the network (which Bob *wants* to give it because Bob wants to
> get access to Alice's files).
> The virus has exploited Bob's human weaknesses, thereby corrupting his
> ability to make good trust decisions. The provision of POLA hasn't
> helped Bob.
I have to say that I don't see the problem.
Bob has been hoist by his own petard; he did something illegal (or at
least immoral) and got caught. Tough.
Alice was not running a POLA system, and therefore we cannot say that it
is a failure of POLA that allowed her files to be accessed.
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
More information about the cap-talk