[cap-talk] The Limits of POLA's Utility - Social Engineering
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Tue Jun 6 22:55:14 EDT 2006
Toby Murray wrote:
[...]
>>For this instantiation, we will use access to another user’s files as the
>>carrot, and revelation of this access to the party spied upon as the
>>stick. Assume there are three parties: Alice, Bob and Charlie. Alice is
>>already infected with the virus, and Bob and Charlie are related to her
>>(employees, colleagues, friends or family). The virus propagates in the
>>following manner:
>
>>1. Temptation.
>
>>The virus sends an email from Alice to Bob, offering access to all of
>>Alice’s emails and documents. [...]
>
>>2. Monitoring.
>
>>As soon as the virus has installed itself, it starts recording everything
>>that Bob does, and in particular the accesses to Alice’s information.
>>Crucially, this includes the search queries performed as well as logs of
>>the documents retrieved. This information is sent back to Alice or another
>>infected third party (that can be known through Alice) for safekeeping,
>>but it is not revealed. The key intuition is that the virus avoids the
>>hard problem of automatic detection of ‘blackmail’ material on Bob’s
>>computer, by collecting evidence on the unsavoury act of spying that it
>>has tempted Bob to commit. The unauthorised access to Alice’s computer,
>>both in the files Bob views, and the search terms he uses (revealing his
>>suspicions of Alice) should in most cases be incriminating material.
>
>>3. Blackmail.
>
>>When a critical mass of incriminating evidence of unauthorised accesses
>>from Bob to Alice’s machine has been gathered, the virus emails Bob
>>with a warning. The warning specifies that if an attempt is made to
>>remove the virus the information gathered will be revealed. A snippet
>>of the information can also be provided to substantiate the threat.
>>To safeguard the virus against retaliation, it sets up a life-line
>>between Bob and Alice’s machine (or a compromised third party holding
>>the incriminating evidence), to monitor Bob’s computer, and ensure
>>that it remains infected. If Bob’s computer does not appropriately
>>respond, the evidence is released.
>
> I think this would succeed even if Bob's machine implements full POLA
> (ala CapDesk). Bob accepts the offer of the virus, giving it access to
> the network to contact Alice's machine, and thereby supply him access to
> Alice's files. The virus provides Bob access to Alice's files via a
> proxy that records Bob's accesses. POLA has not been violated. The virus
> need not have access to any of Bob's authority except the authority to
> access the network (which Bob *wants* to give it because Bob wants to
> get access to Alice's files).
>
> The virus has exploited Bob's human weaknesses, thereby corrupting his
> ability to make good trust decisions. The provision of POLA hasn't
> helped Bob.
I have to say that I don't see the problem.
Bob has been hoist by his own petard; he did something illegal (or at
least immoral) and got caught. Tough.
Alice was not running a POLA system, and therefore we cannot say that it
is a failure of POLA that allowed her files to be accessed.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>