[cap-talk] The Limits of POLA's Utility - Social Engineering
Toby Murray
toby.murray at dsto.defence.gov.au
Wed Jun 7 00:01:53 EDT 2006
David Hopwood wrote:
>Toby Murray wrote:
>[...]
>
>> The virus has exploited Bob's human weaknesses, thereby corrupting his
>> ability to make good trust decisions. The provision of POLA hasn't
>> helped Bob.
>
>I have to say that I don't see the problem.
>
>Bob has been hoist by his own petard; he did something illegal (or at
>least immoral) and got caught. Tough.
>
Yes. But I wonder if there isn't a case for building systems that
protect users against themselves.
>Alice was not running a POLA system, and therefore we cannot say that it
>is a failure of POLA that allowed her files to be accessed.
>
It's not so much that Alice's files got accessed. It's just the bigger
question of "Can POLA stop viruses?". One thing that has always been a
big selling point with capabilities for me is POLA and that in the
current environment, POLA might largely kill the effectiveness of the
current breed of malware. I guess I'm just saying that if we can't also
protect users from themselves, then POLA might not be enough.
I take the implied point that Bob might not "deserve" helping in this
instance. That said, it's interesting to look at the historical
precursors to POLA and where they were motivated from. I've read some of
Nick Szabo's stuff that draws parallels between e.g. the Separation of
Powers and POLA. (I hope I'm not misrepresenting him here). There are
quotes from the Federalist papers (if I remember correctly) that
motivate the design of the governmental system with language like
"ambition must be made to counteract ambition", "if all men were angels
government wouldn't be necessary". Surely, these are arguments along the
lines of "The system must protect users against their own [bad] nature,
for the good of all".
A system that prevented Bob from doing the illegal/immoral thing would
make him and Alice more secure. My original point was that POLA might
not be sufficient to do this sort of thing. But if not POLA, then what
could help protect Bob from himself?
--
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.