[cap-talk] The Limits of POLA's Utility - Social Engineering
Ian G
iang at systemics.com
Wed Jun 7 05:27:53 EDT 2006
Toby Murray wrote:
> It's not so much that Alice's files got accessed. It's just the bigger
> question of "Can POLA stop viruses?". One thing that has always been a
> big selling point with capabilities for me is POLA and that in the
> current environment, POLA might largely kill the effectiveness of the
> current breed of malware. I guess I'm just saying that if we can't also
> protect users from themselves, then POLA might not be enough.
>
> I take the implied point that Bob might not "deserve" helping in this
> instance.

A more acceptable interpretation might be that we
can't figure out economically how to help Bob. So
he has to suffer; we are not a public utility.

> That said, it's interesting to look at the historical
> precursors to POLA and where they were motivated from. I've read some of
> Nick Szabo's stuff that draws parallels between eg. the Separation of
> Powers and POLA. (I hope I'm not misrepresenting him here). There are
> quotes from the Federalist papers (if I remember correctly) that
> motivate the design of the governmental system with language like
> "ambition must be made to counteract ambition", "if all men were angels
> government wouldn't be necessary". Surely, these are arguments along the
> lines of "The system must protect users against their own [bad] nature,
> for the good of all".

Separation of powers is a concept well utilised
in governance, a.k.a. accounting. (I would imagine
the examples you quote draw from that science, which
has been practiced ever since the invention of the
agent, I suppose.)

In this case, the assumption is that the technical
system cannot protect, so we must augment it with
additional eyes. The 4 eyes principle is that there
are always two pairs of eyes on an activity that is
subject to perversion. The 6 eyes principle is that
one person instructs, another acts, and a third just
watches. Accountants could go on for ever on this...

This is something of somewhat current note - in the
phishing debacle, we have often expressed the claim
that a system of strong security must include the
user, and a system of security that does not include
the user is a weak one. It's not a comfortable claim
though.

(The military analogue is the minefield, which is
considered futile unless guarded with troops.)

> A system that prevented Bob from doing the illegal/immoral thing would
> make him and Alice more secure. My original point was that POLA might
> not be sufficient to do this sort of thing. But if not POLA, then what
> could help protect Bob from himself?
>

No system can do that. Bob is himself, the system
is just his agent.

iang