[cap-talk] The Limits of POLA's Utility - Social Engineering
Stiegler, Marc D
marc.d.stiegler at hp.com
Wed Jun 7 14:27:00 EDT 2006
> Yes. But I wonder if there isn't a case for building systems
> that protect users against themselves.
Sounds like a Microsoft plan (or a Soviet plan :-). I have to say, my
preferred answer is to ensure people understand the choices they are
making, and then let them choose. It is appropriate to realize that we
have done such a poor job of enabling people to understand the choices
in cyberspace, we have no real idea how well they'd do if they were well
informed. Let us see how that plays out before going for the "nanny
state" :-)
>
> >Alice was not running a POLA system, and therefore we cannot
> >say that
> >it is a failure of POLA that allowed her files to be accessed.
> >
> It's not so much that Alice's files got accessed. It's just
> the bigger question of "Can POLA stop viruses?". One thing
> that has always been a big selling point with capabilities
> for me is POLA and that in the current environment, POLA
> might largely kill the effectiveness of the current breed of
> malware. I guess I'm just saying that if we can't also
> protect users from themselves, then POLA might not be enough.
POLA is certainly not enough. Another crucial element is to introduce
tokens/money into the mix. One reason attacks are so successful is that
you can send out billions of attacks virtually for free ($3/month to
rent a spambot). If you can make billions of attacks, and make a profit
if you only get a 0.001% success rate, attacks will still be profitable.
Also, if you introduced money, people would take it all more seriously:
even just having 10 mailbucks on your system for introducing yourself to
people you haven't met before (to get through their email filters for
strangers, that demand mailbucks) would inspire many people to take much
more seriously the idea that maybe they shouldn't install the virus as
part of the OS.
>
> I take the implied point that Bob might not "deserve" helping
> in this instance. That said, it's interesting to look at the
> historical precursors to POLA and where they were motivated
> from. I've read some of Nick Szabo's stuff that draws
> parallels between eg. the Separation of Powers and POLA. (I
> hope I'm not misrepresenting him here). There are quotes from
> the Federalist papers (if I remember correctly) that motivate
> the design of the governmental system with language like
> "ambition must be made to counteract ambition", "if all men
> were angels government wouldn't be necessary". Surely, these
> are arguments along the lines of "The system must protect
> users against their own [bad] nature, for the good of all".
This is not the point of the Federalist papers. The point of those
arguments was not to protect people from themselves, but rather to
protect people from government, which only incidentally happens to be
run by (untrustworthy) people. The moral equivalent in a computer/human
relationship is, building assurances that the human will not be
exploited by the developers of the OS (where OS developers are the moral
equivalent of government leaders in the analogy). People are protected
from each other by law, and people are protected from lawmakers by
separation of powers among different groups of lawmakers. POLA is
interesting because it is a good piece of machinery for implementing
both policies, whether in physical or cyber worlds. The 10th amendment
is specifically the POLA amendment: all powers not explicitly granted to
the national government are expressly reserved to the states and the
people.
It is important that we do not allow our computers to compromise the
10th amendment the way the government has :-)
--marcs