[cap-talk] The Limits of POLA's Utility - Social Engineering

Stiegler, Marc D marc.d.stiegler at hp.com
Wed Jun 7 14:47:56 EDT 2006


> OK, if I may take this a bit further then, in this example, 
> how can we make Bob aware of the risk of giving this virus 
> the authority to access the network? One obvious risk Bob 
> needs to be aware of is "Any entity that offers you a service 
> can track your use of that service". Hence, if the service is 
> illegal, then you are incriminating yourself to that entity. 
> Are there other options besides user education?
> 
> I don't know if the following is too cute or what...
> Bob has to install the virus (give it write access to some stable
> storage) if it is to persist. At this time, in a POLA 
> environment, he would presumably grant it network access. 
> This is a time when Bob could be warned by "the system". e.g. 
> "You are about to install a networked service. Be aware that 
> your use of this service can be tracked and that any evidence 
> of illegitimate use may be used against you."
> 
> The other thing is to make Bob aware of the risk of running 
> an unknown piece of software in the first place.
> If all of Bob's social group are already infected, then 
> judging the risky-ness of the software based on the 
> trustworthiness of the introducer (which is likely to be one 
> of Bob's friends) may not be all that helpful. This seems to 
> be leading to an argument in favour of the current models of 
> PKI signed code and software blacklists/whitelists. 
> Having a "secondary introducer" (such as the PKI or a 
> software whitelist controlled by an AV company perhaps) could 
> guard against this threat (where Bob's normal trusted 
> introducers have become compromised), allowing Bob to make a 
> better judgement about the risks.

Judging the riskiness of a piece of software based on who gave it to you
is exactly the sort of thing we are trying so hard to avoid. Such a
strategy is a catastrophe for the software industry: who are you going
to trust? Well, you're already totally reliant on Microsoft, I guess
I'll trust them. I surely won't trust the developer of DecideRight, whom
I've never heard of before. So I won't buy any innovative new software.

In fact, users have already found a better solution, with no CapDesk,
than trusting the people who wrote or signed the software. They avoid
using their computers for anything dangerous. No one in his right mind
would put digital cash on a modern computer: the only kind of cash you
dare use on a computer is cash for which someone else takes the risk,
like credit cards. Such risk-transfer is expensive and heavyweight.
Hence there can be no lightweight digital cash, hence no spam filtering
based on cash, and no buying an electronic edition of today's Wall
Street Journal for 25 cents.

CapDesk can make it very clear that you are about to grant an
application an excess of authority. Have you read Granma's Rules of
POLA? Ken Kahn came up with enhancements to the installation system that
work even better than Granma's Rules, sort of by embedding the rules in
the installation tool. If you follow the rules, you are in good shape.
Granma will be safe in the face of the virus you just described. The
creep in the scenario might not be safe, but the rest of us will be. 

--marcs
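The install-time check the correspondent sketches above (warn when a program asks for both stable storage and the network, then hand it only what the user approves) can be modelled in a few dozen lines. The following is an added toy example, not CapDesk or E code and not Granma's Rules verbatim: the authority names "persistent_storage" and "network", the app "FreeScreensaver", the host "tracker.example" and the single warning rule are all made up for illustration. Authorities are closures, so a program that was not handed one has no way to reach the resource at all.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# The two resources a conventional OS hands every program as ambient authority.
# Here they are reachable only through the closures minted below.
def make_storage_authority(store: Dict[str, bytes]) -> Callable[[str, bytes], None]:
    def write(key: str, data: bytes) -> None:
        store[key] = data
    return write

def make_network_authority(wire: List[Tuple[str, bytes]]) -> Callable[[str, bytes], None]:
    def send(host: str, payload: bytes) -> None:
        wire.append((host, payload))
    return send

@dataclass
class InstallRequest:
    app_name: str
    requested: Set[str]          # e.g. {"persistent_storage", "network"}

def review_request(req: InstallRequest) -> List[str]:
    """Install-time rule check (hypothetical rule, not Granma's Rules).
    Returns the warnings to show before the user approves anything."""
    warnings = []
    if {"persistent_storage", "network"} <= req.requested:
        warnings.append(
            f"{req.app_name}: you are about to install a networked service; "
            "whoever runs the far end can track your use of it.")
    return warnings

def install(req: InstallRequest,
            available: Dict[str, Callable],
            approve: Callable[[str], bool]) -> Dict[str, Callable]:
    """Grant only the requested authorities the user approves.
    Anything not granted is simply absent from the app's world."""
    granted = {}
    for name in sorted(req.requested):
        if name in available and approve(name):
            granted[name] = available[name]
    return granted

def run_app(granted: Dict[str, Callable]) -> Dict[str, bool]:
    """The installed program (the 'virus' of the thread). It can only
    call what it was handed; there is no global to fall back on."""
    write = granted.get("persistent_storage")
    send = granted.get("network")
    outcome = {"persisted": False, "phoned_home": False}
    if write is not None:
        write("payload.bin", b"\x90\x90")          # constructed payload
        outcome["persisted"] = True
    if send is not None:
        send("tracker.example", b"user=bob")       # constructed beacon
        outcome["phoned_home"] = True
    return outcome

def demo(approve_network: bool):
    """One install of a program asking for storage + network. The user
    always approves storage; approve_network decides the network grant."""
    store: Dict[str, bytes] = {}
    wire: List[Tuple[str, bytes]] = []
    available = {"persistent_storage": make_storage_authority(store),
                 "network": make_network_authority(wire)}
    req = InstallRequest("FreeScreensaver", {"persistent_storage", "network"})
    warnings = review_request(req)
    granted = install(req, available,
                      lambda name: name != "network" or approve_network)
    return warnings, run_app(granted), store, wire

if __name__ == "__main__":
    for choice in (False, True):
        warnings, outcome, store, wire = demo(choice)
        print("approve_network =", choice, "->", warnings, outcome, wire)
```

With the network grant refused the program still persists (it got storage) but the wire stays empty; with it approved the beacon goes out, but only after the warning was shown. The point of the model is that the installer, not the program, decides which closures exist in the program's namespace.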



More information about the cap-talk mailing list