[cap-talk] capabilities Q - charts review + comments
Karp, Alan H
alan.karp at hp.com
Fri Jun 16 11:31:38 EDT 2006
Jed wrote:
>
> and At 06:45 PM 6/13/2006, Sandro Magi wrote:
> >
> >...even grandma can understand that Solitaire shouldn't be able
> >to e-mail her financial statements.
>
> Perhaps I'm being too "technical" here, but I think people, including
> grandma, also understand that Solitaire came with their OS and they
> presumably will and should have more trust in it. There really
> shouldn't be a fundamental problem with the Solitaire program.
> Even though one shouldn't need to trust it, there shouldn't be
> a problem with doing so.
>
Sandro stated the point I'm making with the example. Everyone
understands that Solitaire doesn't need all that authority. Everyone
understands that Solitaire has all that authority. They know that some
apps have been compromised, even though Solitaire has not. They then
understand why a malicious macro or a flaw in any program can be used to
compromise their systems.
>
> Where this lack of POLA really binds and cuts in today's
> technology environment IMO is when people want to and are
> sometimes forced to run software from relatively untrusted
> sources.
I agree, but that's a problem everyone is aware of. People simply
aren't consciously aware of the problem that the Solitaire example
brings to their attention.
>
> And then there is the business of downloading software
> or otherwise receiving software over the Internet. In today's
> world it seems to be a no no. Wouldn't it be nice if one
> could do so in relative safety? If you could run that
> Christmas display or amusing game software that your
> cousin sent you safely? That's POLA.
Exactly the point made a couple of slides later. I point out that the
current approach to security turns off a feature every time a new kind
of attack occurs. I offer POLA as a better option than this feature
starvation.
>
> To me it simply seems that there are enough flaws
> in the simple Solitaire example that it should at least
> be mentioned in the more general context.
>
I agree. That's why it's not used in isolation.
>
> Probably they'd also zone out if you mentioned "suid" programs,
> but to me that seems a key place where confused deputies arise
> in today's computer systems.
Then I'd have to explain what suid does, why you'd use it, blah blah
blah. Remember, few of the people I present to speak Unix. Besides,
the example of Bob asking Alice to do something Bob can't do but Alice
can is exactly the suid example without the technical detail. I've
found that precision often interferes with communicating the idea at a
conceptual level.
_________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
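The Bob-asks-Alice case from the last reply, as an added toy example that is not part of the thread: a deputy (Alice) acting with her own ambient authority, which is the suid pattern, beside a deputy that can only exercise a capability Bob hands her. The in-memory "filesystem", the owners and the names Alice and Bob are constructed for the illustration.

```python
# Constructed in-memory "filesystem": path -> [owner, contents]
FILES = {
    "/home/bob/notes.txt": ["bob", ""],
    "/etc/passwd": ["root", "root:x:0:0"],
}

def acl_write(principal, path, data):
    """ACL-style check: the identity doing the write decides, as with suid."""
    if principal != "root" and FILES[path][0] != principal:
        raise PermissionError(f"{principal} may not write {path}")
    FILES[path][1] = data

def alice_deputy_ambient(output_path, data):
    """Alice runs with her own (root) authority and trusts Bob's path.
    Like a suid program she cannot tell which of her permissions Bob is
    entitled to exercise, so a path of /etc/passwd steers her into
    overwriting a file Bob could never touch himself (confused deputy)."""
    acl_write("root", output_path, data)

class WriteCap:
    """A capability: holding the object *is* the authority to write one file."""
    def __init__(self, path):
        self._path = path
    def write(self, data):
        FILES[self._path][1] = data

def bob_open_for_write(path):
    """Bob can only mint a WriteCap for a file the ACL already lets him write."""
    if FILES[path][0] != "bob":
        raise PermissionError(f"bob may not write {path}")
    return WriteCap(path)

def alice_deputy_pola(cap, data):
    """Alice acts only with the authority Bob handed her, nothing more."""
    cap.write(data)

def demo():
    """Returns (ambient deputy clobbered /etc/passwd?, capability refused?, notes)."""
    alice_deputy_ambient("/etc/passwd", "bob:x:0:0")
    clobbered = FILES["/etc/passwd"][1] == "bob:x:0:0"
    try:
        bob_open_for_write("/etc/passwd")   # Bob cannot obtain this capability
        refused = False
    except PermissionError:
        refused = True
    alice_deputy_pola(bob_open_for_write("/home/bob/notes.txt"), "hello")
    return clobbered, refused, FILES["/home/bob/notes.txt"][1]

if __name__ == "__main__":
    print(demo())   # (True, True, 'hello')
```

The ambient deputy cannot distinguish Bob's authority from her own, which is exactly why the slide's Bob/Alice story and the suid story are the same story; the capability deputy never has to make that distinction.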