[cap-talk] Capabilities and Freedom vs. Safety
Pierre THIERRY
nowhere.man at levallois.eu.org
Sun Jul 22 00:09:33 EDT 2007
James A. Donald wrote on 22/07/2007 at 11:48:
>> Could you detail how a Trojan or malware could be designed so as to
>> be effective when run confined?
> Imagine a program that plays music, and gets free legal music off the
> internet, and organizes your music files and reports your music files
> to the RIAA through backchannels that exist during its downloads of
> free legal music.
That sounds like an application of the Principle of Most Authority...
Why would I ever want to have a single program have so much authority at
once?
Why wouldn't I just have the following separated programs:
- one to play music (only authorities: reading files I ask to play and
sound output),
- one to organize my music (authority: reading all my music files, maybe
some kind of powerbox to delete them),
- one to download music (authority: restricted network access and adding
new files to an incoming directory).
Each instantiation of the download program would be started confined, so
I know it has no access to durable mutable state it can read back.
To add to the difficulty of any spyware, note that I would probably give
a network access restricted to a very narrow set of domains, so the
music download site would have to cooperate with the RIAA for this to
work.
Even if they do cooperate, or I give full network access to the
download program, I don't see how it could send any valuable information
to the RIAA apart from what is currently downloaded.
> For a recent real world example, Firefox, apparently in return for
> payments from Google, implemented headers in Firefox that facilitate
> charging for ads, and impair users' privacy.
Do you have any reference on that? I couldn't find any, which is pretty
surprising (I would expect many people from the free software community
to make a lot of noise about it).
>> And why should uninspectable code be more malicious than inspectable
>> code?
> They are more likely to get caught, and thereby suffer bad publicity.
But you should always consider any code from a third party to be
malicious by design, whatever its form.
Curiously,
Pierre
--
nowhere.man at levallois.eu.org
OpenPGP 0xD9D50D8A
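The separation of authorities described in the message above, modelled as an added Python example (not code from this thread or from any capability system): the download program is handed capability objects instead of ambient file-system and network access, so it can add files to the incoming directory but has no way to list or read them back, and can only reach the hosts it was granted. The host names, file names and the fetch callback are assumptions; Python itself does not stop a module from calling open() or opening sockets, so the objects model the boundaries a capability-secure runtime would enforce.

```python
import os
import tempfile
from urllib.parse import urlparse

# Constructed capability objects: each program gets only these, no ambient authority.
class NetCap:
    """Network authority limited to an allow-list of hostnames."""
    def __init__(self, allowed_hosts, fetch):
        self._allowed = frozenset(allowed_hosts)
        self._fetch = fetch          # fetch(url) -> bytes, supplied by the caller
    def get(self, url):
        host = urlparse(url).hostname
        if host not in self._allowed:
            raise PermissionError(f"network access to {host!r} was never granted")
        return self._fetch(url)

class IncomingDirCap:
    """Add-only authority over one directory: new files can be created, but
    nothing can be listed, read back or overwritten through this object."""
    def __init__(self, directory):
        self._dir = directory
    def add(self, name, data):
        name = os.path.basename(name)            # no traversal out of the directory
        with open(os.path.join(self._dir, name), "xb") as f:  # 'x': never clobber
            f.write(data)
        return name

class Downloader:
    """The download program: holds the two capabilities above and nothing else."""
    def __init__(self, net, incoming):
        self._net, self._incoming = net, incoming
    def fetch_track(self, url):
        return self._incoming.add(url.rsplit("/", 1)[-1], self._net.get(url))

def run_demo(fetch):
    """Start a confined downloader and probe its boundaries; returns
    (saved file name, disallowed host refused?, overwrite refused?)."""
    with tempfile.TemporaryDirectory() as incoming_dir:
        dl = Downloader(NetCap({"music.example"}, fetch), IncomingDirCap(incoming_dir))
        saved = dl.fetch_track("https://music.example/song.ogg")
        try:
            dl.fetch_track("https://tracker.example/report")  # host not granted
            host_refused = False
        except PermissionError:
            host_refused = True
        try:
            dl.fetch_track("https://music.example/song.ogg")  # same name again
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
    return saved, host_refused, overwrite_refused
```

Running run_demo with a stub fetch callback returns ("song.ogg", True, True): the track is stored, the unlisted host is refused, and the existing file cannot be replaced through the add-only capability.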