[cap-talk] Capabilities and Freedom vs. Safety

Jonathan S. Shapiro shap at eros-os.com
Mon Jul 23 11:34:04 EDT 2007


On Mon, 2007-07-23 at 11:35 +0200, Marcus Brinkmann wrote:
> At Fri, 20 Jul 2007 11:27:29 -0400,
> "Jonathan S. Shapiro" <shap at eros-os.com> wrote:
> You raise an interesting point about networked systems:
> 
> > In the real world, systems are networked. One consequence is that your
> > mistakes have a negative impact on me, in the sense that your
> > compromised system becomes a basis for attacking mine. The interaction
> > of your freedoms and my freedoms must therefore be considered. In
> > consequence, some of the actions you might take on your machine cease to
> > be exercises of freedom and begin to be exercises of license: actions
> > that undermine the freedom of others or the liberties of society.
> 
> The problem you describe is real enough.  The solution you offer is
> tempting, but potentially dangerous.  History seems to favor loosely
> coupled networks of peers over restricted networks.  Wikipedia is
> successful, while Nupedia faltered.  The internet is successful, while
> BTX faltered.  This may mean that the (perceived) benefit of open
> networks exceeds their costs even at a global scale.

I agree with all of this. I do not imagine constructing some grand,
invasively restrictive system. Rather, I imagine a system in which
"oblivious safety" is the norm.

Most users, I claim, do not *want* their applications to become DoS
droids. [Most do not know this is possible, but when they are told, most
basically want to be decent folks.] In consequence, forcing the
application to establish external connections through a power box is not
viewed by the user as invasive.

Similarly, most users understand at some level that there is
functionally critical data on their system. If the password database is
corrupted, you are going to have real pain. Most users would be quite
happy knowing that there was software in place to check the integrity of
this data.

My sense is that there is a middle ground between "invasively
restrictive" and "emperor has no clothes", and that this middle ground
can be very effective from a security perspective.

BUT, as a qualifying example:

I do *not* envision a system where you cannot create new programs on
your machine and give them broad authority. I *do* envision a system
that makes it easy to build programs with better structure than that, so
that the most natural and simplest way to build things is the safer way.

I am not so much concerned with programs you build and shoot yourself
with. If you are building a program, we are already assuming some
sophistication. I am much more concerned with the programs that you
create that *I* run.

Or to put that another way, MarcS can hold my wallet any day, but I'm
not sure that Marcus can. :-)  [Kidding. Actually I would have no
reservations about that.]

> But what
> about the harm done by access restrictions?

I am very aware of this harm. There are some days when I do not think
you believe this. I am not seeking a straightjacket for users or
computation (I might make an exception for RAID systems this week). I am
seeking a middle ground.

It seems to be an unfortunate reality about this sort of design goal
that you cannot evaluate it until the design is fairly concrete, and by
then it is usually too late to change. I can only suggest that we not
become too alarmist too quickly. A range of experiments in this space is
the only way we have to discover the best place to stand.

> In the absence of an extensive cost/benefit analysis, on what basis
> should such decisions be made?  Clearly we all have ideological bias
> and preferences, but if we ask what's best for society, we need
> something more substantial than that.

Unfortunately, the only way to *get* something better than that is to
experiment. And yes, I understand the societal cost and risk of such
experiments. I can only point out that in the big scheme, the risk of
*not* experimenting is even higher.

> I support the goal of oblivious safety of others.

I know that you do. I apologize if it seemed that I was saying something
else. What I was *trying* to say was that the Hurd architecture has not
yet started to address this issue -- or at least it seems that way to
me. Since I didn't say it before: I have confidence, given the people
involved, that Hurd will do so.

> Strategies of equity of living conditions, education, and cultural
> change, just to give examples.

I used to believe this, but I don't think it is simple anymore. I
believe that it is an obligation to present each person with real
opportunities at several levels, primarily including education. There is
no obligation to force them to accept them, and no obligation to "prop
up" the people who decline to engage in society. If I can mangle an old
saying: you have to lead the horse to the water, show them that it *is*
water, and give them a credible chance to drink. After that, if the
horse dies of dehydration it's the horse's fault.

An interesting and disturbing study was recently published. What it
shows is that the "terrorists are motivated by poverty" theory is wrong.
If the study is sound (and I suspect it is), terrorists often come from
above-average incomes and have significantly more education than the
norms for their societies.

As to cultural change, I agree. My fear is that deep cultural change
takes centuries, and at the moment we cannot afford to wait that long.

> And with apologies to Marc, I don't
> think that defensive living and US hit-teams will help.

Defensive living, no. US hit-teams can be very persuasive when used
according to manufacturer instructions, but they don't scale. In any
case, you can't get them on eBay, so who cares?


shap
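As an added illustration of the "power box" pattern described in the message above (an application is given no ambient network authority and must obtain each external connection through a user-mediated power box, so it cannot quietly become a DoS droid), the following is example code written for this archive page; it is not from the cap-talk thread and not an EROS, Coyotos or Hurd API. `Powerbox`, `NetConnection`, the `ask_user` policy callback, the fake dialer and the per-application grant and byte budgets are all assumptions made for the example.

```python
"""Powerbox-mediated outbound connections (constructed example).

The untrusted application never receives a socket or dialer. The only
network authority it holds is a reference to the Powerbox, which consults
the user's policy, records an audit line, and hands back a narrow
NetConnection capability bound to one host:port with a byte budget.
"""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class Denied(Exception):
    """Raised when the powerbox (or a budget) refuses a request."""


@dataclass
class NetConnection:
    """Capability to talk to exactly one peer, with a byte budget so a
    misbehaving app cannot flood the peer even after a grant."""
    host: str
    port: int
    budget: int
    sent: int = 0
    _dial: Optional[Callable[[str, int, bytes], int]] = field(
        default=None, repr=False)  # the real network, never exposed to the app

    def send(self, data: bytes) -> int:
        if self.sent + len(data) > self.budget:
            raise Denied(f"byte budget exhausted for {self.host}:{self.port}")
        self.sent += len(data)
        return self._dial(self.host, self.port, data)


@dataclass
class Powerbox:
    """Mediates every outbound connection request on the user's behalf."""
    ask_user: Callable[[str, str, int], bool]   # (app, host, port) -> grant?
    dial: Callable[[str, int, bytes], int]       # held only by the powerbox
    max_grants_per_app: int = 3                  # assumed policy knob
    byte_budget: int = 4096                      # assumed policy knob
    grants: Dict[str, List[Tuple[str, int]]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def request_connection(self, app: str, host: str, port: int) -> NetConnection:
        given = self.grants.setdefault(app, [])
        # Cap the number of distinct peers an app may be granted, regardless
        # of how the user answers, so a compromised app cannot fan out.
        if len(given) >= self.max_grants_per_app:
            self.audit.append(f"DENY {app} -> {host}:{port} (grant limit)")
            raise Denied(f"{app} has exhausted its connection grants")
        if not self.ask_user(app, host, port):
            self.audit.append(f"DENY {app} -> {host}:{port} (user)")
            raise Denied(f"user declined {host}:{port} for {app}")
        given.append((host, port))
        self.audit.append(f"GRANT {app} -> {host}:{port}")
        return NetConnection(host, port, self.byte_budget, _dial=self.dial)


def run_untrusted_app(powerbox: Powerbox, app_name: str,
                      targets: List[Tuple[str, int]]) -> Tuple[int, int]:
    """Simulated application code: it holds only the powerbox reference.
    Returns (connections granted, requests denied) so the outcome is checkable."""
    granted, denied = 0, 0
    for host, port in targets:
        try:
            conn = powerbox.request_connection(app_name, host, port)
            conn.send(b"hello")
            granted += 1
        except Denied:
            denied += 1
    return granted, denied


def demo():
    """Constructed scenario: a widget that should only talk to its update
    server also tries five unrelated hosts. Only the first gets through."""
    sent_log: List[Tuple[str, int, int]] = []

    def fake_dial(host: str, port: int, data: bytes) -> int:
        sent_log.append((host, port, len(data)))   # stands in for a socket
        return len(data)

    def policy(app: str, host: str, port: int) -> bool:
        # Stand-in for the user's answer to the powerbox prompt.
        return host == "updates.example.org" and port == 443

    pb = Powerbox(ask_user=policy, dial=fake_dial)
    targets = [("updates.example.org", 443)] + [
        (f"host{i}.example.net", 80) for i in range(5)]
    granted, denied = run_untrusted_app(pb, "weather-widget", targets)
    return granted, denied, pb.audit, sent_log


if __name__ == "__main__":
    g, d, audit, log = demo()
    print(f"granted={g} denied={d}")
    print("\n".join(audit))
```

The point the message makes is that this mediation is not experienced as invasive: the application's natural code path is to ask the powerbox, the user answers once per peer, and the connection it gets back is exactly as narrow as what was approved. The grant cap and byte budget are the "oblivious safety" part: they hold even when the user says yes to everything.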
