[cap-talk] Capabilities and Freedom vs. Safety

David Chizmadia (JHU) chiz at cs.jhu.edu
Tue Jul 24 22:18:49 EDT 2007


I can read (at least) two possible meanings into your statement that:

> ... every durable privilege is a security flaw.

On my first through third readings, I interpreted it to mean that a
system that you would consider to be "properly" engineered should
never contain durable privileges, since their durability is
intrinsically insecure.

On my fourth and fifth readings, I noticed your next statement that:

> Any program that do(es) enough to be useful, can do enough
> to harm you.  The point is to reduce the potential harm,
> and to detect it, not to eliminate potential harm.

and realized that you might have meant to say that all function in a
system can be used for either "good" or "evil" intent. Such an
interpretation is logically consistent with the observation (which I
heard from Mario Tinto in the late '80s) that "one only has a
security problem when sharing is required in a system."

Would you please clarify which meaning you intended?


