[cap-talk] Capabilities and Freedom vs. Safety
James A. Donald
jamesd at echeque.com
Wed Jul 25 07:31:38 EDT 2007
David Chizmadia (JHU) wrote:
> I can read (at least) two possible meanings into your
> statement that:
>> ... every durable privilege is a security flaw.
> On my first through third readings, I interpreted it
> to mean that a system that you would consider to be
> "properly" engineered should never contain durable
> privileges, since their durability is intrinsically
Obviously you need some durable privileges - and every
such privilege is a problem. Cannot always be avoided,
but should be minimized. Communicable durable
privileges are a considerably bigger problem, much as
durable secrets are a problem, and durable shared
secrets a considerably more serious problem.
> > Any program that do(es) enough to be useful, can do
> > enough to harm you. The point is to reduce the
> > potential harm, and to detect it, not to eliminate
> > potential harm.
> and realized that you might have meant to say that all
> function in a system can be used for either "good" or
> "evil" intent. Such an interpretation is logically
> consistent with the observation (which I heard from
> Mario Tinto in the late '80s) that "one only has a
> security problem when sharing is required in a
> Would you please clarify which meaning you intended.
All of the above. The most deadly form of malware is
that which turns the computer into a zombie, giving an
adversary complete control, and obviously our highest
priority is to make that impossible. But lesser forms
of malware, for example adware and spyware, are also
serious problems. Whenever we try to limit the
capabilities of malware there are costs. At lower
levels of malevolence, it is increasingly difficult to
get a decent cost benefit ratio.
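To make the "minimize durable privilege, and detect misuse" point concrete, here is an added example (not code from the thread or from any poster): a caretaker-style forwarder in Python that bounds a privilege in time, lets the grantor revoke it, and records every use. The names `Resource`, `Caretaker` and `exercise` are hypothetical, and the clock is injected so the example runs deterministically offline.

```python
import time
from dataclasses import dataclass, field


class Revoked(Exception):
    """Raised when a revoked or expired capability is exercised."""


@dataclass
class Resource:
    """Constructed stand-in for whatever a privilege grants access to."""
    name: str
    log: list = field(default_factory=list)

    def write(self, data: str) -> str:
        self.log.append(data)
        return f"{self.name}: wrote {data!r}"


class Caretaker:
    """Forwarder that makes a privilege time-bounded and revocable.

    The holder receives only this object, never the Resource itself, so the
    privilege lasts only until revoke() is called or ttl seconds elapse.
    Every attempt is recorded so misuse can be detected after the fact.
    """

    def __init__(self, target, ttl: float, clock=time.monotonic):
        self._target = target          # dropped on revocation or expiry
        self._clock = clock            # injectable for testing
        self._expires = clock() + ttl
        self.audit = []                # ("used" | "denied", method)

    def revoke(self) -> None:
        self._target = None

    def _check(self, method: str) -> None:
        if self._target is None or self._clock() > self._expires:
            self._target = None        # expiry is as final as revocation
            self.audit.append(("denied", method))
            raise Revoked(method)
        self.audit.append(("used", method))

    def write(self, data: str) -> str:
        self._check("write")
        return self._target.write(data)


def exercise(cap: Caretaker, payloads) -> list:
    """Attempt each write through the capability; report the outcomes."""
    outcomes = []
    for payload in payloads:
        try:
            outcomes.append(cap.write(payload))
        except Revoked:
            outcomes.append("revoked")
    return outcomes
```

The audit list is what lets the grantor detect attempted use after revocation, which the argument above treats as the realistic goal once elimination of harm is ruled out.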