[cap-talk] Ivan Krstic sells POLA at AusCert 2007
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Jun 14 02:52:44 EDT 2007
On Wed, 2007-06-13 at 17:37 -0400, Ivan Krstić wrote:
> Toby Murray wrote:
> > shame it wasn't picked up on other popular tech media though.
>
> From what I recall, CNet, ComputerWorld, ZDNet and the Sydney Morning
> Herald/The Age covered it. The view that modern desktop security
> measures fundamentally aren't good is pretty unpopular, though, and gets
> a lot of people upset.
I'm glad it was better covered than my quick googling revealed. That's
great.
Could you elaborate on who you're referring to when you say that the
idea that modern desktop security measures are no good gets a lot of
people upset. Are you referring to security product vendors, OS vendors
or desktop users? Perhaps all of the above, I wonder. All certainly have
good reasons to be upset about the truth of this statement.
>
> I've explicitly mentioned capability
> systems in all the talks I've given about this, including the AusCERT
> one.
Really? That's interesting. While many on this list believe that
capabilities are the best approach to achieving POLA, I've never thought
that a high-level presentation about the virtues of POLA necessarily
needs to include talk of capabilities. I've always assumed from the fact
that BitFrost eschews caps but still has POLA as one of its goals that
you believe that caps aren't necessary for POLA. Hence, a mention of
caps in talks about BitFrost is intriguing. In what context do you
discusss caps while talking about BitFrost?
Could you clarify your position on the need (or lack of) to use a
capability-based approach to achieve POLA?
> MarkM and MarcS are on the One Laptop per Child security working group.
That's encouraging for POLA on OLPC, given their strong experience
building usable POLA systems.
Thanks heaps,
Toby
More information about the cap-talk
mailing list