[cap-talk] Interesting Presentation: AusCERT 2007

Jed Donnelley jed at nersc.gov
Mon Nov 12 16:52:32 EST 2007


On 11/10/2007 5:50 PM, Ivan Krstić wrote:
> On Nov 10, 2007, at 7:30 PM, Mark Miller wrote:
>> http://www.fladotnet.net/downloads/SecurityArchitectures_KenHamerHodges_20070821.ppt
> 
> Thanks for sharing the link, Mark. Some of the points are quite  
> similar to ones I made in my May keynote on OLPC and security at  
> AusCERT; should this group find it of interest, my slide deck is here:
> 
>      <http://radian.org/~krstic/talks/2007/auscert/slides.pdf>

Hi Ivan.  Thanks for sharing!  I'll make some comments:

Regarding the discussion about kids learning - I think
the Montessori principles (e.g.:

http://www.webstart.com/projects/montessori/montessori.html

).  I've seen that approach keep children learning as
curiosity-driven, largely peer-based (though a directress/
director certainly plays a role in at least structuring
the environment), happens "everywhere" and all-day.

That discussion would take us too far afield, but I mention
it for further discussion elsewhere if you're interested.

Boy, the jump from the picture of a developing world kid
with no access to a teacher to "We can do laptops now and
let schooling fix itself over time." is a big one.  Just
the thought that a laptop (even network connected) would
provide an advantage over the existing peer and adult
interactions that even developing world children have
even without a formal "teacher" seems like a big assumption
to me.  We of course are all aware of the concern about
the isolating effects of spending more time with computers
and less with people.


That then leads up to your key point (pg. 31) which gets
into the focus of cap-talk:

Re: "Web site Certified by an Unknown Authority" - I simply
consider this a symptom of the fact that there is a marginally
operational monopoly on Web browsers that is conspiring with
other companies doing certificate signing in what amounts
to a shake-down racket that provides no security value.

The access is as secure (with SSL) with or without going
through a certificate signed by a known, on the take,
certificate authority.  It's pretty difficult to present
any sort of reasonable choice to the user in a situation
like that.  I say just leave it out as was the case in
the past - though without enabling sufficient income for
the leeches who sign certificates as a source of income
(sorry for the strong language).

You say (slide 42):

> But the user knows as much about
> computer security as they do about
> gravitational waves, closed strings and
> D-branes.

People do know about the notions of controlling
access - e.g. to information (secrets, etc.).
With an effective paradigm for controlling
access and a matching user interface users
could use that intuitive grasp of access control
to manage their computer security effectively.
As you note, worrying about who signs a
certificate isn't getting us there...

I like your reasoning sequence from chart
#45:

> And here we are. It’s 2007, we’ve failed, but
> how on Earth did we get here?

through chart #62 - "Sticks and stones".  Ha!


I was prepared to agree with MarkM's concern
about the mention of the B5000 on chart #66:

> A nit: I'm uncertain about how much credit to give the B5000.

but seeing the reference in context I think it
is reasonable.  The Burroughs systems did contribute
to an "object" oriented approach to computing with
their tagged architecture.  As MarkM notes, the
Burroughs systems were essentially unsecurable systems.
They had no concept of a user/supervisor mode and
depended completely on trusted compilers.  One chink
in the compiler armor that led to unsafe code
being compiled and stored on disk and the systems
were completely vulnerable.  I had such a program
and can attest to such complete control = lack
of security.

But I think that is an aside.

I like this theme on chart #82:

> Instead of protection from executing
> untrusted code, Bitfrost protects the
> machine while executing untrusted code.

On chart #94 when you say:

> But we’ve actually decided to break
> backwards compatibility to provide strong
> security.

I assume you mean that neither Windows nor
Unix programs will run under this OS?


Regarding chart #106:

> No idea what’s going to happen to the web,
> but the security picture is getting scary, and
> browser security teams are already having a
> hard time keeping up with issues.

This is where I believe a different paradigm
that provides an intuitive UI for access control
is needed (see 1. and 2. in my recent message for my view:

http://www.eros-os.org/pipermail/cap-talk/2007-November/009232.html

).

This call on chart #118:

> My call to you: let’s wake up, shake off
> 35-year old assumptions, work less on sexy
> problems and more on hard ones, and let’s
> fix this.

seems to echo the call from Ken Hamer-Hodges,
though as I note, how to answer the call is
not clear to me.


As I indicated in the message above, it seems
to me that we need to both spread the word about
POLA, but also to come up with some concrete moves
forward that we can agree on.  I could have
added Bitfrost to the set of pulls in many
directions that we are experiencing in a
common cause (POLA).  Got any ideas on a
way out?

I haven't looked closely enough to know what
the crucial interfaces are for Bitfrost.
Giving up any compatibility with other
APIs certainly seems a risky move to me.
Neither Polaris nor Plash seemed to have
to give up existing APIs for POLA.  Why
did Bitfrost?  What does the user interface
for access control look like in Bitfrost?
How are those kids going to control sharing
with their peers?

Regardless of my heartfelt concerns,
Good luck!!

I don't sense consensus in this good cause.
Seems unfortunate to me.

--Jed