[cap-talk] "Immutable Law" #1 is alive and well at Microsoft
Stiegler, Marc D
marc.d.stiegler at hp.com
Fri Oct 5 11:14:25 EDT 2007
> On Thu, 4 Oct 2007, Mark Miller wrote:
> > As stated, no one actually believes this "law".
>
> But then why do Microsoft security people still call it
> "Immutable Law #1"? What do they mean when they say this?
While no one can see inside the head of another person, I hypothesize
that the programmers at Microsoft, along with many programmers not at
Microsoft, consider Javascript code in the browser to be not "real"
programs. The wording of Law #1 I would guess they mean is:
"If a bad guy can persuade you to run a *real* program on your computer,
it's not your computer anymore".
In which "real" means, not so manically sandboxed that you can't get any
serious work done. Which, truthfully, is a a reasonable perspective even
if it is not exactly what the law states. I find it hard to think of
javascript in my browser as real myself, since it can't do any real work
-- at its shiny best, in my personal world, javascript displays the mail
I have at gmail so badly that only a bash shell could do worse. This is
not real, this is pathetic.
Of course, in addition to writing off programs that are not "real", you
also have to be ignorant of CapDesk, and Polaris, and Bitfrost. But it
is still easy to not be familiar with any of these, even if you don't
work at Microsoft. At MS, it would be especially easy to be unfamiliar
with these counterexamples -- you are surrounded by worldclass top
experts in security who don't know about CapDesk, and Polaris, and
Bitfrost, who will tell you the immutable law is true.
--marcs
More information about the cap-talk
mailing list