[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

David Hopwood david.hopwood at industrial-designers.co.uk
Mon Sep 17 21:10:35 EDT 2007


ihab.awad at gmail.com wrote:
> On 9/17/07, Ka-Ping Yee <cap-talk at zesty.ca> wrote:
>> ... Users do not always predict the consequences of their
>> actions correctly; there are two ways we can address this:
>>     1. Change the system model to fit the mental model.
>>     2. Change the mental model (i.e. educate users) to fit the system.
> 
> Given that, does #1, in your view, include adding extra information to
> the system (perhaps contributed by other users)? This would be the
> equivalent of Grandma having her 13-year-old grandson looking over her
> shoulder, saying, "Yeah, that's fine!" or "No no no, don't let *that*
> thing communicate with Evil.com!"
> 
> Also, does this information include annotating components that are
> *likely* to take advantage of naive users by forming
> hard-to-understand compositions of abilities, so that they are
> blacklisted, or at least red-flagged?

Blacklisting usually isn't very effective. Whitelisting (for specific
sets of permissions) based on contributions by other users might be
effective. However, the criterion for whitelisting something should
be "I have some reason to believe that this component is secure with
these permissions", *not* just "I've never had a security problem with
this component".

-- 
David Hopwood <david.hopwood at industrial-designers.co.uk>
