[cap-talk] Lampson: Principle Of Least Privilege as damaging

Raoul Duke raould at gmail.com
Sun Apr 6 15:35:01 CDT 2008


hi Jed,

(Thanks for your non-flagging interest in sussing out where people are
coming from, and why, and how it relates to what could/should be. It
strikes me as a real attempt to be educated and to continue
education.)

What you noted about Lampson's talk makes me wonder something which is
probably a neophyte or tangential question: Can we say at a high level
what we want to avoid -- if so, what happens to turn that into the
actual implementation details? It seems at first blush that one can
say simple broad statements about what we want security to prevent.
But those apparently aren't sufficient because (one approach to)
security appears to quickly get into more atomic/nitty-gritty details
- which I think Lampson says kills us due to usability and
risk-benefit thoughts. (I'd argue that in some situations people are
very confused about the risk vs. cost e.g. all the SSNs that are
released accidentally so often.) Is there some way of understanding
more rigorously the transformation from natural language statements
like "Look, I just don't want my data trashed" to the different
choices (e.g. bailing vs. POLA) of implementation?

Some things are complicated because they just are. Some things are
complicated because nobody has yet noticed the way to make them
simple(r). I think to date security has been seen to be the former.
But I always wonder if there's a chance of the latter ever coming to
be. (As you mention, the way to simplicity might be through tremendous
complexity - via proofs and tools; then things might work magically a
la A. C. Clarke's old quote.)

Sincerely.

