[cap-talk] Useless engagement (was: Re: If not God, then Lampson)
jed at nersc.gov
Mon Apr 7 13:59:52 CDT 2008
On 4/7/2008 9:55 AM, Jonathan S. Shapiro wrote:
> On Mon, 2008-04-07 at 09:39 -0700, Jed Donnelley wrote:
>> The problem that we face isn't so much from one person (e.g.
>> Butler), but it is more, as FredS noted, that the "door is
>> closed." It is that the visible and accepted view of POLA and
>> capabilities is dominated by such 'lights of industry'
>> and is negative.
> You don't open doors by argument. You open doors by demonstration. Quit
> diverting your energy into a useless engagement, and get on with the
I do not believe engagement is useless. I believe there is an
important role for both demonstration and engagement. Here
is my argument:
I spent roughly 15 years of my career (~1975 - 1990) focusing
almost exclusively on demonstration - developing a good product.
I led the development and production deployment of a capability
based, micro kernel, network operating system (NLTSS:
) that had nearly all the properties that we are
pushing on cap-talk. We even optimized it sufficiently
(where nearly 1/2 our time was spent) and made it compatible
with an existing API (where much of the other 1/2 was spent)
so that it was accepted in the rather demanding environment
of scientific computing by sophisticated users. That was
very satisfying work with terrifically talented people that
felt very productive. That system ran in production from
~1983 until 1995.
From my perspective during that time things got worse.
From PSOS giving up on capabilities to P-1935 (that I didn't
challenge at the time because I was focused on demonstration,
even though a colleague [Dan Nessett] was involved), what
was accepted state of the art turned against POLA and
capabilities. We also had KeyKOS as a demonstration during
that time and other available 'demonstrations.' I believe
our main problem was not inadequate demonstrations, but
rather lack of adequate engagement.
I expect that almost nobody on cap-talk had even heard
of NLTSS before I became active. KeyKOS might have had a
bit more visibility, but even its visibility was
negligible, easily ignored in the gestalt of the time.
What we didn't have then was engagement with the accepted state
of the art - particularly in academic circles. I kick myself
now for not publishing more and making more arguments during
that time when we had obvious production systems as
demonstrations. I kick myself for not being *more* engaged.
It was too easy to simply focus on making a good product.
Without the engagement the demonstrations are useless.
At the end of that time Unix and Windows swept the field
in the market for operating systems, the Internet boom
amplified (inflation) the state of things in the early
1990s, and we have the state of things today where computer
security is ranked as the #1 tech failure with things
having gotten worse for the last 30 years.
Demonstrations are certainly valuable, even necessary,
but without engagement they can be and often are simply
ignored. Think of it as sales if you like. Do
you consider sales useless?
Of course we can ask how most productively to spend
our "engagement" time. I was quite impressed with
MarkM's engagements during the Usenix Security Symposium,
tirelessly bringing out the CapDesk demo time and again,
generally arguing for POLA with whomever he could engage.
There certainly is some amount of preaching to the
choir on cap-talk. However, I've been surprised
and pleased at how often contrarian views are
ably defended on cap-talk, resulting in what I
consider valuable exercises for wider dissemination.
How to best do that wider dissemination I don't know.
I consider my work on the Capability Systems Workshop
in the context of such engagement. As MarcS said,
"buzz". I'm open to suggestions, but of course those
suggestions would be in the form of more productive
engagement, not in the context of engagement as
I do not believe engagement is useless. You can
engage me to convince me otherwise (you've seen my
arguments above) or of course ignore my efforts,
which will appropriately end this engagement and
let you get back to your demonstration work.