[cap-talk] Midori in The Register
James A. Donald
jamesd at echeque.com
Mon Aug 4 23:13:27 CDT 2008
Rob Jellinghaus wrote:
> I do think I can disclose that I am currently working
> for Microsoft, on a team with (among others) Ravi
> Pandya, Dean Tribble, Pavel Curtis, Eric Northup, and
> Chris Brumme. (The latter is a familiar name if you
> follow the CLR world.) Ravi and Dean recruited me in
> February and I started in earnest in early May. My
> wife and I are glad to have relocated, both life-wise
> and work-wise! And our team is, in fact, hiring....
Can you disclose to what extent Microsoft is aware of
the ideas of how to make a usable and user friendly
operating system in which programs *cannot* do things
that would surprise the user, without burdening the
user with a multitude of mysterious security dialogs of
the form
"Click *yes* to make changes in your security
arrangement that no one can possibly comprehend,
thereby exposing your credit card numbers and
passwords to the entire world, click *no* to
fail completely to do whatever you were trying
to do."
and
"Do you really intend to do what you just told
the program to do?"
I am kind of worried by the references to "managed
code", which is Microsoft's latest big idea, an idea
which I think leads to disaster, for though the virtual
machine that runs the managed code can provide security
guarantees, the problem is not providing security
guarantees, but ensuring that the user's naive,
inexplicit, and unconscious security expectations are
met, a different, and rather harder problem. I would
prefer to see references to "the powerbox user interface
pattern." Security usually fails at the user interface.
In
<C:\code\pub\www.mas\security\safe_operating_system.html>
I summarize what I think is the wisdom that I have
seen as
"With the powerbox user interface pattern, most
programs are incapable of accessing most files
and most resources unless you tell them to,
prevented by the operating system from doing
pretty much anything until commanded to do it."
and
"At present most programs run with the full
power of the user, and anything the user is
permitted to do, they are permitted to do ...
your solitaire game can, and quite possibly
will, read your contact list and spam them in
each other's name, put a plugin in your browser
that will watch what websites you login to,
stash the information and sell it to
advertisers, monitor your bank logins, collect
the passwords and bank account numbers, sell the
collected information to the highest bidder, use
all your disk space to store child porn, spam
the entire world offering to sell the child porn
on your computer in your name, while forwarding
any payments to Nigeria, and use any remaining
bandwidth to launch a distributed denial of
service attack against popular web sites."
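The two quoted models side by side, as an added toy example that is not code from the post or from any of the systems it mentions: a confined program that can only ask a trusted powerbox for a file the user picks, next to a program running with the user's full (ambient) authority. It assumes what an object-capability runtime provides and plain Python does not, namely that the confined app can reach only the objects it is handed; the `Powerbox`, `ReadCapability` and `ask_user` names and the sample files are all constructed here.

```python
import os
import tempfile
from typing import Callable, Optional

# Constructed model; the runtime is assumed to deny the confined app any
# direct filesystem access, so the powerbox reference is its only way in.

class ReadCapability:
    """Read access to exactly one file. The holder never sees the path."""
    def __init__(self, path: str):
        self._path = path          # kept on the trusted side only
    def read(self) -> bytes:
        with open(self._path, "rb") as f:
            return f.read()

class Powerbox:
    """Trusted chooser: the user's pick is the grant. No pick, no access."""
    def __init__(self, ask_user: Callable[[str], Optional[str]]):
        self._ask_user = ask_user  # stands in for the system file dialog
    def request_read(self, reason: str) -> Optional[ReadCapability]:
        chosen = self._ask_user(reason)  # None means the user cancelled
        return ReadCapability(chosen) if chosen else None

def powerbox_app(powerbox: Powerbox) -> Optional[bytes]:
    """The confined app can only ask; it cannot name a file itself."""
    cap = powerbox.request_read("Open a document to view")
    return cap.read() if cap else None

def ambient_app(contacts_path: str) -> bytes:
    """Today's model: the program runs with the user's full power."""
    with open(contacts_path, "rb") as f:   # no dialog, no consent
        return f.read()

def run_demo() -> dict:
    """Two constructed files: one the user picks, one they never offer."""
    with tempfile.TemporaryDirectory() as d:
        doc = os.path.join(d, "letter.txt")
        contacts = os.path.join(d, "contacts.txt")
        with open(doc, "wb") as f:
            f.write(b"Dear Ann, ...")
        with open(contacts, "wb") as f:
            f.write(b"ann@example.com\nbob@example.com\n")
        return {
            # user picks the letter: the app gets that file and only that file
            "picked": powerbox_app(Powerbox(lambda reason: doc)),
            # user cancels: the app gets nothing, and no "security" dialog
            "cancelled": powerbox_app(Powerbox(lambda reason: None)),
            # ambient authority: the solitaire game reads the contacts anyway
            "ambient": ambient_app(contacts),
        }
```

The point of the contrast is that in the powerbox case the only decision the user ever makes is the ordinary "which file?" one, and that decision is the grant.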