[cap-talk] the value of non-delegatable authority?

Karp, Alan H alan.karp at hp.com
Tue Jan 15 11:16:34 EST 2008


David Hopwood wrote:
>
> If human Alice has access to a document, she can always give human
> Bob access to it. If we don't want that, we have to trust Alice not
> to do so. Alternatively, we have to lock Alice in a room while she
> reads the document, and then kill her or wipe her memory afterwards --
> which is impractical even for defence employees.
>
I was asked to consult on a security implementation along these lines.  The people were confined to use the classified material only in a closed environment with no external communications channels.  The computers they used had no removable media, and the people were searched to make sure they didn't have any cameras.  What they took with them in their brains when they left was considered a sufficiently low bandwidth covert channel, which obviated the need for executions.  (I declined the offer just in case.)
>
> Programs often have bugs that make them exploitable. Humans may have
> psychological flaws and may be susceptible to coercion, but the means
> of detecting or preventing such human flaws are quite different from
> detecting or preventing a bug.
>
The rationale for the Orange Book was, "We trust our people.  It's the programs they run that we don't trust."  Clearly, the previous paragraph does not describe an example of this principle.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp