<div>Ben:</div>
<div> </div>
<div>First: it isn't my paper.</div>
<div>Second: while I think the conclusions of the paper are fine as far as they go, the paper doesn't go far enough in the systemic analysis. While the impact (cost) on the first-order victim may be very low, the systemic impact is much larger and much harder to account for.</div>
<div> </div>
<div>The main point that I think is relevant to cap-talk is that "structural security" is vital to any resolution. What I mean by "structural security" is system architecture in which the natural thing for a naive developer to do usually pushes them in the direction of the "pit of success". Capabilities are certainly not a universal cure-all, but when used strategically they are most definitely a useful structural security mechanism.</div>
<div> </div>
<div>If you look at the things that security groups need to configure under the general heading of centralized security policy, I think you'll find that it falls into three categories:</div>
<ol>
<li>Legitimately centralized policy. This category exists because the effect of weak security is systemic and the local user's costs and benefits are not aligned well (or even badly) with those of the organization as a whole. The users who provide vulnerable end systems are not feeling pain directly, even though the victim of the DDoS attack feels a whole lot of pain.</li>
<li>Centralized policy that is required as a consequence of the absence of locally structural security or the presence of local bugs that constitute exploitable vulnerabilities.</li>
<li>Centralized policy that guards against computer-unrelated liability. Example: companies are liable if unlicensed software gets installed, so they have a legitimate interest in preventing that.</li></ol>
<div>Administrators routinely mis-assess all of these categories; sometimes through ego, sometimes through error, and sometimes through ignorance. But the key point here is that the role of centralized policy specification is both legitimate and pragmatically necessary, and especially so given the misalignment of defensive incentives.</div>
<div> </div>
<div>Until we get to the day that users can install their own malware with confidence that they remain in control, the need for centralized policy won't go away. Once users can do that, the need for centralized policy will continue to exist as a countermeasure against <em>other</em> centralized policy (e.g. installation controls as a guard against copyright violation).</div>
<div> </div>
<div> </div>
<div>shap</div>
<div> </div>
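<div>The "pit of success" point above is easiest to see in code. The following is an added example, not code from this post or from any capability OS: it contrasts a routine that reads files with ambient authority (any path the process can open) against one that is handed a directory capability object and can only name files inside it. <code>DirCapability</code>, <code>export_ambient</code>, <code>export_with_capability</code> and <code>demo</code> are hypothetical names chosen here; the temp-directory layout is constructed for the demonstration.</div>

```python
"""Ambient authority vs. a directory capability (constructed example, not from the post)."""
import os
import tempfile


def export_ambient(path: str) -> bytes:
    """Ambient-authority design: the caller supplies any path and the process's
    own permissions decide. A '../secret' or absolute path works just as well as
    the intended file, so the naive call is also the unsafe one."""
    with open(path, "rb") as f:
        return f.read()


class DirCapability:
    """Hypothetical capability to one directory. Holding the object is the
    authority; its interface offers no way to name a file outside the directory."""

    def __init__(self, directory: str):
        self._dir = os.path.realpath(directory)

    def _child(self, name: str) -> str:
        # Accept exactly one path component: no separators, no '.' or '..'.
        if name in ("", ".", "..") or os.sep in name or (os.altsep and os.altsep in name):
            raise PermissionError(f"not a plain name: {name!r}")
        full = os.path.realpath(os.path.join(self._dir, name))
        # A symlink inside the directory could still point outside; resolve and re-check.
        if os.path.dirname(full) != self._dir:
            raise PermissionError(f"{name!r} resolves outside the capability's directory")
        return full

    def open(self, name: str):
        return open(self._child(name), "rb")

    def attenuate(self, subdir: str) -> "DirCapability":
        """Derive a strictly weaker capability covering only a subdirectory."""
        full = self._child(subdir)
        if not os.path.isdir(full):
            raise PermissionError(f"{subdir!r} is not a subdirectory")
        return DirCapability(full)


def export_with_capability(cap: DirCapability, name: str) -> bytes:
    """Capability design: the naive call can only reach what it was given."""
    with cap.open(name) as f:
        return f.read()


def refused(cap: DirCapability, name: str) -> bool:
    """True if the capability rejects the name (rather than reading a file)."""
    try:
        with cap.open(name):
            return False
    except PermissionError:
        return True


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise both designs."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared")
    os.makedirs(os.path.join(shared, "reports"))
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"payroll")  # sits outside the area the exporter should reach
    with open(os.path.join(shared, "reports", "q4.txt"), "wb") as f:
        f.write(b"report")
    have_link = True
    try:  # a symlink inside the shared area pointing back out of it
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(shared, "link"))
    except OSError:  # platforms without symlink support: skip that check
        have_link = False

    out = {"refused": {}}
    out["ambient_intended"] = export_ambient(os.path.join(shared, "reports", "q4.txt"))
    # Nothing structural stops the ambient version from walking out of 'shared'.
    out["ambient_escape"] = export_ambient(os.path.join(shared, "..", "secret.txt"))

    shared_cap = DirCapability(shared)
    reports_cap = shared_cap.attenuate("reports")  # weaker capability for one subdir
    out["cap_intended"] = export_with_capability(reports_cap, "q4.txt")
    for bad in ("../secret.txt", "../../secret.txt", os.path.join(root, "secret.txt")):
        out["refused"][bad] = refused(reports_cap, bad)
    if have_link:
        out["refused"]["link"] = refused(shared_cap, "link")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

<div>The point is not that the checks in <code>DirCapability</code> are clever; it is that the exporter never receives a string it could misuse. The developer who writes the obvious code gets containment for free, and a policy about which directories are shareable becomes a question of which capability objects are handed out rather than a rule that has to be enforced separately on every call.</div>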
<div><br><br> </div>
<div class="gmail_quote">On Wed, Jan 13, 2010 at 4:32 PM, Ben Kloosterman <span dir="ltr"><<a href="mailto:bklooste@gmail.com">bklooste@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div lang="EN-AU" vlink="purple" link="blue">
<div>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt">Hi Jonathan , </span></p>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt"> </span></p>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt">While this is undoubtedly correct, only a company like Microsoft or maybe Apple or Google can change the behaviour of security departments with lots of marketing and people explaining it ( hundreds of books , blogs, developer conferences etc) . If you want people to use a new more secure operating system the best market is the high security niche which means you need to convince the existing security people. As capability systems can do centralized management at least you give the security departments an option and something to think about. </span></p>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt"> </span></p>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt">Take your Walmart example, what you are trying to do is not build a WalMart but change an existing more corrupt organization to become more honest which is a different kettle of fish. </span></p>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt"> </span></p>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt">Regards, </span></p>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt"> </span></p>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt">Ben Kloosterman</span></p>
<p class="MsoNormal"><span style="COLOR: #1f497d; FONT-SIZE: 11pt"> </span></p>
<div style="BORDER-BOTTOM: medium none; BORDER-LEFT: blue 1.5pt solid; PADDING-BOTTOM: 0cm; PADDING-LEFT: 4pt; PADDING-RIGHT: 0cm; BORDER-TOP: medium none; BORDER-RIGHT: medium none; PADDING-TOP: 0cm">
<div>
<div style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0cm; PADDING-LEFT: 0cm; PADDING-RIGHT: 0cm; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<p class="MsoNormal"><b><span style="FONT-SIZE: 10pt" lang="EN-US">From:</span></b><span style="FONT-SIZE: 10pt" lang="EN-US"> <a href="mailto:cap-talk-bounces@mail.eros-os.org" target="_blank">cap-talk-bounces@mail.eros-os.org</a> [mailto:<a href="mailto:cap-talk-bounces@mail.eros-os.org" target="_blank">cap-talk-bounces@mail.eros-os.org</a>] <b>On Behalf Of </b>Jonathan S. Shapiro<br>
<b>Sent:</b> Thursday, January 14, 2010 5:00 AM<br><b>To:</b> <a href="mailto:jamesd@echeque.com" target="_blank">jamesd@echeque.com</a>; General discussions concerning capability systems.<br><b>Subject:</b> Re: [cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.</span></p>
</div></div>
<div>
<div></div>
<div class="h5">
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Relevant to this:</p></div>
<div>
<p class="MsoNormal"> </p></div>
<div>
<p style="MARGIN-LEFT: 36pt" class="MsoNormal"><a href="http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf" target="_blank"><span>http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf</span></a></p>
<p style="MARGIN-BOTTOM: 12pt" class="MsoNormal"> </p></div>
<div>
<p class="MsoNormal">On Sat, Dec 19, 2009 at 12:18 PM, James A. Donald <<a href="mailto:jamesd@echeque.com" target="_blank">jamesd@echeque.com</a>> wrote:</p>
<p class="MsoNormal">Ben Kloosterman wrote:<br>> - The desire by admins ( and hence organizations) to allow only<br>> system/security admins to approve certain functions which may includes<br>> installing applications in some organizations. This includes the<br>
> centralized control of rights.<br><br>People desire what is not good for them. What they desire is that other<br>people are required to do certain tasks, and then required to seek<br>permissions to accomplish those tasks - which pretty much guarantees<br>
that users will work to subvert security. And since the end user has<br>physical control of the box or the data, the end user will always<br>succeed. The petty bureaucrat, by maximizing his power within the<br>organization, undermines the organization's security.<br>
<br>Observe that one of the big reasons for Walmart's success is that other<br>big box company purchasing managers routinely accept bribes from<br>salesmen, while Walmart purchasers are notoriously honest.<br><br>
Meeting admin desires is in this case meeting admin desire to undermine<br>security for personal benefit. Security mechanisms have to benefit the<br>person who has physical control of the data and the box on which it<br>
resides, not the admin, or else they will always be bypassed.</p>
<div>
<div>
<p style="MARGIN-BOTTOM: 12pt" class="MsoNormal"><br>_______________________________________________<br>cap-talk mailing list<br><a href="mailto:cap-talk@mail.eros-os.org" target="_blank">cap-talk@mail.eros-os.org</a><br>
<a href="http://www.eros-os.org/mailman/listinfo/cap-talk" target="_blank">http://www.eros-os.org/mailman/listinfo/cap-talk</a></p></div></div></div>
<p class="MsoNormal"> </p></div></div></div></div></div><br>_______________________________________________<br>cap-talk mailing list<br><a href="mailto:cap-talk@mail.eros-os.org">cap-talk@mail.eros-os.org</a><br><a href="http://www.eros-os.org/mailman/listinfo/cap-talk" target="_blank">http://www.eros-os.org/mailman/listinfo/cap-talk</a><br>
<br></blockquote></div><br>