Linux, IRIX, and "POSIX Capabilities"
Tue, 9 Nov 1999 10:50:26 -0500

A couple of comments on this thread.

First, Casey Schaufler, if I remember him correctly, is a good guy, and
willing to learn.

> How shall we put the abusers on the defensive?

You're about 13 years too late on this.  Changing the POSIX term abuse
would now require revising several accepted POSIX and IEEE standards
documents.  I think a better strategy is gentle humour of the form: "How
effective can this technology be when the people who created it didn't even
know enough to use the established terminology correctly?"

> This isn't a "major operating system security effort".
> This is a major "let's patch some holes in Unix" effort.

Any effort involving so many companies spending so much money can
justifiably be called a major effort.

> Perhaps some of the people doing this would agree.
> If Casey thought it was a major security effort,
> I doubt he would have said "hey, we need some
> security guys".  This means they know that they are
> not security guys.  This is cause for much hope.

I can't help but read into this thread an incredible tone of arrogance.  If
it's not there, then forgive me, but I think it's not helping matters.
Capabilities are a vitally important technology for solving a number of
security problems, but saying that they are enough is simply wrong -- it
reflects a failed understanding of what the requirements are.  More on this
in my next message, as I do intend to get something productive out of this.

Second, I find the idea that "they are not security guys" an unfortunate
framing.  One of the points we made in our funding proposal at IBM is that
there isn't anyplace in our proposed system that you can point to and say:
"there's the security box."  Security is an end-to-end engineering problem.
I know you all know this; I only caution about the dangers of imprecise
words spoken by people with some amount of credibility.  This harkens back
to an earlier comment by Tyler: the fact that the mainstream readers of
this list are all in each other's mental trousers is not a good
justification for sloppy expression.  We want the thread here to be
something that outsiders can come to and say "these guys are thinking
carefully."  To abuse Justice Brandeis: "Security must not only be done, it
must be seen to be done."

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595