[E-Lang] Re: Caplet Launcher issues

Marc Stiegler marcs@skyhunter.com
Thu, 30 Nov 2000 15:43:56 -0700


> Thanks for the detailed answer. The big question underlying all this is
> how you would set things up for your mother (the classical form of the
> question usually involves your grandmother - in my case I think about how
> to set things up for 8-year olds). I like the permanent directory solution
> but I wonder if there aren't holes. Couldn't your mother still acquire a
> Word macro virus? While the damage would presumably be limited to the
> documents she has saved on the permanent directory, it still would be bad
> (though much better than the current situation).

A point of clarity: I would expect that the permanent directory would be
full of preferences and custom dictionaries, and not be the regular store
for all Word documents. I do not believe we lose any intuitive understanding
on the user's behalf if we do so. Of course, an evil Word could make copies
of all the docs in that permanent directory, which is why it represents a
data leak, but not a capability leak.

Regardless of whether the permanent store kept the docs or not, the Word
macro virus is an interesting case. If Word were written in E, then
presumably the macro language would be "E for Applications", not VB for
Applications. In that situation, the Word application would start its macros
as separate caplets, and grant those caplets authorities only when it seemed
reasonable, just as the launcher only grants caps to Word when reasonable.
So a Word macro virus would not have access to all the Word docs even if all
the docs were stored in a directory over which Word itself had full
authority (I am assuming here that this is an "honorable" Word: if it is an
evil Word, the macros add no interesting security issues). A macro virus
would be in a world of hurt right off the bat.

>
> It seems to me that a sophisticated user can have the security that
> capabilities provide without significant inconveniences. A grandmother or
> 8-year old has to live with some pre-designed capability assignments that
> are a compromise between security and convenience.

I too have been thinking about this in the context of "how would you set it
up for your grandmother?" I have had the fortunate and entertaining
opportunity to appear as a guest lecturer for Intro to Computing classes at
the local community college, to describe capability-based security for them.
These classes are mostly filled with grandmothers. :-) When I explain
capability security to them (with the example of Melissa Virus vs. Capzilla,
the preface to Intro to Cap Security at www.skyhunter.com/marc.html), their
eyes light up with understanding and enthusiasm. They know enough about
computer viruses to be very afraid. And though they wouldn't buy a computer
that just had a sticker outside saying "New, Improved Security", in the
example it becomes clear that what is really going on is, we are giving them
control over what the software on their computer is doing to/for them, and
they like it.

That said, I agree that the grandmothers will want/need a simpler view of
their system than is compatible with all aspects of fine-grained capability
security (unless we have some really good insights into user interface
strategies, finding additional powerful capability-oriented metaphors like
drag/drop). Shucks, so will I! :-) So the first capability-secure desktops
will likely be imperfectly secure, especially against data leaks. But they
will be hysterically better than NT or Unix, with very little loss in
intuitive operation.

--marcs
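The launcher -> Word -> macro chain described in the message above, as an added toy model that is not part of the original post, not E, and not the real caplet launcher. Every authority is a Python object reference; the launcher hands "Word" only its preferences and documents directories, and Word hands each macro a one-file capability. All class names (Launcher, WordCaplet, EvilWord, MacroCaplet, FileCap) and the sample files are assumptions constructed for the illustration.

```python
class Directory:
    """Full authority over one directory: read, write and list its files."""

    def __init__(self, name):
        self.name = name
        self._files = {}

    def write(self, fname, data):
        self._files[fname] = data

    def read(self, fname):
        return self._files[fname]

    def list(self):
        return sorted(self._files)


class FileCap:
    """Attenuated authority: read and write exactly one file of a Directory.
    A macro receives this, never the Directory it wraps."""

    def __init__(self, directory, fname):
        self._dir = directory
        self._fname = fname

    def read(self):
        return self._dir.read(self._fname)

    def write(self, data):
        self._dir.write(self._fname, data)


class MacroCaplet:
    """Stands in for a Word macro started as its own caplet. A hostile macro
    can only use what Word handed it: the one document it is embedded in."""

    def __init__(self, doc):
        self._doc = doc

    def run_hostile(self):
        # Tamper with the only reachable object and report how many files
        # the macro could touch (always 1 by construction).
        self._doc.write(self._doc.read() + b" [infected]")
        return 1


class WordCaplet:
    """'Honorable' Word: holds the authority the launcher granted it, but
    starts each macro as a separate caplet with a one-file capability."""

    def __init__(self, prefs, docs):
        self._prefs = prefs
        self._docs = docs

    def open_with_macro(self, fname):
        macro = MacroCaplet(FileCap(self._docs, fname))  # attenuation step
        return macro.run_hostile()


class EvilWord(WordCaplet):
    """'Evil' Word: abuses everything it was granted (a data leak) but holds
    no reference to anything else, so there is no capability leak."""

    def exfiltrate(self):
        return {d.name: d.list() for d in (self._prefs, self._docs)}


class Launcher:
    """Holds the user's root authorities and grants Word only the two
    directories it needs; the home directory is never handed out."""

    def __init__(self):
        self.home = Directory("home")
        self.prefs = Directory("word-prefs")
        self.docs = Directory("documents")

    def launch(self, word_class=WordCaplet):
        return word_class(self.prefs, self.docs)


def simulate():
    """Constructed scenario: three documents, one opened with a hostile
    macro, then an evil Word asked to leak everything it can reach."""
    launcher = Launcher()
    for name in ("letter.doc", "budget.doc", "memo.doc"):
        launcher.docs.write(name, b"clean")
    launcher.prefs.write("custom.dic", b"words")
    launcher.home.write("secrets.txt", b"bank details")

    touched = launcher.launch().open_with_macro("letter.doc")
    infected = [n for n in launcher.docs.list()
                if b"infected" in launcher.docs.read(n)]
    leaked = launcher.launch(EvilWord).exfiltrate()

    return {
        "files_macro_could_touch": touched,
        "infected_docs": infected,
        "evil_word_reach": sorted(leaked),
        "home_untouched": launcher.home.read("secrets.txt") == b"bank details",
    }


if __name__ == "__main__":
    print(simulate())
```

The macro infects only the document it was embedded in even though Word itself holds full authority over the documents directory, which is the attenuation the message describes; the evil Word variant shows the remaining exposure as a data leak over the two directories it was granted, with the home directory unreachable because no reference to it was ever passed down.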