[E-Lang] defense in depth

Nikita Borisov nikitab@cs.berkeley.edu
24 Jan 2001 21:49:27 GMT


In article <004b01c08629$efa62c80$0100a8c0@www.ctaz.com>,
Marc Stiegler <marcs@skyhunter.com> wrote:
>My first question is, what is isaac.lists.e-lang, and how did this become
>the discussion group rather than e-lang@eros-os.org? My Outlook Express was
>unable to reply-all to this thing (I guess it's a newsgroup not a mailing
>list). So I posted this reply to e-lang and David; David, if there is
>someone on the newsgroup who would be interested who is not part of the
>e-lang group, I request that you forward this.

The isaac.lists.e-lang group is a local newsgroup that mirrors the e-lang
list and provides a newsreader interface for a few folks here at
Berkeley.  I believe messages that David sends, as well as this message,
should include a "To: e-lang@eros-os.org" field, but it will also have a
"Newsgroups:" field in the header.  If this is not the case, or if the
Newsgroups header confuses your mail reader, I should be able to install
a filter to fix this.

>I am reminded of arguments I used to have with socialist friends of mine
>over the quality of grocery stores in the Soviet Union. I would say that the
>only reason the stores are empty is that there is no free market. They would
>snort in disgust and say, "there's no silver bullet". Well, in fact, the
>free market was a silver bullet. It still is. Of course, today, most of the
>people I used to have the argument with would say, "well, of course free
>markets make the difference, it was always obvious they would" :-)

An interesting analogy, given the sorry state that the Russian economy
experienced after the introduction of free markets.  Free markets certainly
made a difference, but calling them a "silver bullet" is questionable.

>--defense to a depth of 2 for things that are directly manipulated by
>humans, because of the problems with human error, and the need to be able to
>survive the "Ooops!" experience.

But most everything in a system is manipulated by humans.  Humans write
programs that pass capabilities among various modules, and they make
mistakes.  I would agree with an argument that languages like E make it
easier for humans to express good security policies, but do you assert
that E programmers won't make security mistakes?  If not, there is at
least some reason to believe that specifying an additional security policy,
enforced by a separate mechanism, will provide a potentially useful
additional defense layer.

Of course, this additional layer does not come without cost.  But the
question is to trade off this cost of defense in depth against the
potential benefits.  It seems that a lot of people in this thread are
asserting that the additional benefit is zero, which I find hard to
believe.  Am I misunderstanding what people are saying?

- Nikita
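The point made above, that a separately enforced policy can catch a capability-wiring mistake a human programmer makes, as an added illustration that is not part of the original post or of E itself. The classes, the principal names and the policy table are all made up for this example:

```python
class PolicyViolation(Exception):
    pass

# Layer 2 (assumed design): a policy table maintained apart from the code that
# wires capabilities together. Maps a module's principal name to allowed ops.
POLICY = {"logger": {"read"}, "updater": {"read", "write"}}

class Secret:
    """Layer 1: an object capability; whoever holds the reference can use it.
    policy=None models a system with no second layer at all."""
    def __init__(self, value, policy=POLICY):
        self._value, self._policy = value, policy

    def _check(self, principal, op):
        if self._policy is not None and op not in self._policy.get(principal, ()):
            raise PolicyViolation(f"{principal} may not {op}")

    def read(self, principal):
        self._check(principal, "read")
        return self._value

    def write(self, principal, value):
        self._check(principal, "write")
        self._value = value

class ReadOnly:
    """Attenuated facet: the capability the logger was meant to receive."""
    def __init__(self, secret):
        self._secret = secret

    def read(self, principal):
        return self._secret.read(principal)

def wire_correctly(secret):
    return ReadOnly(secret)

def wire_mistakenly(secret):
    return secret  # the "Ooops!": the full capability leaks to the logger

def logger_tries_to_write(cap, principal="logger"):
    """A logger that, through a bug, attempts a write. Returns which layer
    stopped it, or 'written' if neither did."""
    if not hasattr(cap, "write"):
        return "stopped by capability layer"
    try:
        cap.write(principal, "overwritten")
    except PolicyViolation:
        return "stopped by policy layer"
    return "written"
```

With correct wiring the attenuated facet alone stops the write; with the wiring mistake only the policy layer does, and with no second layer the secret is overwritten.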