[E-Lang] what is good about E?

Marc Stiegler marcs@skyhunter.com
Tue, 17 Jul 2001 12:13:05 -0700


> There are three types of people: 1. people who don't want to hear any more talk
> about "security" (such as Richard described himself in the quoted letter), 2.
> security fans and cypherpunks who love thinking about infosec ideas, 3. the
> occasional bored IT manager who has decided to cover his ass by installing the
> most widely accepted security tool so that he can claim that he did the
> Accepted Thing if his network gets hacked.
>
> Type 1 people are vastly in the majority, even among hackers, although there is
> certainly a sizeable niche of type 2 hackers which would probably make a
> profitable market for E.

Actually, there are more types of people than this. My favorite type is the
"my grandmother" type, who while taking her first computer class on Web
surfing is terrified of computer viruses though she doesn't exactly know
what they are. I have explained the Love Bug virus to community college
classes full of such people, and I have explained to them what would happen
differently if they had a capability secure desktop. They understand it
immediately. Capability security is not half so much about "security"
(passwords and that stuff, ick), as it is about giving back to the humans
the control over what is being done "on their behalf". Capabilities are
about ensuring that, when you install IE5, it doesn't replace Netscape as
the default browser, or relabel your html docs with IE5 icons, without your
permission. It is about ensuring that, when I install VJ++, it cannot ravage
my configuration settings to the point where the PGP plugin to Outlook
Express no longer functions (true story, of course). It is really really all
about the Principle of Least Authority, which grandmothers grok in an
eyeblink, and go home after my guest lecture dreaming of having one day.

Personal, nonscientific research suggests there is a huge market for
regaining control over your computer by confining applications with POLA.
Sometimes we want to call that security, sometimes not, depending on the
audience. My grandmothers have typically been fine with calling it security,
perhaps because I start the introduction using computer viruses as the
example. "POLA not Passwords" is perhaps a marketing slogan we should
embrace.

A second great category of enthusiasts for capability security are people
who have just discovered that their machines are infected with a virus. My
wife never thought there was much market for this stuff...until she got hit
with a virus 48 hours before leaving for a month. She is careful. She
updates Norton Antivirus every month, she never executes email attachments,
and she swears she did not execute this one...but the evidence proves she
was mistaken. So she spent the last 2 days before her vacation in a frantic
race to disinfect her machine. This person, folks, is a marketing target
supreme, once we have something to offer as an alternative.

--marcs