[E-Lang] One-Click Amplifiers? (was: what is good about E?)
Mark S. Miller
markm@caplet.com
Tue, 24 Jul 2001 21:07:10 -0700
At 05:26 PM Tuesday 7/24/01, Ken Kahn wrote:
>Marc Stiegler wrote:
>> [...] favorite type is the
>> "my grandmother" type [...]
>> Capability security is [...] about giving back to the humans
>> the control over what is being done "on their behalf".
>> Capabilities are
>> about ensuring that, when you install IE5, it doesn't replace Netscape as
>> the default browser, or relabel your html docs with IE5 icons, without your
>> permission. It is about ensuring that, when I install VJ++, it cannot ravage
>> my configuration settings to the point where the PGP plugin to Outlook
>> Express no longer functions (true story, of course). It is really really all
>> about the Principle of Least Authority, [...]
>
>I too think about the grandmother type. But I don't think it is this simple.
>When I wrote the installation script for ToonTalk I worried about these
>issues. [...]
>I've read several reviews of consumer software where the reviewer was
>pleased at the ease of the "one click installation" and others that
>complained an installation was too complex and asked too many questions that
>a "grandmother type" has no clue how to answer.
It may be that the price of requiring explicit authorization is the loss of
"one click installation" -- these authorization decisions are *the* crucial
decision point for the user to catch POLA violations. Here's a fable from
Norm (with some embellishment from me):
(Note to future readers: This is written in the days before pervasive
wireless. The following analogy may no longer mean anything to you, because
you've either gotten used to or solved the dangers this fable is about.)
When Alice buys an amplifier and takes it home, she unpacks it, and finds
jacks on the back to be wired to various devices. "Connect these to your
left speaker" one of these jacks effectively says, as if there was a unique
binding in her home of "The left speaker". There may be a pair of speakers
in her living room, and another in her bedroom. The uniqueness is only in
her choice of deciding which of her various speakers are to be in "the left
speaker" role of this amplifier.
If the amplifier also wants a connection to a microphone and to your telephone
line, it's gotta make you wonder. Why would an amplifier need that? Maybe
it's trying to spy on me? No matter, I just won't give it those connections
(thereby confining it). If it doesn't work under those conditions, I'll
either demand an explanation or return it.
Now imagine instead that the amplifier works the way modern software
applications work. You unpack it in your home and with one click tell it to
install itself in your home. It attaches itself to anything in your home
that it feels like, including both a microphone and a telephone line without
telling you, and proceeds to enable its manufacturer to listen in. Years later,
when someone discovers this, the manufacturer points at its eTrust certified
privacy policy on its web site which claims that this audio sampling is only
used to aggregate statistical marketing data.
With the coming of Bluetooth, we can imagine just such a future. The
problem is not in the technology itself. The problem is one-click
installation -- it skips the authorization decision.
Note that a system that's sloppy about authority in this way is probably
also sloppy about designation. Our hypothetical self installing amplifier
makes some choice of which speaker to use as "The left speaker". This turns
left-speaker-ness into a global variable. The places where we are tempted
into insecurity are often the places where we are tempted to treat a part of
reality as a global scope.
>I think the grandmother type prefers the one click installation so long as
>it doesn't break anything. They are happy with software that does a lot "on
>their behalf". If you think otherwise then isn't this an empirical question
>that can be answered by surveys or interviews or the like?
Doesn't break anything, or doesn't seem to break anything? Or won't run off
with their retirement funds? As I write this, I realize that all this means
a secure future may never be a mass market success. Even a small reduction
in consumer convenience is often fatal to success. It depends how virulent
the attacks are on the insecure, and how badly they suffer as a consequence.
Once most of our valuables are in the electronic realm, I see no reason to
expect these attacks to remain at their current relatively benign level,
unless our computing base becomes secure.
More soon...
Cheers,
--MarkM
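Added example, not part of MarkM's post or of the E system he is describing: the fable's amplifier written both ways in Python. AmbientAmplifier is the "one-click install" version, which picks "the left speaker" out of a global registry and quietly takes the microphone and phone line as well; CapAmplifier can reach only the device references the user wires to its jacks, so handing it a speaker both designates that speaker and authorizes its use, and withholding the mic and phone line confines it. The device classes, the HOME registry and the demo_* functions are hypothetical names of my own. Python cannot actually confine an object the way E does (a CapAmplifier could still reach the HOME global if it wanted to), so this shows the discipline the post argues for, not a language-enforced guarantee.

```python
# Constructed illustration (not from the thread): the fable's amplifier
# written two ways. Device names, classes and the HOME registry are all
# hypothetical. Python does not enforce confinement the way E does; this
# shows the discipline (no ambient authority; designation carries the
# authority) rather than a language-enforced guarantee.


class Speaker:
    """A speaker the amplifier can drive."""
    def __init__(self, label):
        self.label = label
        self.played = []

    def play(self, sample):
        self.played.append(sample)


class Microphone:
    """Sampling the microphone is the 'listening in' of the fable."""
    def __init__(self):
        self.reads = 0

    def sample(self):
        self.reads += 1
        return b"\x00\x01\x02"  # constructed audio bytes


class PhoneLine:
    """Outbound channel back to the manufacturer."""
    def __init__(self):
        self.sent = []

    def send(self, payload):
        self.sent.append(payload)


def build_home():
    """A home with two speaker pairs, a mic and a phone line (constructed)."""
    return {
        "living left": Speaker("living left"),
        "living right": Speaker("living right"),
        "bedroom left": Speaker("bedroom left"),
        "bedroom right": Speaker("bedroom right"),
        "microphone": Microphone(),
        "phone line": PhoneLine(),
    }


# One-click install: the global registry is ambient authority. The amp
# decides for itself which speaker is "the left speaker" and takes the
# mic and phone line without ever asking.
HOME = build_home()


class AmbientAmplifier:
    def install(self):
        self.left = HOME["living left"]    # amp picks: left-speaker-ness is a global
        self.right = HOME["living right"]
        self.mic = HOME["microphone"]      # never asked for
        self.phone = HOME["phone line"]    # never asked for

    def play(self, sample):
        self.left.play(sample)
        self.right.play(sample)
        self.phone.send(self.mic.sample())  # "aggregate statistical marketing data"


# Capability style: the amp holds only what was wired to its jacks.
# Passing a speaker designates it AND authorizes its use; leaving the
# mic and phone jacks empty confines the amp.
class CapAmplifier:
    def __init__(self, left, right, mic=None, phone=None):
        self.left, self.right = left, right
        self.mic, self.phone = mic, phone

    def play(self, sample):
        self.left.play(sample)
        self.right.play(sample)
        if self.mic is not None and self.phone is not None:
            self.phone.send(self.mic.sample())  # only possible if both were granted


def demo_ambient():
    """One-click install of the ambient amp, then play one sample."""
    global HOME
    HOME = build_home()  # fresh home so the demo is repeatable
    amp = AmbientAmplifier()
    amp.install()
    amp.play("track1")
    return {
        "left": amp.left.label,
        "mic_reads": HOME["microphone"].reads,
        "phone_sent": len(HOME["phone line"].sent),
    }


def demo_confined():
    """Alice wires the bedroom pair and withholds the mic and phone line."""
    home = build_home()
    amp = CapAmplifier(left=home["bedroom left"], right=home["bedroom right"])
    amp.play("track1")
    return {
        "left": amp.left.label,
        "played": len(home["bedroom left"].played),
        "mic_reads": home["microphone"].reads,
        "phone_sent": len(home["phone line"].sent),
    }


if __name__ == "__main__":
    print("ambient :", demo_ambient())
    print("confined:", demo_confined())
```

Running it, the ambient amp reports one microphone read and one payload sent over the phone line after a single "install"; the confined amp plays the track on the speakers Alice chose and has no path to the mic or the phone line at all, which is the authorization decision the one-click flow skipped.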