[E-Lang] what is good about E?

Marc Stiegler marcs@skyhunter.com
Wed, 25 Jul 2001 10:21:31 -0700


> I too think about the grandmother type. But I don't think it is this simple.
> When I wrote the installation script for ToonTalk I worried about these
> issues. Should I make an association with an unused extension without asking?
> (I agree it is rude to take over an extension in use without asking.) How
> should I make tradeoffs of speed vs. disk space consumed?  Should I, as
> Microsoft suggests and my own testing indicates is a good idea, update
> Microsoft facilities such as DirectX? (I recommend it but ask first.)
>
> I've read several reviews of consumer software where the reviewer was
> pleased at the ease of the "one click installation" and others that
> complained an installation was too complex and asked too many questions that
> a "grandmother type" has no clue how to answer.

I do not think people object too much to installations that ask sensible
questions; they object to installations that ask nonsensical ones (there is
of course a limit to total number of questions you can ask, too, but it is
larger than 1). You gave a perfect example: no one is going to object to
recommending an upgrade of DirectX if appropriate (which brings up some
interesting capability secure installation questions I need to think about,
thank you :-). On the other hand, the tradeoffs of speed vs disk space may
annoy people if there are several other questions as well. The size of the
tradeoff has to be really big to make this an appropriate user question.

One of the surprising and amusing things I have discovered thinking about
the questions one needs to ask to do a capability secure installation is
that they can be small in number and easy to understand for a broad variety
of applications, including just about everything a grandmother might use. It
cannot be a one-click installation, but it can, for standard office
applications (word processor etc) be a 3-click or so installation (I won't
pin this down exactly yet till I've built an installer, it might be 4 clicks
:-). The clicks are all easy to understand. Mail tools (like Eudora) and
browsers (like Netscape) need some special authority; they need an
additional click or two, but again I think the explanation for the clicks is
easy to understand. A professional-quality installer must include
explanations and examples, and default-cluster-OK buttons. An innovation or
two in user interface to capability systems would be nice to have too, but I
think we can get most of the grandmothers going without any breakthroughs.

> Going back to your IE5 example, suppose that Netscape wasn't already
> installed. Shouldn't it automatically associate HTM with IE? Or should it
> get your permission?

Interesting question. My first installer will not do this automatically, but
it doesn't seem like a terrible violation of security principles offhand
(let markm, jonathan, and norm make serious assertions about that, however
:-) Certainly, it could show up on a tab of simple, common, and
usually-just-fine authorizations that are by default checkboxes that are
checked, and the user could just click "OK" to accept them all. The
particular tab view I have in mind is one that asks the user for a pet name,
a pet icon, and a default extension, filling all 3 in with the default
recommendations made by the program itself to the installer. 99% of the time
you can just click OK.

My current plan for an installer/execution system always gives the program
the authority to create a window (when would you not want the app to be able
to talk to you? :-) and the "authority" to _request_ a file, and the
authority to read their own resources. And program windows are always
targets for drag/drop operations, which are excellent metaphors for
conveying authority. Like I said, the questions my installer would ask a
grandmother for a grandmother's apps would be simple and few.


> I agree that capabilities are a nice way to think about what an installation
> script does but I'm not sure I see a connection with E.

It is in general connected with E because E enables capability confinement
inside a single machine as well as across a network. It is specifically
connected with E right now because we are building for DARPA an "E Language
Machine", built on top of a sanitized Linux kernel (no ftp, no telnet, no
services that offer entry to the outside world). The E Language Machine will
run eDesk as its "desktop", and will launch a capability confined Web
browser that is itself capability confining its rendering engine, which will
be malicious. It would be nice (though perhaps not necessary) to be able to
install the web browser so that when it comes to life it arises with the
capabilities it needs (notably the ability to reference http urls).

> I think the grandmother type prefers the one click installation so long as
> it doesn't break anything. They are happy with software that does a lot "on
> their behalf".


We all like our machinery to do a lot on our behalf, and we all hate it when
the machinery does too much :-) One-click installation always risks breaking
everything, and in addition risks giving total control of your machine and
complete identity theft authority to a lurking Sub7Server Trojan, as just
one example.


> If you think otherwise then isn't this an empirical question
> that can be answered by surveys or interviews or the like?

It is certainly an empirical question, and one upon which I have conducted
informal interviews of classes full of grandmothers taking their first web
surfing class. While more serious research is a really good idea, my
preliminary finding is that they love the idea of having a virus-free
computing world, even at the cost of a few extra clicks during installation.
The only people I've met who fear computer viruses more than grandmothers
are people in sensitive sections of the military. And on this matter, the
grandmothers are more correct than the rest of us. It is really scary out
there (I recommend the writeup at www.grc.com for anyone who missed it: an
extremely well told story of a DDOS attack, in which the really really scary
thing was the fleet of home user computers Zombiefied for the attack).

--marcs
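
An added illustration, not part of the original message and not code from E or eDesk: a small Python model of the installer plan described above, with three authorities every program receives, a tab pre-filled from the program's own recommendations, and special authority (such as http URLs for a browser) granted only on explicit approval. All names (`Manifest`, `install`, `Powerbox`, the authority strings) are hypothetical, and Python itself does not enforce capability confinement.

```python
from dataclasses import dataclass

# Authorities every installed program receives under the plan in the message.
ALWAYS = frozenset({"create_window", "request_file", "read_own_resources"})

@dataclass(frozen=True)
class Manifest:            # the program's own recommendations (hypothetical shape)
    pet_name: str
    pet_icon: str
    default_extension: str
    special: frozenset = frozenset()   # extra authority, e.g. {"http_urls"}

@dataclass(frozen=True)
class Installed:
    pet_name: str
    pet_icon: str
    default_extension: str
    authorities: frozenset

def install(manifest, user_edits=None, approved_special=frozenset()):
    """Pre-fill the tab from the manifest, apply user edits, grant only approved extras."""
    tab = {"pet_name": manifest.pet_name, "pet_icon": manifest.pet_icon,
           "default_extension": manifest.default_extension}
    tab.update(user_edits or {})       # clicking OK unchanged keeps the defaults
    extras = manifest.special & frozenset(approved_special)  # never more than requested
    return Installed(authorities=ALWAYS | extras, **tab)

class Powerbox:
    """Desktop-side object: the app can only ask; the user's pick decides what it gets."""
    def __init__(self, disk, user_pick):
        self._disk, self._user_pick = disk, user_pick

    def request_file(self):
        name = self._user_pick()       # stands in for the file dialog
        if name is None or name not in self._disk:
            return None                # user cancelled: no authority conveyed
        return lambda: self._disk[name]  # reader for that one file only

def demo():
    disk = {"letter.txt": "Dear Ann", "taxes.txt": "private"}  # constructed sample data
    editor = install(Manifest("Writer", "quill.png", ".txt"))
    browser = install(Manifest("Web", "globe.png", ".htm", frozenset({"http_urls"})),
                      approved_special={"http_urls"})
    reader = Powerbox(disk, lambda: "letter.txt").request_file()
    return editor, browser, reader()
```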