[e-lang] Granma's Rules Of POLA

Marc Stiegler marcs@skyhunter.com
Sun, 17 Feb 2002 12:29:42 -0800

As I have toured the countryside in the last month giving presentations about the capability secure desktop (see the screenshots under the Technology section at http://www.combex.com, they are pretty cool), there's a particular point I keep making that needs to be backfilled with real data. The particular point is, "The typical home user only has to follow 6 or 7 simple rules to be safe from viruses and trojan horses." It would really be good to know what those rules are :-)

Herewith, then, is a proposed list of Granma's Rules of POLA. The rules are at the bottom of this email; first we must set the stage by describing the threat model which Granma faces, and her interests in the face of the threat.

Granma does not have security needs like a guy working in a compartment at the NSA. She really doesn't have any terribly confidential information: if someone breaks in and steals all the email she has exchanged with her adorable 13-year-old grandson Bobbie, it will not make for good blackmail material, and doesn't enable insider trading. Everyone who knows her thinks she is a cool octogenarian; no one is explicitly targeting her, unique in all the world, for a customized attack.

All Granma wants to do with her computer is browse the web for new cookie recipes, send email to her grandson, create and print clever Valentine's Day cards of her own devising, and play Nancy Drew Virtual Reality Team with her granddaughter. This requires that she be able to download and try card-creation applications (drawing packages, word processors, etc.) and the same for mystery games. She needs to not fear opening attachments sent with her grandson's name on them...she has heard, though she doesn't exactly understand how, that people can send her email with Bobbie's name on it but with malicious contents.

She is terrified of having her computer taken over by some 13-year-old who is not as adorable as Bobbie, and having her computer used for nefarious purposes (she doesn't know that the FBI might come knockin' on her door some day if someone used her computer in a DDOS attack, but if she did, she would recognize that that is a reason why bad kids shouldn't be allowed to control her machine).

Granma is also terrified of someone breaking in and stealing her money. She uses the computer to tell the Social Security Admin where to deposit her checks, and she has been thinking about getting a digital cash account using Hansa Dollars or e-gold rather than those blasted credit cards, but she won't put real money on her computer until she thinks it would be safer to have money on her computer than it would be to throw the money into the intersection of 5th and Vine.

Bobbie, her adorable grandson, not only loves Granma's choco-chip cookies, but is also wanted in 15 states by the FBI for computer cracking. He knows just how dangerous it is out there, and wants to make sure Granma can't be attacked by some creep with no more ethics or scruples than...uh...himself. When he sees CapDesk as an alternative, he immediately loads up his own computer and Granma's computer so that they can both be safe.

Here are the rules he gives Granma as he completes installation, and shows her how to drive around:

-- If an application, during installation, proposes for itself a name or an icon that looks a lot like the name or the icon of something else Granma already has, give it a new name and a new icon. Don't be shy, Granma, it's your computer and your application!

-- If an application asks for a bunch of different authorities, just say no. No legitimate application needs many authorities. (Well, except for things like development environments, which Granma doesn't need to worry about.)

-- If an application asks for read or edit authority outside the Desktop folder, just say no. (The current draft layout of stuff in a CapDesk world is: ~/Desktop/MyDocuments contains docs, ~/Desktop has stuff you're currently working on, ~/caplets contains applications, and ~/capData contains info for and about those applications. Proposals for rearranging folders are welcome.) Granma, you shouldn't go mucking around outside ~/Desktop either :-) (A real installer, unlike the current CapDesk installer, would copy the caplet executable into the ~/caplet directory for the user as part of the installation.)

-- If an application asks for read authority on a bunch of stuff, and also asks for a connection to the Web, just say no. (Granma doesn't quite need this one, but it is a good rule anyway.)

-- If an application asks for wide-ranging access to the Web, like all of the http protocol, only say yes if she plans to use it as a Web browser, or if Bobbie says it is ok. A Nancy Drew shared reality team game should only need an Internet connection to one place at a time.

So, there is my draft list, with comments in parentheses that are extraneous to Granma. There are only 5 of them, room for a 40% increase before there are more rules than I've been telling people :-)

What clever and terrible attacks can folks think of that will beat these simple rules? In what ways is my specification of Granma's needs and interests incorrect, that requires more flexibility than allowed by these rules?


--marcs
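The five rules above read as a checklist that Bobbie (or the installer) could run against each caplet's install-time authority request. The Python below is an added example written for this page, not CapDesk or E code from the original post. The shape of the request record (proposed name and icon, file read and edit paths, network endpoints, stated purpose, whether Bobbie vouched for it), the home directory path, and the numeric thresholds standing in for "a bunch" are assumptions made here; the sample requests are constructed.

```python
"""Granma's Rules of POLA as an install-time checklist (added example, not CapDesk code).

A caplet's authority request is modelled as a plain record; decide() reports
which of the five rules in the post it trips and what Granma should answer.
The record format, the directory layout and the "a bunch" thresholds are
assumptions made for this example.
"""
from dataclasses import dataclass, field
import posixpath

HOME = "/home/granma"                 # assumed home directory
DESKTOP = HOME + "/Desktop"           # rule 3: file authority must stay under here
MANY_AUTHORITIES = 3                  # rule 2: more than this many grants is "a bunch" (assumed)
BUNCH_OF_READS = 2                    # rule 4: this many reads, or any whole directory, is "a bunch" (assumed)


@dataclass
class AuthorityRequest:
    name: str                                       # name the caplet proposes for itself
    icon: str                                       # icon file it proposes
    file_read: list = field(default_factory=list)   # paths it wants to read ("dir/" = whole directory)
    file_edit: list = field(default_factory=list)   # paths it wants to read and write
    net: list = field(default_factory=list)         # endpoints; "http://*" = the whole http protocol
    purpose: str = ""                               # what Granma says she will use it for
    bobbie_ok: bool = False                         # Bobbie has explicitly vouched for it


def inside(path, root):
    """True if path is root or lies below it after normalisation, so a request
    phrased as ~/Desktop/../caplets/x does not count as being inside ~/Desktop."""
    p = posixpath.normpath(path)
    return p == root or p.startswith(root + "/")


def looks_like(a, b):
    """Rule 1's 'looks a lot like': equal ignoring case and spaces, or one edit apart."""
    a, b = a.lower().replace(" ", ""), b.lower().replace(" ", "")
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip a char in the longer string (insertion/deletion) or in both (substitution)
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def decide(req, installed):
    """Return (answer, rules_tripped). answer is 'yes', 'rename' (rule 1 only) or 'no'."""
    tripped = []
    if any(looks_like(req.name, app.name) or req.icon.lower() == app.icon.lower()
           for app in installed):
        tripped.append("rule1_lookalike_name_or_icon")
    if len(req.file_read) + len(req.file_edit) + len(req.net) > MANY_AUTHORITIES:
        tripped.append("rule2_many_authorities")
    if any(not inside(p, DESKTOP) for p in req.file_read + req.file_edit):
        tripped.append("rule3_outside_desktop")
    bunch = len(req.file_read) >= BUNCH_OF_READS or any(p.endswith("/") for p in req.file_read)
    if bunch and req.net:
        tripped.append("rule4_read_plus_network")
    whole_protocol = any(n.endswith("://*") for n in req.net)
    if whole_protocol and req.purpose != "web browser" and not req.bobbie_ok:
        tripped.append("rule5_wide_web_access")
    if not tripped:
        return "yes", tripped
    if tripped == ["rule1_lookalike_name_or_icon"]:
        return "rename", tripped          # Granma fixes the name/icon herself, then installs
    return "no", tripped


# Constructed sample data: what Granma already has, and six install requests.
INSTALLED = [AuthorityRequest("Card Maker", "cards.png"),
             AuthorityRequest("Nancy Drew VR Team", "nancy.png")]

DRAWING = AuthorityRequest("Doodler", "doodle.png",
                           file_edit=[DESKTOP + "/valentine.draw"])
LOOKALIKE = AuthorityRequest("Card Makr", "hearts.png",
                             file_edit=[DESKTOP + "/MyDocuments/card.txt"])
TROJAN_GAME = AuthorityRequest("Mystery Mansion", "mystery.png",
                               file_read=[DESKTOP + "/"], net=["http://*"], purpose="game")
SNEAKY = AuthorityRequest("Tidy Notes", "notes.png",
                          file_edit=[DESKTOP + "/../caplets/tidy"])
GREEDY = AuthorityRequest("Fancy Cards", "fancy.png",
                          file_read=[DESKTOP + "/MyDocuments/", HOME + "/capData/"],
                          file_edit=[HOME + "/caplets/"],
                          net=["http://updates.example.test/"], purpose="card designer")
BROWSER = AuthorityRequest("Web Browser", "globe.png", net=["http://*"], purpose="web browser")

if __name__ == "__main__":
    for req in (DRAWING, LOOKALIKE, TROJAN_GAME, SNEAKY, GREEDY, BROWSER):
        answer, why = decide(req, INSTALLED)
        print(f"{req.name:16} -> {answer:6} {why}")
```

Two design points worth noting. Rule 1 comes back as "rename" rather than "no", because the post treats a lookalike name or icon as something Granma fixes herself before installing. And the rule 3 check normalises the path first, so a request written as ~/Desktop/../caplets/tidy is recognised as an edit outside the Desktop; a checker that only compared string prefixes would let it through. The thresholds for "a bunch" are the example's own choices, not anything the post specifies.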
