[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security
Mark S. Miller
markm@caplet.com
Wed, 21 Mar 2001 17:44:42 -0800

At 05:20 PM Wednesday 3/21/01, Ka-Ping Yee wrote:
>> There is no way to protect the user if he allows "pranksters" to access
>> a machine with his authority. That's why everyone should lock their
>> screens!
>
>Markm will probably argue with me on this also, but in my opinion
>this statement seems representative of a very unfortunate approach.
>The attitude is pervasive in computer interaction design, and boils
>down to disclaiming responsibility because "the user is stupid".

You're correct -- I will give you an argument.

The issue is not the intelligence of the user, it's the intelligence of the
attacker. If the machine in question is stock hardware, then Robert's first
sentence is literally true: There is *no way* to protect these users. The
situation's actually much more severe than Robert's second sentence would
indicate: locking the screen makes no difference. A machine that an
attacker may have had physical access to must be assumed to be corrupt.
Software security means nothing in the absence of restricted physical
access. Special hardware (opaque boxes) can provide such restrictions
within the box, but they have other problems.

This leaves stock desktop machines in unlocked offices in an untenable
situation. Software by itself can do nothing to repair the situation. This
may be the strangest argument yet for telecommuting -- separation of
physical vulnerabilities.

Cheers,
--MarkM