[14312] in cryptography@c2.net mail archive


Re: Reliance on Microsoft called risk to U.S. security

daemon@ATHENA.MIT.EDU (Jeroen C.van Gelderen)
Sat Sep 27 18:23:34 2003

X-Original-To: cryptography@metzdowd.com
Date: Sat, 27 Sep 2003 16:46:32 -0400
Cc: Bill Frantz <frantz@pwpconsult.com>,
	Ian Grigg <iang@systemics.com>, cryptography@metzdowd.com
To: Victor.Duchovni@morganstanley.com
From: Jeroen C.van Gelderen <jeroen@vangelderen.org>
In-Reply-To: <Pine.GSO.4.58.200309271543250.9026@sasas1.ms.com>


On Saturday, Sep 27, 2003, at 15:48 US/Eastern, 
Victor.Duchovni@morganstanley.com wrote:

> On Sat, 27 Sep 2003, Jeroen C.van Gelderen wrote:
>
>> I continue to believe that few users would grant an email message
>> access to both the Internet and the Address Book when they are asked
>> those two questions, provided that the user had not been conditioned to
>> clicking "YES" in order to get any work done at all.
>>
>
> You have not met my users!

Indeed, but I'm here to learn :)

> This is really rather naive. Users don't
> understand pop dialogues, they raise their stress level, always clicking
> "yes" makes the problem go away.

True. But don't you think that this may be in part because the popup 
dialogues are shown way too often in the course of normal use? And 
because they ask questions that cannot be understood by Real Users? Is 
it naive to assume that Real Users are intelligent but that an 
ill-designed security architecture has *conditioned* them to always 
click YES, as you say because that is the only way for them to get any 
work done at all?

I have to imagine starting with a clean slate, with unconditioned users.

Now imagine that Alice, a Real User, can usually do a full day's 
worth of work (Excel, Word, Browsing, Email) without seeing a security 
popup asking some weird question. Imagine this is the status quo. In 
this scenario, a security popup is cause for concern. After all, normal 
use doesn't result in popups so this is a clear indication that 
something is wrong. Why would she click "YES"?

Now additionally imagine that security popups ask Alice an intelligible 
question. Not "FooBar is trying TCP to port 1223, that okay with you?" 
but rather something like "This website wants access to ALL YOUR 
PERSONAL FILES, that okay with you?" Or: "This email wants to access 
the Internet and your Address Book, that okay with you?"

Because I'm an optimist I believe that Alice will read the dialog and 
err on the side of caution. Maybe that isn't realistic. So we teach 
Alice to always click "NO". We can do so because unlike today, Alice's 
"NO" will not interfere with her ability to get work done.

>>> Also security is not closed under composition, two individually secure
>>> components can combine to produce an insecure system. I think that no
>>> such secure *non-trivial* least privilege system exists for a
>>> graphical general purpose computer either in theory, or in practice.
>>
>> Are you familiar with the KeyKOS and EROS operating systems and/or
>> Stiegler's CapDesk, a secure desktop in Java? They are all based on the
>> Principle Of Least Privilege (through capabilities) and they manage to
>> preserve security in the face of composition. Do you consider those
>> systems to be trivial, or broken? What is the reason these systems
>> cannot exist in theory or practice?
>
> What fraction of "real" users will be able to use these systems? Will
> users really understand the composition properties of security policies?

I agree that such composition must be intuitive or we cannot expect it 
to work. I think that CapDesk is a nice publicly available prototype of 
a workable capability desktop. It would be very interesting to see your 
assessment on whether a CapDesk approach would be workable for your 
users. And if it isn't, why not. I hope you can lend your experience.

Cheers,
-J

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
