Friday, February 26, 2010

Why I'm the next super-empowered individual of note

I hereby declare myself a super-empowered individual. I'm one of those folks who can change the world if he so desires. I have decided there is a situation which needs to change, and I have started to change it. It will take time and focused effort, but things will change.

I'm just an average American... in the old school sense of things. Just one of "the folk". I have no special skills or resources... just a set of observations and a set of theories derived from them.

I believe one thing that I believe sets me apart from most people:

Computers can be made secure in the hands of the average user.

The average user is by far the most maligned portion of the entire computer security world. The commonly held belief is that if we were smarter, or more careful, we users wouldn't be in this mess.

To that I call bullshit. This blaming the user has to stop. Users have no sane set of tools with which to work. The current choices of tools are so poor the equivalent would be like blaming a heart surgeon for not being able to complete a triple bypass operation with a pair of wire cutters and a roll of duct tape. If he were really smart, and inventive, like MacGyver, he could pull it off, right? Wrong!

The tools required by the user are simple... an operating system that allows you to specify a set of capabilities to be supplied to a program the user wishes to run. The operating system would then be responsible for making sure that ONLY those capabilities were used, and nothing else.

It's simple to state, but very hard to grasp if you've been immersed in the world as it is, with usernames, passwords, virus scanners, "trusted code", and a whole system designed to make things appear to be stable by listing everything that is bad code, and trying to filter it out.

I intend to provide examples and conversation and guidance to help ALL of us change things for the better.

I'm changing the world. You're already helping by reading this. Thank you for your time and attention.

I want to change the world, can you help?

Here it is, a plea to help change the world, for the better. It's sincere, honest, direct, and you might even be able to help.

I believe that computer security can be fixed. There is a basic concept called capability based security, which was invented back in the 1950s and 1960s, and it really works. In the shuffle through Unix, the PC revolution, and now with Windows, Linux, etc... the lessons learned back then have been forgotten.

I want to help bring this knowledge to the masses, especially programmers, and others. This would allow the creation of an entire new crop of capability based systems and models which I believe could be mathematically proven to be secure. (If nothing else, far less leaky, by orders of magnitude.)

Truly secure computing means you don't need virus scanners, and a lot of the headaches associated with owning a general purpose computer go away.

There is, of course, a catch... a big catch: You have to replace all of your software...
or at least figure out how to replace the OS....
or at least sandbox each of your existing apps if you still want them...
and we could probably make it easy enough to deal with for the general public, given enough minds working on the problem.


So... I'm posting this plea here, and will be pointing back to it to try to get a conversation started.

It's been posited that any idea with at least 5 people backing it fully can take off. I believe this can be done.

Now, please help me change the world, and let's talk about it.

Cyberwar, and how you (and 4 buddies) can stop it cold.

I just posted this in a comment at Global Guerrillas: (which I highly recommend you read daily)

I think it's really sad that nobody even imagines that the systems we all depend on could be made secure.

Everything we do in the commercial world is based on a crappy security model, one barely better than none, but not sufficient to secure more than a case of beer in a college dorm room.

Everything, Linux, Windows, Mac, etc... all work based on a default permissive environment. This means you have to trust code to do exactly what you want. Which is just plain insane.

A better way is to run code without any permissions by default, and only supply it with exactly the capabilities necessary to get the job done. In the world of real security, it's called "need to know".

Credit card systems operate in the same way... if someone knows a few key details about you, they can have all your money, and more.... which is just plain nuts. It doesn't have to be that way, and it can be fixed.

I'll talk to anyone who wants to help fix this, for free, because I believe it's my duty to point out the insanity of the system we currently have rigged up.

John, it CAN be fixed... it would take a core of a few people, just people dedicated to spreading the word, and making examples that people can relate to. No big investment, no massive Manhattan style projects.

Yes, it would involve replacing our infrastructure, but we do that all the time anyway. We just need to replace the parts with something that actually works better as we go.
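The idea stated in the first post (the user specifies the capabilities a program gets, and the OS makes sure only those are used) and again in the comment above (run code with no permissions by default), sketched as a toy Python model. This is an added example, not code from the original posts; `Launcher`, `Cap`, the slot-numbered `syscall` and the file names are hypothetical, and Python itself does not enforce the isolation a real OS would.

```python
class Denied(Exception): pass

class Cap:
    """One resource plus the rights granted on it (hypothetical model)."""
    def __init__(self, resource, rights):
        self.resource, self.rights = resource, frozenset(rights)

class Launcher:
    """Hypothetical stand-in for the OS: owns resources, mediates requests."""
    def __init__(self):
        self.files = {}   # constructed in-memory "disk": name -> bytearray
        self.log = []     # audit trail of denied requests
    def grant(self, name, rights):
        return Cap(self.files.setdefault(name, bytearray()), rights)
    def run(self, program, *caps):
        clist = list(caps)  # the program's entire world: it can name nothing else
        def syscall(op, slot, data=b""):
            # Default deny: unknown slot or missing right means no access.
            if not 0 <= slot < len(clist) or op not in clist[slot].rights:
                self.log.append((program.__name__, op, slot))
                raise Denied(f"{op} on slot {slot}")
            buf = clist[slot].resource
            if op == "read":
                return bytes(buf)
            buf.extend(data)  # "append" is the only other right this model defines
        return program(syscall)

def word_count(syscall):
    n = len(syscall("read", 0).split())     # slot 0: input, read-only
    syscall("append", 1, str(n).encode())   # slot 1: output, append-only
    return n

def nosy(syscall):
    # Misbehaving program: tries to modify its input and probe for more slots.
    outcomes = []
    for op, slot in [("append", 0), ("read", 2), ("read", 0)]:
        try:
            syscall(op, slot, b"x")
            outcomes.append("ok")
        except Denied:
            outcomes.append("denied")
    return outcomes

def demo():
    os_model = Launcher()
    os_model.files["letter.txt"] = bytearray(b"dear john it can be fixed")
    os_model.files["secrets.txt"] = bytearray(b"never granted")  # constructed
    src = os_model.grant("letter.txt", {"read"})
    out = os_model.grant("count.txt", {"append"})
    n = os_model.run(word_count, src, out)
    return n, os_model.run(nosy, src, out), bytes(os_model.files["count.txt"]), os_model.log
```

`secrets.txt` is unreachable by construction: requests carry slot numbers, never names, so no request a program can make refers to it.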