Thursday, April 05, 2012

If you can't even express a correct answer, you'll always be wrong.

In response to an ongoing thread on /. about computer security, I wrote this:

What we have here, is a failure to communicate...
It's not the user.
Nor is it the internet
Nor is it the administrator
Nor is it the OS vendors
It's a very deep paradigm/vocabulary issue
The problem IS lack of security.... quick... how can You, in YOUR CHOICE OF ENVIRONMENT tell your OS that you want a program to enforce this set of rules on a program you want to test:
  • read access to itself, and its install directory
  • read access to all of the system libraries
  • read-write access to a single folder
  • access to a specific set of windows in the GUI (if any)
  • and nothing else?
If you can even begin to fulfill this list of un-restrictions, you're probably approaching it in terms of a locked down user account, which is exactly the problem. This list of un-restrictions is otherwise known as a capabilities list, and should be assigned on the basis of the needs of the moment, not some static definition.
If you can't even express the correct answer, you'll never get it right.
While people remain unable to even express ideas in terms of capabilities, it won't happen, and we'll be vulnerable... I suspect it's going to take about 12 more years.
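
To make the vocabulary concrete, here is the list above written down as a default-deny capability list with a small checker. This is an added example, not code from the original post or from any operating system; the paths, the window name and every class and function name are hypothetical, and the path check is lexical only, so it models the policy rather than enforcing it.

```python
import posixpath
from dataclasses import dataclass

READ, WRITE = "read", "write"

@dataclass(frozen=True)
class Grant:
    path: str           # directory or file the grant covers
    rights: frozenset   # subset of {READ, WRITE}

def _norm(path):
    # Collapse ".", ".." and repeated slashes so "/srv/work/../../etc"
    # is judged as "/etc". Lexical only: a real enforcer must also
    # resolve symlinks at the point of access.
    if not path.startswith("/"):
        raise ValueError("absolute paths only")
    return posixpath.normpath("/" + path.lstrip("/"))

def _covers(root, target):
    # Match whole path components: "/srv/work" must not cover "/srv/workspace".
    return target == root or target.startswith(root.rstrip("/") + "/")

class CapabilityList:
    def __init__(self, grants, windows=()):
        self.grants = [Grant(_norm(g.path), g.rights) for g in grants]
        self.windows = frozenset(windows)

    def allows(self, right, path):
        # Default deny: access exists only if some grant names it.
        target = _norm(path)
        return any(right in g.rights and _covers(g.path, target)
                   for g in self.grants)

    def allows_window(self, window_id):
        return window_id in self.windows

def example_caps():
    # Constructed sample: one program under test, assembled for this run.
    ro, rw = frozenset({READ}), frozenset({READ, WRITE})
    return CapabilityList(
        grants=[
            Grant("/opt/testapp", ro),  # itself and its install directory
            Grant("/usr/lib", ro),      # system libraries
            Grant("/lib", ro),
            Grant("/srv/work", rw),     # the single read-write folder
        ],
        windows={"testapp-main"},       # the specific GUI windows, if any
    )
```

The list is built per run, for one program, which is the "needs of the moment" point: nothing in it refers to a user account.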
