I've got an idea that I'll try to make coherent enough for someone else to get the gist of...
I want to be able to post photos, messages, and other personal stuff to a site that I pay for the hosting of, which can only be read by certain people. I'd like to offer them the ability to have their own accounts and do likewise. Bonus points for making it possible for them to download and move their stuff later if they so desire.
Facebook does most of these things, if you are willing to ignore all the downsides of being a resource for advertisers to mine, and governments to spy on, and hackers to breach, instead of being their customer.
I'm thinking of coding up something based on a bedrock of capability based security, with layers of filtering restricting authority on each layer to the user.
A private version of facebook, which can be shared... it shouldn't cost much... unless someone goes wild posting video and sucking up server space. I'd guess $5/month or less.
What do you folks think?
Tuesday, November 10, 2015
The Medium is the Message...
cross-posted from a comment at facebook...
It used to be that people had their own published streams, and you could directly choose who to read (for example using RSS to keep tabs on what Scoble had to say).... but then the network effects of things like this got the better of us, and we're all here in a place where we have to either pay facebook for attention, or say something so outrageous that it goes viral to get around their paywall.
We need to go back to blogs to get the middlemen out, and tune our filters to the bigger, slower, and vastly more important real stories we need to pay attention to.
The medium (facebook) is the message...
Friday, October 30, 2015
I don't git it
Why y'all continue to trust applications to do anything is beyond me.
You don't hand your wallet to the clerk at the gas station, but you'll hand your whole machine over to any random bit of code, and get upset when it goes awry.
Your OS should ask which files to let your application access... until that changes, you're going to keep getting skunked.
Friday, October 02, 2015
CapabilityPipes v0.001 - A very rough draft of an incredibly powerful idea
This is a raw dump of an idea that came to me at 4AM... I hope it's coherent enough to catch on... I will of course keep refining it.
This is v0.001 of the idea
++ Capability Pipes
Unix/Linux is a set of tools which work together to allow you to pipe output from one program into another, and the resulting plumbing lets you do very powerful things. We need a similar set of tools for the capability security model. This would allow you to have complete and total control over your applications, your network usage, and everything your computer does on your behalf, in a rational and expandable manner.
Instead of trusting applications to do everything, why not use the pipe/api model to limit their connections to the world, so that you can tightly restrict the side effects of everything, as needed?
Give the user a traditional view of the world, just like the linux they have now, but instead of trusting applications blindly, force them all to use capability pipes (like file handles) to do all their I/O.
Of course, you could always default things to the current look/feel of a typical linux desktop, to make transitioning easy for users.
It is impossible to overstate the amount of power this would put back into the hands of users.
Examples, use cases:
A mute filter to allow control over the audio output of a web browser.
Filtering of which URLs a web browser is allowed to access
A batch file which could do more than chroot ever could, with all the limits hard enforced by the operating system
All file pipes would be chosen / supplied from outside the application.
iptables allows a linux system administrator to do very powerful things with the network stack of a machine... this would be a much more fine-grained approach as you could control I/O of everything down to the bit level, or not... as you see fit, in the unix way.
You could count the bytes a web browser sends or receives on each and every page. You could log things.
Digital Rights Management would be killed stone dead as a nice side effect.
Ad blocking could be scripts that users could tweak themselves.
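Here is what the plumbing might look like, as an added illustration (this is not code from the post, and it is only a model of the idea). The untrusted "app" is a child process whose only channels to the outside world are the two pipes the supervisor creates for it; every other inherited descriptor is closed. A network fetch is just a request line sent up the pipe, so the supervisor can interpose Unix-style filters the user controls (a URL allow-list, a per-host byte counter, a logger) that the app cannot bypass or even see. The wire format "GET <url>", the filter names, and the canned page bodies are assumptions made for the example; a real system would have the OS, not a Python parent, remove the app's ability to open sockets and files directly.

```python
"""Capability pipes, modelled with real OS pipes (added example, not the post's
own code). The app process gets stdin/stdout and nothing else; the supervisor
owns the other ends and runs each request through a chain of filters before
anything reaches the (stubbed) network."""
import subprocess
import sys
from collections import Counter
from urllib.parse import urlparse

# The untrusted app. It never opens a socket or a file: its one way to "fetch"
# a URL is to write a request line and read back one reply line. (Assumed
# protocol: "GET <url>" up, "<status> <bytes>" back.)
APP_SOURCE = r'''
import sys
for url in ["https://example.com/", "https://ads.example.net/track",
            "https://example.com/page2"]:
    sys.stdout.write("GET " + url + "\n")
    sys.stdout.flush()
    sys.stdin.readline()          # the reply; a real app would render it
'''

# Constructed stand-in for the network: URL -> body.
FAKE_WEB = {
    "https://example.com/": b"<html>hello</html>",
    "https://example.com/page2": b"<html>page two</html>",
    "https://ads.example.net/track": b"tracking pixel",
}


def fetch_from_network(url):
    """Last stage of the chain: the (stubbed) real network."""
    body = FAKE_WEB.get(url)
    return ("200", body) if body is not None else ("404", b"")


class UrlAllowlist:
    """Filter stage: refuse any host the user has not explicitly granted."""
    def __init__(self, hosts, nxt):
        self.hosts, self.nxt = set(hosts), nxt

    def __call__(self, url):
        if urlparse(url).hostname not in self.hosts:
            return ("DENIED", b"")
        return self.nxt(url)


class ByteCounter:
    """Filter stage: account for bytes received, per host."""
    def __init__(self, nxt):
        self.received, self.nxt = Counter(), nxt

    def __call__(self, url):
        status, body = self.nxt(url)
        self.received[urlparse(url).hostname] += len(body)
        return status, body


class Logger:
    """Filter stage: record every request and how it was answered."""
    def __init__(self, nxt):
        self.entries, self.nxt = [], nxt

    def __call__(self, url):
        status, body = self.nxt(url)
        self.entries.append((url, status, len(body)))
        return status, body


def run_supervised(allowed_hosts):
    """Run the app behind Logger -> UrlAllowlist -> ByteCounter -> network.
    Returns (log entries, bytes received per host)."""
    counter = ByteCounter(fetch_from_network)
    chain = Logger(UrlAllowlist(allowed_hosts, counter))

    # close_fds=True (the POSIX default) is what makes these two pipes the
    # app's *only* capabilities: nothing else of the parent's leaks in.
    proc = subprocess.Popen(
        [sys.executable, "-c", APP_SOURCE],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE,
        text=True, bufsize=1, close_fds=True,
    )
    while True:
        line = proc.stdout.readline()
        if not line:                      # app exited, pipe closed
            break
        verb, _, url = line.rstrip("\n").partition(" ")
        status, body = chain(url) if verb == "GET" else ("BADREQ", b"")
        proc.stdin.write("%s %d\n" % (status, len(body)))
        proc.stdin.flush()
    proc.stdin.close()
    proc.wait()
    return chain.entries, dict(counter.received)


if __name__ == "__main__":
    entries, received = run_supervised({"example.com"})
    for url, status, n in entries:
        print(status, n, url)
    print("bytes per host:", received)
```

Swapping the allow-list for an empty set turns the same app into one that can reach nothing at all, without touching the app; adding an ad-blocking stage would be one more class in the chain, which is the "scripts users could tweak themselves" point above.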
Saturday, August 22, 2015
It's not the Snowden effect, either.
John Robb suspects that Edward Snowden is indirectly responsible for the continuing breakdown of "cyber security" because he's still alive, proving the US impotent. While I can understand the conclusion he's drawn, I believe he's quite wrong.
Snowden merely proved what many in the world already suspected... that the US is spying on everyone, all the time. The credibility of the US in terms of morals took a small hit, but there is a far larger supply of suppressed hypocrisy hidden all over the internet waiting to be tapped... it's just beginning.
The root cause of the wave of insecure computing isn't the users, or the internet, or evil hackers, or lack of "defense". It is the continued use of a security model suitable for the 1970s University Computer Science department, in the age of always-on worldwide networking. Back then you were worried about users doing the wrong thing, and the system was set up to protect itself from them, in a fairly straightforward way.
Unfortunately, to the contrary of the opinions of many a system administrator, the users really aren't the problem. It is squarely the fault of the operating systems that we all choose to use on a daily basis. They simply aren't designed to cope.
The ONLY effective solution is going to be to replace the operating systems we all use... which is going to be annoying, and cost a bit, but can definitely be accomplished.
When your operating system trusts every program you run, you have a problem.
You get what you pay for
For a long time I've been aware of the decreasing quality of my interactions with the internet. I'm far more of a consumer now than I was in the beginning. I've let the notion that I'm powerless to change things infect my thinking, and it has eased me into a daily routine which results in lots of "likes", shares, and a few attempts at humor or sarcasm.
It doesn't have to be this way, and I don't have to let it continue. The web isn't dead. Blogging isn't dead... this entry is an existence proof of that. The tools still work, and are still valuable. RSS still works, and RSS readers are still around to support it. I, and many of my peers (like Scoble, for example) have decided to let them go fallow. It's time to take back our time and attention and pull together a future which combines the best of the past, and the best of the new tools.
I agree with Dave's criticism of Facebook, in the middle of a post about libraries, and that prompted this post. As I told Doc Searls a very long time ago, you get what you tune your own feedback loops to optimize on. I'm going to tweak my own settings a bit. 8)
If you consume media all day, and only offer up a like, or a sharing of something interesting... you have to be VERY selective if you are actually helping increase the quality of discourse. I've not been selective, and for that I am sorry.
Monday, August 10, 2015
Living within our means?
Imagine if we actually lived within our means, instead of leeching off the rest of the planet via the world's largest military...
We'd all lose 80% of our standard of living, but there would be health care for all, savings would again pay interest, and debt would be a thing to be avoided at all costs... in the long run we'd all be happier, but it would be a rough 20 years scaling down to live within our means, and apologizing.
What do you think?
Thursday, July 30, 2015
On Cyberwar
If your operating system isn't smart enough to require a list of resources to feed a program you want it to run, you lose.
If you built your entire civilization on such a stupid foundation, you lose.
Anyone smarter than that can wipe you off the face of the earth, unless you can survive long enough to correct your deeply embedded mistake.
Tuesday, January 06, 2015
What to do while we wait for secure computing
The problem with secure computing is that it is an obscure design feature that has to be written in at the base level of an operating system, as it affects all subsequent layers... so it is going to take quite a bit of time and effort for people to get it done, once awareness is raised enough to stimulate a demand.
The best measures to take are, in the meanwhile, common sense. Make backups, TEST them. Don't put anything into your computer that can ruin your life if shared with the world. Assume at some point your computer will be wiped randomly... hardware failure is still a fact of life.
Putting operating systems inside of virtual machines is a crude form of capability security, if you lock down the permissions and networking... not something for the casual home user, though.
Let's be careful out there.
Monday, January 05, 2015
Secure computing can be easy to use
Thanks to the PowerBox pattern, capability based security can be fairly easy to use, and in many use cases, it can be almost click for click identical with current ways of getting things done.
A PowerBox is a traditional file dialog box, with a twist in that the results give capabilities (similar to file handles) to an application, instead of just letting the application grab resources as required. The end result is a system in which an application is never directly trusted, and only gets the resources the user decides are appropriate to provide.
The Genode operating system provides such a system called nit-picker (if my reading is correct)... and this could have been done as long ago as 1995 for Windows, if the need for better security was more apparent back then...
Your computer can be safe, secure, and easy to use.... but we have to demand change to get there.
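To make the PowerBox idea concrete, here is an added example (not code from the post, and not Genode's implementation). The trusted side plays the role of the dialog: it picks the file the user chose and opens it in the mode the user allowed. The app receives only the resulting descriptor, never a path and never a way to open paths itself. Because the handle is opened read-only, the app's attempt to write through it is refused by the kernel (EBADF), not by a check inside the app. The scratch file contents and the "app" source are constructed for the example; note that a Python child still has ambient authority to open other files by name, which is exactly the gap the post says the OS itself has to close.

```python
"""PowerBox pattern with kernel-enforced attenuation (added example, not the
post's or Genode's code). The 'dialog' side opens the chosen file in the
granted mode and passes only the descriptor to the app process."""
import os
import subprocess
import sys
import tempfile

# The app. Its single capability is the descriptor number in argv[1]. It reads
# through it, then tries to write through it, and reports what happened.
APP_SOURCE = r'''
import errno, os, sys
fd = int(sys.argv[1])
data = os.read(fd, 4096)
try:
    os.write(fd, b"tampered")
    verdict = "WRITE-OK"
except OSError as e:
    verdict = "WRITE-REFUSED:" + errno.errorcode[e.errno]
print(len(data), verdict)
'''


def run_app_with_file(chosen_path, writable):
    """The trusted 'PowerBox' half: open the user's chosen file in the granted
    mode and start the app with that descriptor as its only file handle.
    Returns (bytes the app could read, the app's verdict on writing)."""
    fd = os.open(chosen_path, os.O_RDWR if writable else os.O_RDONLY)
    try:
        # pass_fds hands over exactly this descriptor; everything else the
        # parent holds is closed in the child (close_fds is the default).
        proc = subprocess.run(
            [sys.executable, "-c", APP_SOURCE, str(fd)],
            pass_fds=(fd,), capture_output=True, text=True, check=True,
        )
    finally:
        os.close(fd)
    size, verdict = proc.stdout.split()
    return int(size), verdict


def demo():
    """Constructed scenario: the user picks the same file twice, granting
    read-only access the first time and read/write the second."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"hello world\n")
        path = f.name
    try:
        ro = run_app_with_file(path, writable=False)
        with open(path, "rb") as f:
            after_ro = f.read()
        rw = run_app_with_file(path, writable=True)
        with open(path, "rb") as f:
            after_rw = f.read()
    finally:
        os.unlink(path)
    return {"ro": ro, "after_ro": after_ro, "rw": rw, "after_rw": after_rw}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The read-only run shows the point of the pattern: the app got the bytes the user meant it to have, and the file is untouched afterwards even though the app tried to modify it. Only when the user grants a writable handle does the write land.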
Hand over your purse or wallet to continue this transaction
Imagine if you had to surrender your wallet or purse in order to buy a pack of gum at the local store... so the clerk could remove the appropriate amount of money, then hand it back to you at the end of the transaction.
This is obviously an unacceptable and odd way of doing things: the clerk could do all sorts of unacceptable things to your possessions, and you would have no way of stopping them. In technical terms: the side effects in this situation are unlimited in scope.
Back in the real world, we have a much simpler way of dealing with it, we hand over a small amount of cash, and expect change. This limits both the amount of risk, and the side effects that are possible. In technical terms: There are hard, a-priori limits to the scope of the transaction.
When you run a program, browse a web page, open a PDF file, your computer's antivirus attempts to guess if the action is safe... and most of the time gets it right. But there is no way to limit the damage that can be caused by a wrong guess... which in 2015 is just plain stupid.
This is the gist of why I've decided to start this campaign to bring security to our modern PC operating systems... we need to be able to be at least as safe as we were in 1983 when we had dual-floppy IBM PCs.... the A: disk was write protected, and the worst you could do was corrupt the floppy in the B: drive if you had a bad day. You could make backups in less than 5 minutes, and they always worked.
Things can get better...awareness of the problem is the first step
Sunday, January 04, 2015
Windows needs a grenade sump
In warfare, you dig defensive positions to incorporate a grenade sump, so that an inbound grenade can be directed to a place where it will result in minimum harm....
There is no equivalent of a grenade sump in Windows... nowhere you can stick a program that you don't trust, then wait and see if it blows up.
Saturday, January 03, 2015
Windows is like a Fort made out of explosive bricks
Here's an over the top analogy to help make my point:
Imagine you just completed an old fashioned Fort, with thick sloped masonry walls to deflect incoming artillery, etc.... only to learn all the bricks were actually blocks of Plastic Explosive (due to a massive supply chain failure).
You have a Fort that can destroy itself and offers zero defense...
This is the exact situation we all find ourselves sitting in, because our operating systems trust all the code they run by default. Any piece of code executing has no effective limits on what it can do; the side effects of any byte of code are unlimited. The damage that can be done by any instruction about to be executed next is unlimited.... and the one after that, etc.... it can all chain react and there is no way to prove a program won't do that (although to be fair, it's not very likely at any given moment).
Operating systems exist that don't ever trust programs to do what they say on the tin... we need to adopt them.... by about 10 years ago.
The closest you're going to get in the open source world is to browse over to the Genode project... the rest of the systems are old and obsolete, because nobody (besides me) is convinced we need them.
Comments, suggestions welcome.