How we lost the upcoming cyberwar, in the 1970s.

There is a lot of talk about an upcoming (ongoing?) “cyberwar” with Russia and China. I believe strongly that this "war" was lost in the 1970s, in a manner similar to the way we ended up with the Y2K problem. The scope of programs slowly shifted, and base design decisions haven’t been revisited adequately in the intervening decades.

Ambient Authority is a design decision which only appears once you have multiple users sharing a computer. In early computing environments, there were military, commercial, or academic constraints on the users, and it was sufficient to limit the programs to the authority of the user, so no change was needed, except for the provision of ACL (Access Control List) security, the kind where permissions are added to files and folders, in the form of who is allowed to access a given file.

ACL was deemed to be adequate, and as a result, everyone just kept using Ambient Authority without much thought. Fast forward 40 years, andl we find ourselves in a world of persistent networks, mobile code, no system administrators, and multiple layers of firmware and OS from various hardware and software vendors.

In such a system, any code runs with the full authority of the user who started the task, and the users have no effective means of limiting the side effects of running a given program. This in turn means we have to try to guess the intent of code (which is equivalent to solving the halting problem, and is thus impossible). The band-aid is to then try to enumerate all the bad code in the world (virus scanners), and to enumerate all the code bugs in all our programs (security updates), and to eliminate the trust of users (DRM, forced updates, "safety" filters in our browsers). None of these band-aids will work against a determined individual, let alone a nation-state.

Running tasks with the least possible privilege, the "Principle of Least Authority" (POLA) allows a user in such a system to decide ahead of time exactly what files the program is allowed to read, write, etc. Because we're all used to dialog boxes, and drag to drop GUI elements, this doesn't even require any special training of users to accomplish.

Of course, rebuilding our infrastructure to fix a design flaw of the size and scope of using 2 digit years (the Y2K problem we once faced), isn't going to be easy... especially when there's no deadline to make the need for action obvious. It's just going to remain an insidious vulnerability instead for decades to come.

If you think EAL certifications address this, they don't. 8(

Data storage trivia

If printed with dense codes, you can fit about 1/2 megabytes on one side sheet of letter sized paper, reliably. This means 1 megabyte per page.
A case of paper is 500 (sheets/ream) * 10 reams -> 5000 megabytes.

One case of paper is 5 gigabytes.

21st century deep perceptron nets

Long ago, the Perceptron showed great promise as a way to have machines learn. There were limitations, but unfortunately these were extrapolated prematurely to conclude it was a dead end, and the technology languished for years before being reborn as neural networks, and eventually deep neural networks, or "DeepNet".

The cool thing about perceptrons was they were analog, and each unit cell could adjust its own parameters in a simple, analog, and provably effective manner.

IBM has just figured out how to mix Non Volatile Memory (NVM) and CMOS technology to build analog perceptrons on a chip, thus making it possible to have analog deep nets, which saves incredible amounts of compute time by doing everything in the analog domain.

I expect this to make a big difference in the long run.

We need to have a deep discussion about computer security.

I think that we need to have a very deep discussion about security. There are many folks who figure that things are just fine, except the users, OS vendors, administrators, or some other "blame sink" is the problem.  Things are not fine, not even just slightly broken, they are a ticking time bomb.  We've built a civilisation on top of a layer upon layer of code that is full of holes, and should never be trusted.

I have a radical idea to sell... no product, no service, no profit for me.  Please consider this idea, and not reject it out of hand.  If you find it appealing, just help spread it, refine it, and you can leave me out of it for all I care.

Computer Security can be fixed.  The fix is expensive, because the flaw is in the foundational assumptions of what makes a good operating system, which means we have to rebuild from ground zero.   Operating Systems are supposed to fairly share the resources available in a computing device according to the policies set in place by the designers, administrators, and users.   To do this, some assumptions are made, one of which is that a program, once set in to motion by a user, should have the full authority of the user at its disposal at all times.  This ambient authority is baked into everything out there, the trillions of lines of code running almost every device on the internet, and off.

Programs can be written in a different way, without the need for ambient authority. This is called capability based security, and also goes by some other names, including the principle of least privilege.  There are historic examples of Capability Based operating systems in the past, like KeyKOS, which prove that it can at least be done.  There is a project in Germany, the Genode project, which appears to be close to usable for building capabilities based systems, though I haven't had my hands on it yet.... it's getting close.

Capability Based secure systems don't even have to work differently for most users.  Capability UX Tools like a "powerbox" replace dialog box and the subsequent opening of a file, giving the same results without the need for ambient authority.

Programs without ambient authority don't present a vector for the spread of malware. In fact, it might be possible to completely dispense with virus scanners, firewalls, and the whole mess of "security" software that we layer onto our PCs in an attempt to keep them safe.

So, there it is... a lot of text written freestyle into a dialog box on a web page.  I hope I did a good enough job to convince you to give the idea some consideration.  I'll do whatever it takes to help spread it.

--Mike--
mike warot - chezmike@gmail.com

The minimum viable demo for Capability Based Security

I have a vision of how computers can be made secure, but apparently in order to convince my fellow programmers that it can be done, it is necessary for be to build an "existence proof". Clearly I'm not up to building an Operating System, not even a custom linux distro.... something far less ambitions is required, a minimum viable demo... I'll be pondering this for a while, any suggestions would be appreciated.

I have a dream, the Capability Based Security version

I have a dream, that one day, we shall have secure general purpose computing. We shall no longer need virus scanners, we shall no longer have multiple gigabyte “security updates”, and we shall no longer fear to click on a link, or try out a program… I have a dream.

General purpose computing needs to be secured, this will fix IoT as a secondary effect. There’s not enough money in small gadgets to do this the other way around. We fix IoT security the same way we fix workstation security, by deploying operating systems that don’t lubricate applications in a sea of authority, with all the explosive results.

There are operating systems that default to NO permissions what so ever, and yet are capable of getting things done. Linux, Windows, Mac OS all work by letting applications do whatever the user is allowed to do… which is pretty much anything and everything. IOS and Android attempt to sandbox off a bit of this, but still assume they can open any file, do anything, within the sandbox… over time the sandbox has more holes poked in it to let more “features” happen, and make it more porous.

Capability based security, it’s not a silver bullet, but it can fix general purpose computing, and solve IoT security as a side benefit.