Thursday, February 25, 2021

Praise for the humble wallet.

I have a wallet, it was given to me, it is a good, but worn wallet.  I keep money, ID, and a few important pieces of data in it.  The technology of the wallet has yet to be replicated on my computer.

You see, I can take money from my wallet, and hand it to another person, and they could put it in their wallet... they could just run away with it... but the largest amount they could cause to be lost from my wallet was decided by me, in advance, at my discretion.

On this spiffy computer, however... there is no wallet, nothing comes close.  There is no way for me to take a file, and give access to that file to a program, without giving that program access to everything that the computer associates with me. There is no way for me, in advance, at my discretion, to trust only a limited and carefully chosen subset of what is in my computer, to a program.

You can't do it on Linux, you can't do it on a Mac, you can't do it in Windows.

*A technically savvy person could point out that he could tell the computer not to allow access to everything but that file... but that's hardly the same thing, is it? I don't require a skilled banker to limit which notes I pull from my wallet, why should I require a system manager to do the simple task of picking a file?

This is, in my mind, collective insanity.

I have hope, however... in a few years, a system which has been in the works for a long time, called Genode, will be available which actually lets you decide what you want to do with your computer, without the programs you run being able to override that decision, or get confused, and lose your data.

Until then, here's to the humble wallet, a technology not matched by the latest products of Silicon Valley!

How to win the war for general purpose computing.

We're losing the war for general purpose computing.

We need to secure our computers before the war is lost and we no longer have them to secure.

The root cause (in my estimation) is a failure to use multilevel secure systems, such as the never shipped GNU Hurd, or the hopefully soon to be approachable, and steadily progressing Genode project. (German engineering to the rescue)

Back in the 1980s, it was possible to secure a computer using nothing more than MS-DOS and a few write protect labels. The hardware supported read-only mode on the storage media, and the media was easy to copy.  Everyone had multiple copies of their OS, and their data.  Copies were a few minutes investment, even on a machine with only one floppy disk. (You swapped A: and B: in the same drive, the OS kept track of which was which)

With this setup, you never had to worry about bricking your hardware, or losing your data. You could run ANYTHING in perfect safety.

In our current environment, our systems are so complex, there are nooks and crannies for malware to be implanted at almost any level. Thus the operating system, unlike in the MS-DOS days, MUST NOT let any program have direct access to the hardware, ever.  The defaults fail on Mac, Linux, Windows, and MS-DOS was merely a program loader.

Multilevel Secure Systems do this. They are also known as Capability Based systems... unlike the capabilities used in "apps" like "can this app know your location", in capability systems they are fine grained access to a file or other resource. The capabilities are granted by the user, through a system supplied dialog box, rather than the application supplied dialog in Windows, Linux, etc. This means that apps in a Capability Based system can't go rogue and plant bugs in the firmware, etc.  Capability Systems make it possible to have actually secure computing once again.

If we can get capability based computing into the mainstream, then it becomes possible to experiment on our computers without fear.  It becomes possible to surf the net without fear, and the people won't have to stay in walled gardens to feel safe.

We can turn this around, but capability based computing is a required step.

And most people have never heard of it, nor used it on a computer.

We've all used capabilities in real life though... they're called wallets (or purses).  A coin or dollar note is a capability. I was taught to deal with them at a very young age, as I'm sure were most of you. 

Computers can make it just as easy: drag and drop, or file dialogs (called PowerBoxes in secure systems), make it work the same way from a user's perspective.
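The wallet and PowerBox ideas above, as an added Python illustration that is not code from the blog post or from the Genode project: the names FileReadCap, Powerbox, ambient_app and capability_app and the two sample files are invented for it. It contrasts an application that names a file itself (ambient authority) with one that is handed a capability for a single file, bounded in advance by the user.

```python
# Added illustration of the capability ("wallet") model described above.
# Not code from the blog post or from Genode; the class and function names
# are invented for this example, and Python is used only to model the idea.
# Real enforcement has to come from the kernel: Python cannot stop a program
# from poking at private attributes.
import os
import tempfile


class FileReadCap:
    """A capability to read one file, with a byte budget fixed by the granter.

    It holds an open descriptor rather than a path, so the holder learns
    nothing that names any other file, and the most it can ever read is
    decided in advance, like the cash you choose to hand over from a wallet.
    """

    def __init__(self, path, max_bytes):
        self._fd = os.open(path, os.O_RDONLY)
        self._budget = max_bytes
        self._revoked = False

    def read(self, n):
        """Return up to n bytes, never more than the remaining budget."""
        if self._revoked:
            raise PermissionError("capability has been revoked")
        n = min(n, self._budget)
        data = os.read(self._fd, n)      # os.read(fd, 0) simply returns b""
        self._budget -= len(data)
        return data

    def revoke(self):
        """The granter can take the capability back at any time."""
        if not self._revoked:
            self._revoked = True
            os.close(self._fd)


class Powerbox:
    """Stand-in for the system-supplied file dialog.

    The user, not the application, picks the file and the limit; the
    application only ever sees the resulting capability. `user_choice`
    simulates the selection the dialog would return.
    """

    def __init__(self, user_choice, max_bytes):
        self._choice = user_choice
        self._max_bytes = max_bytes

    def grant(self):
        return FileReadCap(self._choice, self._max_bytes)


def ambient_app(requested_path):
    """Conventional design: the app names the file and the OS answers with
    anything the user could read, so a confused or hostile app reads secrets."""
    with open(requested_path, "rb") as f:
        return f.read()


def capability_app(cap):
    """Capability design: the app gets only the handle it was granted, and the
    only operations available are the ones the handle exposes."""
    return cap.read(4096)


def demo():
    """Run both designs against two constructed files and report the results."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"hello world, this file was meant to be shared")
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")

        # Ambient authority: nothing stops the app from choosing secret.txt.
        leaked = ambient_app(secret)

        # Capability: the user picks public.txt and allows at most 5 bytes.
        cap = Powerbox(public, max_bytes=5).grant()
        first = capability_app(cap)        # b"hello"
        second = capability_app(cap)       # budget spent: b""
        cap.revoke()
        try:
            capability_app(cap)
            revoked = False
        except PermissionError:
            revoked = True

    return {"leaked": leaked, "granted": first,
            "after_budget": second, "revoked": revoked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")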

Sunday, February 21, 2021

If Germans are good at engineering, how come they don't dominate computer operating systems?

I recently came across a Quora question:

If Germans are good at engineering, how come they don't dominate computer operating systems or mobile operating systems?

As a native citizen of the United States, I can categorically state that I know of no widely used operating system in the US that even stands a chance of being made secure. The widespread risk taking “cowboy” attitude in the US that leads to fast innovation also leads to things like the Challenger Disaster. There were layers of management at NASA who weren’t engineers, but thought they were because they could run an Excel spreadsheet, and they had been “lucky” so far, which prevented them from learning otherwise.

There will, in about 5–10 years or so, be a complete change in the basis of operating systems worldwide.  The cowboy attitude that Linus Torvalds managed to build into Linux, with his worldwide following, has gathered another layer of people who, because they can run a C compiler and make, think they know what they are doing.

In the Shuttle Disaster, the would-be engineers thought that they could measure the amount of erosion of O-rings, and that the probability of failure was linearly proportional to the amount of O-ring eroded. Because there were multiple rings, and only the first had eroded a maximum of 33%, they thought they had 1 in 1000,000 odds of failure.

The original engineers knew better, and documented their findings… if ANY erosion occurred, they indicated it was a need for a COMPLETE REDESIGN of the system because it had already failed.

In the case of Linux, there is an assumption that an operating system can be built in one large piece, a monolithic kernel, and that the users can’t be trusted. Smart and careful system administrators, and reliable careful application programmers with layers of firewalls and sandboxes can keep things safe.  If the stack is breached, they add more layers of protection.

The original engineers had built a system called Multics, and in response to some failures of computers to live up to their promises during the Viet Nam conflict, had designed a system which carefully protected itself at all layers by default. This was the multi-level secure model of computing, also known as Capability Based Security.  A process in such a system can only access the resources it has been given a capability to access, and NOTHING ELSE. 

They considered it imperative to reduce to as small as reasonably possible the amount of code that runs with full privilege to do anything whatsoever; that code then manages everything else, and grants NO privileges by default. (The entire Linux kernel, on the other hand… is the kernel, millions of lines of code, any of which could take it all down).

There are some small pockets of sanity in the US, but they are unknown to most of the IT community here, and unfortunately, don’t even seem to be the system vendors of choice for our security agencies.

In Dresden, there is a team of programmers at work, slowly and methodically building the now academic concept of a capability based operating system into a production ready operating system that is actually secure by default. They are a few years away, in my opinion, but should be gathering traction quite quickly once the need for their system is realized.

Genode is the system, and Genode Labs is the company funding the work.

I don’t work for Genode Labs, I’m not paid, and receive no compensation from them whatsoever.  I just want sanity to prevail in the end, and they seem to be the best chance of getting it to happen.

Sunday, February 14, 2021

Racket - A new language for me

One of the big problems in programming is to get a good fit between the ideas in your brain, and the written code the computer knows how to deal with... if you can translate between the two effectively, you'll be a productive programmer.

Certain languages appeal to me, others "smell bad". C, C++, etc. have always smelled bad to me. I love Pascal, and the simplicity of Forth, BASIC, assembler, etc.  Python is ok.

Pascal for me, is very easy to write in.  It matches the way I think.

However, there are a set of problems that just don't match the tools that Pascal provides. This is why I learned Python a while ago.  I find myself learning Racket.  It has tools for letting you match more than one type of problem with appropriate language.

For example, you can write programs in it, and it has a layer you can add on top for making documents. It allows you to build languages within its language.

It's my first day, but it looks very promising.