Reliance on Microsoft called risk to U.S. security

Victor.Duchovni at morganstanley.com
Sat Sep 27 15:48:29 EDT 2003


On Sat, 27 Sep 2003, Jeroen C. van Gelderen wrote:

> I continue to believe that few users would grant an email message
> access to both the Internet and the Address Book when they are asked
> those two questions, provided that the user had not been conditioned to
> clicking "YES" in order to get any work done at all.
>

You have not met my users! This is really rather naive. Users don't
understand pop-up dialogues; they raise their stress level, and always
clicking "yes" makes the problem go away.

> There is no way around asking the user because he is the ultimate
> authority when it comes to making trust decisions. (Side-stepping the
> issues in a (corporate) environment where the owner of the machine is
> entitled to restrict its users in any way he sees fit. The point is
> that the software agent cannot make trust decisions.)
>

See above.

> > Also security is not closed under composition, two individually secure
> > components can combine to produce an insecure system. I think that no
> > such secure *non-trivial* least privilege system exists for a
> > graphical general purpose computer either in theory, or in practice.
>
> Are you familiar with the KeyKOS and EROS operating systems and/or
> Stiegler's CapDesk, a secure desktop in Java? They are all based on the
> Principle Of Least Privilege (through capabilities) and they manage to
> preserve security in the face of composition. Do you consider those
> systems to be trivial, or broken? What is the reason these systems
> cannot exist in theory or practice?
>

What fraction of "real" users will be able to use these systems? Will
users really understand the composition properties of security policies?

-- 
	Victor Duchovni
	IT Security,
	Morgan Stanley

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
