Domain: skyhunter.com
Stories and comments across the archive that link to skyhunter.com.
Comments · 28
-
Precedent in fiction
http://skyhunter.com/marcs/GentleSeduction.html
One of my all-time favorite S.F. short stories (free to read online at this URL). Note that the simulation of a deceased friend is only a small (but important) part of a very well-told story. -
Patching holes in the Titanic
Let's face it, doing patches this often is like putting mattresses in the hole on the side of the Titanic. It merely delays the inevitable, slightly. We need to rip out the ineffective system we've gotten used to, and to move on.
-
Re:snooze
A "theoretically perfect" operating system would be immune to these attacks. Even an operating system that's just a little better designed would be. You nailed the problem: programs users execute receive all the user's powers. Designs for systems that don't do this are fairly well understood (look up 'capability security'), and can be as sophisticated as needed -- you could design rules for browser-launched stuff along the lines of "only allow access to an app-specific portion of the filesystem", "don't allow direct socket connections to other internet sites" (while perhaps still allowing requests through a system-provided resource API), or even "don't allow direct socket access _after_ anything has been read from the local filesystem". It's quite feasible to come up with a system that's as flexible as legitimate application authors would need while having an interface to security controls that's comprehensible to non-technical users. Discussion of that here: http://www.skyhunter.com/marcs/granmaRulesPola.html
-
Prediction markets in Earthweb
Earthweb is a novel by Marc Stiegler.
In Earthweb prediction markets have a major role in the plot. Prediction markets are used to harness the wisdom of the crowds over the whole planet; this is what the title references. The book also speculates on some of the problems that might happen with prediction markets, such as people who just try to figure out an expert's prediction and just bet the same as that expert. (This expert-following skews the results; the followers are not adding any more insight to the market, and they might be lending their support to someone who might be wrong.)
The book is really a bunch of cool future Information Age ideas, with just enough plot to stitch them together. The action sequences are as energetic and implausible as a Tomb Raider game. It's not Shakespeare but I enjoyed it.
P.S. The book also tells, as part of its backstory, about a bunch of inexpensive computing devices with networking built in being air-dropped over the poorest parts of the world, to give poor children some sort of an education. He wrote this years before OLPC.
steveha -
Re:Skynet
A leap in security technology will take a requisite leap in human intelligence.
Not at all. A leap in security will take a requisite change in our development tools, from identity-centric abstractions to authorization-centric abstractions, so we can achieve the Principle of Least Authority (POLA) for all software. Ultimately, it's not about adding security, it's about removing insecurity; most languages have insecure abstractions baked into them, and when those are removed, the resulting software is significantly more secure, and yet poses no significant burden on the developer; quite the opposite in fact: the software becomes more modular and maintainable. See the discussions on capabilities, and the E and Emily capability-secure programming languages, for examples. There have been numerous case studies on the vulnerabilities of identity-centric services, and how they were rectified by refactoring the service to use authorization-centric models. -
Re:Unix-style permissions are not enough.
sounds kind of like what is called "capability based" program security http://www.skyhunter.com/marcs/capabilityIntro/index.html -
Running as admin is irrelevant
User-level security can only protect users from each other. Desktop machines are usually single-user. Therefore, user security is protecting nothing except operating system and program files, which can be trivially replaced by re-installing them. Most users would consider their personal documents much more important, yet these are not protected! User security will not stop a virus from searching your home directory for your tax return and mailing it off to some identity thief. Nor will it stop a virus from accessing the internet to launch DDoS attacks, send spam, or reproduce.
Yet, Microsoft and Unix users alike continue to insist that it does some good. Why? All it does is make life more difficult as you constantly have to switch between user and admin to install programs.
We need to move to a model of program-level security, where every program you run is granted only permissions to do the things you actually want it to do. And we need to develop a user interface which can automatically figure out what permissions you want to grant to programs (e.g. if you select a file from the file->open dialog, then it should grant the program permission to read that file). See Capability-based security. -
Names and petnames
I found An Introduction to Petname Systems an interesting read:
Zooko's Triangle [Zooko] argues that names cannot be global, secure, and memorable, all at the same time. Domain names are an example: they are global, and memorable, but as the rapid rise of phishing demonstrates, they are not secure.
Though no single name can have all three properties, the petname system does indeed embody all three properties. Informal experiments with petname-like systems suggest that petnames can be both intuitive and effective. Experimental implementations already exist for simple extensions to existing browsers that could alleviate (possibly dramatically) the problems with phishing. As phishers gain sophistication, it seems compelling to experiment with petname systems as part of the solution.
There is even a Firefox extension. -
Re:Who wants to eat crow?
I know we need DNS today -- links, bookmarks, advertising, all that.
Bookmarks and links are a technology which actually eliminates the need for DNS[1]. If you could pass bookmarks and links around in a user-friendly manner, why would you need a global namespace like DNS? The links could simply be IP addresses, or preferably, a cryptographic identifier [2],[6]. Finding an entity with an introduction occurs via e-mail, links on the web, etc. Search engines are used for finding an entity without an introduction (like the Yellow Pages) [3],[4].
All the technologies to replace DNS exist today. They aren't quite as easy to use as DNS, given that software hasn't been designed to use them in this fashion, but the DNS is an unnecessary, vulnerable, centralized system, even today.
The technologies I've pointed out further solve the phishing problem, enable secure introduction, and decentralized secure computation.
[1] http://www.skyhunter.com/marcs/petnames/IntroPetNames.html (Petnames are a sort-of local DNS directory)
[2] http://yurl.net/ (a YURL redirectory is pretty much like DNS, except that anyone can set one up)
[3] http://www.eros-os.org/pipermail/cap-talk/2005-February/002891.html
[4] http://www.eros-os.org/pipermail/cap-talk/2005-February/003079.html
[5] http://petname.mozdev.org/ -
Re:Fiction becoming reality
With all due respect to the Good Doctor and Tripmaster Monkey, psychohistory isn't involved. Read Marc Stiegler's Earthweb . (Note: the web page is out of date; for example, the contest is over.) It's set in a world where idea futures markets are commonplace (and periodically save the world).
(If you happen to have read his David's Sling (and if you haven't, you should), you'll recognize the world of Worldweb as the society that Nathan Pilstrom envisions at the end of that book, where the Zetetic Institute's ideas and methods have become commonplace. Reggie Oxenford is what Bill Hardie was trying to become.) -
Re:This is a logical fallacy
The fact is, people's identities are being stolen today. People's lives are being ruined because of this as we speak. What you are basically saying is that we should allow this to happen, because the same technology could POTENTIALLY be used as a building block for evil technology in the future. But it can also be used as a building block for good technology. As can every other invention.
Why not use an invention which secures the computer of the person whose identity got stolen before starting to work on a system like this? I'm not talking about MS Windows here.
Excerpt from Introduction To Capability Based Security
We who use the Web are daily bombarded with warnings about viruses, computer breakins, and other ills that befall those foolish enough to communicate electronically. Reading the news media, one would conclude that all our computer systems are horrifically vulnerable to computer hackers (or, more correctly, to computer crackers, the kind of hacker that turns his skills to evil purposes). That much is indeed true; we are all so vulnerable today it is more a joke than a question. But reading the media would also lead one to conclude that, not only is that the way it is, but that is the way it must always be, forever.
It does not have to be this way. The technology for defeating computer crackers was actually developed decades ago, by men and women of great insight working with mainframe computers. A couple of computer operating systems, notably Multics and KeyKOS, were extremely resistant, indeed virtually invulnerable, to hacking and cracking. However, in the rush to the PC, the knowledge was forsaken.
The time has come to resurrect this knowledge, for we push the Web ever nearer the limits of what we can do without true security. Without true security, we can never make the Web the brilliant center for new kinds of financial transactions and contractual relationships that could make the world ever more free and make every individual ever more successful. Fraud will haunt us. The mega-software-corporations will advertise--and many will believe despite the facts--that buying tried and true (old and tired?) products from them, rather than innovative new products from unknown upstarts, is the safest way to compute. And governments everywhere will jump eagerly at the opportunities to legislate, regulate, control, and censor, all in the name of protecting us from the evil hackers of the world.
Herewith, then, is an Introduction to Capability Based Security, the simple yet powerful paradigm upon which the KeyKOS operating system was based. Capability security is today being resurrected in several places in several ways, notably in the form of the E programming language and the EROS operating system. -
CAPs - a solution to access control problems?
That said, I haven't seen a really good way to manage permissions. It's just not practical for an applet to say, "In order to run this, you need these 47 permissions" and expect you to fix that. With cleverness the modeler could create roles with aggregates of permissions, so that you can say, "This app needs access to your browser UI" (like Tabbrowser).
I find it interesting that every application has to wrestle with these problems time and time again, instead of them being solved by the operating system. The reason for all this trouble is that the Access Control List security model is inherently flawed.
Using ACLs makes us adjust permissions on a per-user basis, while it is not the user who does (good or evil) things with the computer but the processes running on behalf of the user. Thus an application can (be tricked to) do malicious things with the user's full permissions - as if the user himself was actively and knowingly destroying his data, sending it over to an eavesdropper, etc. A correct approach would be to grant permissions to do a certain operation on a certain resource on a per-process basis. This is what capability based security is all about. (If I am mistaken, I hope someone more enlightened in CAP theory will correct me).
I am amazed that none of the popular operating systems implement capability based security models, since they would eliminate Confused Deputy Problems like this.
Some random links relating to Capability based security:
-
How to make a safe web browser...
It's really rather sad that we've given in to the idea that writing secure large-scale software is essentially impossible. It's not. It's only impossible in the paradigm we use.
Here is how security works on every major OS and in every major programming language today:
- Tell the program about all of the features of the OS by exposing them all through an API.
- Let the program make any request it wants.
- When a request is made, check it against various lists to see if the program is allowed to do it.
Here's how it should work:
- Tell the program only about the features it is allowed to use, by giving the program references to objects implementing these features (i.e. file descriptors, handles, implementations of abstract interfaces, or the like).
- Let the program do whatever it wants with them, because you have not even given it the ability to express a dangerous operation.
This is called Capability-Based Security. Hopefully it is easy to see why the latter would make security much easier to manage. If not, you can read this discussion of the concept.
CBS allows you to execute code without trusting it. In Unix, you'd have to create a new user with no permissions to run your code, which is way too much work for most purposes. In CBS, you can set up every single program to have a different set of permissions based on that program's needs. Furthermore, the program can internally manage those capabilities to ensure that only a small amount of the program's own code has access to them. Then, as long as that code is secure, the program is secure, but even if it isn't, the worst it can do is abuse the capabilities you explicitly gave it.
How does this relate to web browsers? Well, a web browser really only needs the capability to render to its GUI window, read its install files, and read/write its config and cache. So don't give it any capabilities beyond that. Voila, now it does not matter what malicious program takes over your web browser, because it can't do a thing to your system.
-
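The contrast this post draws (tell the program only about objects it may use, rather than checking each request against a list), and the per-process grant the "CAPs" post above asks for, as an added example that is not code from any of these posts or from E/EROS: a hypothetical DirCap object stands in for the "references to objects" the post describes and is handed to a plugin in place of ambient filesystem access. It assumes Python 3 on a POSIX system (dir_fd support) and constructs its own sandbox directory.

```python
import os
import shutil
import tempfile

class DirCap:
    """A capability to one directory: the holder can name only its direct
    children. No method can express '..' or an absolute path, so escaping is
    not a request to be checked but an operation that cannot be formulated."""
    def __init__(self, path=None, *, writable=False, _fd=None):
        self._fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY) if _fd is None else _fd
        self._writable = writable

    def read_only(self):
        """Attenuate: derive a weaker capability to pass on to a plugin."""
        return DirCap(writable=False, _fd=os.dup(self._fd))

    def _leaf(self, name):
        if not name or "/" in name or name in (".", ".."):
            raise PermissionError(f"{name!r}: a DirCap names only direct children")
        return name

    def read_text(self, name):
        # O_NOFOLLOW refuses symlinks, so a planted link cannot point outside.
        fd = os.open(self._leaf(name), os.O_RDONLY | os.O_NOFOLLOW, dir_fd=self._fd)
        with os.fdopen(fd) as f:
            return f.read()

    def write_text(self, name, data):
        if not self._writable:
            raise PermissionError("read-only capability")
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(self._leaf(name), flags, 0o600, dir_fd=self._fd)
        with os.fdopen(fd, "w") as f:
            f.write(data)

    def close(self):
        os.close(self._fd)

def ambient_plugin(cache_dir, requested_name):
    """ACL-style plugin: it runs with the user's whole authority and resolves
    names itself, so a tricked plugin can name any file the user can read."""
    with open(os.path.join(cache_dir, requested_name)) as f:
        return f.read()

def capability_plugin(cache_cap, requested_name):
    """Same job, but all it ever received is a DirCap to the cache directory."""
    return cache_cap.read_text(requested_name)

def run_demo():
    """Constructed sandbox: a 'home' with a private file and a cache dir."""
    home = tempfile.mkdtemp(prefix="capdemo_")
    cache = os.path.join(home, "cache")
    os.mkdir(cache)
    with open(os.path.join(home, "taxes.txt"), "w") as f:
        f.write("SECRET TAX RETURN")
    with open(os.path.join(cache, "thumb.txt"), "w") as f:
        f.write("thumbnail bytes")
    results = {}
    # Ambient authority: the plugin reaches the tax return just by naming it.
    results["ambient_escape"] = ambient_plugin(cache, "../taxes.txt")
    cap = DirCap(cache, writable=True)
    ro = cap.read_only()
    results["cap_normal"] = capability_plugin(ro, "thumb.txt")
    try:
        capability_plugin(ro, "../taxes.txt")
        results["cap_escape"] = "escaped"
    except PermissionError:
        results["cap_escape"] = "denied"
    try:
        ro.write_text("evil.txt", "payload")
        results["ro_write"] = "allowed"
    except PermissionError:
        results["ro_write"] = "denied"
    cap.write_text("new.txt", "written via rw cap")
    results["rw_roundtrip"] = cap.read_text("new.txt")
    ro.close()
    cap.close()
    shutil.rmtree(home)
    return results
```

The point to notice is that the capability version contains no access check against the tax return at all; the plugin simply has no object through which that file can be named.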
Virus scanning is futile. Limit authority instead.
Scanning for viruses is the wrong answer. It is impossible to determine the intent of a program by scanning it.
Downloaded software should not be given the power to mess with your system in the first place. This is a fundamental flaw in the design of Windows. Because it gives every running program the full power of the user account, Windows is B. A. D. (Broken As Designed). Linux and Mac systems have the same flaw.
To truly solve the virus problem, limit the authority of running programs. -
Eros
-
PHP implementation of SPKI?
Hello folks.
I was thinking about implementing the SPKI system, at least the verifier, in PHP for webmasters' and people's convenience.
If any of you are interested please reply to this post/comment.
If you are interested in computer security check out erights.org and Introduction To Capability Based Security
-Zarutian
ps. I hope this isn't modded down.
---
sha1 hash of message (excluding the line with ---): f944e109ee67a9622d60d7e2611a85d021c8fbb8 -
Re:Security...
Maybe Tanenbaum is right, and a microkernel is the way to go? Maybe we should take it one step farther and run all applications in jails to effectively limit their access to system resources and one another?
What you are suggesting is effectively a capability based OS like EROS. Now, the trouble indeed with current mainstream systems is that even when apps DON'T run as the root user, the actual normal user has way too many privileges to give to their programs. The trouble is, in a mainstream OS it's damn near impossible to NOT let your program have all the privileges your user account has. Capabilities are by no means a new idea, and one need not make the system less usable to have them. Building an easy-to-use capability system that functions well and does everything that users expect it to do requires quite a bit of thinking and design though.
Just my .02 euro. -
Re:Security and metaphors
See, that kind of inventing metaphors for supposedly retarded users is precisely one of the problems with this industry.
Well, you are very close to having a point. But not quite.
- Human/computer interface design is all about metaphors. A mouse cursor, a window, a clickable hyperlink etc. are all metaphors (resp. for command I/O, multitasking and a "World Wide Web" that actually doesn't have wires, either). Consider the alternative (command-line everywhere, full-screen text, BBSes one had to write down the phone number for).
- I was talking about security, not usability. Computer security is rocket science right now and is in dire need of convenient metaphors if users from the general public are to cooperate (which they must - witness the "Don't open those attachments!" injunction). Do you really expect all users to manually perform the dance of exchanging a session key (unique per MAC address, for scalable revocation, and 128 bits long, for security) with the wireless access point using their keyboard and a LED display on the a.p. (to prevent man-in-the-middle)?
- Exactly what in my post gave you the "snotty" impression that I consider users=idiots? Metaphors are great for all kinds of homo sapiens (including myself), because it allows one to operate a well-engineered GUI (e.g. Excel® - a good piece of software from Microsoft® if ever there was one) and discover how it works as one goes, without ever needing to RTFM. Worth a lot of time and money.
"what if someone walks through my invisible wire?"
The same thing as if someone walks through your remote's infrared beam. Physical circumstances are not the same of course (messing with 802.11 requires a microwave or a grotty old electric shaver, maybe), but this doesn't cause the metaphor to fall short. And even if it did, that would not be so much of a problem.
-
Earthweb
Particularly intriguing is the use of chat rooms to engage experts thousands of miles away in helping to solve problems at the troop level in the field.
Sounds like something straight out of Earthweb by Marc Stiegler. Except in the book they were fighting this strange interstellar planetoid bent on Earth's destruction.
The book also reminded me of Max Headroom, where that newsroom director "ran" Edison Carter when he was doing those live-on-the-scene reports.
The stuff you saw with Tank and his brother-in-law in the Matrix had many earlier precedents, young jedi.
-
Re:Security vs. Usability
The only reason security and usability cannot be successfully combined is that people are so brainwashed they can't even think coherently about the problem any more. "The sky is falling and there is nothing you can do about it" is the common, and foolish, wisdom that now verges on being a self-fulfilling prophecy.
In fact security and usability are natural friends if you can think outside the box Microsoft and Unix have locked us inside. Check out the capability secure desktop included with the E capability secure programming language at http://www.erights.org . There you will find a system with no funny security dialog boxes, no stupid passwords, no complicated firewalls, but which is effectively invulnerable to computer viruses and trojan horses. Their secure desktop follows many of Ping's guidelines. You can find descriptions of the approach at http://www.skyhunter.com/narratedIntros.html. The description there is too much like an advertisement for my taste, but it's pretty good for a quick introduction to a serious alternative to the 2 most popular security attitudes out there, namely despair and stupidity.
-
Capabilities
Integrating capabilities with the OS's security model would eliminate many of the problems we see currently with email viruses, macro viruses, browser buffer overflows, etc.
If anything Unix needs to push it over the top as far as a secure server operating systems is the ability to tell the OS that "This File can never be deleted and can only be appended to by
...More importantly, I think UNIX needs a better security model. Right now one of the big problems is that all of your executables have the same permissions that you do. In a capability based system, your email program may own capabilities for reading its configuration files, but an open() on a file owned by the user would require active user input to succeed. (Someone wrote a paper about using a Windows-like GUI to make capabilities more understandable to the user, but I can't find the URL at the moment.)
In any case, here are some links.
"E", a capability-secure language.
Capabilities vs. Microsoft's signed executables solution. (Part of a good introduction to capabilities).
Linux Kernel Capabilities vs. the standard definition of capabilities. -
It's nice-looking, and reminds me of devices in...
Marc Stiegler's fine book, Earthweb, but unless the users can understand written English (or I'm missing something, which is quite possible) I'm not sure how much it will do "for the billions of people who have yet to set foot in the wired wards of the Global Village."
OTOH, like it or not, English literacy seems to be growing rapidly, and perhaps that fact -- combined with services like Babelfish (if there's a Babelfish lite?) -- means my skepticism is not justified. I hope so.
JMR
-
Re:Information Filtering.
Marc Stiegler's novel "David's Sling" (itself ref. Information Age warfare) prominently featured something called the "Zetetic Institute" (IIRC). From "The Zetetic Commentaries", as quoted in the novel:
In the Information Age, the first step to sanity is filtering. Filter the information; extract the knowledge.
Filter first for substance.
Filter second for significance.
These filters protect against advertising.
Filter third for reliability.
This filter protects against politicians.
Filter fourth for completeness.
This filter protects from the media.
Most of Stiegler's work is Information Age and mass-communication related; some of his work has been the subject of Slashdot discussion in the past.
--
lairdb -
Re:Human Beowulf Clusters
Knowledge networking has the same synergistic properties as computer networking. Watch over the next decade as people all around the world become part of an enormous Human Beowulf Cluster. It will be quite interesting.
The novel Earthweb by Marc Stiegler explores some of the possible ramifications of that idea. Baen Books has a web page for the book containing some sample chapters to whet your appetite. The author also has a page for it with links to information about some of the technologies that he discusses. He is really exploring the possible results of pervasive net access with persistent, verifiable, but anonymous identities. -
An interesting book that touches on this
Marc Stiegler's book EarthWeb mentions this issue. He points out that free and easy access to information undermines governmental attempts to control public opinion. There are a couple of web sites related to the book. The first, http://www.skyhunter.com/earthweb/, has information about the author's related activities and links to other sites. The other one belongs to the publisher, Baen Books, and contains several sample chapters.
-
Earthweb, an excellent book
Earthweb, by Marc Stiegler is an excellent exploration in fiction of some of the implications, both good and bad, of more freedom on the net and more protection of privacy. Marc's web site for the book is here. Both the related books and related links are interesting, partly because Marc is a programmer who has explored prototypes of some of the things he discusses in the book. If you are interested in a preview of the book, the publisher, Baen Books has put several chapters on the Web here.
For Marc and Baen, if you are reading this, a sequel would be welcome. The story left that possibility open while not desperately screaming for it like far too many books these days. -
Re:OSS vs. Patented Algorithms..
I don't object to the organization helping someone obtain a patent, I just think it can be done somewhat indirectly, and without the need for the organization to end up owning it, (as long as it's licensed under the OPL), and that doing it indirectly can be the more stable solution in the long term.
The strategy I have in mind is to put together either some sort of Idea Futures system as Robin Hanson has discussed, and/or a Castpoint system as Marc Stiegler discusses in Earthweb.
This way other people can end up sponsoring the sort of help you're talking about. As much as I'd like to cross-index all human knowledge myself, partially in order to patent inventions and license them under the OPL with an aim to freeing up knowledge, solving problems, and making money, but mostly because it would be fun, I still think that neither I nor a single organization would be as efficient at it as a system that encourages everybody to have a go. Also, the successful implementation of such a system would show that patents aren't necessary, and that their goals could be met using methods that don't restrict scientific and literary freedoms.
Also, I'm lazy. I would rather PPI act more as a clearinghouse for developing solutions available under the OPL and let others do the legal work that would become necessary than somehow try to incorporate all of those legal functions within PPI through hiring or outsourcing. (I'm not a lawyer, so I try to avoid that sort of thing as much as possible. Obviously I have to go to an IP attorney to ask patent licensing questions and will have to ask for legal help in getting the license checked over and debugged, but all that's quite different from contemplating forming an organization that provides these sorts of legal services itself.)
At the moment, however, I think it's more important to develop the license and get legal help in debugging it, and sell people and companies on the idea and the license. That has the possibility of freeing up a lot of patent encumbrances quickly, so it's the first thing I'd want to do.
For long term stability, I absolutely agree that we need to implement something that helps researchers, for instance, patent their inventions to be licensed under the OPL in the cases where that's possible. (As opposed to cases in which, say, the university claims all rights.)
But I consider selling the license to be the immediate goal. Solving the rest of the world's problems can wait until next year.
:-) -
Re:A vision of the future?
I'd like to second that recommendation. Marc based his book on a lot of the ideas that have swirled around this group (hypertext, idea futures, real computer security, smart contracting, etc.).
By the way, bidirectional linking is not new to the Web. It was new in 1997, when it was introduced by CritLink. I encourage you to check that out, too. It lets anybody annotate any public web page using any browser -- no software required.
-- ?!ng