Anyone between the ages of 6 to 124, who is logged in to myspace from either a library or a school computer lab is almost certainly screwing around -- often while others, like myself, are made to wait.
What's the more important free speech from the perspective of a government funded program, your ability to create yet another academic program that does nothing but prove you can, or the person in front of you who is writing poetry and posting it to MySpace? Are you the next Reiser or are they the next Whitman?
The Govt needs to stay out of it though.
As you say, the government is in no position to judge which free speech is most important and has no place in trying to mandate one over the other.
...some in the industry are asking whether 'open source' has become a cloak used by IT vendors large and small to disguise ruthless and self-serving behavior.
Open source software is a more efficient development model that provides added benefit to users. It is a feature. It is a big feature, but that is all it is.
These reporters seem to have bought into age old propaganda that open source is about a bunch of communist hippies getting together to sing songs and code selflessly for the good of the world. It is a load of horse hockey. People have written code as a hobby for a long time. They open source that code because it benefits them. Companies have written code in order to get things done for a long time. They open source that code because it benefits them. Anyone who expects companies to open source code when it does not benefit them is smoking crack. Most open source coders are paid and not because companies are trying to do charity work to get good PR. It is a lot more effective to donate money to a children's hospital, or buy toys for orphans. They pay people to write open source code because they are not just developers, but users and as users it benefits them for the code to be open.
These "reporters" should really go polish their critical thinking skills, or perhaps look into the lucrative food service industry, where such skills are less important.
Upholding free speech does not mean facilitating it, as occurs in a library.
For an individual or private organization to facility on type of free expression is fine. For the government to facilitate one type of free expression while intentionally going out of their way to limit other forms, is something else entirely. Suppose, for example, the government decided to pass a law that says only materials approved by the Republican party can be carried in libraries. Assuming they had a large enough majority to pass such a law, would it be constitutional? After all, they're just not facilitating certain types of free speech, like anything written by democrats or critical of their party.
The reason the above is unconstitutional is because it is a government funded institution and thus must be impartial as to what free speech is valuable. That is a choice for individuals, not for governments. If the federal government tries to stop pornography or MySpace or Democratic party approved books or books about Islam, it is still restricting specific types of free speech, and that is not the government's place.
Should I demand a nVidia 8800 GTX be installed at the library so I can play World of Warcraft? It won't run with the crappy integrated video at my library's computers. Has the government limited my freedoms by not installing a good 3D card?
Providing given hardware that does not deal with the disabled is not limiting your freedom because it does not artificially restrict free expression. If you can't see the difference between a government institution intentionally blocking some expression and not others and the inherent danger of said action, then I suspect you have a very wrongheaded opinion about our government. It is not wrong for the government to not buy a given book and put it in the library. It is dangerous and illegal for them to not buy particular types of books as a matter of policy, enforced by law.
You know it's an election year... when politicians come up with laws restricting... well, anything.
When do politicians ever come up with laws that don't restrict things? When was the last time a politician ran on the platform of repealing all our stupid, useless, counterproductive laws? Americans do not value freedom very much anymore. It is no longer an important cultural value. Most people see the government and laws as a battleground where they try to force other people to conform to doing things their way rather than the way the other party wants. Very few people want to take a stand in favor of personal choice.
Ever talk to a die hard "pro choice" advocate? They say it is every woman's right to make choices for herself, not have them forced upon her by others. I agree. My opinion might be that abortion is unethical, but it is not up to me to make that choice and force others to agree with me; it is up to each individual to choose. The problem is most of the people I talk to are a lot less in favor of the right to own a firearm or the right to hunt some non-endangered animal, or in some cases the right to eat meat. It is sick and sad that someone can have a "pro choice" bumper sticker, but not even think about the fact that they don't advocate personal freedom to choose in general, just personal freedom to make one particular choice, while they advocate taking other choices away from people. Is it any wonder so many children these days don't even think freedom of speech is an important right?
Freedom in the US died as a cultural value and is dying in our legislature as well. People don't even see it as an issue or concern. They just want to tell other people how to live at gunpoint, whether that is "worship Jeebus" or "don't shoot bunny rabbits."
What have you learned from MySpace that has any value in an educational environment?
I learned:
introductory Web site design and examples of what not to do.
the sociology of cliques
the psychology of conformism and subcultures
Besides, this is only for schools and libraries.
Federal funding means responsibility to act constitutionally, including upholding free speech/expression for adults. The government judging that posting to MySpace is less valuable than posting to Slashdot, or some purely educational forum, is an unconstitutional act. The government should never be making these decisions, individuals should. It is called freedom, even if it is the freedom to waste an hour writing about how cute your poodle is and publishing it.
The case could be made that there is no valid reason for someone to be accessing MySpace from a library other than wasting time.
The case could be made that doing anything other than praying to Allah is a waste of time. The case could be made that reading literature instead of car repair manuals is a waste of time. The point is that it is not the government's responsibility or right to make that call, it is the right and responsibility of the individual.
However, I am assuming that by "schools", he is not including universities and colleges.
Public schools are one thing. The people there are children who are assigned by our society a subset of rights and responsibilities belonging to other people. In that case it is up to the parent's to decide, possibly through the democratic process of the government, subject to some limitations. In public libraries, however, there is no justification. If people actually went to said libraries and read the constitution as well as the essays of the founding fathers, maybe they'd understand why.
Competition to the bottom works great, until you hit a certain point where it's really detrimental to the consumer. Take for example cellphones. Ever notice that Europe and Asia get a lot more cellphones that do everything or nothing, while we get 3-generations behind phones here in North America?
You attribute this to too much competition instead of not enough? The difference between the US and Europe is not that there is less competition among cell phone providers in Europe. The difference is that in Europe Cell phone providers are not allowed to tie cell phones to services and if they did it would not work because they have many cell phone service providers, while in a common location in the US you might have 2 or 3 and there are significant barriers to adding more. The problem in the US is that we don't have enough competition and cell phone service providers are allowed to bypass the competition in the phone market using the service market.
I believe this has happened in other markets as well where the almighty dollar has led to innovation being withheld - ever notice places like Japan and Asia tend to get the latest in technology first? Now it could just be that it's easiest to recoup costs in places where having expensive high-tech toys is a status symbol moreso than cheap products, or even live alongside them, and people still buy expensive stuff.
I think you're failing to show the link between the level of competition and the lack of innovation. Historically and according almost all economic models increased competition drives increased innovation.
Isn't that what competing companies supposed to do?
Yup.
Now a word of waning about Price Wars, The consumer usually wins at first then they they slowly get screwed as the war lingers. Lower Price Chips means less R&D and Less Good Improvements and More Quick Patches and Fixes. So quality will drop.
I'm not sure I agree with this. No company with any sense ties their R&D budget directly to their incoming revenue. R&D is an investment and the amount should be based upon a risk/reward/intitial cost assessment. Just because I lower prices by 20% does not necessarily mean my investment in some new tech has any less potential for profit in the future. The real danger is not lower quality, but the possibility that one company might "win" and monopolize the market, then use that monopoly to entrench their position and ruin other markets. For example, suppose Intel drives AMD out of business, then introduces some patented feature to the "standard x86" chipset. Or suppose they dominate the market, but ship integrated graphics chips with all CPUs, thus forcing consumers to either use theirs or buy a second one as well, that works better.
...to see how many suppliers they can drive out of business before they drive themselves out of business.
How would Dell drive people out of business by making two companies compete for their account? It is not like anyone will sell at under the cost for a prolonged time. Dell only has about 20% of the market. They are not vital to anyone's survival.
Now this is loopy. The government? Where do you think the DCMA (and it's ilk in other countries) came from?
The DMCA came from the fact that politicians were offered money to push it, money they could spend on getting more votes. It was obscure and easily justified because no one understood it and there has been basically no backlash outside of a few geeks. A "free the music" law could get them a pile of votes, so they could very well support it as well. If nothing else some will support it until they are offered a pile of money to change their mind, which may never happen. The government frequently works counter to previous activity, elected officials are vote whores. Why would you assume because they passed the DMCA they would not also support stopping DRM when it suits their campaign strategy?
And DRM working well, producing incompatibilites and more sales? Uh, yeah, that why piracy isn't a problem, right? That's why sales are up?
DRM has nothing to do with piracy, other than being a justification for it. DRM will never stop piracy and the media companies know it, but are interested in other things it can do for them. Why does the rae of piracy have any relation to DRM?
Sales are up because there is currently more and more being offered for sale and more and more people. The RIAA and their ilk, however, look to the long term. That is why they pass laws that will ensure their profits in three generations. Here is the RIAA's worst nightmare. In general, interest in a performer and their work gradually decreases after they release music. With perfect, non-DRMed digital music people would buy copies of the songs, then keep them forever on reliable RAID systems that never, ever fail. No CDs are scratched or dropped out of the car. No LP records get sat on at a party. No cassette tapes are eaten on a road trip. When the purchaser gets sick of the song, they resell it on ebay. When people die, their children inherit the songs and most go on ebay. After a few generations, the RIAA can no longer keep milking old music for centuries reselling it because there is a perfect secondary market and demand is lower.
In the old days people bought a copy of a song for their record player, then bought another for their cassette deck in the car, then another for the cassette deck when the first was eaten, then a CD for home, then another CD for the car and another CD for their kid who liked it as well. They paid full price for each sale. What if all those sales were just one sale, and half of those sales were bargain basement sales in the secondary market?
DRM is about making sure when you buy a song for your Creative player using PlaysForSure, it won't work when you later buy and iPod and later yet when you buy a Zune and later yet when you buy whatever else they come out with. It is about making sure that your kids don't just play your copy after you die, but they have to buy a new copy some day because your copy is outdated.
Yeah, Jobs, the guy who builds DRM into the software and hardware is going to save you?
Job's best interests happen to align with mine. Does that mean I should ignore the opportunity?
Yeah, DRM'd iTunes are killing his sales.
DRM'd iTunes probably result in fewer sales of songs, but he doesn't care because they run their music store as a break even business. It is just their to sell iPods. The more and cheaper music that is available the more iPods he can sell. The fewer Microsoft specific media formats out there the more iPods and Macs he can sell. Can you see where he has motivation to promote something that benefits all of us?
Geez, if you are going to bs... at least make it plausible. Insightful my ass!
Just because you're too slow to understand the realities of the market does not mean they do not exist. Educate yourself... please.
If a deal to drop DRM is ever to be worked out, it will be through backroom deals, not in the tech press.
I disagree. If a deal to drop DRM is ever worked out it will be because the governments of the world stepped in and passed laws when they realized they could portray media companies as evil and greedy and get votes by mandating that DRM goes away.
I think we all know DRM doesn't work well and is a pain...
You're mistaken. DRM works very well and is a pain because the purpose of DRM is not to stop copyright infringement it is to introduce artificial incompatibility as a way to make sure purchased copies eventually "break" and to motivate more sales.
No DRM, no product to sell. It's that simple.
Jobs and company speaking up is about pressuring the RIAA and their ilk to change that, or the government and populace to make them change that.
Two things worth noting: "fair use" is not part of the constitution -- in fact, the constitution doesn't say anything about how copyright law should be applied, it only says that copyright law can be applied. So the erosion of "fair use" does not fly in the face of the constitution, it possibly flies in the face of established copyright law.
Well, the fair use doctrine is law that enshrines particular interpretation of the constitution, but it is not necessary for DRM to be unconstitutional. The constitution does provide for the federal government to restrict copying of works for certain purposes for a limited time. DRM takes advantage of the DMCA to place real restrictions on the copying of works, but makes no effort to provide a way to remove those restrictions or provide an alternate version for when that "limited time" expires (probably since no one actually believes it will ever expire again).
To my knowledge, the courts have stated that time-shifting constitutes fair use (this means, recording a show when you're not at home and then watching it again later, once, commercials and all), certain very short clips (the media equivalent of quoting) when making a commentary on a piece of music or other media, and that's just about it.
Umm, maybe you should review the case law on fair use. There are lots of uses covered under fair use, including the copying en masse and storage of entire works for profit, for the purpose of providing small excerpts (think Google images).
The courts have classically sided with the copyright holder on fair use issues.
That all depends upon the case.
The only way out of this is copyright reform.
With this I agree, but I think your view of fair use in the US is a little colored. The law is very vague, but a lot of precedent to date supports it in many situations, not that it has a lot to do with DRM in the US.
Well, I think we both have a desire for such a system, but realize that most people don't need it, and if they do, they are using a system that supports them already.
I disagree that most people don't need such a system. Most people are running Windows and are besieged by malware. A careful Windows user, who takes a lot of precautions might not need a MAC system such as what we described, but the average Windows user certainly does need it and I doubt security on Windows will ever be even moderately reasonable unless such a system is implemented. Even if Windows managed to duplicate the security of an average Linux system, it would be insufficient as there is simply too much room for malware to operate.
I agree most people running Linux or Solaris, or OS X don't need this system as the malware issue is not a problem on those platforms, but this is largely because they are sitting next to the giant target that is Windows. If every Windows machine was converted to Linux tomorrow, there would be serious malware issues on it in a few months.
I agree that is a difficult problem. However, if you provide an easy environment for people to trade permission configs for programs, like a website linked to from a menu option, then the basic users can find files that have been created by others. Of course that gets into trust relationship issues, but they are not insurmountable and can be solved in much the same way webforums have done since they started caring about such things.
All of this requires a lot of work. Who will do it for Linux and what benefit will that bring? If application developers are not on board, they will not do a good job of making applications that behave well (like writing only to a predefined location for scratch files) and the ACLs will be messy in the extreme. I just don't see enough people getting on board to make this really usable as likely as MS just announcing it is required for developers in the next version of Windows. This is one case where Linux's fragmented community is a hindrance rather than a benefit.
Also, it's not unreasonable to have the program query the user for some types of operations. Also you could have a wizard that builds the initial config, by asking the user what the program is for. This would provide a pretty good starting point for most applications.
The goal should be to make querying the user as rare as possible. My initial outline for such a system included ACLs included with an application, merged with ACLs provided for a given trust level, depending on if the application was pre-installed, distributed by the OS vendor, signed and certified, just certified, just signed, or none of the above. Input from multiple third party verification providers could also work and I considered the idea of application type templates for different types of applications that don't include ACLs with them, but in the long run I think it would be better if an ACL was a basic part of each application package.
We obviously don't agree on all points, but I think fundamentally we're on the same page.
You're talking about Mandatory Access Control, such as implemented by SeLinux? You didn't make that terribly clear in your post.
I wrote, "All software on a machine should be limited by mandatory access controls..." I'm not sure what else you think I might have been referring to.
Besides, I didn't know Windows had any form of MAC. Its entire security model is based on Discresionary Access Control, like most Linux-based operating systems.
We were discussing what MS should be implementing in order to combat the current malware problem, not what they have done. In my opinion Windows is the OS with the most need for a well implemented, ubiquitous MAC framework and one of the few OS's where the vendor has done nothing to facilitate that level of security.
The ultimate first problem is that you SHOULD NOT run code from an unverified source. Period.
Tasks are not defined by what people should do in some mythical fairyland, but need to be based upon what people actually do. People want to run binaries they don't trust. Binaries are all trusted to differing degrees. I trust Photoshop because I have little choice. I need to use it. That does not mean Adobe should have the ability to do anything they want on my machine. I might want to run Halo, but I sure as hell don't trust some programmer at MS did not include a back door for my computer in it. I trust OpenSSH to some degree, but I don't have the time or skill to properly audit the code and don't implicitly trust that it has no exploitable buffer overflows.
The initial assumption for any valid security system in our current climate should be that binaries should not be trusted any more than necessary.
A computer cannot make the decision what to trust and what not to
You mean like firewalls shouldn't be deciding that I don't want traffic on port 20 on a default install? Determining what level of trust should be assigned to an application is a process that should be automated for most people, but should also involve human decision making. Applications can be signed and certified and various vendors or certification agencies can have differing levels of authority. People can even subscribe to services that verify software and provide opinions about the level and types of trust for an application, much as people now subscribe to anti-virus services.
You cannot "sandbox" an all purpose system to the point where the execution of a binary cannot cause harm to any part of it.
You don't sandbox a system, you sandbox each application with different permissions for each.
At the very least, every file accessable with the account's privileges is in danger. And every application that has the right to run "as admin" which can be executed by the user is just as much a security hole.
Please go read up on mandatory access controls. This is exactly what they are designed to prevent. Just because I'm running some random executable is no reason my OS should assume it should be able to read my e-mail address book file, even if my e-mail program does have access to that file. The point is to restrict each application to the resources it actually needs. This way, if some program wants to do something unexpected, the user is given the option of stopping it and if an application is subverted, it still can't do anything the original parent could not. Suppose there is a buffer overflow in an image reader so that a maliciously crafted image can execute code with the same privileges. Since it is an image reader and does not need internet access or the ability to overwrite parts of the kernel, this vulnerability can be useless to worm writers on a properly secure system. Understand?
This is independent of the OS you're using, unless you restrict the account to the point where it is almost unable to actually do anything sensible, but then you might not be able to install and run that game either.
The point of MAC is to make more granular restrictions than the user account, restricting by application, not by user. You can still run games, the games just can't do anything they want and are restricted by default. As for what OS's I'm talking about any Linux distro with SELinux enabled, TrustedBSD, and Solaris all have MAC frameworks. Apple is known to be developing one for OS X and there is a port of the TrustedBSD one for OS X if you want to install it yourself.
The ultimate key to security is the person using the system.
I long for the day when the user is the weakest link in the security chain, but they are a long way from that right now. Fix the OS security first, than educate users for what little remains.
You don't even need to go as far and ponder escalation hacks or loopholes, all you need is a yescl
I don't know anything about programing an OS, but wouldn't that be a maintenance nightmare? If multiple programs use the ZOMG library and each had a unique installation, wouldn't each installation have to be independently updated?
This is a solved problem. OS X uses application bundles that include all the libraries needed and perform dynamic linking at runtime. The cost is slightly more disk use, but it is still less than the same size as most Windows apps now and disks are getting bigger and cheaper all the time.
Hell, Microsoft Office is one of the worst user experiences on Mac OS X. Why does an office productivity suite need an installer on OS X ? On Windows its because Office replaces half of the system DLLs, but why on Mac OS X ?
I haven't updated my copy of MS Office for quite a while, but as of about 3 years ago, it did not have an installer and was drag and drop from the CD. So I think the answer is, it doesn't need an installer.
The security of a system is the minimum of the machine's security and the user's ability.
I mostly agree, but it is a bit more complex than that. The machine's security includes its ability to inform the user and do what the user wants by making the right controls available to the user in a convenient way. Users are willing, for the most part, to spend a few hours learning the rules to safe computer use, provided they can still accomplish their normal tasks while following the rules. Right now they don't bother because that is not an option. They need years of training to learn to safely use a computer to do what they want and even an expert cannot always do what they want with given resources.
For example, a guy I met in a chat room sends me a binary he claims is a game. If I want to install and run that game, but don't want to risk the security of my computer, I better be a bloody security expert. Even making a non-admin account on Windows and installing it there is not really a secure method because of all the local escalations for Windows and it is certainly way beyond the capabilities of the average user and is far, far, far from convenient. To really be safe I need to acquire a VM, install a copy of Windows in that VM, properly restrict the VM, and install and run the "game" in that VM.
With a security setup designed for the realities of today's environment, I should just double click on it and the OS should assume it is untrusted and restrict it properly unless it can verify the certification for the program with a trusted third party.
Uh, this is com-pletely backwards from the truth. In Windows there is no centralized decision maker that can say that, because people would leave the platform in drove[s].
Umm, do you know what a "monopoly" is. Windows-whatever will be shipping on all new computers you can buy at pretty much every store in the US. How are people going to leave it in droves? Are people leaving Windows in droves now because it sucks? With a monopoly you can easily create artificial barriers to going to the competition. Right now those barriers include OEM agreements precluding pre-installing other OS's, much of the internet subverted to nonstandard and proprietary formats like IE-HTML and Active X controls, much of corporate America locked into Word, Excel, Powerpoint, and Exchange, and MS's game company acquisitions and use of DirectX to keep much of the gaming market Windows only.
MS can make the default background in Windows say, "our customers are douche bags" and most people would not go to another OS.
With Linux, or any other Free operating system, a given distribution can make this choice at any time.
True, but that is the problem. Users and developers will target what is best for them in the short term. Since MAC security controls are solving a problem that does not really exist yet on Linux, it is just overhead and unneeded work for developers until the malware problem becomes a major issue. As a result, Linux cannot effectively change unless the community itself is forward thinking enough to put up with inconvenience in order to facilitate future security. This could happen if a coalition of Linux distributions all agreed to move to a more secure format and try to update legacy software, but it would take a lot more collaboration and vision than one bigwig at MS saying, "we're gonna do this and developers will suck it up because they have no choice if they want to stay in business."
But I also think that environments like KDE or GNOME make it feasible to do, since if you are using API calls to create dialog boxes etc., the functionality can be rolled in that way.
What percentage of binaries on Linux, including CLI ones, do you think that accounts for?
But again, this can be solved at the distribution level. Admittedly it would result in a reduced set of packages, but there's plenty of room in a distribution for a "core" of packages that use the system, and simply not installing anything else setuid or allowing it to run as root without forcing you to type an additional command (like sudo.)
Using a core set of binaries and a few picked programs on top is fine for a centrally managed solution, such as would be used in business. Home desktop users, however, want to install arbitrary software and if "Linux" has not standardized on contained, well behaved applications, shipping with ACLs, the security system simply won't work. Further, you need to get commercial developers who generally distribute outside the normal repository channels on board by making the same distribution channel and standards work for them. This means distros can no longer ignore random closed source binaries or registration/licensing when it comes to package management.
That doesn't necessarily matter, because users can create the profiles for applications like this...
For power users, creating a custom ACL for a program might work. For a centrally managed solution, the admins can do it. The problem is, for normal users it is simply not user friendly enough to constantly be tweaking the privileges of random binaries and you'll get into the same situation as Windows where users are regularly prompted for access for non-mailicious software and become conditioned to just allow software to do whatever it wants. This means the UI component of the system is failing because users don't see one or two false positives for every real issue, they see 30 or 40 and they simply stop caring.
While they may call those ACLs, they are very limited compared to standard MACLs, to which we were referring. You need to be able to restrict applications by files they are allowed to modify, sets of files, network resources, system services, and other applications they can talk to. In addition, each application should ship with an ACL from the developer so the OS immediately knows what the application should be doing and can then assign a level of trust to the application that allows or denies each behavior. Only the application developer knows if the app they make will want to send e-mail. Only the user knows if they want to trust that application to send e-mail. If the application developer has not designed the program to send e-mail, then any time it tries to do so probably means it has been overwritten or is spyware and is behaving maliciously and the OS should smack it down. If the user does not trust the application to send e-mail, the OS should likewise smack it down, or at least make sure the user has the option of stopping that behavior. The same goes for overwriting all my jpegs, reading my e-mail address book, or adding a kernel module.
But my original point still stands; on a POSIX machine a user can install apps in her home folder and then run them with her account's privileges. Maybe you use OpenStep bundles, or App Bundles, or just compile the damn thing with GCC, but the result is the same from a security standpoint.
True. Also, not having a central registry allows the apps to be well contained within a defined space, easing the use case where ACLs lock down applications. Did you read the Bitfrost spec from the OLPC project. They actually specify a modified format with bundles closer to the OpenStep ones, including some write space for the application within the application "folder" so that ACLs can be widely deployed without having to worry about applications writing to random files for basic operations. Keeping apps contained within a predefined frame is very important for this type of security improvement.
This avoids forcing you to install apps with admin privileges, which is apparently the case in Windows Vista.
One issue with both Windows and Linux apps is not what can be done, but how current applications actually work. There is quite a bit of Linux software that wants to install bits in weird locations and there are some windows applications (both old and new) where you can install them as an unprivileged user without any real risk. The hard part about increasing security is providing a sandbox or VM for legacy applications while getting all new software to conform to best practices that are predictable and more usable and which lend themselves to no unexpected behavior that a more strict security model would balk at.
. Also, when the heck will we get a linux distribution with support for ACLs? I know you can use them, but it's a chunky, command-line process at best. When will Linux catch up with NT in this area?
Linux will get ACLs usable for a particular market segment when they are needed by that market segment. Right now you can get ACLs that work just fine, provided your task is to set up a super secure server or a locked down workstation that is centrally managed. Currently, however, average users have no need for these functions since they basically never have security problems where this would be a real benefit. As such, very little work has gone into developing them for that use case.
I find it hardest to forgive Linux, actually, since the software is Free and free. Why not use it? Because it's too hard? Security is hard.
Getting such a system in widespread use on Linux is a lot harder than doing the same on Windows or OS X. There is no centralized decision maker for Linux that can say, okay we're only running binaries that ship with a cert and an ACL and which use the new protocol for registration and updates. Most developers simply don't want to spend their time modifying every existing bit of software in order to solve a potential security issue in the future. So they won't and people will move to a distro that does not have a broken security model in their way. MS or Apple could simply implement this and provide a sandbox for old applications or even ACLs for common legacy applications and developers would groan and get on with implementing it.
OSX would need a whole new subsystem to do this.
Apple announced on their info for developers site the inclusion of both a MAC framework and a application signing framework in Leopard, but then pulled all references to them silently near the end of 2006. I don't know if this means they are not going to ship with Leopard or if they are part of one of the "secret" features. Someone has also ported the MAC from trustedBSD to OS X.
So would Windows.
The Windows kernel actually includes fairly well conceived ACL support form what I've seen. Adding a framework for developers would be a lot easier than dealing with legacy applications and writing a good UI, which are really the hard parts of this.
Linux has one, and the majority of us don't even use it (including me.)
Anyone who has used SELinux knows why no one uses it on a home desktop. It is not standard so applications do not conform well enough, nor do they ship with ACLs from the developer. Further, package management on Linux is designed with open source software repositories in mind and poorly handles commercial applications that are downloaded. Since those applications are the ones with the highest risk, this really needs to be addressed before such a system would be practical.
They're not polar opposites? Security involves increasing the amount of authentication/authorization/auditing involved in performing a particular action. Therefore removing security increases ease of use.
You're mistaken. Those are common security mechanisms, but they are not security. Security is making sure the software only does what the user wants and not things they don't want. Usability is making it easy to do what the user wants and not other things. See how those are sort of complementary. For example, If a watchdog process scanned all outgoing internet activity on the packet level and informed the user vie a message at the top of the screen whenever they send more than 5 e-mails in a single minute, would that increase security? Sure, a lot of spam sending worms would trigger that behavior and the user would then know what the computer was doing. The computer doing things silently in the background is one of the largest usability problems. The computer informing them makes the OS more usable, because the user now has better information about what their computer is doing. This is a a usability win in the same way adding sound or a monitor is.
A couple of examples to support the generalization:
Okay, lets go through them.
Your door is easier to use when it does not have locks.
What is the purpose of the door? Is the purpose to keep the weather out? Is the purpose of the door to allow access to the right people and deny it to the wrong people? What if the door has a EM scanner and perfectly detects the identity of those approaching and automatically opens for the owner but no one else? That is more usable yet than having a lock because it performs its desired function (to keep out everyone but the user) better by opening automatically in the correct case. Your example is one where currently security and usability conflict, from a certain perspective. That does not make it a truism.
A DVD is easier to rip when it does not have DRM.
Ahh, but the purpose of DRM is not security at all, but specifically to reduce usability. You don't actually buy that "stopping pirates" BS do you?
It is easier to enter a client's building when you don't have to sign a security log and obtain a visitor's pass.
It is easier yet when all the security guards know you and open the door for you and escort you inside and help carry your packages. It is a lot easier when they shoot the guy trying to mug you outside while you're trying desperately to get inside.
I think you are fundamentally mistaken on this point. Usability and security are not opposites at all. Some security measures decrease usability while others increase it. It is important not to assume that some measure which decreases usability is going to increase security, and that is a very, very common mistake in the security industry.
I'll take a clunky UI to a security system tested by someone I trust (me, in many cases) over "ease-of-use" any day of the week.
The problem is if you believe that dichotomy and don't understand that you can implement security measures that also increase usability. MS certainly seems to believe this. My company makes security products and one of the main functions is simply telling users what is going on and giving them options to make a situation better. What is more usable: A) Your network stops functioning and won't talk to the outside world and your Web server cannot respond. You drive to the colocation facility and log into the console and start reading logs to figure out what happened or B) you get an e-mail informing you that a DoS attack is directed at your network and that all traffic to your Web server traffic is being blackholed (except connections from your intranet), but the rest of your network is up and running. You are then given options to restore given chunks of the blackholed traffic to restore partial service until the DoS attack is stopped?
Gee, that sounds like every client-based firewall on the market (including XP's). The only wrinkle is the application signing, which is ALSO already being done but with a crappy UI as you mentioned.
In a way. A client based firewall is insufficient because it is too easy for something to escalate privileges and get around it. A MAC ACL is built into the core of the OS and deals not only with network access, but also access to hardware resources, system services, and files. With a client based firewall a worm can still overwrite some other binary or run a buffer overflow and start sending spam regardless of what the firewall wants. With MAC, it can't overwrite anything and if it overruns a buffer it can only perform the limited actions for the binary that overflowed.
Another aspect to this is currently Windows applications often do not install to a contained location and do not have a good install process, so keeping them contained and prevented from maliciously overwriting data at install time is a serious problem (especially on Vista).
The only wrinkle is the application signing, which is ALSO already being done but with a crappy UI as you mentioned.
Application signing, by itself, is not all that useful unless it is automatically applied to determine levels of trust, behind the scenes and without user intervention. Further, it needs very granular levels of trust beyond simple good app or bad app. I might trust some Adobe app enough to run because I have to have it for my job, but at the same time I might not trust it enough to have arbitrary internet access, like connecting to some random site in Europe whenever it starts up (one did this for no reason anyone I found could explain). If that same app shipped with an ACL from Adobe, they would have to choose if that was part of it and explain why it needed that permission. Third party verification companies could easily publish their own ACLs as well, which would stop such unneeded behavior and override the one that shipped with it. To make this clean, an official update mechanism and license/registration service and protocol would need to be established, but since those are also very nice features for end users and developers, it would be easy to push the industry in that direction, especially when you have a monopoly. Sadly, this same sort of security is a lot harder to get widely deployed on Linux, because there is no centralized decision making. MS and maybe Apple could implement this and people would go along with it to the benefit of all. Hopefully some day they will.
Anyone between the ages of 6 to 124, who is logged in to myspace from either a library or a school computer lab is almost certainly screwing around -- often while others, like myself, are made to wait.
What's the more important free speech from the perspective of a government funded program, your ability to create yet another academic program that does nothing but prove you can, or the person in front of you who is writing poetry and posting it to MySpace? Are you the next Reiser or are they the next Whitman?
The Govt needs to stay out of it though.
As you say, the government is in no position to judge which free speech is most important and has no place in trying to mandate one over the other.
Open source software is a more efficient development model that provides added benefit to users. It is a feature. It is a big feature, but that is all it is.
These reporters seem to have bought into age old propaganda that open source is about a bunch of communist hippies getting together to sing songs and code selflessly for the good of the world. It is a load of horse hockey. People have written code as a hobby for a long time. They open source that code because it benefits them. Companies have written code in order to get things done for a long time. They open source that code because it benefits them. Anyone who expects companies to open source code when it does not benefit them is smoking crack. Most open source coders are paid and not because companies are trying to do charity work to get good PR. It is a lot more effective to donate money to a children's hospital, or buy toys for orphans. They pay people to write open source code because they are not just developers, but users and as users it benefits them for the code to be open.
These "reporters" should really go polish their critical thinking skills, or perhaps look into the lucrative food service industry, where such skills are less important.
Upholding free speech does not mean facilitating it, as occurs in a library.
For an individual or private organization to facility on type of free expression is fine. For the government to facilitate one type of free expression while intentionally going out of their way to limit other forms, is something else entirely. Suppose, for example, the government decided to pass a law that says only materials approved by the Republican party can be carried in libraries. Assuming they had a large enough majority to pass such a law, would it be constitutional? After all, they're just not facilitating certain types of free speech, like anything written by democrats or critical of their party.
The reason the above is unconstitutional is because it is a government funded institution and thus must be impartial as to what free speech is valuable. That is a choice for individuals, not for governments. If the federal government tries to stop pornography or MySpace or Democratic party approved books or books about Islam, it is still restricting specific types of free speech, and that is not the government's place.
Should I demand a nVidia 8800 GTX be installed at the library so I can play World of Warcraft? It won't run with the crappy integrated video at my library's computers. Has the government limited my freedoms by not installing a good 3D card?
Providing given hardware that does not deal with the disabled is not limiting your freedom because it does not artificially restrict free expression. If you can't see the difference between a government institution intentionally blocking some expression and not others and the inherent danger of said action, then I suspect you have a very wrongheaded opinion about our government. It is not wrong for the government to not buy a given book and put it in the library. It is dangerous and illegal for them to not buy particular types of books as a matter of policy, enforced by law.
You know it's an election year... when politicians come up with laws restricting... well, anything.
When do politicians ever come up with laws that don't restrict things? When was the last time a politician ran on the platform of repealing all our stupid, useless, counterproductive laws? Americans do not value freedom very much anymore. It is no longer an important cultural value. Most people see the government and laws as a battleground where they try to force other people to conform to doing things their way rather than the way the other party wants. Very few people want to take a stand in favor of personal choice.
Ever talk to a die hard "pro choice" advocate? They say it is every woman's right to make choices for herself, not have them forced upon her by others. I agree. My opinion might be that abortion is unethical, but it is not up to me to make that choice and force others to agree with me; it is up to each individual to choose. The problem is most of the people I talk to are a lot less in favor of the right to own a firearm or the right to hunt some non-endangered animal, or in some cases the right to eat meat. It is sick and sad that someone can have a "pro choice" bumper sticker, but not even think about the fact that they don't advocate personal freedom to choose in general, just personal freedom to make one particular choice, while they advocate taking other choices away from people. Is it any wonder so many children these days don't even think freedom of speech is an important right?
Freedom in the US died as a cultural value and is dying in our legislature as well. People don't even see it as an issue or concern. They just want to tell other people how to live at gunpoint, whether that is "worship Jeebus" or "don't shoot bunny rabbits."
What have you learned from MySpace that has any value in an educational environment?
I learned:
Besides, this is only for schools and libraries.
Federal funding means responsibility to act constitutionally, including upholding free speech/expression for adults. The government judging that posting to MySpace is less valuable than posting to Slashdot, or some purely educational forum, is an unconstitutional act. The government should never be making these decisions, individuals should. It is called freedom, even if it is the freedom to waste an hour writing about how cute your poodle is and publishing it.
The case could be made that there is no valid reason for someone to be accessing MySpace from a library other than wasting time.
The case could be made that doing anything other than praying to Allah is a waste of time. The case could be made that reading literature instead of car repair manuals is a waste of time. The point is that it is not the government's responsibility or right to make that call, it is the right and responsibility of the individual.
However, I am assuming that by "schools", he is not including universities and colleges.
Public schools are one thing. The people there are children who are assigned by our society a subset of rights and responsibilities belonging to other people. In that case it is up to the parent's to decide, possibly through the democratic process of the government, subject to some limitations. In public libraries, however, there is no justification. If people actually went to said libraries and read the constitution as well as the essays of the founding fathers, maybe they'd understand why.
Competition to the bottom works great, until you hit a certain point where it's really detrimental to the consumer. Take for example cellphones. Ever notice that Europe and Asia get a lot more cellphones that do everything or nothing, while we get 3-generations behind phones here in North America?
You attribute this to too much competition instead of not enough? The difference between the US and Europe is not that there is less competition among cell phone providers in Europe. The difference is that in Europe Cell phone providers are not allowed to tie cell phones to services and if they did it would not work because they have many cell phone service providers, while in a common location in the US you might have 2 or 3 and there are significant barriers to adding more. The problem in the US is that we don't have enough competition and cell phone service providers are allowed to bypass the competition in the phone market using the service market.
I believe this has happened in other markets as well where the almighty dollar has led to innovation being withheld - ever notice places like Japan and Asia tend to get the latest in technology first? Now it could just be that it's easiest to recoup costs in places where having expensive high-tech toys is a status symbol moreso than cheap products, or even live alongside them, and people still buy expensive stuff.
I think you're failing to show the link between the level of competition and the lack of innovation. Historically and according almost all economic models increased competition drives increased innovation.
Isn't that what competing companies supposed to do?
Yup.
Now a word of waning about Price Wars, The consumer usually wins at first then they they slowly get screwed as the war lingers. Lower Price Chips means less R&D and Less Good Improvements and More Quick Patches and Fixes. So quality will drop.
I'm not sure I agree with this. No company with any sense ties their R&D budget directly to their incoming revenue. R&D is an investment and the amount should be based upon a risk/reward/intitial cost assessment. Just because I lower prices by 20% does not necessarily mean my investment in some new tech has any less potential for profit in the future. The real danger is not lower quality, but the possibility that one company might "win" and monopolize the market, then use that monopoly to entrench their position and ruin other markets. For example, suppose Intel drives AMD out of business, then introduces some patented feature to the "standard x86" chipset. Or suppose they dominate the market, but ship integrated graphics chips with all CPUs, thus forcing consumers to either use theirs or buy a second one as well, that works better.
How would Dell drive people out of business by making two companies compete for their account? It is not like anyone will sell at under the cost for a prolonged time. Dell only has about 20% of the market. They are not vital to anyone's survival.
Now this is loopy. The government? Where do you think the DCMA (and it's ilk in other countries) came from?
The DMCA came from the fact that politicians were offered money to push it, money they could spend on getting more votes. It was obscure and easily justified because no one understood it and there has been basically no backlash outside of a few geeks. A "free the music" law could get them a pile of votes, so they could very well support it as well. If nothing else some will support it until they are offered a pile of money to change their mind, which may never happen. The government frequently works counter to previous activity, elected officials are vote whores. Why would you assume because they passed the DMCA they would not also support stopping DRM when it suits their campaign strategy?
And DRM working well, producing incompatibilites and more sales? Uh, yeah, that why piracy isn't a problem, right? That's why sales are up?
DRM has nothing to do with piracy, other than being a justification for it. DRM will never stop piracy and the media companies know it, but are interested in other things it can do for them. Why does the rae of piracy have any relation to DRM?
Sales are up because there is currently more and more being offered for sale and more and more people. The RIAA and their ilk, however, look to the long term. That is why they pass laws that will ensure their profits in three generations. Here is the RIAA's worst nightmare. In general, interest in a performer and their work gradually decreases after they release music. With perfect, non-DRMed digital music people would buy copies of the songs, then keep them forever on reliable RAID systems that never, ever fail. No CDs are scratched or dropped out of the car. No LP records get sat on at a party. No cassette tapes are eaten on a road trip. When the purchaser gets sick of the song, they resell it on ebay. When people die, their children inherit the songs and most go on ebay. After a few generations, the RIAA can no longer keep milking old music for centuries reselling it because there is a perfect secondary market and demand is lower.
In the old days people bought a copy of a song for their record player, then bought another for their cassette deck in the car, then another for the cassette deck when the first was eaten, then a CD for home, then another CD for the car and another CD for their kid who liked it as well. They paid full price for each sale. What if all those sales were just one sale, and half of those sales were bargain basement sales in the secondary market?
DRM is about making sure when you buy a song for your Creative player using PlaysForSure, it won't work when you later buy and iPod and later yet when you buy a Zune and later yet when you buy whatever else they come out with. It is about making sure that your kids don't just play your copy after you die, but they have to buy a new copy some day because your copy is outdated.
Yeah, Jobs, the guy who builds DRM into the software and hardware is going to save you?
Job's best interests happen to align with mine. Does that mean I should ignore the opportunity?
Yeah, DRM'd iTunes are killing his sales.
DRM'd iTunes probably result in fewer sales of songs, but he doesn't care because they run their music store as a break even business. It is just their to sell iPods. The more and cheaper music that is available the more iPods he can sell. The fewer Microsoft specific media formats out there the more iPods and Macs he can sell. Can you see where he has motivation to promote something that benefits all of us?
Geez, if you are going to bs... at least make it plausible. Insightful my ass!
Just because you're too slow to understand the realities of the market does not mean they do not exist. Educate yourself... please.
If a deal to drop DRM is ever to be worked out, it will be through backroom deals, not in the tech press.
I disagree. If a deal to drop DRM is ever worked out it will be because the governments of the world stepped in and passed laws when they realized they could portray media companies as evil and greedy and get votes by mandating that DRM goes away.
I think we all know DRM doesn't work well and is a pain...
You're mistaken. DRM works very well and is a pain because the purpose of DRM is not to stop copyright infringement it is to introduce artificial incompatibility as a way to make sure purchased copies eventually "break" and to motivate more sales.
No DRM, no product to sell. It's that simple.
Jobs and company speaking up is about pressuring the RIAA and their ilk to change that, or the government and populace to make them change that.
Two things worth noting: "fair use" is not part of the constitution -- in fact, the constitution doesn't say anything about how copyright law should be applied, it only says that copyright law can be applied. So the erosion of "fair use" does not fly in the face of the constitution, it possibly flies in the face of established copyright law.
Well, the fair use doctrine is law that enshrines particular interpretation of the constitution, but it is not necessary for DRM to be unconstitutional. The constitution does provide for the federal government to restrict copying of works for certain purposes for a limited time. DRM takes advantage of the DMCA to place real restrictions on the copying of works, but makes no effort to provide a way to remove those restrictions or provide an alternate version for when that "limited time" expires (probably since no one actually believes it will ever expire again).
To my knowledge, the courts have stated that time-shifting constitutes fair use (this means, recording a show when you're not at home and then watching it again later, once, commercials and all), certain very short clips (the media equivalent of quoting) when making a commentary on a piece of music or other media, and that's just about it.
Umm, maybe you should review the case law on fair use. There are lots of uses covered under fair use, including the copying en masse and storage of entire works for profit, for the purpose of providing small excerpts (think Google images).
The courts have classically sided with the copyright holder on fair use issues.
That all depends upon the case.
The only way out of this is copyright reform.
With this I agree, but I think your view of fair use in the US is a little colored. The law is very vague, but a lot of precedent to date supports it in many situations, not that it has a lot to do with DRM in the US.
Well, I think we both have a desire for such a system, but realize that most people don't need it, and if they do, they are using a system that supports them already.
I disagree that most people don't need such a system. Most people are running Windows and are besieged by malware. A careful Windows user, who takes a lot of precautions might not need a MAC system such as what we described, but the average Windows user certainly does need it and I doubt security on Windows will ever be even moderately reasonable unless such a system is implemented. Even if Windows managed to duplicate the security of an average Linux system, it would be insufficient as there is simply too much room for malware to operate.
I agree most people running Linux or Solaris, or OS X don't need this system as the malware issue is not a problem on those platforms, but this is largely because they are sitting next to the giant target that is Windows. If every Windows machine was converted to Linux tomorrow, there would be serious malware issues on it in a few months.
I agree that is a difficult problem. However, if you provide an easy environment for people to trade permission configs for programs, like a website linked to from a menu option, then the basic users can find files that have been created by others. Of course that gets into trust relationship issues, but they are not insurmountable and can be solved in much the same way webforums have done since they started caring about such things.
All of this requires a lot of work. Who will do it for Linux and what benefit will that bring? If application developers are not on board, they will not do a good job of making applications that behave well (like writing only to a predefined location for scratch files) and the ACLs will be messy in the extreme. I just don't see enough people getting on board to make this really usable as likely as MS just announcing it is required for developers in the next version of Windows. This is one case where Linux's fragmented community is a hindrance rather than a benefit.
Also, it's not unreasonable to have the program query the user for some types of operations. Also you could have a wizard that builds the initial config, by asking the user what the program is for. This would provide a pretty good starting point for most applications.
The goal should be to make querying the user as rare as possible. My initial outline for such a system included ACLs included with an application, merged with ACLs provided for a given trust level, depending on if the application was pre-installed, distributed by the OS vendor, signed and certified, just certified, just signed, or none of the above. Input from multiple third party verification providers could also work and I considered the idea of application type templates for different types of applications that don't include ACLs with them, but in the long run I think it would be better if an ACL was a basic part of each application package.
We obviously don't agree on all points, but I think fundamentally we're on the same page.
You're talking about Mandatory Access Control, such as implemented by SeLinux? You didn't make that terribly clear in your post.
I wrote, "All software on a machine should be limited by mandatory access controls..." I'm not sure what else you think I might have been referring to.
Besides, I didn't know Windows had any form of MAC. Its entire security model is based on Discresionary Access Control, like most Linux-based operating systems.
We were discussing what MS should be implementing in order to combat the current malware problem, not what they have done. In my opinion Windows is the OS with the most need for a well implemented, ubiquitous MAC framework and one of the few OS's where the vendor has done nothing to facilitate that level of security.
The ultimate first problem is that you SHOULD NOT run code from an unverified source. Period.
Tasks are not defined by what people should do in some mythical fairyland, but need to be based upon what people actually do. People want to run binaries they don't trust. Binaries are all trusted to differing degrees. I trust Photoshop because I have little choice. I need to use it. That does not mean Adobe should have the ability to do anything they want on my machine. I might want to run Halo, but I sure as hell don't trust some programmer at MS did not include a back door for my computer in it. I trust OpenSSH to some degree, but I don't have the time or skill to properly audit the code and don't implicitly trust that it has no exploitable buffer overflows.
The initial assumption for any valid security system in our current climate should be that binaries should not be trusted any more than necessary.
A computer cannot make the decision what to trust and what not to
You mean like firewalls shouldn't be deciding that I don't want traffic on port 20 on a default install? Determining what level of trust should be assigned to an application is a process that should be automated for most people, but should also involve human decision making. Applications can be signed and certified and various vendors or certification agencies can have differing levels of authority. People can even subscribe to services that verify software and provide opinions about the level and types of trust for an application, much as people now subscribe to anti-virus services.
You cannot "sandbox" an all purpose system to the point where the execution of a binary cannot cause harm to any part of it.
You don't sandbox a system, you sandbox each application with different permissions for each.
At the very least, every file accessable with the account's privileges is in danger. And every application that has the right to run "as admin" which can be executed by the user is just as much a security hole.
Please go read up on mandatory access controls. This is exactly what they are designed to prevent. Just because I'm running some random executable is no reason my OS should assume it should be able to read my e-mail address book file, even if my e-mail program does have access to that file. The point is to restrict each application to the resources it actually needs. This way, if some program wants to do something unexpected, the user is given the option of stopping it and if an application is subverted, it still can't do anything the original parent could not. Suppose there is a buffer overflow in an image reader so that a maliciously crafted image can execute code with the same privileges. Since it is an image reader and does not need internet access or the ability to overwrite parts of the kernel, this vulnerability can be useless to worm writers on a properly secure system. Understand?
This is independent of the OS you're using, unless you restrict the account to the point where it is almost unable to actually do anything sensible, but then you might not be able to install and run that game either.
The point of MAC is to make more granular restrictions than the user account, restricting by application, not by user. You can still run games, the games just can't do anything they want and are restricted by default. As for what OS's I'm talking about any Linux distro with SELinux enabled, TrustedBSD, and Solaris all have MAC frameworks. Apple is known to be developing one for OS X and there is a port of the TrustedBSD one for OS X if you want to install it yourself.
The ultimate key to security is the person using the system.
I long for the day when the user is the weakest link in the security chain, but they are a long way from that right now. Fix the OS security first, than educate users for what little remains.
You don't even need to go as far and ponder escalation hacks or loopholes, all you need is a yescl
I don't know anything about programing an OS, but wouldn't that be a maintenance nightmare? If multiple programs use the ZOMG library and each had a unique installation, wouldn't each installation have to be independently updated?
This is a solved problem. OS X uses application bundles that include all the libraries needed and perform dynamic linking at runtime. The cost is slightly more disk use, but it is still less than the same size as most Windows apps now and disks are getting bigger and cheaper all the time.
Hell, Microsoft Office is one of the worst user experiences on Mac OS X. Why does an office productivity suite need an installer on OS X ? On Windows its because Office replaces half of the system DLLs, but why on Mac OS X ?
I haven't updated my copy of MS Office for quite a while, but as of about 3 years ago, it did not have an installer and was drag and drop from the CD. So I think the answer is, it doesn't need an installer.
The security of a system is the minimum of the machine's security and the user's ability.
I mostly agree, but it is a bit more complex than that. The machine's security includes its ability to inform the user and do what the user wants by making the right controls available to the user in a convenient way. Users are willing, for the most part, to spend a few hours learning the rules to safe computer use, provided they can still accomplish their normal tasks while following the rules. Right now they don't bother because that is not an option. They need years of training to learn to safely use a computer to do what they want and even an expert cannot always do what they want with given resources.
For example, a guy I met in a chat room sends me a binary he claims is a game. If I want to install and run that game, but don't want to risk the security of my computer, I better be a bloody security expert. Even making a non-admin account on Windows and installing it there is not really a secure method because of all the local escalations for Windows and it is certainly way beyond the capabilities of the average user and is far, far, far from convenient. To really be safe I need to acquire a VM, install a copy of Windows in that VM, properly restrict the VM, and install and run the "game" in that VM.
With a security setup designed for the realities of today's environment, I should just double click on it and the OS should assume it is untrusted and restrict it properly unless it can verify the certification for the program with a trusted third party.
Uh, this is com-pletely backwards from the truth. In Windows there is no centralized decision maker that can say that, because people would leave the platform in drove[s].
Umm, do you know what a "monopoly" is. Windows-whatever will be shipping on all new computers you can buy at pretty much every store in the US. How are people going to leave it in droves? Are people leaving Windows in droves now because it sucks? With a monopoly you can easily create artificial barriers to going to the competition. Right now those barriers include OEM agreements precluding pre-installing other OS's, much of the internet subverted to nonstandard and proprietary formats like IE-HTML and Active X controls, much of corporate America locked into Word, Excel, Powerpoint, and Exchange, and MS's game company acquisitions and use of DirectX to keep much of the gaming market Windows only.
MS can make the default background in Windows say, "our customers are douche bags" and most people would not go to another OS.
With Linux, or any other Free operating system, a given distribution can make this choice at any time.
True, but that is the problem. Users and developers will target what is best for them in the short term. Since MAC security controls are solving a problem that does not really exist yet on Linux, it is just overhead and unneeded work for developers until the malware problem becomes a major issue. As a result, Linux cannot effectively change unless the community itself is forward thinking enough to put up with inconvenience in order to facilitate future security. This could happen if a coalition of Linux distributions all agreed to move to a more secure format and try to update legacy software, but it would take a lot more collaboration and vision than one bigwig at MS saying, "we're gonna do this and developers will suck it up because they have no choice if they want to stay in business."
But I also think that environments like KDE or GNOME make it feasible to do, since if you are using API calls to create dialog boxes etc., the functionality can be rolled in that way.
What percentage of binaries on Linux, including CLI ones, do you think that accounts for?
But again, this can be solved at the distribution level. Admittedly it would result in a reduced set of packages, but there's plenty of room in a distribution for a "core" of packages that use the system, and simply not installing anything else setuid or allowing it to run as root without forcing you to type an additional command (like sudo.)
Using a core set of binaries and a few picked programs on top is fine for a centrally managed solution, such as would be used in business. Home desktop users, however, want to install arbitrary software and if "Linux" has not standardized on contained, well behaved applications, shipping with ACLs, the security system simply won't work. Further, you need to get commercial developers who generally distribute outside the normal repository channels on board by making the same distribution channel and standards work for them. This means distros can no longer ignore random closed source binaries or registration/licensing when it comes to package management.
That doesn't necessarily matter, because users can create the profiles for applications like this...
For power users, creating a custom ACL for a program might work. For a centrally managed solution, the admins can do it. The problem is, for normal users it is simply not user friendly enough to constantly be tweaking the privileges of random binaries and you'll get into the same situation as Windows where users are regularly prompted for access for non-mailicious software and become conditioned to just allow software to do whatever it wants. This means the UI component of the system is failing because users don't see one or two false positives for every real issue, they see 30 or 40 and they simply stop caring.
Operan
While they may call those ACLs, they are very limited compared to standard MACLs, to which we were referring. You need to be able to restrict applications by files they are allowed to modify, sets of files, network resources, system services, and other applications they can talk to. In addition, each application should ship with an ACL from the developer so the OS immediately knows what the application should be doing and can then assign a level of trust to the application that allows or denies each behavior. Only the application developer knows if the app they make will want to send e-mail. Only the user knows if they want to trust that application to send e-mail. If the application developer has not designed the program to send e-mail, then any time it tries to do so probably means it has been overwritten or is spyware and is behaving maliciously and the OS should smack it down. If the user does not trust the application to send e-mail, the OS should likewise smack it down, or at least make sure the user has the option of stopping that behavior. The same goes for overwriting all my jpegs, reading my e-mail address book, or adding a kernel module.
But my original point still stands; on a POSIX machine a user can install apps in her home folder and then run them with her account's privileges. Maybe you use OpenStep bundles, or App Bundles, or just compile the damn thing with GCC, but the result is the same from a security standpoint.
True. Also, not having a central registry allows the apps to be well contained within a defined space, easing the use case where ACLs lock down applications. Did you read the Bitfrost spec from the OLPC project. They actually specify a modified format with bundles closer to the OpenStep ones, including some write space for the application within the application "folder" so that ACLs can be widely deployed without having to worry about applications writing to random files for basic operations. Keeping apps contained within a predefined frame is very important for this type of security improvement.
This avoids forcing you to install apps with admin privileges, which is apparently the case in Windows Vista.
One issue with both Windows and Linux apps is not what can be done, but how current applications actually work. There is quite a bit of Linux software that wants to install bits in weird locations and there are some windows applications (both old and new) where you can install them as an unprivileged user without any real risk. The hard part about increasing security is providing a sandbox or VM for legacy applications while getting all new software to conform to best practices that are predictable and more usable and which lend themselves to no unexpected behavior that a more strict security model would balk at.
. Also, when the heck will we get a linux distribution with support for ACLs? I know you can use them, but it's a chunky, command-line process at best. When will Linux catch up with NT in this area?
Linux will get ACLs usable for a particular market segment when they are needed by that market segment. Right now you can get ACLs that work just fine, provided your task is to set up a super secure server or a locked down workstation that is centrally managed. Currently, however, average users have no need for these functions since they basically never have security problems where this would be a real benefit. As such, very little work has gone into developing them for that use case.
I find it hardest to forgive Linux, actually, since the software is Free and free. Why not use it? Because it's too hard? Security is hard.
Getting such a system in widespread use on Linux is a lot harder than doing the same on Windows or OS X. There is no centralized decision maker for Linux that can say, okay we're only running binaries that ship with a cert and an ACL and which use the new protocol for registration and updates. Most developers simply don't want to spend their time modifying every existing bit of software in order to solve a potential security issue in the future. So they won't and people will move to a distro that does not have a broken security model in their way. MS or Apple could simply implement this and provide a sandbox for old applications or even ACLs for common legacy applications and developers would groan and get on with implementing it.
OSX would need a whole new subsystem to do this.
Apple announced on their info for developers site the inclusion of both a MAC framework and a application signing framework in Leopard, but then pulled all references to them silently near the end of 2006. I don't know if this means they are not going to ship with Leopard or if they are part of one of the "secret" features. Someone has also ported the MAC from trustedBSD to OS X.
So would Windows.
The Windows kernel actually includes fairly well conceived ACL support form what I've seen. Adding a framework for developers would be a lot easier than dealing with legacy applications and writing a good UI, which are really the hard parts of this.
Linux has one, and the majority of us don't even use it (including me.)
Anyone who has used SELinux knows why no one uses it on a home desktop. It is not standard so applications do not conform well enough, nor do they ship with ACLs from the developer. Further, package management on Linux is designed with open source software repositories in mind and poorly handles commercial applications that are downloaded. Since those applications are the ones with the highest risk, this really needs to be addressed before such a system would be practical.
They're not polar opposites? Security involves increasing the amount of authentication/authorization/auditing involved in performing a particular action. Therefore removing security increases ease of use.
You're mistaken. Those are common security mechanisms, but they are not security. Security is making sure the software only does what the user wants and not things they don't want. Usability is making it easy to do what the user wants and not other things. See how those are sort of complementary. For example, If a watchdog process scanned all outgoing internet activity on the packet level and informed the user vie a message at the top of the screen whenever they send more than 5 e-mails in a single minute, would that increase security? Sure, a lot of spam sending worms would trigger that behavior and the user would then know what the computer was doing. The computer doing things silently in the background is one of the largest usability problems. The computer informing them makes the OS more usable, because the user now has better information about what their computer is doing. This is a a usability win in the same way adding sound or a monitor is.
A couple of examples to support the generalization:
Okay, lets go through them.
Your door is easier to use when it does not have locks.
What is the purpose of the door? Is the purpose to keep the weather out? Is the purpose of the door to allow access to the right people and deny it to the wrong people? What if the door has a EM scanner and perfectly detects the identity of those approaching and automatically opens for the owner but no one else? That is more usable yet than having a lock because it performs its desired function (to keep out everyone but the user) better by opening automatically in the correct case. Your example is one where currently security and usability conflict, from a certain perspective. That does not make it a truism.
A DVD is easier to rip when it does not have DRM.
Ahh, but the purpose of DRM is not security at all, but specifically to reduce usability. You don't actually buy that "stopping pirates" BS do you?
It is easier to enter a client's building when you don't have to sign a security log and obtain a visitor's pass.
It is easier yet when all the security guards know you and open the door for you and escort you inside and help carry your packages. It is a lot easier when they shoot the guy trying to mug you outside while you're trying desperately to get inside.
I think you are fundamentally mistaken on this point. Usability and security are not opposites at all. Some security measures decrease usability while others increase it. It is important not to assume that some measure which decreases usability is going to increase security, and that is a very, very common mistake in the security industry.
I'll take a clunky UI to a security system tested by someone I trust (me, in many cases) over "ease-of-use" any day of the week.
The problem is if you believe that dichotomy and don't understand that you can implement security measures that also increase usability. MS certainly seems to believe this. My company makes security products and one of the main functions is simply telling users what is going on and giving them options to make a situation better. What is more usable: A) Your network stops functioning and won't talk to the outside world and your Web server cannot respond. You drive to the colocation facility and log into the console and start reading logs to figure out what happened or B) you get an e-mail informing you that a DoS attack is directed at your network and that all traffic to your Web server traffic is being blackholed (except connections from your intranet), but the rest of your network is up and running. You are then given options to restore given chunks of the blackholed traffic to restore partial service until the DoS attack is stopped?
In the above scenario the user is given more
Gee, that sounds like every client-based firewall on the market (including XP's). The only wrinkle is the application signing, which is ALSO already being done but with a crappy UI as you mentioned.
In a way. A client based firewall is insufficient because it is too easy for something to escalate privileges and get around it. A MAC ACL is built into the core of the OS and deals not only with network access, but also access to hardware resources, system services, and files. With a client based firewall a worm can still overwrite some other binary or run a buffer overflow and start sending spam regardless of what the firewall wants. With MAC, it can't overwrite anything and if it overruns a buffer it can only perform the limited actions for the binary that overflowed.
Another aspect to this is currently Windows applications often do not install to a contained location and do not have a good install process, so keeping them contained and prevented from maliciously overwriting data at install time is a serious problem (especially on Vista).
The only wrinkle is the application signing, which is ALSO already being done but with a crappy UI as you mentioned.
Application signing, by itself, is not all that useful unless it is automatically applied to determine levels of trust, behind the scenes and without user intervention. Further, it needs very granular levels of trust beyond simple good app or bad app. I might trust some Adobe app enough to run because I have to have it for my job, but at the same time I might not trust it enough to have arbitrary internet access, like connecting to some random site in Europe whenever it starts up (one did this for no reason anyone I found could explain). If that same app shipped with an ACL from Adobe, they would have to choose if that was part of it and explain why it needed that permission. Third party verification companies could easily publish their own ACLs as well, which would stop such unneeded behavior and override the one that shipped with it. To make this clean, an official update mechanism and license/registration service and protocol would need to be established, but since those are also very nice features for end users and developers, it would be easy to push the industry in that direction, especially when you have a monopoly. Sadly, this same sort of security is a lot harder to get widely deployed on Linux, because there is no centralized decision making. MS and maybe Apple could implement this and people would go along with it to the benefit of all. Hopefully some day they will.