l4-hurd

Re: Changing from L4 to something else...


From: Marcus Brinkmann
Subject: Re: Changing from L4 to something else...
Date: Mon, 31 Oct 2005 01:25:01 +0100
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Sat, 29 Oct 2005 04:01:03 +0200,
"Yoshinori K. Okuji" <address@hidden> wrote:
> On Friday 28 October 2005 06:36 pm, Marcus Brinkmann wrote:
> > You put in another disk, and bill it to the customer.
> I guess you are kidding. When things are really urgent, such a slow operation 
> is not allowed.

Ok.  So I pull a hard drive out of the spare-parts room.  Or take it from one 
of the old computers lying around.

Or are you saying the same company that has such an urgent contract
doesn't have spare parts in reserve?

> > You subdivide the user's resources into "important data" and "scratch
> > space".  Thus, you give the user two resource capabilities (two
> > different "banks"). You promise your users that the "important data"
> > will not be revoked quickly.  You don't make the same promise for the
> > scratch space.
> 
> It works only for people who are familiar with computers and have a lot of 
> time. It is not acceptable for busy people to consume precious time to decide 
> if each piece of data is important or not. Probably they would just put 
> all data into "important data".

Are these "busy people" the same who put their home video collection
on the company's file server?

Really, I don't try to mock you.  I try to understand your example.
At least the examples you give should make sense.

If your point is that you can create a hypothetical situation where no
matter what you do, you lose, then, well, your point is taken.
Nothing we can ever do can change that.

> > I revoke the network capability for her session.
> 
> This is too violent. What if she does not want to hide everything? For 
> example, if she wants to check a note from an internet cafe?

I thought she forgot her password.  How can she access her account at
all then?

Some extrapolation is required here.  Your examples were hypothetical
and incomplete.  So were my answers.  We can go round and round, but
don't you agree that the answers were at least reasonable in a
subspace of the possible problem space?  And that they can be adjusted
arbitrarily for different circumstances?

As a counter example, we can try to pose similar problems for Unix
administrators.  What if I hide my movies on the company's filesystem
encrypted in files like these:

VERY_IMPORTANT_CONTRACTS_ONLY_COPY_DONT_TOUCH.tgz.crypt

> > But here is the important thing: Of course you _could_ also implement
> > backdoors for the administrator into the user sessions.  This option
> > is there.  You can always make a system less secure by introducing
> > more capabilities.
> >
> > The important thing is that you can also not do it, and choose the
> > "paranoid" scenario.  The reverse is not possible.  An insecure system
> > is insecure is insecure.
> 
> I know. What I meant was that a supervisor is required or too useful to be 
> disabled in many situations. I can think of many more examples (e.g. 
> system-wide backup), so I bet that nearly all users would choose to have a 
> supervisor in exchange for a certain amount of security. This is one reason 
> why I feel that security paranoia is too expensive, because very few 
> people use such an extreme configuration.

If your point is that balance is good, then we all agree.  ;)

Thanks,
Marcus
