[s-t] privacy and caution digest #2

David M Chess chess at us.ibm.com
Tue Oct 28 08:31:19 PST 2003


Michael Turyn:

"whatever we do which might displease the government or a real or fictive
person with power is almost certainly being done at the same time by a lot
of other people."

That's only a statistical comfort, of course.  But then most comfort
probably is.  (Who designed this place, anyway?)

Andrew A. Gill:

>> if anyone knows of a good combined worldview that
>> satisfies both, I'd love to hear about it.

> s/hear about it/torture you until you let me patent it/

Never!  I patent things only in self-defense.  *8)  I'd prefer you shouted
it from the rooftops, so no one could patent it...

Andy Latto:

"Instead, your HTML repair and rendering engine should be on top, and the
security layer should be underneath. When the rendering engine determines
that the HTML, as repaired, instructs it to delete a file, it calls
delete-a-file-if-security-permits, and *then* the security layer gets
involved, deciding whether that particular file system operation (or
network operation, or whatever) should be permitted at that time."

That would be ideal.  Unfortunately on many boxes it's not practical to
slip the security layer in under the rendering layer, because the
rendering layer is in the operating system (and the security layer is
either above that for practical reasons, or in a separate box entirely).
But when you can do it, it's great.  How many operating systems (not
counting the JVM as an operating system) have access controls based on the
network address / email address / PGP credentials of the (effective)
originator of the request?

There are a few places where security models do allow for that.  The JVM
is one (to an extent).  The Execution Control Lists in Lotus Notes are
another (you can tell Notes who you trust to execute what classes of
function, and then email from untrusted people that contains scripts to
format your hard disk won't work), and I think the signed macros in recent
(after I stopped paying close attention) versions of Microsoft Office are
another.  Things like ZoneAlarm and Norton Whatever do a sideways version
of this, by granting network access using the identity of the program
that's asking as the effective 'identity' (this has some interesting
properties).

It'd be cool (if maybe expensive performance-wise?) if some widespread OS
had a sufficiently rich notion of requestor identity (beyond "people with
accounts on this box") to do it down at the filesystem / memory-access /
etc level.  Some Linux version?  (All Unix machines everywhere, using a
facility that I am temporarily ignorant of?  BeOS?)

DC
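The arrangement Latto describes above (rendering engine on top, security layer underneath, with policy decided on the identity of the effective originator rather than the local account) and the Notes-style Execution Control List this post mentions, as an added example that is not from this post or thread: a toy reference monitor in Python. The mini script language, the principal labels, the file paths, the messages and the senders are all constructed for illustration and are not any real product's API.

```python
"""Added example: a security layer underneath a (tolerant) rendering engine.
The renderer repairs and parses content, works out what it is being told to do,
and calls delete-a-file-if-permitted with the originator's identity attached.
Policy lives only in the security layer. All names and data are constructed."""
import re
from dataclasses import dataclass

# Classes of function an originator can be trusted to trigger (ECL-style labels,
# constructed for this example).
READ, DELETE = "read-file", "delete-file"


@dataclass(frozen=True)
class Principal:
    """Effective originator of a request: a PGP key id, a sender address, or
    'anonymous' for unsigned content. This is what the security layer reasons
    about, not the local account the renderer happens to run under."""
    kind: str    # "pgp", "email" or "anonymous" (assumed labels)
    ident: str


class PermissionDenied(Exception):
    pass


class ExecutionControlList:
    """Who is trusted to execute which classes of function."""

    def __init__(self):
        self._grants = {}

    def grant(self, principal, *classes):
        self._grants.setdefault(principal, set()).update(classes)

    def permits(self, principal, cls):
        # Unknown originators get nothing: default deny.
        return cls in self._grants.get(principal, set())


class SecurityLayer:
    """Every privileged operation passes through here with the originator's
    identity; the decision is made here, underneath the renderer."""

    def __init__(self, ecl, files):
        self.ecl = ecl
        self.files = dict(files)   # toy filesystem: path -> contents
        self.audit = []            # (principal, class, target, result)

    def _check(self, principal, cls, target):
        allowed = self.ecl.permits(principal, cls)
        self.audit.append((principal, cls, target, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionDenied(f"{principal} may not {cls} {target}")

    def delete_file_if_permitted(self, path, principal):
        self._check(principal, DELETE, path)
        self.files.pop(path, None)

    def read_file_if_permitted(self, path, principal):
        self._check(principal, READ, path)
        return self.files[path]


# "Repair": a <script> that is never closed is still treated as a script.
SCRIPT = re.compile(r"<script>(.*?)(?:</script>|$)", re.S)


def render(html, principal, sec):
    """Rendering engine on top. Holds no policy; returns (op, target, result)."""
    outcomes = []
    for body in SCRIPT.findall(html):
        for line in body.strip().splitlines():
            if not line.strip():
                continue
            op, _, arg = line.strip().partition(" ")
            try:
                if op == "delete":
                    sec.delete_file_if_permitted(arg, principal)
                elif op == "read":
                    sec.read_file_if_permitted(arg, principal)
                else:
                    outcomes.append((op, arg, "unknown-op"))
                    continue
                outcomes.append((op, arg, "ok"))
            except PermissionDenied:
                outcomes.append((op, arg, "denied"))
    return outcomes


def demo():
    """Same malformed message body from two originators; only the trust differs."""
    path = "/home/me/notes.txt"                       # constructed path
    admin = Principal("pgp", "0xDEADBEEF")            # constructed, trusted signer
    stranger = Principal("email", "nobody@example.com")  # constructed, barely trusted
    ecl = ExecutionControlList()
    ecl.grant(admin, READ, DELETE)                    # trusted to read and delete
    ecl.grant(stranger, READ)                         # may read, may not delete
    sec = SecurityLayer(ecl, {path: "shopping list"})
    body = f"<p>hi<script>read {path}\ndelete {path}"  # unclosed <script>, repaired
    from_stranger = render(body, stranger, sec)
    survived = path in sec.files
    from_admin = render(body, admin, sec)
    return {"stranger": from_stranger, "survived": survived,
            "admin": from_admin, "gone": path not in sec.files,
            "audit": sec.audit}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "sideways" ZoneAlarm-style variant in the post is the same mechanism with a different principal: key the ECL on something like `Principal("program", "/usr/bin/mail")` instead of a sender or signer, and grant network access per program. Either way the renderer never decides anything; it only tells the layer below who is asking and for what.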

