1. Beware the justice of Nature.
2. Understand that there can be no successful human economy apart from Nature or in defiance of Nature.
3. Understand that no amount of education can overcome the innate limits of human intelligence and responsibility. We are not smart enough or conscious enough or alert enough to work responsibly on a gigantic scale.
4. In making things always bigger and more centralized, we make them both more vulnerable in themselves and more dangerous to everything else. Learn, therefore, to prefer small-scale elegance and generosity to large-scale greed, crudity, and glamour.
5. Make a home. Help to make a community. Be loyal to what you have made.
6. Put the interest of the community first.
7. Love your neighbors–not the neighbors you pick out, but the ones you have.
8. Love this miraculous world that we did not make, that is a gift to us.
9. As far as you are able make your lives dependent upon your local place, neighborhood, and household–which thrive by care and generosity–and independent of the industrial economy, which thrives by damage.
10. Find work, if you can, that does no damage. Enjoy your work. Work well.

Discovered via Scott Walters.

This happens:

I tried once or twice to press this point when I was serving my brief stint in the security world. Unfortunately I didn’t have much clout with the big names of SELinux, because I’ve never been a “real” security guy. I was more of a product & usability guy, living as a guest in their world. It’s a smart world, too. Hell, I’m lucky enough to count many good friends there, and these are not low-watt bulbs, let me tell you.

But it always made me sad that the community never felt willing to really, really internalize a respect for the user, or to entertain the crazy concept that maybe, maybe security doesn’t have to be quite this hard. Yes, real security exposes the thorny complexity of operating systems, and yes, it’s reasonable to say you need to know something about security to do it right. But with the right tools—and perhaps more importantly the right attitude—I think we could make some real usability improvements in the world of security.

 
P.S.: For the record, I was trying to figure out how to disable the audio on a Wiimote.

I didn’t link to the essay at the time, but I sure as hell am now. Why now? Maybe it was all those idiotic “Terror Tips? Report Suspicious Activity” highway signs I saw this Thanksgiving. Or maybe it was Schneier’s followup post where he describes a man in the UK who “had gone into a diabetic coma on a bus” and therefore “was shot twice with a Taser gun by police who feared he may have been a security threat.” I have a loved one with type 1 diabetes, and that just makes my blood boil. 

This is just f&!king unacceptable, people. Schneier is right: fear is winning. Refuse to be terrorized.

I’ll end this on a positive note. My sister recently sent me a link to the interview with Barack Obama at Google. After watching it, I went and sent the guy some money. I love this guy. He gets it. He gets that a culture of fear is not acceptable. And he gets a lot of other things too. He’s genuine, he’s wicked smart, and he gets my vote.

Elizabeth: Hello?

Phone Scamming Scumbag: [Spoken smoothly and officially.] Hello, we are conducting market research today. Are you over the age of 18?

E: Yes.

PSS: What is your income level: over 15,000 a year, over—

E: —I’m sorry, I don’t feel comfortable telling you my income level. What is the survey for?

PSS: I’m sorry, I don’t feel comfortable telling you what the survey is for.

[click]

Before sending any more email, please consult the following brief checklist:

• Do the recipients of your email have access to your public PGP key?
• Do the recipients of your email give a damn about who wrote your email?

Hint: if you cannot answer yes to at least one of these questions, you should not be signing your email. The degree to which you should not be signing your email is directly proportional to the number of recipients.

Thus, in the following equation,

Large public discussion list + PGP key unavailable even on your website + generic query for which the author is irrelevant anyway = why are you polluting the signal with a PGP hash?

Technology, indiscriminately applied, is unhelpful at best. So stop with the hashes already.

Since Jon doesn’t include a comment form with his posts, and since I reckon he’d rather not become the middle-man for an extended discussion, I wanted to post my additional comments here, where they could be picked apart (or not) without having to bother Jon.

Okay. On to my response:

In an addendum to the original post, Peter da Silva writes:

You’re still using discretionary access control… in a MAC system, you wouldn’t be able to transfer information from the environment with a higher classification to the environment with a lower classification even from the environment with the higher classification.

I think there may be a misunderstanding here. I’m not sure what Peter specifically means by “classification”, but I don’t think this is really addressing the meaning of Mandatory Access Control.

If by “classification” Peter means a “security level” (in the sense of a Multi Level Secure system), then it is true that many security architectures use MAC to ensure that there is no information flow from “high” to “low” levels. This is the much-discussed Bell-LaPadula security model. While this is one common security model (and the one that got the most attention until relatively recently), it is not the only context in which you can find Mandatory Access Control. SELinux, for example, features MAC in its implementation of a different model: type enforcement.

The main point here is that MAC is a lower-level concept than any particular security model or information flow goal. MAC simply ensures that access decisions—however they may be designed—are not granted to the user to make at their own discretion. Neither are they—and this is often more to the point—granted to the program the user runs.

What you’re using is an extreme version of the principle of least privilege. You’re creating an environment that doesn’t have the privilege of writing to any local non-volatile storage.

Well, sure. Although, I was under the impression that many (most?) VMs will at least store state on disk, so I’m not sure that’s the only granted privilege (someone feel free to educate me on this). Aside from that, if this limitation is established in a way that the programs running within the VM have no way of changing, then it is a mandatory control of their access. i.e. MAC used while implementing a particular security goal: least privilege.

I’ll admit to not knowing very much about the deep dark secrets of how virtualization is implemented. Jon mentioned that the XP in the virtual machine can access the XP on the host, which would indeed break the model.

The issue is further muddied by the fact that we’re not looking at a well defined set of access vectors which we can turn on or off individually for the programs in the VM. We get a set of properties that the VM brings along for the ride, and “designing” our security model here mostly means trying to figure out if throwing this hunk of code at our applications will confine them in a meaningful and helpful way. Do we care if the user can copy and paste information in and out of the VM? Maybe, maybe not. Do we care if the program running in the VM can reformat the hard drive of the host? Yup. Definitely.

I mainly just wanted to point out that, presuming that a virtual machine really does abstract away the host hardware and operating system, those applications running within the virtual machine have effectively been confined to a certain set of resources in a mandatory way (modulo an unclean separation between virtual machine and real machine). If the controlled access is both sufficient and mandatory, then you get to relax a bit, knowing that the programs running in the VM do not have free reign.

I don’t want to give the impression that the commonly available commercial VMs really are the solution for serious security concerns. But in this case it sounds like the virtual machines Jon uses provide sufficient confinement for the threat model he is trying to defend against.

It’s also worth pointing out that there are virtual machines designed specifically for security. These systems really do provide the complete separation of resources that those designed with other goals in mind do not provide.

My goal was to sketch out the wider context here, with Jon’s use of virtual machines as a way to highlight the concepts involved. But I should have more explicitly pointed out the places where theory probably doesn’t meet up with reality. My apologies on that.