[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Changing from L4 to something else...
|
From: |
Yoshinori K. Okuji |
|
Subject: |
Re: Changing from L4 to something else... |
|
Date: |
Sat, 29 Oct 2005 04:01:03 +0200 |
|
User-agent: |
KMail/1.7.2 |
On Friday 28 October 2005 06:36 pm, Marcus Brinkmann wrote:
> You put in another disk, and bill it to the customer.
I guess you are kidding. When things are really urgent, such a slow operation
is not allowed.
> You subdivide the user's resources into "important data" and "scratch
> space". Thus, you give the user two resource capabilities (two
> different "banks"). You promise your users that the "important data"
> will not be revoked quickly. You don't make the same promise for the
> scratch space.
It works only for people who are familiar with computer and have a lot of
time. It is not acceptable for busy people to consume precious time to decide
if each piece of data is important or not. Probably they would just insert
all data to "important data".
> I revoke the network capability for her session.
This is too violent. What if she does not want to hide everything? For
example, if she wants to check a note from an internet cafe?
> If she doesn't remember her password later-on, you will have to kill
> the session anyway.
She might be able to remind herself of the password when she comes back and
sits down in front of the computer. This is called "associated memory".
> But here is the important thing: Of course you _could_ also implement
> backdoors for the administrator into the user sessions. This option
> is there. You can always make a system less secure by introducing
> more capabilities.
>
> The important thing is that you can also not do it, and choose the
> "paranoid" scenario. The reverse is not possible. An insecure system
> is insecure is insecure.
I know. What I meant was that a supervisor is required or too useful to be
disabled in many situations. I can think of many more examples (e.g.
system-wide backup), so I bet that nearly all users would choose to have a
supervisor with exchange of a certain amount of security. This is one reason
why I feel that security paranoia is too expensive, because very little
people use such an extreme configuration.
Okuji
- Re: Changing from L4 to something else..., (continued)
- Request for pointers, Jonathan S. Shapiro, 2005/10/30
- Re: Changing from L4 to something else..., Alfred M\. Szmidt, 2005/10/28
- Re: Changing from L4 to something else..., Marcus Brinkmann, 2005/10/28
- Re: Changing from L4 to something else..., Yoshinori K. Okuji, 2005/10/28
- Re: Changing from L4 to something else..., Marcus Brinkmann, 2005/10/28
- Re: Changing from L4 to something else..., Alfred M\. Szmidt, 2005/10/28
- Re: Changing from L4 to something else..., Yoshinori K. Okuji, 2005/10/28
- Re: Changing from L4 to something else..., Marcus Brinkmann, 2005/10/28
- Re: Changing from L4 to something else...,
Yoshinori K. Okuji <=
- Re: Changing from L4 to something else..., Bas Wijnen, 2005/10/30
- Re: Changing from L4 to something else..., Marcus Brinkmann, 2005/10/30
- Re: Changing from L4 to something else..., William Grim, 2005/10/31
- Re: Changing from L4 to something else..., Jonathan S. Shapiro, 2005/10/31
- Re: Changing from L4 to something else..., Jonathan S. Shapiro, 2005/10/28
- Re: Changing from L4 to something else..., Jonathan S. Shapiro, 2005/10/28
- Re: Changing from L4 to something else..., Bas Wijnen, 2005/10/28
- Re: Changing from L4 to something else..., Yoshinori K. Okuji, 2005/10/28
- Re: Changing from L4 to something else..., Bas Wijnen, 2005/10/30
Re: Changing from L4 to something else..., Marcus Brinkmann, 2005/10/27