Forgot your password?
typodupeerror
User Journal

FoolishOwl's Journal: I worry about the principle of least privilege and default-deny 4

Journal by FoolishOwl

I'm currently taking a course on network security; the class is, in itself, inane, but it does contribute to my continuing to think about information security over a period of time. It seems to me that issues in information security bring to a head issues that concern me about the social impact of computer and network technology in general.

It's hard to miss that there is a conservative bias in thinking about security -- conservative in more than one sense. There's the obvious political bias, with the prevailing law-and-order rhetoric and exaggerated concern about "terrorists". And there's the approach to computers and networking as problems to bring under control, not as opportunities; creativity is regarded as a threat, sharing as a vulnerability. That both these senses are in play is, I think, no coincidence, but I've been trying to find a succinct way to describe the link.

I was reading a discussion of auditing, which went into checking whether users have appropriate privileges, and reminded us of the principle of least privilege, in which a user or process should be granted no more than the absolute minimum level of privilege needed to perform their assigned tasks. And I thought of the concept of "default-deny", as in one should close all ports by default and only open them as needed.

Here it clicked. The principle of political liberty is "default-accept" -- you don't need permission to do as you will, except in specifically enumerated circumstances. An egalitarian society is a societ of equality of privileges. The model of secure computing is completely at odds with the model of a liberated, egalitarian society.

This should give you pause if you think of Lawrence Lessig's argument in Code 2.0, that software code becomes a form of social legislation, and we need to consider who is writing the code and what its effects will be. And consider the inverse of Conway's Law: if the structure of a computer system reflects the structure of the organization that created it, couldn't the structure of a society shift to reflect the structure of a computer system used throughout that society?

It's seemed to me for some time that much of the structure of Linux and Unix is intrinsically hierarchical and authoritarian: all filesystems are mounted to the root filesystem; all users are subordinate to the root user, with their limited privileges a subset of root's privileges, assigned by root. It's like the Great Chain of Being.

My sense is that the assumption of much of the free software community is that the implicit contradiction between the liberatory project of free software and the authoritarian model of Linux and Unix is that each person gets to be the system administrator of their own computer. But that runs into the classic mistake of hyper-individualist libertarianism, in ignoring the fundamental social character of human existence. Not everyone has the time, energy, or inclination to master their own machines, and even if they did, those machines are bound together in a global computer network. And I forgot to mention: there's the root of the DNS hierarchy, modelled on the Unix file system model.

Obviously, there are real reasons to limit what users can do on a system. If I run a Web server on my desktop computer, I still don't want other people to have access to my bank account. I would rather my nine-year-old talked to me before installing new applications. And so on.

I wonder if we could find a new and better paradigm for operating systems, which matched egalatarian ideals and the project of human liberation implicit in the free software project.

This discussion has been archived. No new comments can be posted.

I worry about the principle of least privilege and default-deny

Comments Filter:
  • I left out a strand of thought that has also concerned me: my ambivalence about Anonymous, and their peculiarly discordant arguments about security. I keep seeing statements, supposedly from hackers associated with Anonymous, that they're publicly shaming institutions for their poor security. For instance, in an interview with an Anonymous hacker on Democracy Now! [democracynow.org], Goodman brought up the issue of Anonymous's release of personal information from a Website for BART riders. The hacker responded,

    Why was that information stored—again, I would ask you, your listeners and this BART fellow, why this information was stored on a server with a security that could have been broken by any 12-year-old script kiddie on the internet. It was for anybody to take. At least somebody took it who cares. At least somebody took it who used it to send a message not only to the world that censorship is wrong and intolerable, but that their information is being held in trust by a government they cannot trust, because they don’t know what they’re doing.

    This has always

  • It's hard to miss that there is a conservative bias in thinking about security -- conservative in more than one sense. There's the obvious political bias, with the prevailing law-and-order rhetoric and exaggerated concern about "terrorists". And there's the approach to computers and networking as problems to bring under control, not as opportunities; creativity is regarded as a threat, sharing as a vulnerability. That both these senses are in play is, I think, no coincidence, but I've been trying to find a succinct way to describe the link.

    Everything you [rightly] blame the conservatives for in the preceding paragraph, you can also blame the progressives. Jane Napolitano is every bit the totalitarian control freak that the worst of Bush's appointees were. The problem isn't conservatives versus progressives, but totalitarians versus libertarians.

    I wonder if we could find a new and better paradigm for operating systems, which matched egalatarian ideals and the project of human liberation implicit in the free software project.

    The answer is "yes." But you have to have a trustworthy user base. Would you leave your home unlocked when you went to work? The answer is "it depends". If I live in a small town where I can trus

    • Political terminology is maddeningly treacherous.

      I had hoped I was clear that I was using "conservative", at least in that paragraph, to mean a particular attitude, rather than a particular political faction; in this case, the attitude that people who challenge order are bad people, regardless of which people and which order.

      Rather than go on an extended tangent about how I typically define and apply various political terms, I'll just say that I don't like the current administration, either.

      With regard to t

  • ...in this case. While many of the issues are political/social in nature, implementation of security models is almost always dependent on other issues (with the exception of the concept of private property). Much of information security is predicated on the idea that data is private property or at least public information held in trust. Freedom consists not just to enable individuals to "...do what you will." but also to ensure freedom *from* invasions of privacy.

    It's pretty commonplace (regardless of id

Two is not equal to three, even for large values of two.

Working...