On Tue, Jun 15, 2004 at 12:58:46AM -0400, Jonathan Blandford wrote:
> Mark McLoughlin <markmc@xxxxxxxxxx> writes:
> >
> > Given that designing secure applications/systems is all about trade
> > offs between the risks to the application and the cost of the possible
> > countermeasures, you need some sort of basic framework for making those
> > tradeoffs.
> >
> > Here's the kind of thing I'm thinking of:
> >
> > * What can go wrong/what are we trying to prevent/risks?
> >   * Loss of data
> >   * Disclosure of private data/loss of privacy
> >   * Denial of service
> >   * Interruption of work/reduced productivity
>
> Another possible risk is identity masquerading (e.g. sending a bomb
> threat from another person's email account.) There's also a ranking of
> the severity of these. They're all bad, but the last two are less bad,
> as they diminish your experience and don't necessarily cause
> irreversible harm.
>
> We should also add that we are trying to protect the whole ecosystem as
> much as possible. That is, it's bad if an attacker gains the ability to
> run a process as an unprivileged user on a box even if it takes negligible
> resources from that box.

On a different but related note, protecting the whole ecosystem entails
different types of defenses. Bruce Schneier lists three types: prevention,
detection, and response. So, in Jonathan's example above, there are three
kinds of questions that the ultimate solution can choose to provide:

1. What does the desktop do to prevent identity masquerading?
2. Once someone has stolen my identity, what does the desktop do to let me
   know this has happened?
3. Once I figure out it's happened (via my own intuition or by some
   notification mechanism), how does the desktop help me recover?

Another example: I've read that a lot of spam is sent by unwitting Windows
users. Microsoft is trying to improve security with efforts such as the
firewall in SP2.

Something that could also be useful could be something that sensed a lot of
SMTP traffic and reported it: "Your desktop is sending a very large quantity
of email. This could indicate that your machine has been infected with a
malicious program. Go to this URL for more information."

> > * What are our goals?
> >   * Provide a system whereby the user can easily and safely
> >     get their work done
> >   * Ensure the privacy and integrity of a user's data

Also:

Detect any violation of my data integrity/privacy.
Recover from violations of my data integrity/privacy.

Richard
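As an added illustration of the "sensed a lot of SMTP traffic and reported it" detector Richard sketches (example code, not from the thread or any GNOME project): a sliding-window counter over constructed outbound-connection log lines, where the log format, the port set and the threshold of 20 connections per minute are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Ports a desktop legitimately uses to hand mail to an MTA (assumed set).
SMTP_PORTS = {25, 465, 587}
ALERT_TEXT = ("Your desktop is sending a very large quantity of email. "
              "This could indicate that your machine has been infected "
              "with a malicious program. Go to this URL for more information.")

def parse_line(line):
    """Parse a constructed log line: '<ISO timestamp> <IN|OUT> <dst_ip>:<port>'."""
    ts, direction, dst = line.split()
    port = int(dst.rsplit(":", 1)[1])
    return datetime.fromisoformat(ts), direction, port

def detect_smtp_burst(lines, threshold=20, window=timedelta(minutes=1)):
    """Count outbound SMTP connections in a sliding time window.
    Returns (alert_text_or_None, peak_count). A mail client opens a few
    connections per minute; a spam-sending program opens far more."""
    recent = deque()          # timestamps of outbound SMTP connections in window
    peak = 0
    alerted = False
    for line in lines:
        ts, direction, port = parse_line(line)
        if direction != "OUT" or port not in SMTP_PORTS:
            continue          # web browsing, DNS, inbound traffic: ignore
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()  # drop connections older than the window
        peak = max(peak, len(recent))
        if len(recent) > threshold:
            alerted = True
    return (ALERT_TEXT if alerted else None), peak

def connection_log(count, spacing_s, start="2004-06-15T01:00:00"):
    """Build `count` constructed outbound SMTP lines, `spacing_s` seconds apart."""
    base = datetime.fromisoformat(start)
    return [f"{(base + timedelta(seconds=i * spacing_s)).isoformat()} "
            f"OUT 192.0.2.{i % 250 + 1}:25" for i in range(count)]

# Constructed samples: a person sending 5 mails over a minute, versus a
# process that opens one SMTP connection every second for two minutes.
NORMAL_USER = ["2004-06-15T00:59:50 OUT 192.0.2.10:80"] + connection_log(5, 10)
SPAM_BOT = connection_log(120, 1)

if __name__ == "__main__":
    for name, log in (("normal", NORMAL_USER), ("bot", SPAM_BOT)):
        alert, peak = detect_smtp_burst(log)
        print(f"{name}: peak {peak}/min -> {alert or 'no alert'}")
```

The same structure covers the "detect" question in Richard's three-question list: prevention would be a firewall rule on the same ports, and response is whatever the URL in the alert leads the user to do.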