Rob Meijer | 13 May 2012 00:54

Re: Second is Webkeys or Passwords: Which is More Secure?

On Sun, April 22, 2012 20:53, Jed Donnelley wrote:
> On 3/14/2012 4:53 PM, Marc Stiegler wrote:
>> Second is Webkeys or Passwords: Which is More Secure?
>> http://www.youtube.com/watch?v=C7Pt9PGs4C4
>
> Ha!  Delightfully Stieglerian!
>

One thing that worries me about web-keys are legal aspects.
There could be a need for an extra column in the matrix regarding
if the attacker is actually breaking any law by either using someone's
web-key or password. You are much more likely to be attacked if the
attacker knows he/she would not actually be breaking a law by attacking
you.
Karp, Alan H | 14 May 2012 18:20

Re: Second is Webkeys or Passwords: Which is More Secure?

Rob Meijer wrote:
> 
> One thing that worries me about web-keys are legal aspects.
> There could be a need for an extra column in the matrix regarding
> if the attacker is actually breaking any law by either using someone's
> web-key or password. You are much more likely to be attacked if the
> attacker knows he/she would not actually be breaking a law by attacking
> you.
>
I don't see any difference in legality between guessing/stealing a password versus guessing/stealing a
webkey.  The applicable law, at least in the US, is unauthorized use of a computer system, regardless of how
access is gained.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
Marc Stiegler | 15 May 2012 00:16

Re: Second is Webkeys or Passwords: Which is More Secure?

There are a bunch of columns that should be added for a serious
analysis -- too many to be assessed in a video format. Ben Laurie
published the link to a document with many relevant criteria a while
ago, I can find it if someone needs it (of course, you could just look
in the captalk archives too :-)

But IMHO the youtubed comparison serves its purpose adequately,
namely, to raise the awareness for people who choose passwords
"because that's what everyone does", allowing the thoughtful ones a
justification to think twice, and seriously consider the security
consequences of their actions.

--marcs

On Sat, May 12, 2012 at 3:54 PM, Rob Meijer <capibara@...> wrote:
> On Sun, April 22, 2012 20:53, Jed Donnelley wrote:
>> On 3/14/2012 4:53 PM, Marc Stiegler wrote:
>>> Second is Webkeys or Passwords: Which is More Secure?
>>> http://www.youtube.com/watch?v=C7Pt9PGs4C4
>>
>> Ha!  Delightfully Stieglerian!
>>
>
> One thing that worries me about web-keys are legal aspects.
> There could be a need for an extra column in the matrix regarding
> if the attacker is actually breaking any law by either using someone's
> web-key or password. You are much more likely to be attacked if the
> attacker knows he/she would not actually be breaking a law by attacking
> you.
>

Rob Meijer | 16 May 2012 13:37

Re: Second is Webkeys or Passwords: Which is More Secure?

Feels like there could be a large difference between 'using' someone else's
username and password to falsely assume that other person's identity and
'using' a token of (extremely) attenuated authority that was explicitly
designed to allow and enable sharing and delegation. Legal rules are often
quite (often too much so) specific about what constitutes an offence to just
assume a shift in technology like this would have no impact.

On Mon, May 14, 2012 18:20, Karp, Alan H wrote:
> Rob Meijer wrote:
>>
>> One thing that worries me about web-keys are legal aspects.
>> There could be a need for an extra column in the matrix regarding
>> if the attacker is actually breaking any law by either using someone's
>> web-key or password. You are much more likely to be attacked if the
>> attacker knows he/she would not actually be breaking a law by attacking
>> you.
>>
> I don't see any difference in legality between guessing/stealing a
> password versus guessing/stealing a webkey.  The applicable law, at least
> in the US, is unauthorized use of a computer system, regardless of how
> access is gained.
>
> ________________________
> Alan Karp
> Principal Scientist
> Virus Safe Computing Initiative
> Hewlett-Packard Laboratories
> 1501 Page Mill Road
> Palo Alto, CA 94304
> (650) 857-3967, fax (650) 857-7029

Karp, Alan H | 16 May 2012 18:53

Re: Second is Webkeys or Passwords: Which is More Secure?

Rob Meijer wrote:
> 
> Feels like there could be a large difference between 'using' someone else's
> username and password to falsely assume that other person's identity and
> 'using' a token of (extremely) attenuated authority that was explicitly
> designed to allow and enable sharing and delegation. Legal rules are often
> quite (often too much so) specific about what constitutes an offence to just
> assume a shift in technology like this would have no impact.
>
The issue is intent.  There is no crime if I intended to share with you, whether it's a password or a webkey.  You
might argue that it's more likely that I shared an attenuated authority with you rather than a password,
but whether or not your use of it is a crime is up to the jury.  Just last year someone was convicted of
unauthorized use of a computer because she sat down at someone else's logged in computer and sent some
nasty emails under that person's name.   The same conclusion would undoubtedly have been reached had she
stolen a password or a webkey. 

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
David Nicol | 17 May 2012 19:14

Re: Reference count based garbage collection seen as flawed


On Tue, Jan 3, 2012 at 12:22 AM, Bill Frantz <frantz-gNnuX2t9IJCEogu45VfRew@public.gmane.org> wrote:
> KeyKOS did not have any form of garbage collection. Instead, it
> had the ability to delete objects and automatically null all
> references to them. This approach had pluses and minuses.
>
> On the plus side: The entity responsible for the space used by
> the object could always recover that space and stop paying for
> it. This feature seems attractive for systems supporting mutual suspicion.
>
> On the minus side: You had no idea what havoc might be wrought
> by deleting an object. It could be anything from nothing -- no
> outstanding references, to destroying an entire application and
> all its data, which is very scary.
>
> In theory, one could examine the system's object graph and
> determine what objects would be directly affected by a deletion.
> In practice, that kind of examination would be a violation of
> POLA, and have significant problems in identifying these objects
> to a human user.
>
> Being able to recover a reference to a deleted object, as Jed
> has suggested, would have the POLA problem. Suppose the object
> held data the storage owner shouldn't be able to access. And
> then you would have to be able to repair the application using
> the new reference.
>
> I view space recovery in these systems as an unsolved problem.
>
> Cheers - Bill


Am I missing something? Done right, mark and sweep shouldn't have any POLA violation problems.

Objects may not be erased, but references can be dropped, resulting in
unreferenced records not getting marked, and thereby swept the next time through. As all exported references go through a membrane, one may effect an apparent deletion by dropping the wet reference. The dry user still has a reference to their now-useless lightweight access proxy, but has no way to get in any further than that. As useless references still count against the user's reference allowance, users are motivated to drop them from their lexicons.

How does mark and sweep not solve this space recovery problem?

The frequently encountered arguments (aside from ain't-broke-don't-fix) for reference counting over mark-and-sweep as I understand them are

   (1) reference counted systems never have to pause for GC
   (2) reference counted systems use slightly less memory / are faster, because they don't have to waste resources on marking and sweeping
   (3) M&S is broken because it does not guarantee time or ordering of destruction.

M&S answers are

   (1) with robust threads, GC can happen in a continuing thread, thereby avoiding jitter
   (2) that's a lie and even if it was true it wouldn't matter; besides, M&S systems don't have to waste resources counting references.
   (3) you don't really care about time and order of space recovery, and if you think you do you have simply become spoiled by the immediacy of destruction following going-out-of-scope provided by reference counting. In a M&S system, when you really need to know when a resource is no longer accessible, like to support the "resource acquisition is locking" pattern, you must instead either explicitly close or implicitly trap goes-out-of-scope instead of destruction, and have the shared resource manage its own reference count concerned with the lock, instead of abusing the GC reference count for non-GC purposes. In theory, this approach to RAIL may release locks very slightly earlier.

Hmm. Should the referent get informed (if it cares) when a reference to it is dropped?

Also, using lightweight access proxies solves the identified flaw, regardless of GC model. Without that crucial piece, M&S would have it worse.

--
"Oblige a man to rise at four in the morning, and it is more than probable he will go willingly to bed at eight in the evening; and, having had eight hours sleep, he will rise more willingly at four in the morning following." -- Benjamin Franklin

_______________________________________________
cap-talk mailing list
cap-talk@...
http://www.eros-os.org/mailman/listinfo/cap-talk
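The membrane scheme David Nicol describes above (exported references go through a membrane, the owner drops the wet reference, the dry user is left holding a now-useless lightweight access proxy) as an added Python example. This is not code from the post or from any capability system mentioned in the thread; the names Membrane, DryProxy, Revoked and Account, and the handle table that stands in for the wet references, are this example's own assumptions, and "wet"/"dry" follow the post's usage. A weakref on the wet object shows the point of the post: after revocation the proxy still exists on the dry side, but nothing reachable through it keeps the object alive, so any collector (mark-and-sweep or refcount) can reclaim it.

```python
import gc
import weakref


class Revoked(Exception):
    """Raised when a dry-side proxy is used after the membrane dropped its wet references."""


class Membrane:
    """A membrane between an owner (wet side) and an untrusted user (dry side).

    The membrane's table is the only path from a dry proxy to a wet object.
    revoke() clears that table: the 'apparent deletion' of the post. The
    proxies survive on the dry side; the objects behind them become unreachable.
    (Hypothetical design for this example, not any particular system's API.)
    """

    # Values that carry no authority cross the membrane by copy, unwrapped.
    _PASS_THROUGH = (type(None), bool, int, float, str, bytes)

    def __init__(self):
        self._wet = {}        # handle -> wet object (the wet references)
        self._handles = {}    # id(wet object) -> handle, so one object gets one handle
        self._revoked = False

    def export(self, obj):
        """Wrap a wet object for a dry user, or pass a primitive through by value."""
        if isinstance(obj, self._PASS_THROUGH):
            return obj
        if self._revoked:
            raise Revoked("membrane revoked")
        handle = self._handles.get(id(obj))
        if handle is None:
            handle = len(self._wet)
            self._wet[handle] = obj
            self._handles[id(obj)] = handle
        return DryProxy(self, handle)

    def resolve(self, handle):
        """Look a handle up; the only way a proxy ever reaches a wet object."""
        if self._revoked:
            raise Revoked("membrane revoked: the wet reference was dropped")
        return self._wet[handle]

    def revoke(self):
        """Drop every wet reference at once; every proxy minted here goes dead."""
        self._revoked = True
        self._wet.clear()
        self._handles.clear()


class DryProxy:
    """The lightweight access proxy a dry user holds.

    It stores no wet reference, only the membrane and a handle, so holding it
    cannot keep the wet object alive and cannot get past a revoked membrane.
    Only attribute access and method calls are forwarded; special methods
    such as len() are deliberately not.
    """

    __slots__ = ("_membrane", "_handle")

    def __init__(self, membrane, handle):
        object.__setattr__(self, "_membrane", membrane)
        object.__setattr__(self, "_handle", handle)

    def __getattr__(self, name):
        membrane, handle = self._membrane, self._handle
        value = getattr(membrane.resolve(handle), name)
        if not callable(value):
            return membrane.export(value)   # data crosses out through the membrane

        def forward(*args, **kwargs):
            # Re-resolve on every call: the forwarder keeps only the handle, so a
            # stored forwarder is exactly as revocable as the proxy itself, and
            # results cross back out through the same membrane (proxied, not raw).
            method = getattr(membrane.resolve(handle), name)
            return membrane.export(method(*args, **kwargs))

        return forward

    def __setattr__(self, name, value):
        raise AttributeError("dry proxies are read-only views")


class Account:
    """Constructed sample wet object for the demo."""

    def __init__(self, balance):
        self.balance = balance
        self.history = []

    def deposit(self, amount):
        self.balance += amount
        self.history.append(amount)
        return self.balance

    def statement(self):
        return self.history           # a list: it will be proxied, not handed out raw


def demo():
    """Returns (balance before revoke, wet object alive after revoke, proxy usable after revoke)."""
    owner_side = Account(100)
    tracker = weakref.ref(owner_side)     # watch the wet object without keeping it alive
    membrane = Membrane()
    dry = membrane.export(owner_side)
    del owner_side                        # the owner now holds only the membrane

    balance_before = dry.deposit(25)      # 125, forwarded through the membrane
    membrane.revoke()                     # the 'apparent deletion': wet reference dropped
    gc.collect()
    target_alive = tracker() is not None  # False: no path to the Account remains
    try:
        dry.deposit(1)
        usable_after = True
    except Revoked:
        usable_after = False              # the dry user holds a now-useless stub
    return balance_before, target_alive, usable_after
```

The proxy is deliberately thin: it knows a membrane and an integer, nothing more, which is what makes "dropping the wet reference" sufficient as a revocation and a space-recovery step at the same time.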
Charles Forsyth | 17 May 2012 22:53

Re: Reference count based garbage collection seen as flawed

It's a bit like being spoilt by having regular food and shelter. Every so often I write programs in languages
where every resource must explicitly be deallocated in frequent explicit exception handlers or recovery blocks.
It's like going camping and foraging! Secretly, it's nice to be back in civilisation, though.

On 17 May 2012 18:14, David Nicol <davidnicol-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> if you think you do you have simply become spoiled by the immediacy of destruction following going-out-of-scope provided by reference counti

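David Nicol's point (3) above, and Charles Forsyth's remark about languages where every resource is explicitly deallocated, both come down to where a lock or lease release belongs when destruction timing is the collector's business. An added Python example, not code from either post: SharedResource keeps its own lease count as the post suggests, Lease releases it on explicit close (a context manager), and FinalizerLease releases it from a finalizer, so its lease only drops once the cycle collector happens to run. All class and function names are this example's assumptions.

```python
import gc
import threading


class SharedResource:
    """A resource that keeps its own lease count, separate from any GC bookkeeping."""

    def __init__(self):
        self.leases = 0
        self._guard = threading.Lock()

    def _add(self, delta):
        with self._guard:
            self.leases += delta
            return self.leases


class Lease:
    """Explicit close: the count drops at close()/block exit, whatever the
    collector is doing and however many stale references to the Lease linger."""

    def __init__(self, resource):
        self._resource = resource
        self._open = True
        resource._add(+1)

    def close(self):
        if self._open:                 # idempotent: a second close is a no-op
            self._open = False
            self._resource._add(-1)

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.close()
        return False                   # never swallow the caller's exception


class FinalizerLease:
    """The pattern the post argues against: release from a finalizer, so the
    release happens whenever the object is destroyed, and the collector decides when."""

    def __init__(self, resource):
        self._resource = resource
        resource._add(+1)

    def __del__(self):
        self._resource._add(-1)


def explicit_close_demo():
    """Returns (leases inside the block, leases after it, whether the kept Lease is still open)."""
    res = SharedResource()
    with Lease(res) as lease:
        held = res.leases              # 1 inside the block
        keep = lease                   # a reference that outlives the block
    # (1, 0, False): released on exit, even though `keep` still references the Lease
    return held, res.leases, keep._open


def finalizer_demo():
    """Returns (leases after the holder is dropped, leases after a collection)."""
    res = SharedResource()
    gc.disable()                       # make the collector's timing explicit for the demo
    try:
        cycle = [FinalizerLease(res)]
        cycle.append(cycle)            # a self-referential cycle: refcounting alone never frees it
        del cycle
        before = res.leases            # still 1: __del__ has not run, the lease is stuck
        gc.collect()
        after = res.leases             # 0 only once the collector gets around to it
    finally:
        gc.enable()
    return before, after
```

The explicit version releases at a point the program chose; the finalizer version releases at a point the collector chose, which is the "time or ordering of destruction" nobody should be relying on for a lock.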
Norman Hardy | 18 May 2012 01:37

Re: Reference count based garbage collection seen as flawed


On 2012 May 17, at 10:14 , David Nicol wrote:

> Am I missing something? Done right, mark and sweep shouldn't have any POLA violation problems.

What do you do when GC fails to produce space—how do you debug space leaks—how do you put the onus of fixing the bug on the agency responsible for and with access to the code with the bug?
Keykos is for situations with mutually suspicious applications.
Keykos is also for mission critical apps sharing a machine with non critical decision support apps which may have memory leaks.
Granted that the critical apps cannot afford to have memory leaks.
There may be GC schemes that address these problems but I have not heard of them.

> Objects may not be erased, but references can be dropped, resulting in
> unreferenced records not getting marked, and thereby swept the next time through. As all exported references go through a membrane, one may effect an apparent deletion by dropping the wet reference. The dry user still has a reference to their now-useless lightweight access proxy, but has no way to get in any further than that. As useless references still count against the user's reference allowance, users are motivated to drop them from their lexicons.
>
> How does mark and sweep not solve this space recovery problem?
>
> The frequently encountered arguments (aside from ain't-broke-don't-fix) for reference counting over mark-and-sweep as I understand them are
>
>    (1) reference counted systems never have to pause for GC
>    (2) reference counted systems use slightly less memory / are faster, because they don't have to waste resources on marking and sweeping
>    (3) M&S is broken because it does not guarantee time or ordering of destruction.
>
> M&S answers are
>
>    (1) with robust threads, GC can happen in a continuing thread, thereby avoiding jitter
>    (2) that's a lie and even if it was true it wouldn't matter; besides, M&S systems don't have to waste resources counting references.
>    (3) you don't really care about time and order of space recovery, and if you think you do you have simply become spoiled by the immediacy of destruction following going-out-of-scope provided by reference counting. In a M&S system, when you really need to know when a resource is no longer accessible, like to support the "resource acquisition is locking" pattern, you must instead either explicitly close or implicitly trap goes-out-of-scope instead of destruction, and have the shared resource manage its own reference count concerned with the lock, instead of abusing the GC reference count for non-GC purposes. In theory, this approach to RAIL may release locks very slightly earlier.
>
> Hmm. Should the referent get informed (if it cares) when a reference to it is dropped?
>
> Also, using lightweight access proxies solves the identified flaw, regardless of GC model. Without that crucial piece, M&S would have it worse.
>
> --
> "Oblige a man to rise at four in the morning, and it is more than probable he will go willingly to bed at eight in the evening; and, having had eight hours sleep, he will rise more willingly at four in the morning following." -- Benjamin Franklin


Norman Hardy | 18 May 2012 01:40

Re: Reference count based garbage collection seen as flawed


On 2012 May 17, at 10:14 , David Nicol wrote:

> Am I missing something? Done right, mark and sweep shouldn't have any POLA violation problems.

David Nicol | 18 May 2012 03:33

Re: Reference count based garbage collection seen as flawed

On Thu, May 17, 2012 at 6:37 PM, Norman Hardy <norm <at> cap-lore.com> wrote:

> What do you do when GC fails to produce space—how do you debug space
> leaks—how do you put the onus of fixing the bug on the agency responsible
> for and with access to the code with the bug?
> Keykos is for situations with mutually suspicious applications.
> Keykos is also for mission critical apps sharing a machine with non critical
> decision support apps which may have memory leaks.
> Granted that the critical apps cannot afford to have memory leaks.
> There may be GC schemes that address these problems but I have not heard of
> them.

Debugging leaks is not a garbage collection problem; reserving memory
and enforcing usage limits are how that's done. Also overprovisioning.
