which do you think is better user experience?

Solar
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany

Re: which do you think is better user experience?

Post by Solar »

Brendan wrote:Essentially; if a user on one OS creates a file and configures that file's permissions as "only readable by me", then a different user on a different OS should not be able to read that file.
I disagree.

File permissions are there to avoid negligent or malicious tampering while the OS in question is running. No more, no less. I cannot, indeed I must not expect someone having physical access to my storage to be "ethical" about accessing the data. If I need that data "secure", I need to encrypt it. (Turning the key / password used for the encryption into the "permission".) If I don't encrypt it, I am obviously OK with others being able to read my volume if they are physically able to mount it.

This includes any 'root' user.

Point in case, tools for repartitioning, or bulk backup & restore. Those need to interpret file systems while the "mother" OS is not in control, and they need to disregard file access permissions (just preserve them as they are).
Every good solution is obvious once you've found it.
Brendan
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!

Re: which do you think is better user experience?

Post by Brendan »

Hi,
Solar wrote:
Brendan wrote:Essentially; if a user on one OS creates a file and configures that file's permissions as "only readable by me", then a different user on a different OS should not be able to read that file.
I disagree.

File permissions are there to avoid negligent or malicious tampering while the OS in question is running. No more, no less. I cannot, indeed I must not expect someone having physical access to my storage to be "ethical" about accessing the data.
And this is (another reason) why most OSs suck - they don't even try to protect against attackers with physical access, even though the world is full of disgruntled employees, stolen laptop/smartphone systems, etc. Back when dinosaurs (e.g. PDP 11) roamed the earth there wasn't much chance of someone quietly slipping your computer into their pocket; the world has changed significantly since, and attitudes towards file system security and physical access have failed to keep up.
Solar wrote:If I need that data "secure", I need to encrypt it. (Turning the key / password used for the encryption into the "permission".) If I don't encrypt it, I am obviously OK with others being able to read my volume if they are physically able to mount it.

This includes any 'root' user.
If I accidentally left my house unlocked, would you decide that it's fine to take everything in my house that isn't nailed down (and come back the next day with tools to take everything that is nailed down)?

Most people don't use encryption because they don't know about it, it's not implemented (or not implemented well), it's too hard to setup, it's too slow, or it's too fragile; and not because they trust everyone that could gain physical access by any legal or illegal method. Because there are multiple reasons why data might not be encrypted, "not encrypted" can not imply "access granted". The only way to explicitly allow access is to use a file system with no permission system (FAT, ISO9660) or to use the permission system to allow anonymous access.
Solar wrote:Point in case, tools for repartitioning, or bulk backup & restore. Those need to interpret file systems while the "mother" OS is not in control, and they need to disregard file access permissions (just preserve them as they are).
Tools for creating and deleting partitions don't need to interpret file systems and neither does "whole partition backup". For everything else you can use the "mother OS" (unless the "mother OS" disallows access because you're unauthorised).


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
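The rule Brendan states above (a foreign filesystem is either permissionless, like FAT or ISO9660, or its permission bits are honoured against the foreign OS's own user database rather than the mounting OS's) written out as a mount-time policy. This is an added example, not code from the thread or from any poster's OS; the passwd and shadow contents, the toy password-hash scheme, the user names and the inode values are all constructed:

```python
"""Added example (not from the thread or any named OS): a policy deciding whether
the mounting OS may hand out access to a file on a foreign volume. Permissionless
filesystems are always readable; anything else requires a *foreign* identity,
authenticated against the foreign OS's own credential store, whose mode bits
permit the access. All sample data below is constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Filesystems whose on-disk format records no owner or mode bits at all.
PERMISSIONLESS_FS = {"fat", "vfat", "iso9660"}

@dataclass(frozen=True)
class ForeignUser:
    name: str
    uid: int
    gid: int

@dataclass(frozen=True)
class ForeignInode:
    uid: int
    gid: int
    mode: int  # POSIX permission bits as stored on the foreign volume

def parse_passwd(text: str) -> dict:
    """Parse "name:x:uid:gid:gecos:home:shell" lines read from the foreign
    volume's /etc/passwd into a name -> ForeignUser map."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 4:
            raise ValueError(f"malformed passwd line: {raw!r}")
        users[f[0]] = ForeignUser(f[0], int(f[2]), int(f[3]))
    return users

def _toy_hash(salt: str, password: str) -> str:
    # Constructed stand-in for the foreign OS's real password hash format.
    return hashlib.sha256((salt + password).encode()).hexdigest()

def authenticate(shadow: dict, name: str, password: str) -> bool:
    """shadow maps name -> (salt, digest); compare digests in constant time."""
    entry = shadow.get(name)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_toy_hash(salt, password), digest)

def posix_allows(inode: ForeignInode, uid: int, gid: int, want: str) -> bool:
    """Owner/group/other check of `want` (a subset of "rwx") against mode bits."""
    shift = 6 if uid == inode.uid else 3 if gid == inode.gid else 0
    needed = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return ((inode.mode >> shift) & needed) == needed

def foreign_access(fs_type, inode, want, users, shadow, name=None, password=None) -> bool:
    """Policy: permissionless filesystem -> grant. Otherwise the caller must
    prove a foreign identity (name + password checked against the foreign OS's
    own store) and that identity's mode bits must permit the access. The
    mounting OS's own identities, root included, carry no weight here."""
    if fs_type.lower() in PERMISSIONLESS_FS:
        return True
    if name is None or not authenticate(shadow, name, password or ""):
        return False  # no foreign identity established -> deny
    user = users.get(name)
    if user is None:
        return False
    return posix_allows(inode, user.uid, user.gid, want)

# Constructed sample data standing in for a foreign ext-style volume.
FOREIGN_PASSWD = ("alice:x:1000:1000:Alice:/home/alice:/bin/sh\n"
                  "bob:x:1001:1001:Bob:/home/bob:/bin/sh\n")
FOREIGN_SHADOW = {"alice": ("s1", _toy_hash("s1", "correct horse")),
                  "bob": ("s2", _toy_hash("s2", "hunter2"))}
PRIVATE = ForeignInode(uid=1000, gid=1000, mode=0o600)  # "only readable by me"

def demo() -> dict:
    users = parse_passwd(FOREIGN_PASSWD)
    return {
        "fat_anyone": foreign_access("vfat", PRIVATE, "r", users, FOREIGN_SHADOW),
        "ext4_no_identity": foreign_access("ext4", PRIVATE, "r", users, FOREIGN_SHADOW),
        "ext4_owner": foreign_access("ext4", PRIVATE, "r", users, FOREIGN_SHADOW, "alice", "correct horse"),
        "ext4_owner_badpw": foreign_access("ext4", PRIVATE, "r", users, FOREIGN_SHADOW, "alice", "nope"),
        "ext4_other_user": foreign_access("ext4", PRIVATE, "r", users, FOREIGN_SHADOW, "bob", "hunter2"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:>18}: {'allow' if allowed else 'deny'}")
```

The design point is that the mounting OS's uid 0 never appears in the decision: without a credential that the foreign OS itself would accept, an ext-style volume stays closed, while a FAT volume is open to everyone because it never claimed otherwise.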
Octocontrabass
Member
Posts: 5568
Joined: Mon Mar 25, 2013 7:01 pm

Re: which do you think is better user experience?

Post by Octocontrabass »

Brendan wrote:And this is (another reason) why most OSs suck - they don't even try to protect against attackers with physical access, even though the world is full of disgruntled employees, stolen laptop/smartphone systems, etc.
I don't see how "OS A refuses to mount a filesystem created in another instance of OS A" provides any security when anyone interested in stealing data (rather than the hardware itself) can simply use "OS B" to access the data instead. It would make a nice roadblock for disaster recovery, though.
Brendan wrote:If I accidentally left my house unlocked, would you decide that it's fine to take everything in my house that isn't nailed down (and come back the next day with tools to take everything that is nailed down)?
"Most people are not thieves" is not the same as "all people are not thieves". The few who are interested in robbing you will gladly take advantage of an unlocked door (assuming they notice it before they break a window).
Brendan wrote:Most people don't use encryption because they don't know about it, it's not implemented (or not implemented well), it's too hard to setup, it's too slow, or it's too fragile; and not because they trust everyone that could gain physical access by any legal or illegal method.
You forgot one other possibility: most people don't have access to data that a thief would consider valuable.
Brendan wrote:Tools for creating and deleting partitions don't need to interpret file systems and neither does "whole partition backup".
"Whole partition backup" goes a lot faster when you can skip the unused parts of the disk.
Solar
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany

Re: which do you think is better user experience?

Post by Solar »

Brendan wrote:And this is (another reason) why most OSs suck - they don't even try to protect against attackers with physical access...
There is no (software) way to protect against an attacker with physical access. That is more or less an axiom of system security.

(I take your computer, smash the case, rip out the hard drive, hook it up to my own controller, and "cat /dev/sdb > dump.bin". What's keeping me from interpreting your file system, disregarding your OS's file protection? Nothing.)

You have to deny physical access, if that is the level of security you are aiming for, and that is beyond the realm of operating systems. They can assist specific hardware - intrusion detection, or other on-board security features, for example, that ensure hardware integrity -- or do full volume encryption. But you'll still be prone to key loggers etc.

But we weren't talking about "protection" anyway, we were talking about the "ethics" of reading a foreign filesystem with or without regard to its permissions.
Brendan wrote:If I accidentally left my house unlocked, would you decide that it's fine to take everything in my house that isn't nailed down (and come back the next day with tools to take everything that is nailed down)?
No, it would not be "OK". But that's not what I was talking about, and neither what you were talking about, so why do you bring it up? Trying to ridicule?

A more fitting metaphor is that there are good reasons to have doors and windows in your house. I might come for a visit. I might smash in a window and rescue your kids when the house is on fire and you are away. I might help your next of kin get your stuff after you passed away. If you live in a walled-off bunker, none of this is possible. That doesn't mean you shouldn't keep your valuables locked away, it just means that your front door is not the place for the high-security time lock -- your safe is.
Brendan wrote:Most people don't use encryption because they don't know about it, it's not implemented (or not implemented well), it's too hard to setup, it's too slow, or it's too fragile...
All those reasons are in the realm of OS design to alleviate. I can still hook up a key logger to your keyboard, sniff out your encryption password, and then take your computer, smash the case, rip out the hard drive...
Brendan wrote:..."not encrypted" can not imply "access granted".
It implies "access not denied". It also does on your OS, if you rely on "ethical" behaviour by other operating systems (because Mallory isn't "ethical" by definition, so any "ethical" behaviour is depending on the ethics of the user to begin with, not the ethics of any OS as he can just choose another).
Brendan wrote:Tools for creating and deleting partitions don't need to interpret file systems...
Tools that resize partitions do.
Brendan wrote:...and neither does "whole partition backup".
If you are willing to waste tons of backup space on archiving all the junk on unused sectors, go right ahead. Proper backup means backing up the data, which means interpreting the file system as to which sectors are data, which data, and which are unused. And honestly, when looking for a backup recovery, do you really want a recovery software that basically needs a partition of the exact size and layout of the lost one, and then can only recover the whole partition? Personally I prefer backup tools that allow me to recover specific content.
Korona
Member
Posts: 1000
Joined: Thu May 17, 2007 1:27 pm

Re: which do you think is better user experience?

Post by Korona »

Octocontrabass wrote:
Brendan wrote:Most people don't use encryption because they don't know about it, it's not implemented (or not implemented well), it's too hard to setup, it's too slow, or it's too fragile; and not because they trust everyone that could gain physical access by any legal or illegal method.
You forgot one other possibility: most people don't have access to data that a thief would consider valuable.
I think that is an important point: Brendan makes it sound like data theft from stray laptops constitutes an important threat model that could be mitigated by better software. That could not be farther off: not only is data theft not a threat that most people have to fear, but it is also almost always a targeted attack, so that having to use "special" software (which in this case only consists of a live CD / USB flash drive with any mainstream OS installed) is not a barrier that mitigates it.
Brendan wrote:
Korona wrote:Linux tries not to stuff policy into the kernel; it delegates those things to distros. The location (e.g. path name) of kernel modules is seen as policy and thus handled by user space. I do think that this actually makes sense: In particular if you're writing a microkernel there is no other way to do it.
While it's common for micro-kernels; for monolithic "no policy in the kernel" is just plain broken (and the Linux kernel does contain a huge amount of "policy"). It is not a case of "no policy in kernel" and is purely a case of "we're too incompetent to have effective standards".
I'm not particularly interested in Linux development but I'm quite confident that Linux developers would disagree with that statement vehemently.

EDIT: Another fleeting thought: Note that NFS pre-v4 has absolutely no security whatsoever. Any user that has physical access (i.e. an Ethernet link) has root access on non-Kerberized NFS. Protecting against physical access is the only security mechanism in NFS.
Last edited by Korona on Fri Feb 24, 2017 10:21 am, edited 2 times in total.
managarm: Microkernel-based OS capable of running a Wayland desktop (Discord: https://discord.gg/7WB6Ur3). My OS-dev projects: [mlibc: Portable C library for managarm, qword, Linux, Sigma, ...] [LAI: AML interpreter] [xbstrap: Build system for OS distributions].
Brendan
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!

Re: which do you think is better user experience?

Post by Brendan »

Hi,
Solar wrote:
Brendan wrote:And this is (another reason) why most OSs suck - they don't even try to protect against attackers with physical access...
There is no (software) way to protect against an attacker with physical access. That is more or less an axiom of system security. You have to deny physical access, if that is the level of security you are aiming for, and that is beyond the realm of operating systems. They can assist specific hardware - intrusion detection, or TLP, for example -- or do full volume encryption, but you'll still be prone to key loggers etc.
For all security systems that have ever existed or will ever exist; "100% secure" is impossible and is never the goal. The goal is only to make it harder for attackers (ideally, to make it harder than alternative methods, because anything more secure than that isn't strictly necessary at all).

Now; imagine a company with 50 office workers (accountants, secretaries, etc). How do you deny these people physical access to computers that they must use to do their job (but do not own and are not given admin access to)?

You can not insist on denying physical access and expect to be taken seriously; therefore you need to at least try to make it harder for attackers with physical access (even though "100% secure" is impossible).
Solar wrote:But we weren't talking about "protection" anyway, we were talking about the "ethics" of reading a foreign filesystem with or without regard to its permissions.
We were only talking about the ethics of reading a foreign filesystem without regard to its permissions.

Reading a foreign filesystem with regard to its permissions was explicitly excluded from the beginning, here (emphasis added):
Brendan wrote:In my opinion; an OS should not support any other OS's file system unless either:
  • the file system has no security/permissions (e.g. FAT, ISO9660); or
  • the OS honours the other OS's security/permission system, including the other OS's user authentication (e.g. the other OS's "/etc/passwd" file)
Solar wrote:
Brendan wrote:If I accidentally left my house unlocked, would you decide that it's fine to take everything in my house that isn't nailed down (and come back the next day with tools to take everything that is nailed down)?
No, it would not be "OK". But that's not what I was talking about, and neither what you were talking about, so why do you bring it up? Trying to ridicule?
I'm trying to highlight a double standard. If nothing prevents access, then it's unethical for people to assume they have permission (almost everything) and also unethical for people to assume they have permission (files).
Solar wrote:A more fitting metaphor is that there are good reasons to have doors and windows in your house. I might come for a visit. I might smash in a window and rescue your kids when the house is on fire. I might help your next of kin get your stuff after you passed away. If you live in a walled-off bunker, none of this is possible. That doesn't mean you shouldn't keep your valuables locked away, it just means that your front door is not the place for the high-security time lock -- your safe is.
And if I forget to lock my safe?

You're arguing about how much permission should be explicitly given (in extreme cases) and not if permission should be explicitly given. In cases where denying "foreign access" to files causes a risk to human life, "foreign access" to those files should be explicitly given.
Solar wrote:
Brendan wrote:Most people don't use encryption because they don't know about it, it's not implemented (or not implemented well), it's too hard to setup, it's too slow, or it's too fragile...
All those reasons are in the realm of OS design to alleviate.
How do I change the design of existing installed versions of Windows, Linux, .... ; so that my OS can know that all existing OSs are designed to suit your ridiculous "let's just assume we have permission when there's no encryption" assumption?
Solar wrote:
Brendan wrote:..."not encrypted" can not imply "access granted".
It implies "access not denied". It also does on your OS, if you rely on "ethical" behaviour by other operating systems.
Nonsense. "Not encrypted" implies nothing; and the existence of a permission system implies an intent to restrict access in some way.
Solar wrote:
Brendan wrote:Tools for creating and deleting partitions don't need to interpret file systems...
Tools that resize partitions do.
And? It's not like I'm suggesting that these tools shouldn't be able to be used from the "mother OS".
Solar wrote:
Brendan wrote:...and neither does "whole partition backup".
If you are willing to waste tons of backup space on archiving all the junk on unused sectors, go right ahead. Proper backup means backing up the data, which means interpreting the file system as to which sectors are data, which data, and which are unused. And honestly, when looking for a backup recovery, do you really want a recovery software that basically needs a partition of the exact size and layout of the lost one, and then can only recover the whole partition? Personally I prefer backup tools that allow me to recover specific content.
And? It's not like I'm suggesting that these tools shouldn't be able to be used from the "mother OS".

Note that it would be possible to compress raw sector data while creating a backup, and it would be possible for a file system to fill sectors with zeros when freeing them (to assist compression and security); and there are many utilities that do support "raw sector copying" for various purposes (including backup and recovery).


Cheers,

Brendan
Korona
Member
Posts: 1000
Joined: Thu May 17, 2007 1:27 pm
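The two backup strategies argued over in this exchange, side by side: Solar's filesystem-aware backup that interprets the allocation map and copies only used sectors, and Brendan's raw sector copy, whose compressed size depends on whether the filesystem zeroed blocks when it freed them. This is an added example, not code from the thread; the toy on-disk layout (block 0 holds a bitmap, 64 blocks of 512 bytes) and the block contents are invented here:

```python
"""Added example, not from the thread: a toy volume with a block-allocation
bitmap, used to compare (a) a backup that interprets the filesystem and skips
unused blocks with (b) a raw sector copy of the whole volume, with and without
the filesystem having zero-filled freed blocks. Layout and data are constructed."""
import random
import zlib

BLOCK = 512
NBLOCKS = 64  # the bitmap needs NBLOCKS // 8 = 8 bytes, kept in block 0

def _block_data(n: int) -> bytes:
    # Deterministic pseudo-random "file content" for block n (constructed).
    return random.Random(n).randbytes(BLOCK)

def make_image(allocated: set, zero_on_free: bool) -> bytes:
    """Build a volume image. Free blocks hold either stale data from earlier
    use (zero_on_free=False) or zeros, as a filesystem that scrubs freed
    blocks would leave them."""
    if 0 in allocated or any(b >= NBLOCKS for b in allocated):
        raise ValueError("block 0 is reserved for the bitmap")
    bitmap = bytearray(NBLOCKS // 8)
    for b in allocated:
        bitmap[b // 8] |= 1 << (b % 8)
    blocks = [bytes(bitmap).ljust(BLOCK, b"\0")]
    for b in range(1, NBLOCKS):
        if b in allocated:
            blocks.append(_block_data(b))
        elif zero_on_free:
            blocks.append(bytes(BLOCK))
        else:
            blocks.append(_block_data(b + 1000))  # leftover junk from old files
    return b"".join(blocks)

def _bitmap_blocks(bitmap: bytes) -> set:
    return {b for b in range(1, NBLOCKS) if (bitmap[b // 8] >> (b % 8)) & 1}

def allocated_blocks(image: bytes) -> set:
    """Interpret the filesystem's bitmap to learn which blocks hold data."""
    return _bitmap_blocks(image[:NBLOCKS // 8])

def fs_aware_backup(image: bytes) -> bytes:
    """Backup = bitmap block + allocated blocks only; free space is skipped."""
    out = [image[:BLOCK]]
    for b in sorted(allocated_blocks(image)):
        out.append(image[b * BLOCK:(b + 1) * BLOCK])
    return b"".join(out)

def restore_fs_aware(backup: bytes) -> bytes:
    """Rebuild a full-size image from an fs-aware backup; free blocks come back
    zeroed, since their old contents were never saved."""
    alloc = _bitmap_blocks(backup[:NBLOCKS // 8])
    blocks = [backup[:BLOCK]]
    pos = BLOCK
    for b in range(1, NBLOCKS):
        if b in alloc:
            blocks.append(backup[pos:pos + BLOCK])
            pos += BLOCK
        else:
            blocks.append(bytes(BLOCK))
    return b"".join(blocks)

def raw_backup_size(image: bytes) -> int:
    """Size of a compressed raw sector copy (needs no filesystem knowledge)."""
    return len(zlib.compress(image, 9))

def compare(allocated: set) -> dict:
    junk = make_image(allocated, zero_on_free=False)
    clean = make_image(allocated, zero_on_free=True)
    return {
        "raw_bytes": len(junk),
        "fs_aware_bytes": len(fs_aware_backup(junk)),
        "raw_compressed_junk": raw_backup_size(junk),
        "raw_compressed_zeroed": raw_backup_size(clean),
    }

if __name__ == "__main__":
    for k, v in compare({1, 2, 3, 10, 20}).items():
        print(f"{k:>22}: {v}")
```

With five of 63 data blocks in use, the fs-aware backup is six blocks regardless of what the free space contains; the compressed raw copy only approaches that size when freed blocks were zeroed, which is the point Brendan makes about zero-filling on free. Either way, the fs-aware tool has to understand the on-disk format, which is what Solar was getting at.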

Re: which do you think is better user experience?

Post by Korona »

Brendan wrote:For all security systems that have ever existed or will ever exist; "100% secure" is impossible and is never the goal. The goal is only to make it harder for attackers (ideally, to make it harder than alternative methods, because anything more secure than that isn't strictly necessary at all).
The goal of security is to determine attack scenarios and to take measures that defend against these scenarios until the expenses required for better defenses exceed the expected damage. Untargeted data theft from random people (that is carried out by amateurs who don't know to boot from a flash drive) is absolutely irrelevant as an attack scenario.
Brendan wrote:Now; imagine a company with 50 office workers (accountants, secretaries, etc). How do you deny these people physical access to computers that they must use to do their job (but do not own and are not given admin access to)?

You can not insist on denying physical access and expect to be taken seriously; therefore you need to at least try to make it harder for attackers with physical access (even though "100% secure" is impossible).
You install guidelines that disallow harmful physical access (e.g. booting from USB flash drives) and if one of your employees violates those guidelines you sue them. And if you're dealing with sensitive data then denying physical access (+ setting up some audit trail) is exactly what you do. I'm pretty sure if I tried to plug some USB drive into one of our servers I'd be facing consequences pretty soon.
Antti
Member
Posts: 923
Joined: Thu Jul 05, 2012 5:12 am
Location: Finland

Re: which do you think is better user experience?

Post by Antti »

This makes sense for computers that have multiple OSs installed on them. Normal home/office users, no attackers or stolen laptops, i.e. the most important use case. If the OSs cooperate with each other, sensitive files (not top-secret files) would be still "safe" like unopened letters in real life. Cooperation could mean supporting the privilege system or always denying access to those "unknown" files.
Schol-R-LEA
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: which do you think is better user experience?

Post by Schol-R-LEA »

Brendan wrote: Note that if you look at the most successful OSs/distros that use the Linux kernel; you'll notice that most of them involve some kind of corporate governance/structure (Google/Android, Redhat/Redhat, Canonical/Ubuntu) that mitigates at least some of (and in Google's case, most of) the "herding headless chickens" problem.
Note also that one needs to separate the Linux kernel from the various GNU utilities and scaffolding used to make it a working OS, and those in turn from the tools, conventions, and in some cases, shovelware, added on top of that by various distro developers. No matter what you might think of the kernel - and there is plenty about it to criticize - Linus Torvalds has for the most part kept a very tight rein on it as the (not-at-all-)Benevolent Dictator for Life of the project, and he is infamous for just how ruthlessly he attacks anything he sees as a bad addition to the code base. When it comes to the kernel, it is no bazaar, it is the Cathedral of Torvalds and he makes everyone working on it know it.

In other words, the chaos is mostly in the tools that make Linux usable (to the degree any OS today is usable at all). Now, many of those tools have their own BDFL running the show, or a committee managing them, but the majority of them don't, and more to the point, there is no one at the top who coordinates between them - Linus appears to want as little to do with userland as possible, and seems to dislike even talking to other groups working kernel-space element such as drivers and loadable kernel modules (and when he does, it is usually in the form of an obscenity-filled screed about how they are ruining it for him, Blue Velvet style), while Stallman is busy being the politician he insists he really isn't, and Raymond is similarly occupied (when he isn't busy building his own cult-of-personality). The problem isn't that the individual projects are mismanaged (though they often are), but that they don't communicate with each other, and there is no one with the clout to make them do so, or at least no one who is willing to take that role.

But that's not even relevant, because the problems in question mostly predate GNU, never mind Linux; most of the issues Brendan is talking about are with tools and conventions which are direct imitations - often bug-for-bug recreations, as can be seen with continued requirement for leading tabs in make - of tools that were casually hacked together back when Unix was little more than the hobby project of a few Bell Labs workers. This is what set the tone of later development at Berkeley and elsewhere; the lack of standards came about because no one saw a need for them when they were being written, and while some attempts have been made to retro-fit some on them later (e.g., the 'standard' of using '-h' for the help menu, the addition of things like getopt for people to use when re-writing the tools), most of those efforts are hamstrung by decisions made by some guy who came back to the Labs at 3 AM to get some work done after a night of drinking.

Is starting over an option? Well, you can take the Linux kernel and use a completely different set of tools on top of it; it isn't as if that hasn't been tried a dozen or more times before, with Android being the most prominent example. However, Android could get away with it because it had to work in an environment where neither Bash nor X Window System were practical, and the project was being run by a major corporation who were only using Linux to avoid reinventing the wheel for the parts that weren't user-facing - it may use the Linux kernel, but calling it Linux is a stretch. Other projects that have tried it have run aground on the problem of replacing all those tools with equivalent ones, and then getting people to use those unfamiliar tools rather than ones which they know so well that they run them more through muscle memory than by cognitive decision-making.

This is already a problem Linux has, because (to use the allegory P. J. Plauger came up with long and long ago when discussing text editors, back before CUA was near-universal) no duckling who is already imprinted on Windows or MacOS is going to want to go follow Mama Linux into a strange new world of unfamiliar usage models, bizarre thought processes, and criminally short utility names without good reason. Programmers and system admins often have reasons to make that leap, and FOSS enthusiasts might try to, but the average user wouldn't leave Microsoft for a new OS even if it gave them a telepathic user interface, no administrative problems, perfect security, free gold, and frequent sex with their ideal lover, because different is scary. Without the existing user base of Unix ducklings, a new OS built on the Linux kernel but throwing away all the things that make Unix Unix is quite unlikely to catch on, no matter how much better it is.

(Here, too, Android was an exception, as they were looking at a market where most of the ducklings hadn't imprinted yet; while a handful of the people trying it out had used an iPhone or Blackberry already, most of the customers buying smartphones had never set their hands on a computer interface more complex than that of a microwave oven or a DVR before they started using Android - hell, I have heard that in places like Lagos, São Paulo, Manila, Ciudad Juárez, and Flint, Michigan :roll: , it is easier to find a smartphone for sale than a bottle of clean water. They had nothing to unlearn, so Google had free rein in making them addicted to their particular flavor of cyber-crack.)
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
rdos
Member
Posts: 3297
Joined: Wed Oct 01, 2008 1:55 pm

Re: which do you think is better user experience?

Post by rdos »

I make it a priority to not honor any kind of privileges that other OSes enforce in various file-systems. Thus, if I do an ext2/3/4 driver, I will let everything be accessible, and the same would apply if I do an NTFS driver. For FAT, I don't honor read-only either. :-)
Sik
Member
Posts: 251
Joined: Wed Aug 17, 2016 4:55 am

Re: which do you think is better user experience?

Post by Sik »

Schol-R-LEA wrote:often bug-for-bug recreations, as can be seen with continued requirement for leading tabs in make
Oh god this one, it hadn't even been a month and the author of make already wanted to replace tabs with something else since they were blatantly awful, but the tool was already spread around enough that it'd break a significant bunch of projects and their authors were not always likely to just adapt their makefiles to the new format (or worse, they may make their own backwards compatible fork or clone). To add insult to the injury, if I recall correctly make's author hadn't even considered releasing it until a friend asked him, so it still was in the "anything goes" and "let's quickly hack this up before we have something proper" stages when it got set in stone.

That's the big problem with software interfaces: you better get them right in the first try, because if you don't you'll be completely screwed as there will be no way back (without causing a massive amount of headaches and probably backfiring in some way, at least).
Schol-R-LEA
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: which do you think is better user experience?

Post by Schol-R-LEA »

rdos wrote:I make it a priority to not honor any kind of privileges that other OSes enforce in various file-systems. Thus, if I do an ext2/3/4 driver, I will let everything be accessible, and the same would apply if I do an NTFS driver. For FAT, I don't honor read-only either. :-)
Mind you, I intend to solve the problem by disallowing it entirely - my 'file system' isn't one, and its own management features pretty much disallow data that isn't originated on the system itself or transmitted to it from a source of known provenance (which mostly means another system of the same type). So how will a system running my OS interact with other OSes, you ask? It won't - or at least, the v-machines that manage the document system won't.

Want to use a file system for some other OS on the same computer? Install that OS as a separate v-machine and go to town, just don't expect to be able to use that to access data that a) is all automatically encrypted with multiple, varying keys and algorithms chosen by the system according to user-configurable settings, and b) isn't organized into files. Want to use the WWW or most other Internet services? Yeah, those all get their own sandbox v-macs, ones which don't get to play with the disk at all except for some scratch/swap space of their very own - they can talk to the desktop manager (which is a separate v-mac as well), but unless things go really sideways, nothing they do should be able to affect anything in the permanent secondary storage.

Oh, yeah: permanent. That's part of it too: long-term storage is all write-once. No backsies, ever, short of damaging the medium, and did I mention that the system will require offsite mirroring of permanent data, and all installations will be required to set aside space for distributed mirroring? Well, required is a bit much... let's just say that any stored data fragment will have a unique virtual address, and any copies of it - including the local one - are either mirrors or temporary cached versions of the Platonic Essence of that particular data element. To understand this, go read what Ted Nelson has to say, or consult your pineal gland.

If you really need to transfer data to the system, there will be ways to do it, but... well, in doing so, you are asserting proprietary ownership of that data, or at least a known provenance, and while a variety of ways of distributing capabilities for your data are possible, including public domain, anonymous (to the system) ownership is verboten - you can hide your identity from the other users, but a given user only has a single account, across all systems running that OS, and there won't be any easy ways to delete that (encryption again, this time of the 'links' - I really need to come up with a better name, or several; while the original Xanadu team had several things they called links, none of them resembled WWW hyperlinks very much - or rather, WWW hyperlinks are only a pale shadow of them - and most of them were more about things like publication status and transformations of data views than linking things).

The point is, putting new data into such a system from somewhere else would be legally binding by the TOS, and not something you want to do lightly. Not sure how I want to handle things like traditional song lyrics, anonymous or pseudonymous books, unattributed photos, etc. But then, as I have said many times, this is an experiment; those are some of the things I am trying to find solutions for, and hopefully do so in a way others can apply to real systems.

Besides, there's no reason to think I will ever actually get anywhere with any of this. I am indeed ambitious, but I also know that those ambitions exceed my reach, never mind my grasp. Still, for the foreseeable future, I mean to continue to plod along with the speed, if not the fineness, of a divine millstone.
Last edited by Schol-R-LEA on Sun Feb 26, 2017 8:42 am, edited 2 times in total.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
Gigasoft
Member
Member
Posts: 856
Joined: Sat Nov 21, 2009 5:11 pm

Re: which do you think is better user experience?

Post by Gigasoft »

It is beyond silly for an OS to try to enforce file permissions stored on user-provided media unless explicitly asked. These permissions are meaningless and irrelevant without someone to assign a meaning to them.

The owner of a computer system is the one to decide who will have access to what data through the use of that computer system, regardless of where that data originated from. Any OS vendor who thinks otherwise, and implements whatever he fancies to be "ethical" as a mandatory policy, is going to see their customers take their business elsewhere. If I am trying to copy some files off a USB stick onto a company computer, only to realize that they are owned by "root" and are unreadable for everyone else, it is not funny to have to walk all the way to a computer on a different floor at the other end of the building which I do have the root password to, just to fix the permissions.
Brendan wrote:If I accidentally left my house unlocked, would you decide that it's fine to take everything in my house that isn't nailed down (and come back the next day with tools to take everything that is nailed down)?
This analogy doesn't hold. Your house isn't yours merely because you intend it to be your house. Your house is part of your property which became yours after you paid for it with your money, with the property's exact borders and current owner being registered with your country's authorities. A more fitting analogy would be this: Suppose I come home to find a nice wooden plaque glued on my door that says, "Brendan lives here - unauthorized entry prohibited" (perhaps because I just purchased my house from you). Naturally, I ignore it, throw it in the trash, and think no further of it. Or, suppose I am invited to come over to a friend's party, and let's say they live in a cabin in the middle of the woods. So I call a cab and declare my destination. When we get to the woods, there is a sign that says "Private road". Should the driver stop, and proclaim that he can go no further? Perhaps he should demand to see some proof that I am indeed on the guest list? I, for one, would find that pretty weird and would not use that cab company again.
Brendan wrote:Because there are multiple reasons why data might not be encrypted, "not encrypted" can not imply "access granted".
No, but being the one who produces said data certainly does. If my boss hands me a disk with some reports owned by some Dave, Kathy and Bill I don't know, and asks me to compile a summary, I am definitely not going to bother to find out who the heck Dave, Kathy and Bill are, and phone them all to ask if it's okay for me to read their reports, because that is not part of my job description.
Brendan wrote:If nothing prevents access, then it's unethical for people to assume they have permission (almost everything) and also unethical for people to assume they have permission (files).
That would be said people's problem, not the operating system vendor's. The operating system does not have to assume anything, since it will be configured by the computer's owner regarding what permissions to grant.
Brendan wrote:Now; imagine a company with 50 office workers (accountants, secretaries, etc). How do you deny these people physical access to computers that they must use to do their job (but do not own and are not given admin access to)?
If the computers store sensitive unencrypted data, then those offices should be locked, with only people authorized to access said data having access. Or, the hard disks should be removed when the computers are not in use, and placed in a safe. Often, data can be stored on a company server instead, which must be placed in a locked room. Having an OS installed on each workstation which does not permit reading files from external hard drives unless the user IDs happen to match up, on the other hand, is not a solution and provides zero security value.
User avatar
Brendan
Member
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!
Contact:

Re: which do you think is better user experience?

Post by Brendan »

Hi,
Gigasoft wrote:It is beyond silly for an OS to try to enforce file permissions stored on user provided media unless explicitly asked. These permissions are meaningless and irrelevant without someone to assign a meaning to them.
If your OS assumes it has access without explicit permission despite clear proof that access was intended to be restricted, then your OS is a tool intended for malicious purposes (bypassing the security of other OSs).
Gigasoft wrote:The owner of a computer system is the one to decide who will have access to what data through the use of that computer system, regardless of where that data originated from.
Wrong. Legally; the owner of the data is the one who decides who will have access to their data. If a company leases computers and pays an employee to create the data, then the owner of the data (and therefore the only entity legally able to decide who will have access) is the company. The computer owner is not the owner of the data; and neither is the employee that was paid to create it nor any root/administrator (these people merely have the ability to act on behalf of the data's owner).
Gigasoft wrote:Any OS vendor who thinks otherwise, and implements whatever he fancies to be "ethical" as a mandatory policy, is going to see their customers take their business elsewhere. If I am trying to copy some files off a USB stick onto a company computer, only to realize that they are owned by "root" and are unreadable for everyone else, it is not funny to have to walk all the way to a computer on a different floor at the other end of the building which I do have the root password to, just to fix the permissions.
Sure; if you're a malicious attacker it's not fun to have to find a different method of stealing someone else's data; and I will lose all the money I would've made from criminals because they'll have to use an OS that is designed to condone data theft.
Gigasoft wrote:
If I accidentally left my house unlocked, would you decide that it's fine to take everything in my house that isn't nailed down (and come back the next day with tools to take everything that is nailed down)?
This analogy doesn't hold. Your house isn't yours merely because you intend it to be your house. Your house is part of your property which became yours after you paid for it with your money, with the property's exact borders and current owner being registered with your country's authorities. A more fitting analogy would be this: Suppose I come home to find a nice wooden plaque glued on my door that says, "Brendan lives here - unauthorized entry prohibited" (perhaps because I just purchased my house from you). Naturally, I ignore it, throw it in the trash, and think no further of it.
That's a bad analogy - you are not unauthorised, you were given explicit permission by virtue of becoming the legal owner of the house. What you are advocating is that everyone should be allowed to glue a sign on your door without permission from the owner or occupier of the house simply because they feel like assuming they can. You are advocating unlawful access.
Gigasoft wrote:Or, suppose I am invited to come over to a friend's party, and let's say they live in a cabin in the middle of the woods. So I call a cab and declare my destination. When we get to the woods, there is a sign that says "Private road". Should the driver stop, and proclaim that he can go no further? Perhaps he should demand to see some proof that I am indeed on the guest list? I, for one, would find that pretty weird and would not use that cab company again.
In this analogy the cab driver is like a USB flash stick or network cable. They are not responsible for your actions. You are responsible for complying with the policy of the road owner.
Gigasoft wrote:
Because there are multiple reasons why data might not be encrypted, "not encrypted" can not imply "access granted".
No, but being the one who produces said data certainly does.
No, the owner of the data is not necessarily the person who produced the data.
Gigasoft wrote:If my boss hands me a disk with some reports owned by some Dave, Kathy and Bill I don't know, and asks me to compile a summary, I am definitely not going to bother to find out who the heck Dave, Kathy and Bill are, and phone them all to ask if it's okay for me to read their reports, because that is not part of my job description.
In this case there's no attempt at protecting the data; and therefore you can assume you have access (in the same way an OS can assume it has access to files on ISO9660 or FAT where there aren't any permissions).

If your boss asks you to take mail from Dave's mailbox and copy it; would you break federal law and steal Dave's mail because Dave doesn't have a secure lock on his mailbox?
Gigasoft wrote:
Now; imagine a company with 50 office workers (accountants, secretaries, etc). How do you deny these people physical access to computers that they must use to do their job (but do not own and are not given admin access to)?
If the computers store sensitive unencrypted data, then those offices should be locked, with only people authorized to access said data having access. Or, the hard disks should be removed when the computers are not in use, and placed in a safe. Often, data can be stored on a company server instead, which must be placed in a locked room. Having an OS installed on each workstation which does not permit reading files from external hard drives unless the user IDs happen to match up, on the other hand, is not a solution and provides zero security value.
It's not about "security value"; it's about allowing your OS to be used to violate or bypass the (lack of) security in systems that are beyond your control.

Let's try the opposite. If you were able to write code that allows your OS to decrypt file systems that were encrypted by Windows or Linux (in addition to being able to bypass file system permissions that were created by Windows or Linux); would you insist that your OS should bypass encryption created by other OSs (in the same way that you are insisting that your OS should bypass permissions created by other OSs)?


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
Gigasoft
Member
Member
Posts: 856
Joined: Sat Nov 21, 2009 5:11 pm

Re: which do you think is better user experience?

Post by Gigasoft »

Brendan wrote:If your OS assumes it has access without explicit permission despite clear proof that access was intended to be restricted, then your OS is a tool intended for malicious purposes (bypassing the security of other OSs).
My OS can't possibly know what the "users" on another system are supposed to represent. The very concepts of "users" and "access control" only make sense within a particular environment. A specific user ID may represent a person, which may be me, or another person. Who knows? Or it could represent a particular service, such as a web server, which is managed by whoever is tasked with maintaining the web server. All my OS knows is that I possess a hard drive, which means I am most likely the owner/administrator of whatever that hard drive belongs to. For a USB stick or CD it gets especially silly, since no one in the world would ever think of using permission bits to protect data from other people on such media. They create files with default permissions and may not remember to change them.
Brendan wrote:Legally; the owner of the data is the one who decides who will have access to their data. If a company leases computers and pays an employee to create the data, then the owner of the data (and therefore the only entity legally able to decide who will have access) is the company. The computer owner is not the owner of the data; and neither is the employee that was paid to create it nor any root/administrator (these people merely have the ability to act on behalf of the data's owner).
Fine, then replace "computer owner" with whoever owns the operating system instance. From the operating system's point of view, this is established during installation by setting up an administrator account, and that is all it has to care about. Should there ever be a dispute between the system administrator and another party regarding who is entitled to access someone's data, well then that is a matter between those two parties. The operating system vendor is not part of that dispute, and couldn't care less.
Brendan wrote:Sure; if you're a malicious attacker it's not fun to have to find a different method of stealing someone else's data; and I will lose all the money I would've made from criminals because they'll have to use an OS that is designed to condone data theft.
The multi-billion-dollar criminal enterprise I work at requires stealing from itself as part of its daily routines. Or, put in another way, transferring data from laptops where we are known as "root" to the company network via our office computers where we log on with our Active Directory credentials. And no, we are not going to install our Active Directory database onto each of those laptops and sync them whenever someone changes their password, just so we can convince YourOS that the person trying to read data off the stick is the same person who put it there.
Brendan wrote:That's a bad analogy - you are not unauthorised, you were given explicit permission by virtue of becoming the legal owner of the house. What you are advocating is that everyone should be allowed to glue a sign on your door without permission from the owner or occupier of the house simply because they feel like assuming they can.
The sign could have been there when I bought the house, left over from its previous owner. And yes, of course I know that I am the legal owner of my house, in the same way that I know that I am the owner of my hard disks and whatever is on them. My computer, on the other hand, can not know whether the hard disk I am plugging in is my own, or if it was stolen from a random person's trash can. However, my computer can't go to prison, only I can, so it doesn't have to care.
Brendan wrote:In this analogy the cab driver is like a USB flash stick or network cable. They are not responsible for your actions. You are responsible for complying with the policy of the road owner.
Or an operating system. Like the cab driver, it is not the job of an operating system to distrust the legality of its user's actions.
Brendan wrote:Let's try the opposite. If you were able to write code that allows your OS to decrypt file systems that were encrypted by Windows or Linux (in addition to being able to bypass file system permissions that were created by Windows or Linux); would you insist that your OS should bypass encryption created by other OSs (in the same way that you are insisting that your OS should bypass permissions created by other OSs)?
No, because now you are talking about implementing a whole new feature. I assume that you are talking about having a function to break the encryption without having the key. Of course no one expects an operating system to have this as a built in feature. On the other hand, I regard any attempt at interpreting permissions created by another OS and somehow translating them to permissions for local users without being told how, as a silly bug.
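Gigasoft's two technical points (user IDs only mean something inside the environment that issued them, and foreign permission bits cannot be translated to local users "without being told how") can be made concrete with a small mount-policy model. This is an added example, not code from either poster or from any OS; the policy names "honor"/"owner"/"map", the `ForeignFile` record and the uids used are assumptions constructed for illustration, and the "map" case with an empty table is the "not told how" situation.

```python
from dataclasses import dataclass
from typing import Dict, Optional

S_IRUSR, S_IRGRP, S_IROTH = 0o400, 0o040, 0o004  # POSIX read bits (constructed example)

@dataclass(frozen=True)
class ForeignFile:
    """Ownership and mode bits exactly as stored on the plugged-in volume."""
    uid: int
    gid: int
    mode: int

@dataclass(frozen=True)
class MountPolicy:
    """Administrator-chosen rule for interpreting foreign ids (hypothetical):
    "honor" trusts foreign uid/gid as local ids (access only if the ids match);
    "owner" gives every file to the mounting user, as FAT/ISO9660 are treated;
    "map" translates via an explicit table; unmapped ids match nobody local."""
    kind: str
    mount_uid: int
    mount_gid: int
    uid_map: Optional[Dict[int, int]] = None
    gid_map: Optional[Dict[int, int]] = None

def effective_ids(f: ForeignFile, p: MountPolicy):
    """Local (uid, gid) the file is attributed to; None means 'nobody local'."""
    if p.kind == "honor":
        return f.uid, f.gid
    if p.kind == "owner":
        return p.mount_uid, p.mount_gid
    if p.kind == "map":
        return (p.uid_map or {}).get(f.uid), (p.gid_map or {}).get(f.gid)
    raise ValueError(f"unknown mount policy {p.kind!r}")

def may_read(f: ForeignFile, p: MountPolicy, uid: int, gids: set) -> bool:
    """POSIX class selection: owner bits, else group bits, else other bits."""
    owner, group = effective_ids(f, p)
    if owner is not None and owner == uid:
        return bool(f.mode & S_IRUSR)
    if group is not None and group in gids:
        return bool(f.mode & S_IRGRP)
    return bool(f.mode & S_IROTH)

def usb_stick_scenario() -> Dict[str, bool]:
    """Gigasoft's case: a report written as root (uid 0) with mode 0600 on a
    stick, read by an office user whose local uid is 1000 (constructed ids)."""
    report = ForeignFile(uid=0, gid=0, mode=0o600)
    me, groups = 1000, {1000}
    policies = {
        "honor": MountPolicy("honor", me, 1000),
        "owner": MountPolicy("owner", me, 1000),
        "map_told_how": MountPolicy("map", me, 1000, uid_map={0: me}),
        "map_not_told": MountPolicy("map", me, 1000, uid_map={}),
    }
    return {n: may_read(report, p, me, groups) for n, p in policies.items()}
```

The same on-disk bits yield opposite answers under "honor" and "owner", and the "map" policy only grants access once an administrator has stated which foreign id corresponds to which local one.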