
Comment by extraisland

1 month ago

> At the limit, sure, maybe there are tradeoffs between freedom and security. But there's lots of technical solutions that we could build right now that give a lot more safety without losing any freedom at all.

Everything you have suggested in this post takes away freedom. There is no solution that doesn't take away freedom / your control. There is always a trade-off.

> Like sandboxing applications by default. Applications should by default run on my computer with the same permissions as a browser tab. Occasionally applications need more access than that. But that should require explicit privilege escalation rather than being granted to all programs by default. (Why do I need to trust that spotify and davinci resolve won't install keyloggers on my computer? Our computers are so insecure!)

This already exists on Linux.

I run Discord/Slack in Flatpak. Out of the box the folders and clipboard permissions are restricted. Only the ~/Downloads folder on my PC is accessible to Discord/Slack. You can't drag and drop things into these apps. Which makes sharing content a PITA.

If you don't want to worry about things like keyloggers, you should run an open source OS and use open source programs where you can verify that there are no keyloggers. You should also make sure you find out what firmware your keyboard is using (many keyboards themselves have complex microcontrollers on them that can be programmed).
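As an added example (not part of this thread), a small POSIX shell script that audits the filesystem grants in a Flatpak app's `[Context]` section, the same INI layout that `flatpak info --show-permissions <app-id>` prints; the two app metadata samples are constructed inline so it runs without flatpak installed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the filesystem grants in a
# Flatpak app's [Context] section, the situation the comment describes
# (Discord/Slack limited to ~/Downloads). "flatpak info --show-permissions
# <app-id>" prints this same INI layout; two constructed samples are
# embedded below so the script runs offline without flatpak installed.

WORK="${TMPDIR:-/tmp}/flatpak-audit.$$"
mkdir -p "$WORK"

# Constructed sample 1: the narrow default the comment describes.
cat >"$WORK/narrow.ini" <<'EOF'
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=xdg-download;
EOF

# Constructed sample 2: an app that was granted the whole home directory.
cat >"$WORK/broad.ini" <<'EOF'
[Context]
shared=network;
filesystems=xdg-download;home:ro;
EOF

# Print the ';'-separated values of one [Context] key, one per line.
context_values() {   # $1 = metadata file, $2 = key (e.g. filesystems)
  sed -n '/^\[Context\]/,/^\[/p' "$1" | sed -n "s/^$2=//p" \
    | tr ';' '\n' | sed '/^$/d'
}

# Exit 0 when the app can read outside the narrow XDG dirs: a "home" or
# "host*" grant, with or without a :ro/:rw/:create suffix, counts as broad.
has_broad_fs_access() {   # $1 = metadata file
  context_values "$1" filesystems | sed -E 's/:(ro|rw|create)$//' \
    | grep -qxE 'home|host|host-os|host-etc'
}

# Report one file; a broad grant can be revoked per user with
# "flatpak override --user --nofilesystem=home <app-id>".
report() {   # $1 = metadata file
  if has_broad_fs_access "$1"; then
    echo "$1: BROAD filesystem access: $(context_values "$1" filesystems | tr '\n' ' ')"
  else
    echo "$1: narrow: $(context_values "$1" filesystems | tr '\n' ' ')"
  fi
}

report "$WORK/narrow.ini"
report "$WORK/broad.ini"
```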

> Everything you have suggested in this post takes away freedom. There is no solution that doesn't take away freedom / your control. There is always a trade off.

Huh? In what way does application sandboxing take away my freedom? What can I do today that I can't do with a sandbox-everything-by-default model?

In my mind, it gives me (the user) more freedom because I can run any program I want without fear.

> I run Discord/Slack in Flatpak. Out of the box the folders and clipboard permissions are restricted. Only the ~/Downloads folder on my PC is accessible to Discord/Slack. You can't drag and drop things into these apps. Which makes sharing content a PITA.

Cool! Yeah, this is the sort of thing I want to see more of. The drag & drop problem is technically solvable - it just sounds like they haven't solved it yet. (Capabilities would be a great solution for this... just sayin'!)

  • > Huh? In what way does application sandboxing take away my freedom? What can I do today that I can't do with a sandbox-everything-by-default model?

    I've just explained that sandboxing causes issues with file access, clipboard sharing etc.

    Every hoop you add in makes it more difficult for the user to gain back control, even if that is modifying permissions yourself. Most people will just remove permissions out of annoyance.

    If you remove control, you remove people's freedom.

    > In my mind, it gives me (the user) more freedom because I can run any program I want without fear.

    Any security mechanism has a weakness or it will be bypassed by other means. So all this will give you a false sense of security.

    The moment you think you are safe is when you are most unsafe.

    > Cool! Yeah this is the sort of thing I want to see more of. The drag & drop problem is technically solvable - it just sounds like they haven't solved it yet. (Capabilities would be a great solution for this.. just sayin!)

    I don't. It is a PITA. Eventually people just turn it off. I did.

    The reality is that if you want ultimate security you have to make trade-offs. Pretending you can make some theoretical system where those trade-offs don't exist just isn't realistic.

    • > I've just explained that sand-boxing causes issues with file access, clipboard sharing etc.

      You've explained that Flatpak has issues with file access and clipboard sharing. My iPhone does sandboxing too, but the clipboard works just fine on my phone.

      I don't think "failing clipboards" is a problem specific to sandboxing. I think it's a problem specific to Flatpak. (And maybe X11 and so on.)

      > If you remove control, you remove people's freedom.

      Sandboxing gives users more control. Not less. Even if they use that control to turn off sandboxing, they still have more freedom because they get to decide if sandboxing is enabled or disabled.

      Maybe you're trying to say that security often comes with the tradeoff of accessibility? I think that's true! Security often makes things less convenient - for example, password prompts, confirmation dialogue boxes, and so on. But I think the sweet spot for inconvenience is somewhere around the iPhone. On the desktop, I want to get asked the first time a program tries to mess with the data of another program. Most programs shouldn't be allowed to do that by default.

      > Pretending you can make some theoretical system where those trade off don't exists just isn't realistic.

      I think you might be arguing with a strawman. I totally agree with you. I don't think a perfect system exists either. Of course there are tradeoffs - especially at the limit.

      But there's still often ways to make things better than they are today. For example, before Rust existed, lots of people said you had to make a tradeoff between memory safety and performance. Well, Rust showed that by making a really complex language & compiler, you could have memory safety and great performance at the same time. seL4 shows you can have a high performance microkernel based OS. V8 shows you can have decent performance in a dynamically typed language like JS.

      Those are the improvements I'm interested in. Give me capabilities and sandboxing. A lot more security in exchange for maybe a little inconvenience? I'd take that deal.


    • You seem to be arguing that adding complexity reduces freedom, but I don't think that's true in a reasonable interpretation of the word.

      Your argument would suggest that virtual memory takes away user freedom, because it's now much harder to access hardware or share data between programs, but that sounds ridiculous from a modern perspective. I think it's better to keep freedom and complexity separate, and speak about loss of freedom only when something becomes practically impossible, not just a bit more complex.


    • > Any security mechanism has a weakness or it will be bypassed by other means. So all this will give you a false sense of security.

      > The moment you think you are safe. Is when you are most unsafe.

      This is demonstrably false. Qubes OS has the lowest number of CVEs, even fewer than that of Xen. The last VM escape in it was found in 2006 by the Qubes founder (it's called "Blue Pill").

      Also: https://news.ycombinator.com/item?id=27897975
