Certainly you can imagine an unlimited number of ways to restrict permission — time of day, byte offsets within the file, read and write bandwidth limits, etc. — but you don’t need to go that far to make some progress. The perfect is the enemy of the good!

Would file selection become an operating system responsibility, with a secure way of informing the user what permissions would be granted? (Like “select a file for reading”) That’s possible, but putting security in the user interface is hard too — phishing has certainly shown us that.

And there’s *so many* levels of permission, more than the user can probably understand. I could spend hours talking about the possibilities with a user, and that’s human-to-human communication. Computers are hardly going to be better at it. An important problem, to be sure, but there’s no magic bullet. It’s not even an AI-complete problem — it’s harder than that, because we can’t do it for ourselves.

For example, every time you choose a file from a file dialog box, you are specifying a limited transfer of file access authority, and it’s a pretty common operation.

I agree that when the software uses wide-ranging network access you’re dealing with a more difficult case. The bandwidth limit is easy — just drag a slider — but if you’re talking about something that prefetches, you’d have to give out access to your complete browsing trail.

[ essay writing service ]

Iranian blogger Mojtaba Saminejad has declared a hunger strike to protest his imprisonment. The Committee to Protect Bloggers has asked that we observe a media fast next Thursday, May 26th and not blog. There are also email addresses to…

This stems in part from past experience. With many products security features are added as an afterthought or included as an optional component. This compounds the problem of thinking of usability and security as complementary because cobbling security ON TOP of a usable system usually means adding prompts and passwords and other hindrances to using the existing them insecurely. Then there are full products that serve this sort of “security band-aid” purpose, such as anti-virus and firewall applications.

Unfortunately most people do not think of security solutions that involve redesigning the system. From a business perspective it seems too costly and too impractical, so we are left with cobbled constructs. And, sadly, in software there seems to be only limited cross-pollination - people do not seem to be inclined to learn from mistakes of the past unless they were MAJOR and FLASHY mistakes.

Of course, redesigning the system, or designing with HCISEC in mind in the first place, would avoid many of these problems. But…there are hurdles here; in particular that there are to my knowledge NO consumer oriented references available on secure HCI design. Why is this? I believe it is highly that the field is still finding its footing and there are too many open questions to nail down firm guidelines. Thankfully, the field seems to be moving in the right direction, and hopefully guidance will be forthcoming.

For instance, consider the lowly “download optimizer”. It’s a plausible piece of software. The user might want it. It doesn’t break their data. But it does take up their bandwidth. How much bandwidth is okay? How much confirmation from the user is necessary? What are the privacy implications? Is there any way at all to audit how it is preserving privacy from the outside? This is the subtle boundary between a helpful program and a trojan, and one that is crossed regularly these days.