20 April 2005

LUA and the One Hand Rule

LUA stands for Lowest User Access (rights), and is the concept that in a world full of rampant malware, we should cower in a basement panic room rather than stride masterfully about the house with a vast array of weapons and power tools to hand.

Personally, I'd rather live in a "Home", i.e. a physical location where safety is assured. In the real world, I live in a house with thick walls, barred windows, and clearly-defined doorways that are locked. In the infosphere, I live in a "network client" that takes candy from strangers, so LUA has its charms until we can get the Home Operating System to "grow up".

Put it this way; if you were forced to live in the middle of an open football field, would you carry weapons and power tools with you at all times? Would you be able to fend off those who would use these against you, 24 hours a day? If not, you'd probably want to lock those valuable, dangerous things somewhere safe until you need them - and that's what LUA is about.

But there's a user acceptance problem; no-one wants to be less powerful, so we like the idea of can-do-anything administrator user account rights. Frankly, when it's out own home computer, we feel we should accept nothing less; we should be safe in our own homes.

The One Hand Rule

Folks who work with big electricity for a living know this safety dictum, and that is; at any given moment, you don't have both hands touching sparky metal stuff at the same time. A veteran electrician may instinctively put his left hand in his pocket as he reaches with the right, in deference to this rule.

The Internet is not a network, because it excludes none. If you like to think of it as a network because it is built out of networking technologies, then consider it the mother of all infected networks that can never be cleaned. Also, try not to think of furniture as trees, just because both are made of wood!

So the "One Hand Rule" for computers is; never have one hand in the Internet while the other has a power tool or destructive weapon in it. This is the key to breaking the "Everyone Loves Admin" deadlock; make the administrator account a drab workplace where no fun abounds and only administrative work can be done. After all, Safe Mode lets you do "more stuff", yet you don't see users wanting to run in Safe Mode all the time. A game that would only run in Safe Mode wouldn't sell, yet most games that require admin rights sell just fine.

The Janitor Account

I'd combine a malware-safer Safe Mode with strong admin rights, as the only place where strong admin rights can be applied. Just as we expect weilders of power tools to be clear-sighted, sober, and knowledgeable, so we should expect the Janitor account user to be undistracted by dangerous fluff such as rich media, and up to speed with a no-frills user interface that shows things as they are; no self-defined icons, persistent handlers, custom screen savers, hiding of dangerous files and so on.

The reason is not simply to punish the user for being in the Janitor account - it has to do with safety. Hiding file name extensions, files and paths hides risk-relevant information that a wielder of power tools needs to know. Normally, you don't care where the mains wiring runs within the walls; you'd rather look at the wallpaper. But if you are drilling holes in the walls, then you need full access to that risk-relevant information.

The other safety aspect is that whenever the system "reaches ahead" of the user, dipping into files to show you custom icons or do other persisntent handler stuff, it exposes a potentially-exploitable risk surface to that material - material that you have as yet indicated no intention to handle or assume safe. I might choose to list files that I know are dangerous, in order to delete them; I do not want the system running content within these files before I can do so, as a misguided "service" to me.

For the same reason, the Janitor account wouldn't run custon screen savers or offer any other automated running of arbitrary software. You don't want arbitrary software running with strong administration rights, and while we remain blinkered into thinking of such rights as applying to everything a user does during that login, these things have to go when such rights are in effect.

2 comments:

kurt wismer said...

if i'm not mistaken, your "lowest user access" is more commonly known as "the principle of least privilege" and it's for more than just protecting you from malware, it's also for protecting you from your own mistakes... it's harder to accidentally delete critical system files if you rarely have the permissions to do so, for example...

user error isn't going to go away anytime soon so even if you could be 'safe in your own home operating system' you should still be applying the principle of least privilege because there is no way an OS can possibly know that you (as an administrator) didn't want to do X... even if operating systems could read minds you could still make mistakes by intending to do X and not understanding the consequences of your actions...

Chris Quirke said...

Yes, that's what LUA is; for some reason some folks have taken to using LUA as a TLA for "least privilege", and I had difficulty in deriving the original words behind LUA :-)

LUA as newbie-proofing is a bit controversial, though it makes sense for some users (especially those using someone else's computer).

I'm a bit old-school in that I think the owner should be treated with respect and be offered the information needed to build skills.

So I don't hide system files and so on; I prefer Explorer on truth serum!

But yes, I do take your point. For example, if a child wants to play a game, they shouldn't be in a position to stumble into formatting the hard drive, etc.

Then again, a decent UI would help there. Why are "do these frequently" tools such as backup, check for errors and defrag buried under Properties, Tools, while Format is stuck right there on the context menu? Because the HD is "just a disk", from the old pre-286 mindset?

What I was thinking of, is how mis-directed much of our "security" is, when it comes to malware.

Malware doesn't generally run because the user wants to damage, and it doesn't run by impersonating a user's identity. It runs because the user accepted an apparently small risk, but in practice took a larger one.

So at least in consumer space, I'd forget about proving that Fred is really Fred, and look at ensuring that what Fred does is really what Fred intended to do, and no more.

Safety, not security as such!