
Re: which do you think is better user experience?

Posted: Sun Feb 26, 2017 2:01 pm
by Brendan
Hi,
Gigasoft wrote:
If your OS assumes it has access without explicit permission despite clear proof that access was intended to be restricted, then your OS is a tool intended for malicious purposes (bypassing the security of other OSs).
My OS can't possibly know what the "users" on another system are supposed to represent. The very concepts of "users" and "access control" only make sense within a particular environment. A specific user ID may represent a person, which may be me, or another person. Who knows? Or it could represent a particular service, such as a web server, which is managed by whoever is tasked with maintaining the web server.
This is why the OS has to assume either "no access because permission was not granted" or "full access even though permission was not granted".
Gigasoft wrote:All my OS knows is that I possess a hard drive, which means I am most likely the owner/administrator of whatever that hard drive belongs to.
No. All the OS knows is that it can access a hard drive. It doesn't know anything about possession (and if it did, possession doesn't imply ownership or authority anyway).
Gigasoft wrote:For a USB stick or CD it gets especially silly, since no one in the world would ever think of using permission bits to protect data from other people on such media. They create files with default permissions and may not remember to change them.
That's a separate problem caused by an OS sucking in a different way (allowing files to be copied to removable media without permissions being discarded). Note that for secure systems, shifting/copying a restricted file to an untrusted device (USB flash) would be prohibited by the OS (e.g. the "*-property" of the Bell–LaPadula model).
Gigasoft wrote:
Legally, the owner of the data is the one who decides who will have access to their data. If a company leases computers and pays an employee to create the data, then the owner of the data (and therefore the only entity legally able to decide who will have access) is the company. The computer owner is not the owner of the data; and neither is the employee that was paid to create it nor any root/administrator (these people merely have the ability to act on behalf of the data's owner).
Fine, then replace "computer owner" with whoever owns the operating system instance.
You mean Microsoft or Amazon (or some other cloud service provider)?

You are still making potentially false assumptions by equating "ownership of the data" with "ownership of something that is not the data" (the computer, the storage device, the OS instance, ...).
Gigasoft wrote:
In this analogy the cab driver is like a USB flash stick or network cable. They are not responsible for your actions. You are responsible for complying with the policy of the road owner.
Or an operating system. Like the cab driver, it is not the job of an operating system to distrust the legality of its user's actions.
Nonsense. Every modern OS distrusts the legality of its user's actions. It's why file systems have permissions in the first place.
Gigasoft wrote:
Let's try the opposite. If you were able to write code that allows your OS to decrypt file systems that were encrypted by Windows or Linux (in addition to being able to bypass file system permissions that were created by Windows or Linux); would you insist that your OS should bypass encryption created by other OSs (in the same way that you are insisting that your OS should bypass permissions created by other OSs)?
No, because now you are talking about implementing a whole new feature. I assume that you are talking about having a function to break the encryption without having the key. Of course no one expects an operating system to have this as a built in feature.
So it's fine to assume you have access without explicit permission when another system has obviously attempted to restrict access (via. file system permissions) and it's also not fine to assume you have access without explicit permission when another system has obviously attempted to restrict access (via. encryption).

That doesn't seem hypocritical to you?
Gigasoft wrote:On the other hand, I regard any attempt at interpreting permissions created by another OS and somehow translating them to permissions for local users without being told how, as a silly bug.
At least you agree with one of the things I originally said (that it's impractical for one OS to understand a different OS's permissions).


Cheers,

Brendan

Re: which do you think is better user experience?

Posted: Sun Feb 26, 2017 2:12 pm
by Solar
Brendan wrote:If your OS assumes it has access without explicit permission despite clear proof that access was intended to be restricted, then your OS is a tool intended for malicious purposes (bypassing the security of other OSs).
This one has been debunked in court.

A tool is malicious if it purposely bypasses effective security.

A user ID and some specification documents are not security. They're policy. Highly context-dependent policy as well -- how do you know that I, user ID XYZ, do not happen to be allowed access to the data of user 123 on your OS' partition? (Because I am him, I am his supervisor, I am his system administrator, or whatever?)

Hence, I may or may not adhere to that policy. If you want security, encrypt.

Re: which do you think is better user experience?

Posted: Sun Feb 26, 2017 2:24 pm
by Brendan
Hi,
Solar wrote:
Brendan wrote:If your OS assumes it has access without explicit permission despite clear proof that access was intended to be restricted, then your OS is a tool intended for malicious purposes (bypassing the security of other OSs).
This one has been debunked in court.

A tool is malicious if it purposely bypasses effective security.
Then it's impossible for any tool to be malicious because as soon as any tool is able to bypass security the security is no longer effective.

Note that a court only gives an "in the eyes of the law" opinion - morality and legality aren't equivalent.


Cheers,

Brendan

Re: which do you think is better user experience?

Posted: Sun Feb 26, 2017 4:21 pm
by MichaelFarthing
Brendan wrote: Note that a court only gives an "in the eyes of the law" opinion - morality and legality aren't equivalent.
Precisely. Which is why it is moral and proper for you to adhere to the principles you have stated because that is what you believe to be right.

It is also right and proper for me to do the opposite because my morals are quite other than yours in this regard.

Law applies to everyone submitting themselves to a jurisdiction. Morals are determined by each individual: there are no absolute standards. Some individuals base their decision on some particular higher authority (frequently called God) but in the end it remains their individual decision.

To give a concrete example of a situation where breach of an OS security is in my view both ethical and legitimate: I had a computer with two hard drives, both controlled by the same operating system. One drive failed and it contained the user database. The data on the other drive became inaccessible as a result. Violating that security is in my view perfectly OK.

Re: which do you think is better user experience?

Posted: Sun Feb 26, 2017 8:02 pm
by Sik
Brendan wrote:That's a separate problem caused by an OS sucking in a different way (allowing files to be copied to removable media without permissions being discarded).
The most common use I have for removable media is either as back-up for my own files or to transfer files between my own systems. Keeping permissions would be nice.


The real problem is that computers are awful at making it easy to assign who can check each file. How it goes is that person A asks person B if they can get a file, and B tells "sure" to A, and of course the computer can't even know, yet they'll expect it to work. Gets even worse when a hierarchy is involved like in a company. Users should be setting the permissions on the file before giving them away, but chances are they won't 99.99% of the time, if they even know they can do it.

I'm using Ubuntu and it defaults to writeable by owner and readable by everybody (of course you can override this as usual). That tends to cover most common cases, but of course it's far from perfect. But I can't think of any real way to work around this, except maybe explicitly altering the permissions when transferring (e.g. automatically give the destination user access). And that sounds feasible only when sending files over a network, not on removable media where the computer can't know who the destination is.

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 1:03 am
by Solar
Brendan wrote:Then it's impossible for any tool to be malicious because as soon as any tool is able to bypass security the security is no longer effective.
Pretty much, yes. You nailed it. Tools are not malicious, only the purpose of what they're used for can be.

Permissions are not an effective security mechanism as soon as the OS defining the permission policies isn't the one controlling the access anymore. Perhaps not even when it is the OS in control. Demanding "ethical" behaviour won't change that.

You want security, you have to enforce it.

----

To return to your "unlocked house" metaphor.

If your house is unlocked, you don't have security. You are relying on ethical behaviour, and perhaps fear of punishment.

If your house is locked, you still don't have security. You are still relying on ethical behaviour and fear of punishment, because breaking & entering is dead easy.

If you want security, you need reinforced doors, unbreakable glass, and sturdy walls. Basically, the effort of breaking and entering must exceed the value of anything within your house to the criminal.

Have a look at those three examples, and how they relate to file permissions vs. encryption.

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 3:25 am
by rdos
Schol-R-LEA wrote: Want to use a file system for some other OS on the same computer? Install that OS as a separate v-machine and go to town, just don't expect to be able to use that to access data that a) is all automatically encrypted with multiple, varying keys and algorithms chosen by the system according to user-configurable settings, and b) isn't organized into files. Want to use the WWW or most other Internet services? Yeah, those all get their own sandbox v-macs, ones which don't get to play with the disk at all except for some scratch/swap space of their very own - they can talk to the desktop manager (which is a separate v-mac as well), but unless things go really sideways, nothing they do should be able to affect anything in the permanent secondary storage.
Yes, that is a healthy attitude to security. It's just silly that web browsers, email clients and the like have access to your personal data. This is just a bad design decision based on too much trust in the user account mechanism. If web apps or email clients couldn't change your system, then no viruses would ever come from that source. Instead, the OS should provide safe mechanisms to transfer content between those two domains that are always literally approved by the user.

Also, if you want your data to be safe on a disc, don't rely on user rights. Use encryption instead.

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 12:32 pm
by Brendan
Hi,
Solar wrote:To return to your "unlocked house" metaphor.

If your house is unlocked, you don't have security. You are relying on ethical behaviour, and perhaps fear of punishment.

If your house is locked, you still don't have security. You are still relying on ethical behaviour and fear of punishment, because breaking & entering is dead easy.

If you want security, you need reinforced doors, unbreakable glass, and sturdy walls. Basically, the effort of breaking and entering must exceed the value of anything within your house to the criminal.

Have a look at those three examples, and how they relate to file permissions vs. encryption.
If the doors are wide open then it's probably a public place (e.g. a shop where they want you to enter) and even if it isn't there's no way to tell that it isn't; and therefore it's fine to enter.

If there's an extremely weak/ineffective attempt to control access (which could just be a sign saying "no entry" and nothing else) then it's easy to enter but unethical to do so without permission. If there's extremely strong security (reinforced doors, unbreakable glass, alarm system, armed guards) but you are able to work around it all somehow then it's hard to enter and still unethical to do so.

If an attempt to restrict access exists, then "access without permission" is unethical; and this has nothing to do with your ability (or lack of ability) to gain access and nothing to do with the strength of the security. The strength of the security has nothing to do with ethical behaviour and only determines how easy or hard it is to do something unethical.


Cheers,

Brendan

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 2:07 pm
by LtG
"If there's an extremely weak/ineffective attempt to control access (which could just be a sign saying "no entry" and nothing else) then it's easy to enter but unethical to do so without permission."

- What about failed attempts? It's still an attempt. Or suppose the sign falls off and is eaten by rodents. Am I expected to honor it even though I have no practical way of knowing about it? Even if I had prior knowledge of it, I have no way of knowing if it's been removed on purpose.

- Maybe just bad wording, but aren't emergency personnel (police, firefighters, etc) entering without permission? Is it unethical?


"The strength of the security has nothing to do with ethical behaviour"

- The strength may convey intention, so it certainly has something to do with ethics. Suppose there are cabins in the woods with closed doors (but not locked, or very simple "locks" that don't require keys). The intent of the door and possible simple "lock" is to keep animals out, but not people. If these cabins are clearly intended for people to use at will then it can't be unethical, can it?

So all in all, I think it's more than the simple existence of security that defines the line between ethical vs. unethical. Maybe the intent of the security? But also expectations. If the FS has no security then I don't think it's unethical for the software to allow access to it; it would be upon the person to do the ethical thing and not access something they're not supposed to. Also, I think it's unfair to demand "ethics" from software that will to some extent cripple that software when 1001 other pieces of software already exist that can bypass it, so in effect any "security" that a simple ACL based FS has is already lost anyway.

Note, I think that even Linux can't honor the "security" of ext2. Suppose the FS is corrupted and you re-install the OS and the passwd file is also lost. Does that mean that all the files should now be thrown out? And if even Linux can't honor the security then there can't really be an expectation for you to do it with your OS can there?

So I think it's limiting for software at that level to impose "ethics" and thus it must let it be taken care of at a higher level, by people. As a final thought, if you have an encrypted container and just happen to guess the correct key, is it ethical or unethical for your OS to allow access? Just because you guessed the key doesn't mean you should have access, but the OS doesn't really have any way of knowing that you guessed it. I'm not saying that because there's no perfect security that security doesn't exist at all, rather that if there's no way for the OS to know if something is ethical or unethical it must rely on the user being ethical or on the "owner" putting up proper defenses. The OS is the wrong entity to try to enforce ethics in this instance, though it can certainly do it for those FS's where it knows the answer, but for foreign filesystems that have no mapping to your security "domain" (for example user to user mappings) it can't simply assume the user is unethical. As an added bonus it only means that people will use some other OS to unethically access the files, "convert" them to some other format (like your FS image) so that your system will accept them. So it's mostly a pointless battle.

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 2:30 pm
by Gigasoft
No. All the OS knows is that it can access a hard drive. It doesn't know anything about possession (and if it did, possession doesn't imply ownership or authority anyway).
If I am the administrator, then it doesn't matter - it should just do whatever I tell it to.

If I am not the administrator, then the administrator will have configured the system so that it knows about every external port where local users can connect their own devices. If someone plugs a device into such a port, it is fair to assume that such a device is in the possession of the user who is currently logged on locally with their screen unlocked, and he should be given access to its contents. Any other devices, such as internal hard disks, are of course off limits unless access was specifically granted by the administrator. And of course, remotely logged in users should not have access to plugged in devices either.

If there exist situations where possession does not imply authorization, then the administrator is free to create rules that specify the details. Perhaps they want to only allow specially approved drives, and maybe assign some custom meaning to the permission information, for example, by setting up a translation table that converts Posix UIDs or Windows SIDs to local user identities. But, this should be optional. In a well secured workplace, hard drives with sensitive data shouldn't just be lying around in unlocked rooms, so we can indeed assume that possession implies authorization. (If this is not enforced, then it is possible for someone to take sensitive data home and read it with their own computer anyway.)
You mean Microsoft or Amazon (or some other cloud service provider)?
Yes, that includes cloud services. In this case, the data access policy should be whatever the customer specifies. Otherwise, they are providing a broken service. Again, it is up to the service provider to take responsibility for adhering to its own contract.
Nonsense. Every modern OS distrusts the legality of its user's actions. It's why file systems have permissions in the first place.
File system permissions only tell you whether an access is conformant to a given access policy. This has of course nothing to do with "legality" according to the law of whatever country one is in. Only a human can be the judge of that. An OS should enforce the access policy decided on by the administrator, not some random imagined access policy which may or may not have been in effect at some other place at some point in time.

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 5:35 pm
by Brendan
Hi,
LtG wrote:"If there's an extremely weak/ineffective attempt to control access (which could just be a sign saying "no entry" and nothing else) then it's easy to enter but unethical to do so without permission."

- What about failed attempts? It's still an attempt. Or suppose the sign falls off and is eaten by rodents. Am I expected to honor it even though I have no practical way of knowing about it? Even if I had prior knowledge of it, I have no way of knowing if it's been removed on purpose.
The intent is what matters, not the outcome. If you design an OS that tries to bypass another OS's security, then the OS design is unethical regardless of whether it succeeds or fails to bypass another OS's security (in the same way that attempting murder is unethical even if you don't succeed).
LtG wrote:- Maybe just bad wording, but aren't emergency personnel (police, firefighters, etc) entering without permission? Is it unethical?
If I hire you to do a job (e.g. protect my house from fire) then permission is implied; and if you use a flimsy excuse ("I don't know if I have permission") to avoid doing the job that I'm paying you to do then that would be extremely unethical.

If an entire community of people collaborate (via. forming a government, etc) to hire people (and pay them via. a system of taxes) to do a job (e.g. protect all the houses from fire), then permission (e.g. "in case of fire and only in case of fire, you have permission to put that fire out") is implied; and if emergency service personnel use a flimsy excuse ("I don't know if I have permission") to avoid doing the job that they're paid to do then that would be extremely unethical.

In the context of operating systems and files; an OS is not like an emergency service (e.g. fire department) - its reason to exist is not "to rescue files belonging to other OSs" and there is no "permission to access files for the purpose of rescuing them" implied. Something like a data recovery specialist that tries to recover the data off of the dead hard drive (usually for a large fee) would be like an emergency service (and would have implied permission to recover the files) but that is not an OS.
LtG wrote:"The strength of the security has nothing to do with ethical behaviour"

- The strength may convey intention, so it certainly has something to do with ethics. Suppose there are cabins in the woods with closed doors (but not locked, or very simple "locks" that don't require keys). The intent of the door and possible simple "lock" is to keep animals out, but not people. If these cabins are clearly intended for people to use at will then it can't be unethical, can it?
If another OS's file system is designed to prevent animals from accessing files but allow all people access to those same files; then, if and only if your OS prevents animals from accessing the files, it'd be fine if your OS allows people to access the files (because your OS is honouring the file system permissions).
LtG wrote:So all in all, I think it's more than the simple existence of security that defines the line between ethical vs. unethical. Maybe the intent of the security? But also expectations. If the FS has no security then I don't think it's unethical for the software to allow access to it, it would be upon the person to do the ethical thing and not access something they're not supposed to. Also, I think it's unfair to demand "ethics" from software that will to some extent cripple that software when 1001 other software already exist that can bypass it, so in effect any "security" that simple ACL based FS have it's already lost anyway.
The problem is that you have no practical way of knowing who does/doesn't have permission or what the intent of some other OS may be. If there's evidence of an attempt to restrict some people's access (e.g. a permission system) then you can't assume that there's no attempt to restrict some people's access.

Note that for some file systems there are clear/unambiguous "anyone can access" permissions (e.g. the S_IROTH, S_IWOTH and S_IXOTH flags in ext2 inodes); and it might or might not be unethical for your OS to (e.g.) allow read access to file/s that are clearly marked as "anyone can read" by another OS. However (at least in theory), the other OS might (e.g.) use a log of "who accessed what" (for security audits, etc) stored elsewhere and not stored in that file system; so you might still be bypassing (part of) the other OS's security by reading from an "anyone can read" file without updating a log stored elsewhere. Note: Linux does support this kind of logging.
LtG wrote:Note, I think that even Linux can't honor the "security" of ext2. Suppose the FS is corrupted and you re-install the OS and the passwd file is also lost. Does that mean that all the files should now be thrown out? And if even Linux can't honor the security then there can't really be an expectation for you to do it with your OS can there?
If a user of my OS has problems with a different OS (either because the other OS is crap or they didn't have backups or whatever) I might feel sorry for them (and I might laugh in their face), but it is not my problem and not something my OS should care about. My OS should care about ensuring that it can never happen to users of my OS (possibly by ensuring redundancy/backups? Not sure).
LtG wrote:So I think it's limiting for software at that level to impose "ethics" and thus must let it be taken care of at a higher level, by people. As a final thought, if you have an encrypted container, just happen to guess the correct key is it ethical or unethical for your OS to allow access?
It's unethical for an OS to allow an encrypted container to be accessed if that container does not belong to the OS. It makes no difference if the key is correct or not (and therefore makes no difference if the correct key was guessed or not).

If the encrypted container does belong to the OS, then the OS shouldn't have any reason to ask any user what the key is (e.g. it should be generated by the OS and then stored in some form of sealed storage, which is how most modern disk encryption schemes work).
LtG wrote:The OS is wrong entity to try to enforce ethics in this instance, though it can certainly do it for those FS's where it knows the answer, but foreign filesystems that have no mapping to your security "domain" (for example user to user mappings) then it can't simply assume the user is unethical.
Nonsense. An OS designer must (intentionally or unintentionally) choose between enforcing or bypassing the security policies of other OSs; and the OS is the only entity able to enforce the ethics (or lack of ethics) involved in that choice.

Note that I doubt you (or others) truly believe that bypassing the security policies of other OSs is ethical; I think you are only trying to defend tradition and/or convenience.
LtG wrote:As an added bonus it only means that people will use some other OS to unethically access the files, "convert" them to some other format (like your FS image) so that your system will accept them. So it's mostly a pointless battle..
"Your OS should kill people, because if it doesn't users will just find a different way to kill people" :roll:


Cheers,

Brendan
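Two points in the thread lend themselves to working code: the "anyone can access" bits (S_IROTH/S_IWOTH/S_IXOTH) stored in an ext2 i_mode, and Gigasoft's idea of an admin-supplied table translating foreign UIDs/GIDs to local identities, with an audit record of each decision. The example below is added here and is not code from the thread or any poster's OS; the inode values, user names and the MountPolicy shape are constructed for illustration. It applies POSIX class selection (owner bits if you are the mapped owner, else group bits if mapped group matches, else "other" bits) and defaults to deny when no mapping exists and honouring "other" bits is switched off.

```python
import stat
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Permission bit triples (owner, group, other) for each operation,
# exactly as they appear in an ext2 inode's i_mode field.
OPS = {
    "read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "exec": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


@dataclass(frozen=True)
class ForeignInode:
    """The ownership/mode fields of an inode written by some other OS."""
    uid: int
    gid: int
    mode: int  # i_mode: file type bits plus the 9 permission bits


@dataclass
class MountPolicy:
    """Per-volume policy the local administrator sets when mounting a
    foreign filesystem (hypothetical structure, not any real OS's)."""
    uid_map: Dict[int, str] = field(default_factory=dict)   # foreign uid -> local user
    gid_map: Dict[int, str] = field(default_factory=dict)   # foreign gid -> local group
    honour_other_bits: bool = True   # treat S_I?OTH as "anyone on this OS"
    audit: List[str] = field(default_factory=list)          # decision log


def describe_mode(mode: int) -> Dict[str, Dict[str, bool]]:
    """Decode the three permission classes of an i_mode into booleans."""
    classes = {"owner": {}, "group": {}, "other": {}}
    for op, (u, g, o) in OPS.items():
        classes["owner"][op] = bool(mode & u)
        classes["group"][op] = bool(mode & g)
        classes["other"][op] = bool(mode & o)
    return classes


def decide(inode: ForeignInode, local_user: str, local_groups: Set[str],
           op: str, policy: MountPolicy) -> Tuple[bool, str]:
    """Decide whether local_user may perform op on a foreign inode.

    POSIX class selection: the first matching class decides, so a mapped
    owner gets only the owner bits even if the 'other' bits grant more.
    Every decision is appended to policy.audit so the local OS keeps a
    record of which foreign files were touched and why it allowed it.
    """
    if op not in OPS:
        raise ValueError(f"unknown operation {op!r}")
    bits = describe_mode(inode.mode)
    owner_local = policy.uid_map.get(inode.uid)
    group_local = policy.gid_map.get(inode.gid)

    if owner_local is not None and owner_local == local_user:
        allowed, reason = bits["owner"][op], "owner class via admin uid map"
    elif group_local is not None and group_local in local_groups:
        allowed, reason = bits["group"][op], "group class via admin gid map"
    elif policy.honour_other_bits:
        allowed, reason = bits["other"][op], "'other' class bits"
    else:
        allowed, reason = False, "no identity mapping; default deny"

    verdict = "ALLOW" if allowed else "DENY"
    policy.audit.append(
        f"{verdict} {op} {local_user} foreign uid={inode.uid} gid={inode.gid} "
        f"mode={stat.S_IMODE(inode.mode):04o}: {reason}")
    return allowed, reason


if __name__ == "__main__":
    # Constructed sample: a 0644 file owned by foreign uid/gid 1000.
    shared = ForeignInode(uid=1000, gid=1000, mode=stat.S_IFREG | 0o644)
    # Constructed sample: a 0600 file, e.g. a stolen laptop's private data.
    private = ForeignInode(uid=1000, gid=1000, mode=stat.S_IFREG | 0o600)
    policy = MountPolicy()  # no mapping supplied by the local admin
    for inode in (shared, private):
        for op in ("read", "write"):
            print(op, decide(inode, "admin", {"wheel"}, op, policy))
    print("\n".join(policy.audit))
```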

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 6:41 pm
by Brendan
Hi,
Gigasoft wrote:
No. All the OS knows is that it can access a hard drive. It doesn't know anything about possession (and if it did, possession doesn't imply ownership or authority anyway).
If I am the administrator, then it doesn't matter - it should just do whatever I tell it to.
If there are 2 operating systems on a computer, you are the administrator of one OS and I am the administrator of the other OS; then you should be ignored whenever I want to access data on your OS regardless of how hard you try to use file system permissions to explicitly deny my access to your OS's files?

Note that (in my opinion) "admin" is just a glorified janitor and should not have access to (e.g.) files owned by the head of accounting, even when those files are on the same OS that "admin" is responsible for maintaining.
Gigasoft wrote:If I am not the administrator, then the administrator will have configured the system so that it knows about every external port where local users can connect their own devices. If someone plugs a device into such a port, it is fair to assume that such a device is in the possession of the user who is currently logged on locally with their screen unlocked, and he should be given access to its contents. Any other device, such as internal hard disks, are of course off limits unless access was specifically granted by the administrator. And of course, remotely logged in users should not have access to plugged in devices either.
You are an OS developer, not an administrator; and you have no possible way of guessing what any of the thousands of different administrators have actually done with a variety of different OSs that have nothing to do with you on a huge number of different computers that you will never see. Does your OS make random assumptions about things that you can't possibly know in a lame attempt to justify poor OS design?
Gigasoft wrote:If there exist situations where possession does not imply authorization, then the administrator is free to create rules that specify the details. Perhaps they want to only allow specially approved drives, and maybe assign some custom meaning to the permission information, for example, by setting up a translation table that converts Posix UIDs or Windows SIDs to local user identities. But, this should be optional. In a well secured workplace, hard drives with sensitive data shouldn't just be lying around in unlocked rooms, so we can indeed assume that possession implies authorization. (If this is not enforced, then it is possible for someone to take sensitive data home and read it with their own computer anyway.)
A 12 year old steals your Mother's laptop containing her online banking details. They plug her hard drive into their computer which is running your OS, and your OS trusts a 12 year old thief with your Mother's online banking passwords simply because they happen to be the "head janitor" for that computer. When you find out that your Mother's bank accounts have all been emptied and that your Mother has been living as a homeless person for the last 2 weeks (evicted for not being able to pay rent), you tell yourself "Isn't it nice that my OS allowed this!".
Gigasoft wrote:
Nonsense. Every modern OS distrusts the legality of its user's actions. It's why file systems have permissions in the first place.
File system permissions only tell you whether an access is conformant to a given access policy. This has of course nothing to do with "legality" according to the law of whatever country one is in. Only a human can be the judge of that.
Obviously I meant "legal in the eyes of the OS's security policy" and not "legal in the eyes of the law".
Gigasoft wrote:An OS should enforce the access policy decided on by the administrator, not some random imagined access policy which may or may not have been in effect at some other place at some point in time.
An OS should enforce the access policy decided on by the owner of the data, even if the owner of the data delegates responsibility for security settings to an administrator, and even if the OS has no idea what the access policy is because it's some other OS's access policy.


Cheers,

Brendan

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 7:28 pm
by Sik
Brendan wrote:In the context of operating systems and files; an OS is not like an emergency service (e.g. fire department) - its reason to exist is not "to rescue files belonging to other OSs" and there is no "permission to access files for the purpose of rescuing them" implied. Something like a data recovery specialist that tries to recover the data off of the dead hard drive (usually for a large fee) would be like an emergency service (and would have implied permission to recover the files) but that is not an OS.
Not necessarily. It could be that some other part of the hardware was rendered unusable but the hard disk with the files you want still works just fine. Or any other drive that was written by a now non-working OS install, really. Going to some data recovery service when the filesystem is perfectly intact is completely stupid unless you want to force people to give away a ton of money (which is arguably more directly unethical, as said money may be better spent on other things).

Of course you could argue about back-up services, but if I have my old drive perfectly working, why shouldn't I be able to use it simply because I changed to a new OS install?
Brendan wrote:Note that for some file systems there are clear/unambiguous "anyone can access" permissions (e.g. the S_IROTH, S_IWOTH and S_IXOTH flags in ext2 inodes); and it might or might not be unethical for your OS to (e.g.) allow read access to file/s that are clearly marked as "anyone can read" by another OS. However (at least in theory), the other OS might (e.g.) use a log of "who accessed what" (for security audits, etc) stored elsewhere and not stored in that file system; so you might still be bypassing (part of) the other OS's security by reading from an "anyone can read" file without updating a log stored elsewhere. Note: Linux does support this kind of logging.
In this case shouldn't you just consider access to any external filesystem as unethical, even if the OS knows exactly how the permissions map to its own users? And then instead just require the other OS to explicitly transfer files (which honestly would also avoid a lot of the other problems). Though you'd also need to ensure the other OS should be allowed to access said filesystem...
Brendan wrote:It's unethical for an OS to allow an encrypted container to be accessed if that container does not belong to the OS. It makes no difference if the key is correct or not (and therefore makes no difference if the correct key was guessed or not).
Somebody who has the correct key is more likely to be the real owner than somebody marked as such by permissions (if you can guess the decryption key, chances are you can forge the permissions with far less effort than that). Which probably just brings us back to what I responded in the quote above (simply forbid access to any external filesystems at all since you can't trust them).
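The quoted remark about the S_IROTH, S_IWOTH and S_IXOTH flags in ext2 inodes is the one concrete technical point in this exchange, so here is an added example (my own code, not code from this thread or from any OS or project it mentions) that makes the two competing rules executable. It pulls i_mode, i_uid and i_gid out of a raw on-disk ext2 inode (little-endian, i_mode at offset 0, i_uid at offset 2, i_gid at offset 24), then applies two decision functions: the ordinary POSIX class selection an OS uses on its own file system, which silently equates a foreign uid 1000 with the local uid 1000, and a conservative rule for a foreign file system that counts only the unambiguous "other" bits and refuses outright when the foreign system is known to depend on an access log this OS cannot update. The sample inode is constructed inline, and the function names and the `foreign_audit_required` flag are my own assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ext2 i_mode permission bits. These share their values with POSIX st_mode. */
#define EXT2_S_IROTH 0004
#define EXT2_S_IWOTH 0002
#define EXT2_S_IXOTH 0001

/* Requested access, encoded like an rwx triplet so it can be masked against a class. */
enum access_req { ACC_EXEC = 1, ACC_WRITE = 2, ACC_READ = 4 };

/* The three inode fields the decision needs. */
struct ext2_inode_hdr {
    uint16_t mode;
    uint16_t uid;
    uint16_t gid;
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Pull i_mode (offset 0), i_uid (offset 2) and i_gid (offset 24) out of a raw
 * on-disk ext2 inode. Only the low 16 bits of uid/gid are read; the high
 * halves live in the OS-dependent area and are ignored here. */
bool ext2_parse_inode(const uint8_t *raw, size_t len, struct ext2_inode_hdr *out)
{
    if (raw == NULL || out == NULL || len < 26)
        return false;
    out->mode = le16(raw + 0);
    out->uid  = le16(raw + 2);
    out->gid  = le16(raw + 24);
    return true;
}

/* Constructed sample inode (not copied from any real disk): a zero-filled
 * 128-byte record with only mode, uid and gid set. */
bool build_sample_inode(uint8_t *buf, size_t len, uint16_t mode, uint16_t uid, uint16_t gid)
{
    if (buf == NULL || len < 128)
        return false;
    memset(buf, 0, len);
    buf[0]  = (uint8_t)(mode & 0xff); buf[1]  = (uint8_t)(mode >> 8);
    buf[2]  = (uint8_t)(uid & 0xff);  buf[3]  = (uint8_t)(uid >> 8);
    buf[24] = (uint8_t)(gid & 0xff);  buf[25] = (uint8_t)(gid >> 8);
    return true;
}

/* Ordinary POSIX class selection, as an OS does on its own file system: owner
 * class if the caller's uid matches, else group class if the gid matches, else
 * the "other" class. Applied to a foreign file system this assumes that uid
 * 1000 over there is the same principal as uid 1000 here. */
bool native_access_allowed(const struct ext2_inode_hdr *in, uint16_t caller_uid,
                           uint16_t caller_gid, unsigned req)
{
    unsigned class_bits;
    if (caller_uid == in->uid)
        class_bits = (in->mode >> 6) & 07;
    else if (caller_gid == in->gid)
        class_bits = (in->mode >> 3) & 07;
    else
        class_bits = in->mode & 07;
    return (req & ~class_bits) == 0;
}

/* Conservative rule for a file system whose uid/gid namespace belongs to
 * another OS: owner and group classes cannot be mapped to local principals,
 * so only the S_I?OTH bits count and every requested bit must be present
 * there. If the foreign system is known to depend on an access log this OS
 * cannot update, deny regardless of the bits. */
bool foreign_access_allowed(const struct ext2_inode_hdr *in, unsigned req,
                            bool foreign_audit_required)
{
    if (foreign_audit_required)
        return false;
    unsigned other = in->mode & (EXT2_S_IROTH | EXT2_S_IWOTH | EXT2_S_IXOTH);
    return (req & ~other) == 0;
}

int main(void)
{
    uint8_t raw[128];
    struct ext2_inode_hdr in;
    /* Regular file, rw-r-----, owned by uid 1000 / gid 100 on the other OS. */
    build_sample_inode(raw, sizeof raw, 0100640, 1000, 100);
    ext2_parse_inode(raw, sizeof raw, &in);
    printf("mode %o uid %u gid %u\n", (unsigned)(in.mode & 07777), (unsigned)in.uid, (unsigned)in.gid);
    printf("native rule, local uid 1000 reads: %s\n",
           native_access_allowed(&in, 1000, 100, ACC_READ) ? "allow" : "deny");
    printf("foreign rule reads:                %s\n",
           foreign_access_allowed(&in, ACC_READ, false) ? "allow" : "deny");
    return 0;
}
```

With the sample 0640 inode the native rule lets a local uid 1000 read the file and the foreign rule refuses; changing the mode to 0644 makes both allow a read and both deny a write. The example takes no side in the argument, it only shows where the two rules diverge.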

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 9:14 pm
by Brendan
Hi,
Sik wrote:
Brendan wrote:In the context of operating systems and files; an OS is not like an emergency service (e.g. fire department) - its reason to exist is not "to rescue files belonging to other OSs" and there is no "permission to access files for the purpose of rescuing them" implied. Something like a data recovery specialist that tries to recover the data off of the dead hard drive (usually for a large fee) would be like an emergency service (and would have implied permission to recover the files) but that is not an OS.
Not necessarily. It could be that some other part of the hardware was rendered unusable but the hard disk with the files you want still works just fine. Or any other drive that was written by a now non-working OS install, really. Going to some data recovery service when the filesystem is perfectly intact is completely stupid unless you want to force people to give away a ton of money (which is arguably more directly unethical, as said money may be better spent on other things).

Of course you could argue about back-up services, but if I have my old drive perfectly working, why shouldn't I be able to use it simply because I changed to a new OS install?
Look, this issue is extremely simple: The OS doesn't know if access is permitted by the owner of the data; and therefore must either allow access knowing that doing so may be against the owner's wishes (unethical), or deny access to ensure that the owner's wishes have not been disregarded (ethical).

Unless you are able to show that doing something against the owner's wishes is ethical; then it's an irrelevant distraction. Ethics is not about convenience, it's about doing what is right (even when it's inconvenient).

It could be that some other part of the hardware was rendered unusable or that the OS needed to access the files was intentionally removed; and the hard disk or file system with the files you want still works just fine. Maybe an OS should create a recovery disk as part of installing the OS (and optionally at any time after). Maybe the user should've used RAID, or should buy a new drive and restore the OS from backup. Maybe the owner of the data deliberately removed the OS or deliberately destroyed the hard drive to make sure nobody could access files (but did create a copy of the OS so that they could recover the files later). None of it matters; you don't know who the owner of the data was or if they gave permission so you can't assume permission was granted.
Sik wrote:
Brendan wrote:Note that for some file systems there are clear/unambiguous "anyone can access" permissions (e.g. the S_IROTH, S_IWOTH and S_IXOTH flags in ext2 inodes); and it might or might not be unethical for your OS to (e.g.) allow read access to file/s that are clearly marked as "anyone can read" by another OS. However (at least in theory), the other OS might (e.g.) use a log of "who accessed what" (for security audits, etc) stored elsewhere and not stored in that file system; so you might still be bypassing (part of) the other OS's security by reading from an "anyone can read" file without updating a log stored elsewhere. Note: Linux does support this kind of logging.
In this case shouldn't you just consider access to any external filesystem as unethical, even if the OS knows exactly how the permissions map to its own users? And then instead just require the other OS to explicitly transfer files (which honestly would also avoid a lot of the other problems). Though you'd also need to ensure the other OS should be allowed to access said filesystem...
How would you restore data from a backup if you refuse to access any external file system? What about external file systems that are intended for transferring data between systems (e.g. how would you copy files stored on a digital camera's CompactFlash card onto your computer)?
Sik wrote:
Brendan wrote:It's unethical for an OS to allow an encrypted container to be accessed if that container does not belong to the OS. It makes no difference if the key is correct or not (and therefore makes no difference if the correct key was guessed or not).
Somebody who has the correct key is more likely to be the real owner than somebody marked as such by permissions (if you can guess the decryption key, chances are you can forge the permissions with far less effort than that). Which probably just brings us back to what I responded in the quote above (simply forbid access to any external filesystems at all since you can't trust them).
If someone has the correct key (even though no human was supposed to ever see or obtain the correct key) then you can assume security has been compromised and should erase all the data as soon as possible in an attempt to protect any confidentiality that hasn't already been lost.


Cheers,

Brendan

Re: which do you think is better user experience?

Posted: Mon Feb 27, 2017 11:15 pm
by Sik
Brendan wrote:Look, this issue is extremely simple: The OS doesn't know if access is permitted by the owner of the data; and therefore must either allow access knowing that doing so may be against the owner's wishes (unethical), or deny access to ensure that the owner's wishes have not been disregarded (ethical).

Unless you are able to show that doing something against the owner's wishes is ethical; then it's an irrelevant distraction. Ethics is not about convenience, it's about doing what is right (even when it's inconvenient).
You're completely ignoring my point which is that your idea can lock out the owners themselves from their own data, simply because they weren't using whatever your specific OS instance wants everywhere (which is guaranteed to happen the moment they deal with multiple systems at any time in their lives).

Oh, and on top of that I could just take your data to another system, modify it there carefully and change any permissions without your OS ever suspecting anything (assuming any traces are correct, possibly generating fake logs if needed). So your method isn't even foolproof.

Your idea doesn't bring in any real good whatsoever and instead has the potential to cause a lot of harm, and not to strangers but to the people who actually are meant to own those files in the first place (let alone anybody they want to share those files with). Please explain to me how that is any more ethical than all those arbitrary restrictions.

If you're going to insist on it then at least drop the façade and don't allow direct access to any files at all so users don't end up with wrong impressions of what they're allowed to do.
Brendan wrote:How would you restore data from a backup if you refuse to access any external file system?
Send the data to a trusted system that holds the back-up, and when you need it back you request the data back from said system (which would be explicitly granting you the permissions you need). You aren't touching the filesystems directly at all, you're transferring files between two systems.

This does mean that probably removable media is out of the question, simply because they normally won't tell you whether you should be allowed to touch the files in them. But then ask yourself if allowing that would be ethical.
Brendan wrote:What about external file systems that are intended for transferring data between systems (e.g. how would you copy files stored on a digital camera's CompactFlash card onto your computer)?
How can you be sure that the original owner of said data has given you permission to access that data? Just because the filesystem has removed the permissions it doesn't mean the owner has opened it free for everyone, but that the filesystem is lacking an important feature instead. If anything, this should be a bigger alert than anything else, given what you insist should be ethical.

Case in point, what if I take a camera (or its memory) from somebody else without their permission and then load it in my computer? How is that any better than me trying to access data from a partition in another OS in one of my own drives? (where I presumably would own most or all of the data there)
Brendan wrote:If someone has the correct key (even though no human was supposed to ever see or obtain the correct key) then you can assume security has been compromised and should erase all the data as soon as possible in an attempt to protect any confidentiality that hasn't already been lost.
How are you sure I wasn't the source of the key? (e.g. by entering a password that feeds the encryption algorithm, or by generating a file with the key instead of a password) The original key must have come from somewhere after all.

The assumption you're making is that once encrypted it shouldn't be decryptable ever anymore since whoever created the key can't be the valid source of it. That completely defeats the point of encryption, may as well just delete the data directly instead of encrypting it.


Honestly I think that what ticks me off the most though is how data that is more likely for the user to be allowed to touch (what's in their own systems) gets a lot more restrictions than data that has absolutely no indications of whether anybody is allowed to touch it (removable media without file permissions). That's completely backwards. Either restrict all or restrict none. Or at least provide an override for when the OS assumption turns out to be wrong.

The problem with doing things the "ideal way" is that often it's ideal only in specific circumstances. That doesn't work when the possible range of situations is huge, as would be the case for the usual OS.