Hacker News new | past | comments | ask | show | jobs | submit login

The constant issue of computer security is perhaps that software can only inspect actions, not intent.

And any action taken can be either legitimate or nefarious, given the context of intent.




At some point, infosec lies on user education. No arguing about this. But the exact point is open to argument.

Software need an interfaces that reflect intent - if your browser dumps stuff from unrelated places at the same folder, and then the OS uses those unrelated stuff as if it was related, there's a completely failure from the software data to reflect the user intent. This is a blatant fault of the software stack (but of no party in particular).


The classic way of mitigating the issue of intent, of course, is capability-based security. Standard ambient authority models basically leave the door wide open by decontextualizing all action, such that merely riding on someone's session from their end is sufficient.


That finds me thinking that a issue is perhaps that with modern personal computing, the system/kernel view of state (or some such), and the user view of state, are not lined up.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: