Talking out loud here about ocap modules for Racket so I can organize my thoughts.

- All macros and values are *explicitly* and *intentionally* introduced into a module
- The default situation is that macros can exfiltrate surrounding information from even foreign surrounding code. However, we can create one-off code inspectors to prevent this nastiness.
- Currently modules are name-centric; that doesn't map to my needs. But I can create one-off registries and pull in modules from others.

Hurricane Matthew caused the most recent large damage, and it’s generally thought to have been strengthened by .

This beach is a preview…

This forest used to be a mile inland. Now it is eroding away with every high tide and hurricane. The island of Botany Bay is vanishing.

Hey awesome listeners,

No show this week. @cwebber and @emacsen are pretty busy with other projects they can't wait to tell you about!

@freakazoid
We've created a situation where this is a necessity, so a little responsibility and empathy is in order. The principle that "many eyes make bugs shallow" doesn't apply to the threat model that's evolved. People have reasons for making bad decisions. We distance ourselves and fix blame, but we do the same things and we caused this. So that's not fair.

Fair is a value served by justice, which means doing the thing in our power to change outcomes.
@cwebber

@VyrCossont @cwebber I think the point is that code is internally limited so different libraries can't access data or services they're not supposed to?

So in this case, the library can't exfiltrate data because it can't network.

@VyrCossont @astraluma Ocaps can be seen as a sandboxing mechanism, but rather a paradigm where everything is sandboxed and yet it isn't hell because it resembles the way we pass around arguments in our programs. One advantage that ocaps have over contemporary sandboxes is that they can acquire just-in-time authority also. But that sounds like nonsense without further explanation, which I will have to do at a future time.

I should probably blog explaining this stuff a bit more clearly :)

@VyrCossont @astraluma This is why the just-in-time acquirement of authority in ocaps is really key: in the fixed-set-of-authority model, it's so annoying and rigid that eventually you'd pass in way more authority than you need, rather than being able to acquire the authority you need when you need it.

@VyrCossont @astraluma Here's an example of what I mean by just-in-time-authority. Here are two worlds:

- One where we list what documents you can access up-front. Now you can't access anything you shouldn't be able to, but you can't access *new* documents.
- One where you start with a set of documents you can access, but as the world moves and changes, we can also pass you access to new documents

Imagine the fediverse built with the former. You could never gain new friends!

@opal "object capabilities". It doesn't really have much to do with "objects" in that it doesn't require object oriented programming, and originally they were just called "capabilities", but "capabilities" got overloaded as a term (eg, what the Linux kernel calls capabilities are nothing like object capabilities). ocap is shorthand that refers to a specific paradigm: your security model isn't who you are, but what references you hold onto.

@liw Here's a good start: mumble.net/~jar/pubs/secureos/

Imagine if instead of (solitaire) running with your full authority, you passed in the authority you need, eg (solitaire get-input write-to-screen read-write-score-file)

Instead of solitaire being able to exfiltrate your private keys and cryptolocker your data, now solitaire doesn't even have network and general file access (only to the one file), you simply didn't pass access to it.

Lambda is your new security model now.
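An added example (not from the thread above) of the two posts on just-in-time authority and the solitaire call: capabilities are closures bound to exactly one resource, the game only receives the score-file capability, and a reader starts with a fixed set of documents but can be handed a new one later. The in-memory store and the `make_rw_cap`, `make_read_cap`, `Reader` names are constructed for illustration; plain Python does not stop a module from importing `os` or `socket`, so this shows the pattern an ocap language enforces rather than enforcing it.

```python
# Constructed in-memory "filesystem"; stands in for real files the user owns.
SAMPLE_WORLD = {
    "scores.txt": "high score: 0",
    "id_rsa": "PRIVATE KEY (constructed placeholder, not a real key)",
    "diary.txt": "dear diary",
}

def make_rw_cap(store, name):
    """Read/write capability to exactly one entry; the holder cannot widen it."""
    def read():
        return store[name]
    def write(text):
        store[name] = text
    return read, write

def make_read_cap(store, name):
    """Read-only attenuation of make_rw_cap: the write closure is never handed out."""
    read, _write = make_rw_cap(store, name)
    return read

def solitaire(read_score, write_score):
    """Game code that holds only the score-file authority it was passed.

    It has no reference to id_rsa or to any network object, so it cannot reach them."""
    previous = read_score()
    write_score("high score: 42")
    return previous

class Reader:
    """Starts with a fixed document set (world 1); grant() adds authority later (world 2)."""
    def __init__(self, caps):
        self._caps = dict(caps)
    def read(self, name):
        if name not in self._caps:
            raise PermissionError(f"no capability for {name}")
        return self._caps[name]()
    def grant(self, name, cap):
        # Just-in-time authority: a party that already holds cap passes it on.
        self._caps[name] = cap

def demo():
    store = dict(SAMPLE_WORLD)            # fresh copy so repeated runs are independent
    previous = solitaire(*make_rw_cap(store, "scores.txt"))   # only one file passed in
    reader = Reader({"diary.txt": make_read_cap(store, "diary.txt")})
    try:
        reader.read("id_rsa")             # never granted, so this must fail
        leaked = True
    except PermissionError:
        leaked = False
    reader.grant("scores.txt", make_read_cap(store, "scores.txt"))  # new doc, later
    return previous, leaked, reader.read("scores.txt")

if __name__ == "__main__":
    print(demo())
```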

Backdoor discovered in Ruby "strong password" library, takes your "strong passwords" and uploads them into a pastebin nakedsecurity.sophos.com/2019/

Hi, do you believe me when I say we need ocap security yet

Me: "What's the difference between syntax-parse and syntax-rules anyway?"

Matthias: "syntax-rules is so old and outdated I don't know how to spell it anymore. Use syntax-parse."
