From 51ad79f8004917fc4714d774087d0a1c9ba205b8 Mon Sep 17 00:00:00 2001 From: Christopher Lemmer Webber Date: Tue, 30 Jul 2019 15:47:48 -0400 Subject: [PATCH] Add section on accountability --- README.org | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/README.org b/README.org index 1df173b..31a0402 100644 --- a/README.org +++ b/README.org 
@@ -1342,6 +1342,54 @@ now both refuse to forward messages. **** Accountability +Both Ben and Lem contact Alyssa and insist neither of them made those +edits to the document. +Couldn't they please get access again to write to the file? + +That evening, Alyssa thinks about it and decides that yes, she could, +if next time she could hold whoever did it accountable so she could +prevent the problem from happening again and know who violated her +trust. + +Alyssa makes two new capabilities, but these ones are a little bit +different than before: while both allow writing to the file, this time +she associates each one with the name of the person she is handing it +out to. +Now if Bob writes to the file, it's logged that Bob made this change, +and if Lem writes to the file, it's logged that Lem made this change. +Alyssa hands out these new write-capable-but-logging ocaps to Bob and +Lem and logs off for the evening. + +The next morning, the file is defaced again. +But the logger picks it up: Lem made all these changes! +Alyssa revokes the capability she gave to Lem and gives him a call +on the phone. + +Lem swears, he really didn't make these changes! +Alyssa shows him her proof, and Lem thinks about it. +Well... Lem is really sure that he didn't make those changes, but +he knows that Mallet wanted access to the file. +It could be that Mallet asked him for it when they went out +drinking and Lem was intoxicated... or it could be that Mallet used +that opportunity to insert a backdoor into his device. +Lem really isn't sure, but insists that /he/ is not the one that did +it. + +Alyssa trusts Lem enough as a person (but not as a person who +practices good security hygeine), and distrusts Mallet enough, that +she finds this story plausible. +Still she considers with satisfaction that placing the blame "on the +capability she gave to Lem", whether or not it was Lem that did it, +was what she really needed to get to the bottom of the situation. 
+"For now, you can email me suggestions," Alyssa tells Lem. +"But the next time you want to collaborate on a document, make sure +you're more careful with your authority. +And if you're not sure whether Mallet might have a backdoor in your +system or not, maybe it's time to do a thorough exorcism of your +computer." +Lem apologizes and agrees... he plans to try to audit his computer +tonight. + **** Composition # add backup of file example; alice's composed capability should
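Review bot: The first collaborator is called "Ben" in the opening sentence of the new section ("Both Ben and Lem contact Alyssa") but "Bob" in the third paragraph ("Now if Bob writes to the file", "ocaps to Bob and Lem"); use one name throughout so the logging example clearly refers to the same person who lost access. In the same third paragraph, "it's logged that Bob made this change" says more than the section later concludes, namely that blame lands "on the capability she gave to Lem" whether or not Lem acted; wording such as "it's logged that the capability given to Bob made this change" would keep the two passages consistent. Also, "hygeine" in the paragraph beginning "Alyssa trusts Lem enough as a person" should be "hygiene".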