Hi,
>
> sajolida:
>
> This week-end I read an interesting UX article by Ka-Ping Yee.
> He describes in it a design strategy he calls "security by designation"
> (page 13) which means using the user interaction and workflow to infer
> the adequate security authorities (for example, the minimal but needed
> permissions to access a given resource).
>
Ping is a smart dude, sans the long Google employment term, and his
insights are to be seriously considered. His personal projects[0] are
sweet, too :)
>
> It made me think a lot of the
> problems we had when introducing AppArmor in Tor Browser and the fact
> that the browser is now limited to access two folders and that's a
> pain.
>
> What would be better in terms of UX (and possibly better in terms of
> security as well) would be to have Tor Browser with strictly no access
> to personal files by default (not even these two folders) and infer
> from
> the user interactions (where to download, what to upload) on which
> files
> or folders to grant read or write permissions.
>
I like the general idea, as it aligns with Tails' Security by Usability
approach. I specifically like the enhanced user control in the example
given. The issue I have is with the increased decision making, at least
in our context.
For example, if setting up Cherry Music or Mail Pile at some point
requires a decision on the destination of all relevant files, no
worries, as that is preferable to the iTunes approach which results in
extra system designated folders. However, if the system (technically)
needs the decision made sooner than the first Tor Browser launch, like
at boot, it adds to the confusion of getting started.
>
> What underlying technical limitations prevent us from doing something
> like this? Would this imply a major change in the way GNOME interacts
> with application regarding browsing file? Would this imply having
> dynamic AppArmor rules? Is that possible at all? See also the image in
> attachment.
>
It isn't clear to me from documentation (on their part) what App Armor
does (there is a verbose account of how it works, though), but it sounds
like it has similar functionality to Privacy Guard [1], just more
complicated, yeah? If so, managing sandbox-like permissions at any
point in the system operation should be no issue (and would make my
above concern unnecessary).
>
> Another example that came to my mind for this strategy would be #10113
> (Greeter option to enable microphone), the microphone should be
> disabled
> until the user asks to use it by raising it's volume from zero. to
> something else. Of course, I'm not taking any technical limitation into
> account here.
>
I am for this. I am even more for a mechanical switch for the
microphone, since removing the electron path is best, though that is up
to the man(ufacturers) :)
Thanks for sharing this!
Wordlife,
Spencer
[0]:
http://zesty.ca/
[1]: privacyguard.png
%20which%20means%20using%20the%20user%20interaction%20and%20workflow%20to%20infer%0A>%20>%20the%20adequate%20security%20authorities%20(for%20example,%20the%20minimal%20but%20needed%0A>%20>%20permissions%20to%20access%20a%20given%20resource).%0A>%20>%20%0A>%20%0A>%20Ping%20is%20a%20smart%20dude,%20sans%20the%20long%20Google%20employment%20term,%20and%20his%20%0A>%20insights%20are%20to%20be%20seriously%20considered.%20His%20personal%20projects%5B0%5D%20are%20%0A>%20sweet,%20too%20:)%0A>%20%0A>%20>%20%0A>%20>%20It%20made%20me%20think%20a%20lot%20of%20the%0A>%20>%20problems%20we%20had%20when%20introducing%20AppArmor%20in%20Tor%20Browser%20and%20the%20fact%0A>%20>%20that%20the%20browser%20is%20now%20limited%20to%20access%20two%20folders%20and%20that's%20a%20%0A>%20>%20pain.%0A>%20>%20%0A>%20>%20What%20would%20be%20better%20in%20terms%20of%20UX%20(and%20possibly%20better%20in%20terms%20of%0A>%20>%20security%20as%20well)%20would%20be%20to%20have%20Tor%20Browser%20with%20strictly%20no%20access%0A>%20>%20to%20personal%20files%20by%20default%20(not%20even%20these%20two%20folders)%20and%20infer%20%0A>%20>%20from%0A>%20>%20the%20user%20interactions%20(where%20to%20download,%20what%20to%20upload)%20on%20which%20%0A>%20>%20files%0A>%20>%20or%20folders%20to%20grant%20read%20or%20write%20permissions.%0A>%20>%20%0A>%20%0A>%20I%20like%20the%20general%20idea,%20as%20it%20aligns%20with%20Tails'%20Security%20by%20Usability%20%0A>%20approach.%20%20I%20specifically%20like%20the%20enhanced%20user%20control%20in%20the%20example%20%0A>%20given.%20The%20issue%20I%20have%20is%20with%20the%20increased%20decision%20making,%20at%20least%20%0A>%20in%20our%20context.%0A>%20%0A>%20For%20example,%20if%20setting%20up%20Cherry%20Music%20or%20Mail%20Pile%20at%20some%20point%20%0A>%20requires%20a%20decision%20on%20the%20destination%20of%20all%20relevant%20files,%20no%20%0A>%20worries,%20as%20that%20is%20preferable%20to%20the%20iTunes%20approach%20which%20results%20in%20%0A>%20extra%20system%20designated%20folders.%20%20However,%20if%20the%20system%20(technically)%20%0A>%20needs%20the%20decision%20made%20sooner%20than%20the%20first%20Tor%20Browser%20launch,%20like%20%0A>%20at%20boot,%20it%20adds%20to%20the%20confusion%20of%20getting%20started.%0A>%20%0A>%20>%20%0A>%20>%20What%20underlying%20technical%20limitations%20prevent%20us%20from%20doing%20something%0A>%20>%20like%20this?%20Would%20this%20imply%20a%20major%20change%20in%20the%20way%20GNOME%20interacts%0A>%20>%20with%20application%20regarding%20browsing%20file?%20Would%20this%20imply%20having%0A>%20>%20dynamic%20AppArmor%20rules?%20Is%20that%20possible%20at%20all?%20See%20also%20the%20image%20in%0A>%20>%20attachment.%0A>%20>%20%0A>%20%0A>%20It%20isn't%20clear%20to%20me%20from%20documentation%20(on%20their%20part)%20what%20App%20Armor%20%0A>%20does%20(there%20is%20a%20verbose%20account%20of%20how%20it%20works,%20though),%20but%20it%20sounds%20%0A>%20like%20it%20has%20similar%20functionality%20to%20Privacy%20Guard%20%5B1%5D,%20just%20more%20%0A>%20complicated,%20yeah?%20%20If%20so,%20managing%20sandbox-like%20permissions%20at%20any%20%0A>%20point%20in%20the%20system%20operation%20should%20be%20no%20issue%20(and%20would%20make%20my%20%0A>%20above%20concern%20unnecessary).%0A>%20%0A>%20>%20%0A>%20>%20Another%20example%20that%20came%20to%20my%20mind%20for%20this%20strategy%20would%20be%20#10113%0A>%20>%20(Greeter%20option%20to%20enable%20microphone),%20the%20microphone%20should%20be%20%0A>%20>%20disabled%0A>%20>%20until%20the%20user%20asks%20to%20use%20it%20by%20raising%20it's%20volume%20from%20zero.%20to%0A>%20>%20something%20else.%20Of%20course,%20I'm%20not%20taking%20any%20technical%20limitation%20into%0A>%20>%20account%20here.%0A>%20>%20%0A>%20%0A>%20I%20am%20for%20this.%20%20I%20am%20even%20more%20for%20a%20mechanical%20switch%20for%20the%20%0A>%20microphone,%20since%20removing%20the%20electron%20path%20is%20best,%20though%20that%20is%20up%20%0A>%20to%20the%20man(ufacturers)%20:)%0A>%20%0A>%20Thanks%20for%20sharing%20this!%0A>%20%0A>%20Wordlife,%0A>%20Spencer%0A>%20%0A>%20%5B0%5D:%20http://zesty.ca/%0A>%20%5B1%5D:%20privacyguard.png%0A>%20 "Reply to this message")