Cory Doctorow: "security model that treats the computer's user as an attacker is doomed"

Posted on: Mon, 11/30/2015 - 13:02 By: Tom Swiss

The idea that we should treat ideas as property isn't just an abstract ontological confusion, it has very real consequences. As we become more reliant on computers, one of the most dangerous of those consequences is treating the owners of computers as attackers to be restricted, rather than users to be empowered.

I Can't Let You Do That, Dave (cacm.acm.org)

As ACM members doubtlessly appreciate, preventing the owner of a computer from executing the code of their choice is an impossible task. No matter how cleverly the operating system and its services monitor the user and hide the keys necessary to unlock files without permission, users will eventually find a flaw in the defenders' code and use it to jailbreak the system, allowing arbitrary code execution. Even if you stipulate that locking computer users out of their own computers is a legitimate objective, it is still a technological nonsense. A security model that treats the computer's user as an attacker is doomed. We cannot hide keys in devices we give to attackers for the same reason we cannot keep safes—no matter how well designed—in bank-robbers' living rooms.

The DMCA tries to address this by threatening people who publish code or information that would help remove a lock with severe penalties: five years in prison and $500,000 in fines for a first offense.

But information about flaws in a computer is not just useful to people who want to add functionality to their computers: it also provides opportunities for malware to seize control over the system. By criminalizing disclosure of flaws, the DMCA ensures systems covered by its measures become reservoirs of long-lived digital pathogens.