 |
Admonition Systems
|
<<Reputation<< Up to Taxonomy
[Admonition Systems are expected to be of more use directly supporting humans, as a memory prosthesis, than within computation. Accordingly, names like Alice, Bob, and Mallet below refer to people, not objects.]
Alice sends Bob a document, asking Bob not to show it to Mallet. If Bob wishes to show it to Mallet anyway, no computer security system in the universe can prevent him--even if Bob is reading on a tamper resistant box, he can always photograph the screen. Also, Alice may not be able to deter Bob from showing it to Mallet, if Bob can trust Mallet not to let Alice know that he revealed her secret. However, Bob may wish to not show the document to Mallet simply because Alice asked him not to. Unfortunately, a month later he ftp's a directory to Mallet that happens to contain the secret document Should Bob have been using an admonition system?
With a hypothetical admonition system, Alice sends Bob the document together with a somewhat machine-understandable admonition not to show it to Mallet. On receiving the document, Bob is asked if he wishes to:
|
Because Bob can neither be prevented nor detered from engaging action #3, it is better to provide option #3 in the user interface. To do otherwise is only to provide Alice with a false sense of security. This is one of the arguments against impediments.
But back to our original scenario. Let's say Bob chooses #1. A month later when forgetful Bob tries to ftp that directory to Mallet, if he's lucky his memory prosthetic reminds him
|
Alice asked you not to show that to Mallet, and you wanted
to abide by that. |
Such admonition systems can lower the probability of such accidents, but probably not to zero. Many otherwise hard to rationalize computer security systems are used for this purpose, such as the sys-admin who normally operates as a regular user to avoid accidentally doing those things he actually could do, but only as root. Plausibly, admonitions are typically not just to people, but about people (as in our example), making the notion of Principal plausible. However, this is a valuable but unforseen use of systems built primarily for different purposes.
What would a system look like that was designed for this purpose? What logic might underlie admonitions that a human and computer might be able to jointly understand well enough to be of help? Bob in this scenario is a confused deputy, confused not by Mallet but by his own forgetfulness. Even though Bob is a person and not an object, might our observations about the confused deputy help here?
Many programming language constructs let a programmer admonish himself to abide by certain restrictions, except for when he says "no I really mean it", such as type declarations in C that can be overridden by a cast. C's type system is an admonition system, Java's is a prevention system. Similarly for lint and compiler warnings.
Never ascribe to malice what can be explained by incompetence.
--Anon
Admonition systems can help lower our incompetence at actions others might ascribe to malice. This area is wide open for productive research, and we have barely scratched the surface
Home
