Secure Coding mailing list archives

No general-purpose computer, or everything under surveillance?
From: dwheeler at ida.org (David A. Wheeler)
Date: Tue, 13 May 2008 16:51:25 -0400

Dan Geer said:
"The general-purpose computer must die or we must put everything under 
surveillance. Either option is ugly, but 'all of the above' would be 
lights-out for people like me, people like you, people like us. We're 
playing for keeps now." 
http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=436

I completely disagree with the way that people will likely interpret 
this quote.  We do NOT need to throw away our general-purpose computers, 
nor do we need to submit to Orwellian total population surveillance (by 
governments or by corporations).

What particularly worries me is that some large companies would benefit 
from approaches that eliminated competition in the name of security. 
"You have to standardize on product X, and lock things down so that no 
nasty alternative products are executed!".  Yet that is a primary part 
of the problem.  In our current world, many people believe they CANNOT 
pick a more secure product, because it's not compatible with what 
"everyone else is using".  At least in some cases, people WILL pick a 
product because it has better security (see the rise of Firefox, and how 
it finally caused Microsoft to wake up and start fixing Internet 
Explorer)... but look how hard it has been for a freely-available 
program, implementing mostly-documented standards, to compete.

If you interpret the terms "general purpose" and "surveillance" 
differently, i.e., as "limit applications to least privilege, and 
locally monitor their behavior", then I'd agree.  But 
this is another way of saying "we need to implement least privilege and 
local monitoring", which are well-established security principles.  And 
it's already happening, e.g.:
* Development is already moving away from general-purpose tools.  Most 
desktop and server software development should NOT be done in C or C++; 
they're too low-level and provide inadequate protection against 
mistakes.  Instead, they should voluntarily use languages that aren't 
QUITE as general-purpose, because they automatically prevent many 
mistakes from turning into security problems (e.g., through automatic 
memory management).  People are already moving towards such languages; 
we need to build more assurance into them, but the opportunity is there.
* Deployment is already moving away from general-purpose privileges. 
SELinux lets people define very fine-grained privileges, so that a 
program does NOT have arbitrary rights.  OLPC goes even further; its 
security model is remarkable and worth learning from.
* Observing behavior (and making decisions based on it) is ALREADY 
what some systems and network systems do.

But the difference is who is in final control.  In the end, the users of 
computers should be in final control, not their makers, or we have given 
up essential liberty.  We can develop systems which provide suites of 
more specialized privileges to particular functions, without giving up 
essential liberty.  We have a long way to go in actually DOING this, but 
the opportunity is there.

I do not think we need to give up our liberty just to "obtain" some 
security. Benjamin Franklin already explained what happens to such people.

--- David A. Wheeler