Cryptosmith

I’ve been working on tutorial material to explain file permission settings in general. This seems to be a topic that most textbook authors avoid like the plague.

Today, I was googling about file permissions and I found this blog entry at Jaanus.com about the sad usability state of file permission setting functions in Windows and OS X. The author mentions some research at CMU on the usability of file permissions, and highlights several of the pitfalls in the Windows XP interface.

I’ve reviewed just about every “major” textbook on information security, and I’ve looked at more than a few “certification” textbooks. A typical book covers file access control with a page or two of text.”Traditional” security authors like Matt Bishop, Chuck Pfleeger, or Bill Stallings may spend a chapter on access control in the abstract and only a page or two, if that, describing typical real-world implementations of file permissions.

Even if the interfaces are bad, they deserve to be discussed in more depth. File permissions implement access control in a way that students can actually work with – we can create assignments in which they experiment with the different access modes and see the results of different permission settings. A lot of security is too abstract: we can say that a technique fails to protect something, but that’s different than really showing that the technique fails to protect. With file permissions, students can see first-hand what happens if the protection is present or not.

Moreover, students need to understand file permissions before they get to other security issues. What is a Trojan horse? Why is it dangerous to routinely log in as an administrator? Questions like this make a lot more sense if file permissions make sense.

Posted under Security & Tech Teaching | No Comments »