| ▲ | nostrademons 4 days ago | |||||||||||||||||||||||||||||||||||||||||||
I'm hoping, but not particularly optimistic. The dynamic that led to the Principle of Least Privilege failing in the market is that new technological innovations tend to succeed only when they enter new virgin territory that isn't already computerized, not when they're an incremental improvement over existing computer systems. And which markets will be successful tends to be very unpredictable. When you have those conditions, where new markets exist but are hard to find, the easiest way to expand into them is to let your software platforms do the greatest variety of things, and then expose that functionality to the widest array of developers possible in hopes that some of them will see a use you didn't think of. In other words, the opposite of the Principle of Least Privilege. This dynamic hasn't really changed with AI. If anything, it's accelerated. The AI boom kicked off when Sam Altman decided to just release ChatGPT to the general public without knowing exactly what it was for or building a fully-baked idea. There's going to be a lot of security misses in the process, some possibly catastrophic. IMHO the best shot that any capability-based software system has for success is to build out simplified versions of the most common consumer use-cases, and then wait for society to collapse. Because there's a fairly high likelihood of that, where the security vulnerabilities in existing software just allow a catastrophic compromise of the institutions of modern life, and a wholly new infrastructure becomes needed, and at that point you can point out exactly how we got this point and how to ensure it never happens again. On a small scale, there's historical precedence for this: a lot of the reason webapps took off in the early 2000s was because there was just a huge proliferation of worms and viruses targeting MS OSes in the late 90s and early 2000s, and it got to the point where consumers would only use webapps because they couldn't be confident that random software downloaded off the Internet wouldn't steal their credit card numbers. | ||||||||||||||||||||||||||||||||||||||||||||
| ▲ | black_knight 3 days ago | parent [-] | |||||||||||||||||||||||||||||||||||||||||||
Sometimes better ideas can be around for a really long time before they gain any mainstream traction. Some ideas which come to mind are anonymous functions and sum types with pattern matching, which are only recently finding their way into mainstream languages, despite having been around for ages. What it might take is a dedicated effort over time by a group of believers, to keep the ideas alive and create new attempts, new projects regularly. So that when there is a mainstream opening, there is the knownhow to implement them. I always include a lecture or two in my software security course (150 students per year), on capability based security. I am also on the lookout for projects which could use the ideas, but so far I have only vague ideas that they could be combined with algebraic effects in some way in functional programming. | ||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||