This is one of my favorite principles. It's called Least Astonishment. Basically, what least astonishment says is that security mechanisms should be designed so that users understand why the mechanism works the way it does, and it's simple to use. In essence, the person designing the mechanism needs to get into the user's mental model of how the system works, and figure out then how to communicate the information and the needs of security effectively. The idea here is to hide the complexity that security mechanisms introduce.

So as an example, pretty much everyone nowadays is used to typing the password; that's expected. You go to a web server, like a bank's web server or something, or you log in to your home system, and it says login ID and password. But suppose one day it suddenly said login ID, urine specimen for analysis so we can use your DNA to be sure you're who you claim to be. That would be astonishment, because that never happens, at least as far as I know; I've never seen it. And so that takes you outside the mental model that people have of computers, which is, urine specimen? Really? But a fingerprint would not, because people are used to touching things with fingers. So that's an example of what Least Astonishment means. Don't surprise the user is the bottom line. Obviously, human factors are really critical here, and in fact, there's a whole science of user security.

This speaks to use, but you also have to think of it in terms of installation. When you're installing something, you don't want it to suddenly come up and say, in order to install this I need your bank account number. Wait a minute, this is freeware I got off the internet. Why are you asking me for my bank account number? That would be astonishing because it's not in our mental model. Same with most software you purchase. It doesn't ask for your bank account. Instead, it asks you for a serial number you get from the purchaser.
If it suddenly started asking for your bank account, it would be quite astonishing. So you want to also think about the installation procedure; make it as simple as possible. Fortunately, on Macs and Windows, this is usually quite easy, same with Linux boxes.

Now this is the new one, the newest one that Saltzer and Kaashoek wrote. The Saltzer and Schroeder principles had something similar called Psychological Acceptability. But the way that one was phrased was: security mechanisms should not add to the difficulty of accessing a resource. The problem is that's an idealistic statement. And it's a great one, but in practice it's infeasible. Because, for example, a password is a security mechanism. So when you log in, you type your login name, and then it asks you for your password, and it violates this principle. It's a very small violation, but in order to keep things clean, that's why they changed it to Least Astonishment. Least Astonishment accepts that security mechanisms will add some difficulty. What it says is, minimize that difficulty. Stay in the mental model of the user. Don't make them do things that are confusing.

Now here's a puzzle for you to try to get at the difference between the two. Suppose the system allows passwords to be placed on files, and many systems actually do this, by the way. So to access a file, you have to have permission for the access, and supply the correct password. This, by the way, is a perfect example of separation of privilege. But let's look at it from the user point of view, from the points of view of Psychological Acceptability and Least Astonishment. On a batch system, that's one where you have a program that will run all the way through with no user interaction, so you have to put the password and such into your command to run this thing. Does it violate either principle, Psychological Acceptability or Least Astonishment? Now suppose it's an interactive system. Would it violate either principle?
Again, I'll give you a minute to think about those. All right, on a batch system, it doesn't violate either principle, because you know what file accesses are going to occur, and so you can go ahead and load the appropriate passwords into the program. And the program that you're running will run all the way through. You don't have to reenter them; you just have to put them into the program. But if it's an interactive system, my opinion is that it violates both of them, because for Least Astonishment, it would drive you crazy typing in the password every time the program tries to read a block from the file. You don't expect that, so it definitely violates Least Astonishment. And, of course, since you're doing something extra, it violates Psychological Acceptability. The first one, I should add, technically does violate Psychological Acceptability, because the mechanism requires you to enter the password, but presumably if you're using this system you're well aware of this. You're only going to be entering it once, or you'll be putting it in, in advance, and so you should be fine.