[Noisebridge-discuss] Ring-based trust/security model
jim
jim at systemateka.com
Thu Feb 16 16:39:42 UTC 2012
good analysis.
tends to require some maintenance (a bad thing
because of entropy and neglect).
How to reduce the maintenance load?
On Wed, 2012-02-15 at 18:26 -0800, Jonathan Toomim wrote:
> TL;DR: Let's use a trust ring security model, with levels for Members,
> Friends, Guests, and Everyone Else. Most privileges are reserved for
> Guests and above. People who demonstrate hack fu become Friends, and
> get a key and 24/7 unsupervised access. Guests need to have a Member
> or Friend sponsor them while they're there; complaints about a Guest's
> behavior or odor can be passed on to their sponsor, who will likely be
> more approachable than the Guest.
>
> On 2/15/2012 4:51 PM, Jonathan Toomim wrote:
> > I think we need to redesign and make more explicit the security
> > model we use when dealing with users of NB. I think a ring-based
> > model would be better for us, since a capability-based model would
> > be too complicated and difficult to track. It also seems to be what
> > we are implicitly using right now.
> >
> > http://en.wikipedia.org/wiki/Ring_(computer_security)
> >
> > Currently, it seems we have these rings:
> >
> > Ring levels:
> > 0: Members
> > 1: Non-members with keys
> > 2: Everyone else
> > 3: https://noisebridge.net/wiki/85.5 (asked to leave once)
> > 4: https://noisebridge.net/wiki/86
> >
> > The requirements for entry into these rings are:
> > 0: Paying money; https://www.noisebridge.net/wiki/Membership
> > 1: Being deemed a hacker, and/or being around at the right time
> > 2: [default]
> > 3: Being lame
> > 4: Being evil
> >
> > Currently, the privileges contained within each ring appear to be as
> > follows:
> > 0: Member shelves; participating in consensus decisions
> > 1: Not needing to use the buzzer
> > 2: Using the space 24/7; using the kitchen; using the
> > refrigerator; reserving use of the kitchen; using the bathrooms;
> > attending classes; conducting classes or meetings in the classrooms;
> > hanging out in the classrooms and not conducting classes; hacking;
> > not hacking; hanging around in the library; discussing the politics
> > of homelessness; using the computers to play Runescape; using the
> > NES to play Wizards and Warriors; buzzing people in; inviting people
> > in; using the laser cutter; using the 3D printers...
> > 3. Coming to Tuesday member meetings to discuss their status
> > 4. [empty set]
> >
> > I don't know about you, but I think that this model is about as
> > secure as Windows XP. Sure, we can keep patching Internet Explorer's
> > security holes as we find them, but as long as we give so many
> > privileges to our regular applications we're gonna have problems. I
> > think we can do better.
> >
> > Here is what I propose:
> >
> > Ring levels:
> > 0: Members
> > 1: Friends of NB
> > 2: Guests of NB
> > 3. Class attendees
> > 4. General public
> > 5. Tempban
> > 6. Permaban
> >
> > Requirements for being in each ring:
> > 0: Paying money; https://www.noisebridge.net/wiki/Membership
> > 1: Vouched for by 1 Member as being sane and competent in hack fu
> > 2: Sponsored by a Friend for up to 4 hours, or a Member; must
> > wear a label with the sponsor's name and expiration time
> > 3: Being in the right place at the right time
> > 4: [default]
> > 5: Being deemed a jerk by 1 Member or 3 Friends, or being deemed
> > dangerous by anyone
> > 6: Being deemed dangerous by 1 Member, or being deemed
> > undesirable by a consensus meeting
> >
> > Privileges within each ring:
> > 0: Member shelves; consensus decisions; beFriending; unFriending;
> > sponsoring guest-lectures and classes run by non-Friends; unlimited
> > sponsorship of Guests while present; right to arbitrarily boot
> > anyone in ring 1 or above (unless opposed by another Member); right
> > to arbitrarily tempban anyone in ring 2 or above
> > 1: Key/access code; unsupervised 24/7 access to the space;
> > unsupervised use of expensive tools (e.g. laser cutter); running
> > classes; reserving the kitchen or classrooms; right to create "do
> > not hack" labels (e.g. in refrigerator); booting or tempbanning of
> > ring 2 and above with 2 other supporting Friends; sponsorship of 1
> > Guest at a time for no more than 4 consecutive hours per Guest;
> > unilaterally booting one's own Guest; buzzing people in (but must
> > check that person's status before letting them roam around the
> > space)
> > 2: Access to space while a sponsor is present; supervised use of
> > expensive tools; unsupervised use of everything else (including
> > kitchen and computers)
> > 3: Attending classes; using the bathrooms; limited kitchen access
> > (no cooking or refrigerator access)
> > 4: Same rights as Guest during Open Hacking hours (e.g. M-F
> > 0900-1700, plus one night a week); otherwise, must be actively
> > supervised by a Member or Friend
> > 5: Coming to Tuesday meetings to discuss their status
> > 6: [empty set]
> >
> > This would put most non-hackers in ring 2 or above. Sponsorship is
> > intended to be casually given; being someone's sponsor is
> > acknowledging responsibility to mediate any disputes that might
> > arise. For example, if Friend Fred sponsored skeezy Guest Scooter,
> > and good Guest Gwen didn't like Scooter, she could take a look at
> > Scooter's nametag, see that he was sponsored by Fred, and talk to
> > Fred about Scooter's status and behavior. Fred then has the option
> > of either mediating the dispute and trying to get Scooter's
> > skeeziness under control, explicitly booting Scooter, ignoring
> > Gwen's complaint, or simply revoking his Guest sponsorship and
> > letting him either find another sponsor or leave.
> >
> > For becoming a Friend, the "competent in hack fu" requirement was
> > chosen over "interested in learning hack fu" because it's easier to
> > verify actual hack fu than simple interest, and true interest
> > usually results in at least some degree of competence if it is
> > sustained (unless the person is just dumb, but I suspect we won't
> > want dumb Friends anyway).
> >
> > -------
> >
> > Whatcha think? I don't know if I'll be able to make it to the
> > Thursday discussion group (might be returning to LA before then), so
> > one of you might have to adopt the advocacy of this plan if you like
> > it.
> >
> > Jonathan
> >
> >
> > _______________________________________________
> > Noisebridge-discuss mailing list
> > Noisebridge-discuss at lists.noisebridge.net
> > https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
More information about the Noisebridge-discuss
mailing list