In an era of instant online worldwide connectivity, protecting users from themselves is a lot harder than it used to be. For one thing, full trust can't be trusted. And then there are all those dancing bunnies to contend with:
This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2005/07/the-dancing-bunnies-problem.html
Poke the Bunny is pretty good, though. That’s all I’m saying.
This is the liberal approach in which the government protects citizens from themselves. How about the conservative approach where citizens can poke the bunny if they feel like it and if it bites them, so be it?
I think sometimes as application designers we take protecting users from themselves too far. Like you point out in the end it can’t be done anyway. Far better to design simple clean applications that discourage bunny poking BY ACCIDENT, but if the user decides they want to poke the bunny well so be it.
How about the conservative approach where citizens can poke the bunny if they feel like it and if it bites them, so be it?
Well, the problem is that everyone gets bitten. Once a machine is hijacked, it becomes a zombie that is under total control of the hacker. It is then used to send out spam, perform distributed denial of service attacks, and other nefarious things.
So it’s really about protecting the public good.
The same argument applies to motorcycle helmet laws. If some jackass decides he wants to ride without a helmet, that’s fine until he has an accident, becomes severely brain damaged, and racks up a multi-million dollar insurance bill that the rest of us then have to foot through increased healthcare insurance premiums.
Like you point out in the end it can’t be done anyway
I think it can be done if everything is virtualized all the time. The upcoming hardware hooks for faster virtualization (Pacifica and Vanderpool) make this at least feasible.
Well, I’m delighted to say that when I went to poke the bunny Mozilla told me I was missing a plugin and I didn’t install the plugin just to be able to poke the bunny. Har-har. Nonetheless, a true fact.
problem in that case is the way insurance works, not the way motorcycles work
Actually it’s a problem in the way people work, because they optimize for themselves, eg, the Tragedy of the Commons. I don’t like insurance either but it is compatible with realistic modes of observed human behavior.
There will still be a way for people to harm themselves
I disagree. Can you harm yourself in a Virtual PC image? If you get in trouble you just shut it down and undo the last set of changes. Or, instantly spin up a new one from any “restore point” in the last few months or years. Poof. Problem solved. Apps / viruses cannot escape from Virtual PC!
Education is always good of course, but to argue that we can ONLY fix this through education and shouldn’t bother with the technical hurdles is a little irresponsible.
Jeff, I have to disagree.
(I disagree about motorcycle helmets, too. If someone wants to kill themselves, they should do it. The problem in that case is the way insurance works, not the way motorcycles work. But I digress.)
Virtualizing hardware isn’t going to protect you from dancing bunnies. There will still be a way for people to harm themselves.
(Same point about managed code protecting you from memory leaks. Sure, you don’t have to remember to delete objects, but you do have to remember to NULL points, so what’s the difference? And it is just as hard to track down a bogus reference count as it is to track down a leaked object. But I digress again.)
I really think education is the best you can do, not some global mechanism of “protecting the public good”.
Virtualisation brings one BIG problem - if the user indeed does something stupid, you still have to distinguish between what’s right and wrong, because all user data, documents are still the product of a program running in the VM, and you can’t trash them.
“Can you harm yourself in a Virtual PC image?” You can - very easily, just see a dancing bunny, create some important content, and then try undoing dancing bunny… See?
because all user data, documents
create some important content
Most users aren’t creating any content or documents. And for the few that are, their content/document is often lightweight enough for them to use server-based solutions (eg, Writely, Tadalist, Hotmail, del.icio.us etc).
For the tiny, tiny minority that are creating a lot of heavyweight content using heavy client tools, they need to pull that content through the VM-- maybe in a shared folder.
I tried to see the Dancing Bunny. I even clicked to install the plug-in. But god-damn it, I’m running as a non-Administrator and couldn’t do it! Time to runas… Administrator and try again!
“Of course the problem then is that people aren’t going to start up a new virtual machine just to see the dancing bunny”
No problem, just automate: Isolate all external communication (disk drives, e-mails, web pages) into its own “Quarantine” VPC automatically. Only shift Word Documents etc into that VPC, never out.
That way, if you click the bunny, you’ll only lose important data that’s been Quarantined. Every ‘x’ days, you could move the Quarantined data to a third VPC, so if you bunnied, you could retrieve anything ‘x’ days old. ‘x’ is defined by the time it would take for a virus to have been detected elsewhere.
Of course, a user could be persuaded to move all their documents into the Quarantine area, but that’s time consuming. And easily overcome by storing a backup copy of the data when you move it into Quarantine.
The conservative method is to pray to god to smite the virus then tax the operator who downloaded the virus, the operator who attempts to run it, and the owner of the computer for allowing operators to be stupid.
Nothing is foolproof; fools are too ingenious.
You overestimate the insulating power of the virtual machine. It only insulates if you start up a separate VM for each task. But that keeps apps from being able to benefit from other apps (ever import a spreadsheet into a text document or paste values from a document into an email message?). Part of the value of the OS is that it preserves state and grows with you. Remembering to automatically check all the boxes I want (proper defaults) is called “streamlining” (not “reckless”). People just do not want the burden of running every task in isolation. Hence, the VM is not a practical Silver Bullet for daily use. Effective, yes. But too much for every application.
I think you mean the ‘dancing pigs problem’. You’re not the first to get it wrong, but dancing pigs was the original name for the problem, not dancing bunnies, not even if dancing bunnies are more successful at propagating.
Ah sayed, put the bunny…back…in the box
Cameron Poe (Nicolas Cage) from Con Air
What if the dancing bunnies find out they’re in a sandbox and won’t play together because of it? In the end viewers will still find out ways of getting them out of the box in order to see them dancing.
There was one, and the concept worked quite well. I have no idea how well it worked in production.
Google bought them, though, and I don’t know what happened to the technology.