530 points mdhb | 1 comments
mikewarot No.45065438
A gentle reminder to the readers here at HN that it doesn't have to be this way. Computer Security is a solved problem[1], and has been so since the 1980s[2].

It's my strong opinion that the only methods you've seen to this point[3-7] were deliberately chosen to be ones that don't work, and make things worse in the long run.

It's my hope that things will change for the better, but when I think about what group could lead that change, there's No Such Agency.

[1] https://en.wikipedia.org/wiki/Capability-based_security

[2] https://en.wikipedia.org/wiki/Capability-based_operating_sys...

[3] https://en.wikipedia.org/wiki/User_Account_Control

[4] https://en.wikipedia.org/wiki/AppArmor

[5] https://en.wikipedia.org/wiki/Security-Enhanced_Linux

[6] https://en.wikipedia.org/wiki/Application_permissions

[7] https://en.wikipedia.org/wiki/Trusted_Platform_Module

1. 7373737373 No.45070082
THIS, a billion times, for every insecure device, every popular operating system running today, and every popular programming language.

NONE of these systems were conceived or built with capability security in mind, none of them are even appreciably moving in this direction. None of them provide their developers or users user-friendly interfaces for fine-grained control and oversight of file system, networking, computing and memory resource usage.

They don't allow developers to hollow out the attack surface of their programs by compartmentalization and reifying rights as objects as CapSec prescribes; they cannot, due to their fundamentally broken architectures, provide powerful guarantees such as: "this part of the code cannot access any other resources and is restricted to pure computation, its only effect will be the result it returns".

That no one is seeing this, listening and learning, is a disgrace, a collective, civilization-scale failure to apply this knowledge. The exploits will continue until we learn. And until user agents and their creators are forced, by choice and by law, to truly act to the best of their ability in the best interest of their user.

https://en.wikipedia.org/wiki/Principle_of_least_privilege
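
Added example, not part of either comment: a sketch of the object-capability pattern the thread refers to (rights reified as objects, then attenuated and revoked), using a constructed in-memory store so it runs offline. All names (`makeStore`, `readOnlyFile`, `revocable`, `countWords`) are hypothetical, and plain JavaScript still leaves globals reachable, so this shows the discipline of passing authority explicitly rather than a runtime that enforces it.

```javascript
// Constructed in-memory "file system"; the Map is reachable only through the closures below.
function makeStore(initial) {
  const files = new Map(Object.entries(initial));
  return Object.freeze({
    read: (name) => {
      if (!files.has(name)) throw new Error("no such file: " + name);
      return files.get(name);
    },
    write: (name, data) => { files.set(name, String(data)); },
  });
}

// Attenuation: derive a weaker right (read exactly one file) from a stronger one.
function readOnlyFile(store, name) {
  return Object.freeze({ read: () => store.read(name) });
}

// Revocation (caretaker pattern): hand out a forwarder that the grantor can cut off.
function revocable(cap) {
  let target = cap;
  const facet = Object.freeze({
    read: () => {
      if (target === null) throw new Error("capability revoked");
      return target.read();
    },
  });
  return { facet, revoke: () => { target = null; } };
}

// Least-privileged component: it is handed one capability and names no other resource.
function countWords(fileCap) {
  return fileCap.read().split(/\s+/).filter(Boolean).length;
}

function demo() {
  // Constructed sample data.
  const store = makeStore({
    "notes.txt": "least privilege by construction",
    "secret.key": "constructed-sample",
  });
  const { facet, revoke } = revocable(readOnlyFile(store, "notes.txt"));
  const words = countWords(facet);                 // allowed: read notes.txt
  const canWrite = typeof facet.write === "function"; // no write right was granted
  revoke();
  let afterRevoke;
  try { countWords(facet); afterRevoke = "still works"; }
  catch (e) { afterRevoke = e.message; }
  return { words, canWrite, afterRevoke };
}
```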