Lambda the Ultimate

A typo, but perhaps of the Freudian slip variety? :-)

Basically, you convince me and I add the department. For now, I remain unconvinced that this subject will have enough traffic and readership, but feel free to enlighten me!

My argument would be that Mark Miller's thesis on Robust Composition lays the necessary groundwork by identifying concurrency control and access control. Few people, I believe, at this stage would deny that concurrency control is a pressing issue in software development in general and language design in particular. Coupled with the observation that one doesn't yet hear safe cooperation paradigms discussed in the same way that one hears concurrency paradigms, distributed paradigms, static vs. dynamic typing, etc. discussed, it seems to me the perfect time to put such a stake in the ground. Since security isn't a separable concern, language designs that ignore security are incoherent by definition (more accurately, they will embody an unintentional security design that is statistically unlikely to be coherent). Since the site is about language design, I believe our categories should reflect this state of affairs.

IOW, to address Ehud's concern, the fact that this category will likely remain rather empty of posts in the near future should be taken as a challenge to the language design community? ;)

Exactly!

It may or may not be appropriate to start a department on secure cooperation, but to answer the question of how much traffic this topic might generate, it may be worthwhile to observe how much work is being done in this area. When recently preparing a paper to submit to PLDI on the object-cap language Emily, I was surprised, upon re-reading the related work section, to see how much stuff there is. For those not keeping a scorecard, here is the list of reasonably serious (i.e., not static sandboxes, not clumsy authentication) active secure cooperation projects I know about:

E
Emily
CapPerl
Joe-E (caps for Java)
Oz-E
SCOLL (a spinoff from Oz-E)
Lightweight caps in Haskell
Caps in Python (supported by Guido, I'm pleased to say)

Caps in JavaScript (there is a secret project at one major corporate JavaScript player doing caps for JavaScript, and two others are secretly thinking hard about doing caps for JavaScript, it will be quite a party if they ever tell each other what they are doing)

Typed applets for OCaml (led by Xavier Leroy, not really an object capability system, but close enough so that some of the Emily work seems to solve problems they need solved)

Isolates (the documentation claims they'll use capabilities, can't tell if they're serious, but it is amazing to see the official Java folk use the term after having such a violent immune reaction to dynamic, fluid, fine-grain secure cooperation for all these years)

You are starting to convince me... I urge editors to post on these subjects (and you know how to signup). The dedicated department comes next...

I have been reading E in a Walnut to understand what E has to offer.

For concurrency, if I understand correctly it uses an actor model where objects are either static and copied around or they are dynamic and live in their own, protected thread. The programmer works with future data that gets an actual value when the actor comes around and actually processes the message.

Security is based on facets, which limit the capabilities of the object available to clients with limited trust. The author explains that as having a different set of keys for the different doors in the house, which he opposes to the widespread security model where one has or does not have access to the house.

I am not sure how this is very different from Java where the client need different permissions for different operations; is it that permissions are on a per-object basis as opposed to per-operation type? Does the MacOS X capability system join E in that (though the problem here is that Apple tries to squash all these authentication dialogs for a better user experience)?

"MacOS X capability system"

What "MacOS X capability system"? (Googling this string yielded nothing.)

Insert Scooby Doo "Hruh?" here. Let me gently recommend that folks discussing "capabilities" here check out the voluminous resources available at the E site to gain an adequate understanding of what is, and is not, a capability.

...except that Second Life only gets things half right: they rightly have an exchange between Lindenbucks and real dollars, and rightly allow people to buy and sell things that they create in the world.

This means that their business model really is based on enforceable scarcity. Unfortunately, it's clear from their CTO's comments that they have singularly failed to grasp this—they think that offline appeals to the DMCA are sufficient. Nevermind the difference between online time and real time; nevermind that the DMCA might not be enforceable outside the US; nevermind that the DMCA might be overturned... in short, they make the same security mistakes that most people make: throw up their hands and say that it can't be done. Mark Miller and friends know better.

offtopic, but i felt a lot better seeking after high scores in games like Tempest back then than buying accessories in today's virtual environment thingys. boring stuff... same as the pursue of hyper realistic graphics, which are then used to recreate stupid everyday reality...

If we are sending the 3D model of the item to the Second Life program for display, it can be taken and copied, then presented as original work. No way to work around that limitation. If it can be displayed, it can be copied.

I think the story you mean is "Special Delivery", part of the Venus Equilateral series by George O. Smith written during the early 1940s.

It's a hell of a threat if you have an in-game business making real world money, like one of my partners does. It's worth noting that "virtual estate" to run your own space in costs actual money (this isn't surprising, as it requires physical hardware to run), and many places in SL attempt to recoup part or all of their costs by selling goods and services.

Venus Equilateral does include some stories about replicators, but they don't resemble the plot Anton described (in VE the replicators are universally available and lead, after some initial difficulties involving cloned armies, to a reasonable approximation to utopia). The book Anton has in mind, I'm pretty sure, is A for Anything (a.k.a. The People Maker) by Damon Knight.

The book Anton has in mind, I'm pretty sure, is A for Anything (a.k.a. The People Maker) by Damon Knight.

That's the one, thank you!

It's true that you can't plug the analog hole, but there's more to Second Life than creating your own models, textures, etc. You can actually write code that adds new behavior to the world and make this behavior interact with behaviors you didn't write. It's this pattern of code written by multiple authors, with sometimes cooperating, sometimes competing, goals that needs addressing, and is feasible to address—in particular, this is what E and much of Nick Szabo's work is about: the relationship between property/exchange/use rights and code.

Agreed, but as I understand the CopyBot situation, the controversy is over the "analog hole", or more accurately in this situation, the "TCP/IP hole". It's models and textures that are being copied, not the scripts, as far as I can tell. I do agree that a Second Life-type environment could be much richer and easier to develop for if E or a similar object-cap language were used instead of LSL, but this particular problem would still arise. CopyBot is a program that runs on a user's machine and connects to the SL servers; it isn't written in LSL.

I think we're going to see some interesting stuff revolving around the mutual requirement of Proof-Carrying Code and encrypted computing to help address the worst of the issues here. Still, in the context of this particular incident, you're quite right.

It's true that you can't plug the analog hole

Something like watermarking ought to be reasonably effective in a context such as SL, where data artifacts are only valuable within the program, where they can be checked. You'd need a system in which creators can register watermarks, and legitimate purchasers are recorded.

Of course, an arms race of cracking vs. protecting is likely to ensue, but that's not much different from e.g. counterfeit currency in the real world.

But I believe that the use of the term analog hole is incorrect here.

True, but there's a significant common factor in both cases: protection becomes difficult when a protected artifact is transferred through a device or medium that supports copying, whether it's analog or digital.

In that sense, there's not all that much difference between e.g. an all-digital screen capture and taking a photograph of the screen. Also, in both cases, watermarking is one of the few possible protection mechanisms that has even the slightest hope of helping.

Perhaps the term in both cases should be "the uncontrolled medium hole", with the analog hole being a special case.

I can't think of a plausible way to make any of this on-topic, though. :)

I think you're right. Regarding watermarking: Even though watermarking should work in theory, nobody seems to have come up with a method that can withstand even the simplest of countermeasures -- or maybe there's something "they" aren't telling us :).

For the life of me I can't remember who said I, but I think the following quote is the best summary summary I've seen of the whole content-protection issue (paraphrasing):

It's very hard to protect your data when the legitimate customer and the adversary are the same person.

I had to read a bit in order to be able to remain on-topic. This link helped a bit.

It appears that the problem is the lack of DRM on user generated content. The CopyBot program can log on to the SL servers and download raw content freely. In order to be on-topic, we'd need to discuss what sort of restrictions there must be in place for user generated programs. But, that is not just a safety issue, it's a security issue, too, and goes beyond PLT imho.

(Back to the OT aspect: since there's no DRM, there's no analog hole. If tcp/ip was a "hole" in this sense, slapping DRM on wouldn't help, either, but it will afaics because the hole as defined for the analog hole stands for the condition where DRM'd or watermarked content exists in form A, and it must be converted into a form B that is not exact but acceptable, and there exists a conversion from B back to A. This only leaves taking a photograph of the screen as the possible analog hole (the app had better prevent taking screenshots).)

At a wild guess, this seems related to the electronic money problem, though easier in that anonymity and decentralisation aren't a necessity. And aren't the technical problems of electronic cash largely solved? It would be a bitter irony if the first successful rollout of such a system was to protect the value of MMORPG play-money.

This is about copying items, not money. Copying items does decrease the value of those items as the manufacturer is being undercut, just like those "designer" sunglasses in Times Square cut into the profits of the designer brands, but otherwise it has nothing to do with money.

I was aware that Linden Dollars themselves aren't being duplicated using CopyBot - undermining the value of the things you can trade for with a currency will devalue it just as surely as counterfeiting the currency itself.

But basically you're right and I was wrong, since the CopyBot thing apparently copies the designs of objects - it doesn't let you create something which the system recognises as a pair of Joe's designer sunglasses, as I assumed, but rather something that looks like one to a human.

Still, that suggests that the problem could be fairly self-limiting. If you appear in public with your knock-off goods, humans should be able to notice that it lacks the correct "certificate of authenticity". (And while in the real world you can't walk up to someone and demand to see proof that their sunglasses are genuine, in a 3D game environment it should be possible to silently check on the provenance of anything you can see.) That would leave you vulnerable to social pressure and legal action.

From what I read on this thread, it looks some people on LtU are interested in discussion of (interaction between PLT and) economic behaviors of selfish agents.
The closest field that it reminds of is Algorithmic Mechanism Design (AMD) (an introduction to it). Granted, AMD and its subfield Distributed AMD do not specifically mention PL, but there some problems that are both core to (D)AMD and need domain-specific languages (DSLs) to operate (one or more of the chapters (at least 3rd) of David C. Parkes PhD thesis mentioned very simple DSLs, like XOR language). It may be a nice opportunity for PLT community to see if they can help in this area.

It seems to me that we're talking about access and use control, and are therefore on-topic. Of course, it would be nice to get more specific, and talk about how, e.g. lightweight static capabilities might or might not help, or talk about proof-carrying code baked into language design, or about Nick Szabo's Secure Property Titles with Owner Authority, especially in this context.