Initial commit

2 files changed, 712 insertions, 0 deletions

diff --git a/index.html b/index.html
new file mode 100644
index 0000000..dd596dc
--- /dev/null
+++ b/index.html
@@ -0,0 +1,289 @@
+<!doctype html>
+<html lang="en">
+
+<head>
+
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+
+<title>Spectrum, a step towards usable secure computing</title>
+
+<body>
+
+<h1>Spectrum — a step towards <em>usable</em> secure computing</h1>
+
+<p>
+<a href="mailto:hi@alyssa.is">Alyssa Ross</a>, 2018-2019.
+
+<p>
+You may distribute this work under the terms of either
+the <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC-BY-SA</a>
+license (version 4.0 or later), or
+the <a href="https://www.gnu.org/licenses/gfdl.html">GNU Free
+Documentation License</a> (version 1.2 or later), at your option.
+
+<h2>Motivation</h2>
+
+<p>
+Existing attempts to improve on the security of Unix-like operating
+systems for everyday personal use have been hampered by complexity,
+bugs, and security theatre. The concept of isolating applications by
+giving them what appears to be a dedicated computer to run in is a
+solid one, because it allows virtually all existing software to run
+without modification. However, allowing all these isolated computers
+to persist state leads to large maintenance costs — you now
+have <var>n</var> stateful computers to maintain, not one.
+
+<p>
+By minimizing the persistent state these computers are allowed to
+store to a well-defined absolute minimum required by the software
+running inside them, not only do we improve maintainability by
+minimising side effects and even allowing the computers to be
+regenerated without data loss if required, we also massively reduce
+the avenues to persisting malware.
+
+<p>
+Mutable state across the whole system isolated into two locations on
+the host: a global state store, which is broken down by application
+instance, and a global configuration file defining all configuration
+for the host, and the isolated environments for each application
+instance. Aside from these two locations, the host computer should
+prevent persistent state as much as possible. This means that it is
+possible to restore the host computer, along with all the isolated
+application environments, simply by restoring a copy of the global
+state store and configuration file. After an audit of the global
+configuration, a potentially compromised host could be safely restored
+onto a new computer without risk of the new host inheriting the
+infection from the old one, since the only mutable data affecting the
+host is the global configuration file. (Of course, this does not
+prevent the new host from being compromised shortly afterward through
+the same methods.)
+
+<h3>Existing implementations of security by compartmentalization</h3>
+
+<h4>Qubes OS</h4>
+
+<p>
+Qubes OS is a distribution of the Xen hypervisor that isolates IO and
+user applications inside their own dedicated virtual machines. Many
+people interested in secure computing are aware of Qubes, however they
+are often hampered by usability issues:
+
+<ul>
+
+  <li>
+  Hardware compatibility is extremely limited. People often have
+  to buy a new computer just to use Qubes, and even then it can be a
+  struggle to set up.
+
+  <li>
+  People are reluctant to use Xen on their computer for power
+  management etc. reasons.
+
+  <li>
+  VMs are heavy, and there is no isolation between applications in the
+  same domain (VM).
+
+  <li>
+  GUI applications are buggy, command line tools are mostly
+  undocumented.
+
+  <li>
+  Maintaining many different TemplateVMs with persistent state is
+  difficult. (Qubes can use Salt to mitigate this.)
+
+</ul>
+
+<p>
+However, the Qubes developers have created utilities for using
+compartmentalized environments that could be very useful to other
+implementations. For example, Qubes allows clipboard data to be safely
+shared between isolated environments with explicit user action on both
+ends, and Qubes Split GPG allows one environment to perform operations
+using a GPG key stored in another environment, with permission granted
+on a per-operation basis.
+
+<h4>Subgraph OS</h4>
+
+<p>
+Subgraph only provides isolation to the 22 applications they have
+manually containerized. Any other software is still run as normal. We
+consider this a major security issue.
+
+<p>
+The last release of SubgraphOS was an alpha in 2017.
+
+<h2>Implementation</h2>
+
+<p>
+Because of the explosion of interest in compartmentalized computing in
+recent years, there exists a plethora of existing work that can be
+harnessed to implement these concepts.
+
+<h3>Containers</h3>
+
+<p>
+A container is an isolated computing environment created using a
+variety of features of the Linux kernel. A container can
+be <em>almost</em> entirely isolated from the host system, and those
+components that <em>are</em> shared can likely be made inaccessible to
+isolated applications by denying them root access to their isolated
+environments. Unlike virtual machines, containers share a kernel with
+the host operating system, and do not require specially allocated
+resources (although it is still possible to limit resource use by a
+container). This makes containers able to deliver good performance
+with far looser hardware requirements than virtual machines.
+
+<p>
+In the proof of concept implementation, Docker, a popular
+implementation of containers, is used. However, there is probably
+not any tight coupling to Docker-specific features, and so Docker
+could most likely be easily swapped out for another container
+implementation, or even for virtual machines.
+
+<h4>Containers for personal computing</h4>
+
+<p>
+Containers have mostly been designed for isolating headless server
+applications. Additional challenges present themselves when applying
+container-based application isolation to personal computing.
+
+<h5>Graphical User Interfaces</h5>
+
+<p>
+The X11 protocol provides no isolation between applications
+whatsoever. Any application (including one running on a remote server
+using SSH X forwarding) can capture windows of other applications,
+read from them, and even send events to them freely. The solution to
+this problem is to use a separate X server for each container, and
+then forward them over another protocol (such as VNC) to the window
+manager running either on the host or, preferably, in a dedicated
+container of its own. The pre-existing Xpra software provides this
+capability. Doing this inevitably gives rise to yet more problems,
+mostly around performance, although these should be solvable also:
+
+<ul>
+
+  <li>
+  The current implementation of Xpra window forwarding causes
+  noticeable lag in high frame rate operations such as video playback
+  or gradual window resizing. This implementation uses a Unix socket
+  inside a tmpfs on the host, which is then mounted into the
+  container. However, Xpra also supports communicating over mapped
+  memory, and this should be significantly faster.
+
+  <li>
+  An Xpra server (of which there must be one for every isolated
+  application instance) takes most of a minute to start. This
+  means that the delay before a window appears is extremely long
+  compared to traditional personal computing systems. One promising
+  solution to this takes advantage of the fact that Xpra servers do
+  not require any application specific configuration (at least for
+  most applications), and so while each application instance requires
+  its own Xpra server, the server does not need to have been created
+  specifically for this application. This allows us to create several
+  Xpra servers ahead of time (in containers of themselves), and then
+  assign them to application instances on demand, starting the process
+  of generating the next Xpra server in the background.
+
+</ul>
+
+<p>
+Given the fundamental shortcomings in X, it might seem obvious to use
+Wayland instead. Unlike X, Wayland was designed with security and
+isolation between applications in mind. However, existing Wayland
+implementations have no way of controlling isolation between
+applications. A single Wayland compositor could provide e.g. clipboard
+isolation in a similar way to Qubes or Xpra, but this doesn't exist
+yet. Writing a Wayland compositor is not a simple task, even with a
+library like wlroots that does a lot of heavy lifting, and it would
+also couple a user to a single window manager or desktop
+environment. While Wayland is extremely usable for general-purpose
+desktop computing at this point, until a solution for these issues is
+reached, Wayland is not suitable for a compartmentalized operating
+system.
+
+<h3>NixOS</h3>
+
+<p>
+The proof of concept implementation is built on top of NixOS Linux, an
+operating system which is itself built on Nix, a purely functional
+package manager. Nix provides pure packages (meaning packages will be
+built from identical inputs each time — their outputs will not
+necessarily be byte-identical). NixOS makes it possible to define an
+entire GNU/Linux system in this manner.
+
+<p>
+However, NixOS does not attempt to completely eliminate undeclared
+state — it even allows for imperative package installation, which
+makes a Nix package that has not been defined in the global
+configuration available in the current environment. Responsibility for
+eliminating this sort of mutable state lies with the Spectrum
+implementation.
+
+<p>
+The nixpkgs repository provides functions for generating Docker
+containers from Nix expressions, using existing Nix package
+definitions. These containers are not full NixOS installations — in
+fact, they don't even have Nix or coreutils installed by default. This
+ensures only the minimum software required for the isolated
+application to run is available, reducing attack surface.
+
+<p>
+NixOS provides its own container implementation, based on
+systemd-nspawn however this is not suitable for security by
+compartmentalization. Firstly, it is designed to contain full
+installations of NixOS, rather than single applications. Further, it
+has apparently proven to be unreliable and suffer breakages, and its
+focus is not on providing truly isolated computing environments. By
+contrast, other container implementations (such as, but not
+exclusively, Docker), have reached a point of relative stability, and
+had extensive resources put into making them as isolated as possible
+from the host system.
+
+<h2>Current status</h2>
+
+<p>
+Getting Spectrum to the point it needs to be for other people to be
+able to use it is a large undertaking, that requires my full
+attention. To this end, I am currently actively seeking funding to
+work on Spectrum full time. Once this is completed, I can begin work
+on Spectrum in earnest. Source code repositories and discussion
+channels will be made available immediately, and I will publish
+regular status updates. As soon as funding is sorted out (and I am
+confident it will be), I want it to be as clear as possible that
+Spectrum is not vapourware, and that progress is rapidly being made.
+
+<h2>Changelog</h2>
+
+<h3><time>2019-07-06</time></h3>
+
+<p>
+Add current status section.
+
+<h3><time>2019-05-01</time></h3>
+
+<p>
+Fix typo: "thins" → "this".
+
+<h3><time>2019-03-31</time></h3>
+
+<ul>
+
+  <li>
+  Explain why Wayland isn't (yet) the answer
+
+  <li>
+  Project name updated
+
+  <li>
+  Converted to HTML
+
+  <li>
+  Removed explicit GPLv3 license, because CC-BY-SA 4.0 is
+  GPLv3-compatible
+
+  <li>
+  Minor copy editing
+
+</ul>
diff --git a/nlnet-pet-2019-03.html b/nlnet-pet-2019-03.html
new file mode 100644
index 0000000..0bf02fc
--- /dev/null
+++ b/nlnet-pet-2019-03.html
@@ -0,0 +1,423 @@
+<!doctype html>
+<html lang="en">
+<head>
+
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+
+<title>Spectrum NGI Privacy grant application</title>
+
+<body>
+
+<h1>NGI Privacy grant application</h1>
+
+<h2>Preface</h2>
+
+<p>
+This is an HTML version of the application I made
+to <a href="https://nlnet.nl/">NLNet</a> for
+a <a href="https://nlnet.nl/PET/"><abbr title="Next Generation
+Internet">NGI Zero Privacy and Trust Enhancing Technologies</abbr></a>
+grant.
+
+<p>
+I would like to
+thank <a href="https://mastodon.social/@rysiek">rysiek</a> for telling
+me about the grant and encouraging me to apply,
+and <a href="https://spacekookie.de">Katharina Fey</a> for her help in
+writing the application.
+
+<h2>General project information</h2>
+
+<h3>Project name</h3>
+
+<p>
+Spectrum
+
+<h3>Website / wiki</h3>
+
+<p>
+<a href="https://spectrum-os.org">https://spectrum-os.org</a>
+
+<h3>Abstract</h3>
+
+<blockquote>
+  
+  <p>
+  Can you explain the <strong>whole project</strong> and its expected
+  outcome(s).
+  
+</blockquote>
+
+<p>
+Security through compartmentalization has emerged as the solution to
+the problem that desktop computer users by and large don't have access
+to meaningful security on their systems.
+
+<p>
+The Spectrum system will improve significantly on many problems
+affecting existing compartmentalized desktop OSes. For greater
+hardware compatibility, the base system will run on the Linux kernel
+rather than a server-oriented hypervisor, and there will be multiple
+backends for isolated systems, from containers to virtual
+machines. User data and application state will be managed centrally,
+while remaining isolated, meaning that it can be backed up and managed
+as a whole, rather than mixed up in several dozen VMs. The host system
+and isolated environments will all be managed declaratively and
+reproducibly, saving the user the burden of maintaining many different
+virtual computers, allowing finer-grained resource access controls and
+making it possible to verify the software running across all
+environments.
+
+<p>
+The requested funding should get Spectrum to the point of being a
+usable system that realises these benefits. I am an EU citizen, and
+project infrastructure and evangelism would be primarily Europe-based.
+
+<h3><q>Have you been involved with projects or organisations relevant
+  to this project before? And if so, can you tell us a bit about your
+  contributions?</q></h3>
+
+<p>
+For reasons expanded on in the comparison with existing efforts, being
+built on top of the Nixpkgs package repository is important to the
+success of the project. I am a Nixpkgs committer, and have worked with
+packaging, isolation, and configuration management as part of my work
+with Nixpkgs. Recently, I helped design and implement a system to
+create reproducible container images in Nixpkgs. I envisage that as
+part of my work on Spectrum I will upstream a lot into Nixpkgs,
+benefiting the wider ecosystem beyond this project.
+
+<p>
+I have used QubesOS, the main existing effort in this space, as my
+primary desktop operating system, and I have followed the research
+done by the QubesOS team. This interest, over a period of years, has
+given me a strong understanding of the intricacies of security through
+compartmentalization, and the problems with existing implementations.
+
+<h2>Requested support</h2>
+
+<h3>Requested <strong>amount</strong></h3>
+
+<p>
+€49200
+
+<h3><q>Explain what the requested budget will be used for?</q></h3>
+
+<blockquote>
+
+  <p>
+  Does the project have other funding sources, both past and present?
+
+  <p>
+  Explain costs for hardware, human labor, travel cost to technical
+  meetings, etc.
+
+</blockquote>
+
+<p>
+I expect to use the requested budget something like this. The funding
+should cover one year of development, maintenance, distribution, and
+promotion of the project.
+
+<ul>
+
+  <li>
+  €2000 test and build hardware as required
+
+  <li>
+  €200 for infrastructure (domain names, hosting)
+
+  <li>
+  €2000 for travel for conferences, workshops, etc
+
+  <li>
+  €45000 to fund my full-time development efforts for a year
+
+</ul>
+
+<p>
+I plan to purchase build hardware rather than renting build servers to
+protect against the threat of compromise by a malicious host. This is
+the same strategy that Qubes takes. Bit-for-bit reproducible builds
+would mitigate this attack vector, but the system is unlikely to be
+entirely bit-for-bit reproducible, at least initially, because each
+package would have to be checked for reproducibility, and development
+effort would have to be put into making the non-reproducible packages
+reproducible. This is valuable work, but not required for an initial
+release. There is ongoing effort to make nixpkgs bit-for-bit
+reproducible.
+
+<h3><q><strong>Compare</strong> your own project with existing or
+  historical efforts</q></h3>
+
+<blockquote>
+
+  <p>
+  (e.g. what is new, more thorough or otherwise different)
+    
+</blockquote>
+
+<p>
+The current standard-bearer for this approach to security is
+QubesOS. QubesOS runs Linux and Windows virtual machines on the Xen
+hypervisor, and composites them all together into a single desktop
+environment, with utility programs that allow users to manage their
+complete system and control the interactions between VMs. While Qubes
+has been largely successful in creating a usable system around
+security by compartmentalization, its fundamental technology choices
+leave a lot of room for a new approach. These choices are very deeply
+embedded into Qubes, and it would be next to impossible to build a
+system with the benefits I propose here on top of Qubes.
+
+<p>
+The areas in which I propose to improve over QubesOS are:
+
+<h4>Installation</h4>
+
+<p>
+Qubes is notoriously annoying to install, even on well-supported
+hardware. The installer gives very little useful debugging
+information, and once Qubes has been installed, no information is
+recorded that would help to reinstall it.
+
+<p>
+The installation process of NixOS, upon which Spectrum is based, is
+currently a somewhat manual process — a user must partition their
+disk themselves, then run some shell commands to generate a system
+configuration and install the operating system. It is, however, much
+more reliable than Qubes', and the effort required to make this even
+easier (e.g. by including a partitioning wizard as part of the
+installation process, or providing a graphical tool) would be much
+less than attempting to improve the black box that is Qubes'
+installation process. This is something of general interest to the
+NixOS project, and so it may be that it doesn't have to be developed
+as part of Spectrum. Alternatively, if it was developed for Spectrum,
+it could be upstreamed and benefit the NixOS project as a whole.
+
+<h4>Maintenance</h4>
+
+<p>
+Because a lot of activity on a Qubes system happens inside multiple
+long-lived virtual machines, a Qubes system requires the maintenance
+effort of many computer systems that must all be kept up to date,
+configured, and debugged. Qubes provides some utilities to mitigate
+this effort, such as TemplateVMs and a system-wide backup utility, but
+it still requires a lot of effort to be kept functioning.
+
+<p>
+One of the worst things about maintaining a Qubes system (or indeed
+almost any Unix system, but Qubes is particularly affected due to
+effectively being many Unix systems in one) is that, due to a system
+update or a configuration change, something that had previously been
+configured by the user to work correctly is now broken, and there's no
+way to tell why that is. There's no way to figure out what changed, so
+the user is left forced to restore a working backup (if they have
+one!) and try again. Once a machine has been configured, that
+configuration cannot be reproduced automatically on a reinstall or on
+another computer. It very quickly becomes a black box that is
+difficult to ever modify for fear of breaking it, because breakages
+are catastrophically difficult to recover from. It is extremely
+difficult for OS developers to debug why a user's system isn't
+working, because they have no way to see the whole configuration of
+the system, or why things are configured the way they are — did the
+user choose this? Was it changed automatically by a program? Is it
+just an old default that an operating system upgrade neglected to
+change?
+
+Qubes attempts to solve this problem through Salt, but this is really
+papering over the cracks, because Salt is not fully reproducible. Two
+computers configured using the same Salt configuration can still end
+up being different, if resources such as system packages hosted on the
+internet have changed. Additionally, there's nothing to prevent a
+Salt-configured system being modified outside of Salt, either by a
+user or, worse, by a program on behalf of the user (possibly without
+the user realising).
+
+<h4>Hardware compatibility</h4>
+
+<p>
+Qubes is a distribution of the Xen hypervisor, and as such the Qubes
+system is very tightly coupled to Xen. Xen is designed primarily for
+use of servers, rather than laptops, and therefore compatibility with
+personal computers, especially laptops, is very limited.
+
+<p>
+The aspect of Spectrum most likely to be a subject of heavy discussion
+is that, unlike Qubes, it offers support for container-based isolation
+as well as VMs. While container-based isolation is likely to be
+somewhat easier for an attacker to exploit due to the shared kernel,
+container-based isolation is still valuable for the vast majority of
+personal computers whose only other option is no
+virtualization. Containers are very widely used, and any discovery of
+a vulnerability in a container system is likely to have a huge impact
+on industry and be fixed extremely quickly. A large portion of
+Spectrum users are likely to be people who are uncomfortable that any
+application they run can freely access all of their files, but for
+whom container system zero days are not a part of the threat
+model. Container-based isolation is very well suited to a user of this
+kind who is unwilling or unable to acquire expensive hardware to be
+able to run Qubes.
+
+<h4>Isolation boundaries</h4>
+
+<p>
+The Qubes model encourages the user to create one isolated environment
+for every identity or task they wish to accomplish. There might be a
+"Work" environment and a "Finance" environment. This is a step in the
+right direction, but in most cases it still gives software far more
+access than is necessary for it to be able to do its job, putting more
+data than necessary at risk in the event of any application being
+compromised. There is no reason that a word processor in the "Work"
+environment should be able to access the user's work mail, but Qubes
+lacks the fine-grained permissions to be able to describe
+this. Instead, the user must create two virtual machines, one for work
+document editing, and one for work mail. To work on a word processing
+document received via mail, the user must copy it to their document
+editing virtual machine. The user who rightly tries to apply the
+principle of least access to the applications they use is left with an
+enormous list of environments for each application in each context, to
+the point that there are so many environments that they are
+unmanageable. Since data is stored per-environment, it becomes
+virtually impossible to keep track of which environment has the
+up-to-date version of the file one is looking for.
+
+<p>
+In Spectrum, data is stored in a single directory hierarchy, so there
+is a single source of truth, rather than data being scattered across
+virtual machines. A user defines isolated environments for a single
+application<a href="#def-application">*</a> at a time, so
+there is no reason for an application to end up with far more access
+than it needs. At the same time, it's not enough to be able to say
+"LibreOffice should be able to access my work documents", because then
+a malicious document that is available to the "Personal" workspace but
+isolated from the "Work" workspace would be able to use the instance
+of LibreOffice it's running in to be able to cross the security
+boundary. Instead, Spectrum configuration is based around "instances"
+of applications. There can be a "Work" instance of LibreOffice and a
+"Personal" instance of LibreOffice. Both of those can have separate
+state and have different data available, and neither of them are able
+to access the user's mail.
+
+<p id="def-application">
+* an application in this sense is not necessarily a single
+program. For graphical applications, this is likely to be the case,
+but, for example, a terminal emulator is only useful if it has
+programs available for the user to run. It would be more technically
+correct to say that environments are configured for Nix expressions,
+but "application" is easier to understand, and in most cases the user
+shouldn't need to be aware of the distinction.
+
+<h4>Trusted computing base</h4>
+
+<p>
+One area in which Qubes is superior to Spectrum is in the size of its
+trusted computing base — the software that must be assumed to be
+secure for the whole system to be secure. Qubes focuses heavily in
+using as small a TCB as possible. This gives a potential attacker
+fewer entry points in which they could find a vulnerability. Spectrum,
+on the other hand, chooses a larger TCB for better hardware support
+and ease of development, giving many more people the opportunity to
+use a compartmentalized operating system.
+
+<hr>
+
+<p>
+Aside from Qubes, the only other attempt of which I am aware to create
+a compartmentalized desktop operating system is SubgraphOS, a
+container-based system. The developers of the system manually create
+containers for common desktop applications (around 20). However, there
+are significant flaws with the Subgraph approach. It has no support
+for multiple security domains or identities, and it provides no
+additional security when using any application other than the 20 or so
+which have been chosen to be manually containerized. I don't believe
+that any approach which requires manual containerization can ever
+succeed, because the security model falls apart as soon as the user
+needs to use any slightly uncommon software. Finally, SubgraphOS has
+not seen a release since an alpha version in 2017, so I don't consider
+it to be a serious contender for a secure desktop operating system.
+
+<h3><q>What are significant technical challenges you expect to solve
+  during the project, if any?</q></h3>
+
+<p>
+The major challenge in developing the system is creating an
+understandable solution for configuring a Spectrum system. The model
+is more complex than creating virtual machines, because there are more
+concepts to understand — applications, application instances, and
+state, and hardware devices. Even coming up with and implementing an
+easy-to-use text-based configuration system for this is likely to be a
+challenging task, and I would like there to be some sort of graphical
+system as well so that the majority of users could configure the
+system for their needs without having to learn Nix. Making these
+concepts understandable and usable is by no means out of reach, but it
+will require a novel approach.
+
+<p>
+At a lower level, to provide support for multiple isolation backends
+(VMs, container runtimes, etc.), a Nix-based abstraction layer must be
+developed. Which isolation system is in use should be completely
+transparent to the configuration, so that it can be changed without
+requiring a whole system to be reconfigured.
+
+<p>
+While these challenges are significant, I think the rest of the core
+functionality will be reasonably straightforward to implement. A lot
+of features required for a compartmentalized system — for example
+displaying windows from many isolated systems on a single desktop with
+unspoofable window decorations identifying which isolated system they
+are running in — are solved problems now, and there are preexisting
+solutions that can be easily integrated into a new system. When Qubes
+was developed, this was not the case. Therefore, a year should be
+ample time to integrate these existing solutions, and solve the new
+problems identified above.
+
+<h3><q>Describe the ecosystem of the project, and how you will engage
+  with relevant actors and promote the outcomes?</q></h3>
+
+<blockquote>
+
+  <p>
+  E.g. which actors will you involve? Who should run or deploy your
+  solution to make it a success?
+
+</blockquote>
+
+<p>
+I expect to work closely with the Nixpkgs project, with which I am
+already heavily involved, to promote as much work that comes out of
+Spectrum as possible and to allow all users of Nix to share in some of
+its benefits, without having to use a different system. There is a
+sizable community around Nix already, and so it presents a good
+opportunity to make people aware of Spectrum, and invite interested
+people to get involved in using or developing the system early on.
+
+<p>
+The other obvious project to engage with is Qubes. I expect this to be
+more challenging, because the forums for general discussion of secure
+desktop operating systems, such as the secure-desktop mailing list
+started by the Qubes project, no longer appear to be active. I think
+that there is a lot of potential for collaboration between the
+projects, though, especially with regards to discussion about security
+considerations that are shared between the two systems. I plan to try
+to engage with Qubes developers and users through project discussion
+channels, and also through discussions at conferences and similar
+events.
+
+<p>
+Finally, what Spectrum ultimately needs to succeed is users. The
+people who are likely to use a system like Spectrum in its infancy are
+people who already know about security through compartmentalization,
+and already know about Qubes. I will reach these people by publishing
+regular writings about Spectrum, its development progress, and its
+advantages, and sharing this work online where people with these
+interests are likely to see it. I will give talks about Spectrum at
+relevant conferences. Longer term, I expect a userbase from this core
+audience will spread awareness of the system, to the point where it
+will be mentioned in any discussion of secure desktop operating
+systems. This will make it easy to find for anybody who realises that
+they need a secure desktop OS. The next thing to do is spread
+awareness of secure desktop operating systems to the general public,
+but I consider that to be beyond the scope of this proposal — before
+we can spread awareness of secure desktop computing, we must first
+ensure that the tools are available to actually do it.