
On VMS, I have an applique which can be used to control completely what can be opened by apps you don't trust. It is perfectly capable of ensuring that nothing you haven't authorized is opened behind your back, mainly by telling you before the open proceeds what is being tried and giving you the ability to prevent it. Forcing use of some other disk (or scratch area) instead is of course also possible, selectively. The problem of things like cookies being left around without explicit permission (or other covert actions) would seem to be that there is no basis for assuming that the app is doing any of this as the agent of the person running the app. With EACF I can completely control this sort of thing; native out-of-the-box VMS has some facilities for partial control as well, which can be adequate. In doing so, they step outside the normal paradigm of assuming the "subject" is the user. I would contend that the "subject" should in fact be considered much more complex than user ID. At minimum, use of a tuple containing userid, program being run, location of user, privileges present, time of day, and identifiers ("group memberships") would seem to be needed for serious efforts, so that "subject" has some relation to what actually happens. The ability to treat certain actions as dynamically altering security or integrity levels is important too. Apps that leave files on your system without telling you are doing covert functions; these should be treated with great suspicion. So where are the critics of this? Does leaving such files constitute unauthorized computer use? I would say so. Anyone see the marshals coming to Netscape or Microsoft to haul anyone off to jail? Leaving files around would seem to deserve INFORMED consent. Do we get it? If your OS isn't as secure as VMS, maybe you want to think about this. ;-) Glenn Everhart@gce.com
participants (1)
-
EVERHARTīŧ Arisia.GCE.Com