Cookies etc...

EVERHART at Arisia.GCE.Com
Thu Jul 18 22:15:13 PDT 1996


On VMS, I have an applique which can be used to control completely what
can be opened by apps you don't trust. It is perfectly capable of
ensuring that nothing you haven't authorized is opened behind your back,
mainly by telling you before the open proceeds what is being tried and
giving you the ability to prevent it. Forcing use of some other disk
(or scratch area) instead is of course also possible, selectively.

The problem of things like cookies being left around without explicit
permission (or other covert actions) would seem to be that there is no
basis for assuming that the app is doing any of this as the agent of
the person running the app. With EACF I can completely control this
sort of thing; native out-of-the-box VMS has some facilities for partial
control as well, which can be adequate. In doing so, they step outside
the normal paradigm of assuming the "subject" is the user.

I would contend that the "subject" should in fact be considered much more
complex than user ID. At minimum, use of a tuple containing userid,
program being run, location of user, privileges present, time of day,
and identifiers ("group memberships") would seem to be needed for 
serious efforts, so that "subject" has some relation to what actually
happens. The ability to treat certain actions as dynamically altering
security or integrity levels is important too.
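The two preceding paragraphs describe an open-time mediator and a richer "subject" than a bare user ID. The following is an added example, not EACF or any VMS facility: a small first-match policy check that, before an open proceeds, decides whether a program may touch a path given the subject tuple the post lists (user, program, location, privileges, hour of day, group identifiers). Unmatched requests are reported to the user rather than silently allowed, and one rule shows forcing the open onto a scratch area instead. Program names, paths and the policy itself are constructed for illustration; the paths are POSIX-style rather than VMS-style only to keep the glob matching simple.

```python
"""Mediating file opens on a richer notion of 'subject' (added example)."""
from dataclasses import dataclass, replace
from enum import Enum
from fnmatch import fnmatchcase
from posixpath import basename, join
from typing import FrozenSet, Optional, Sequence, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REDIRECT = "redirect"  # force the open onto a scratch area instead
    ASK = "ask"            # show the user what is being tried, let them decide


@dataclass(frozen=True)
class Subject:
    user: str
    program: str                  # image that issued the open
    location: str                 # e.g. "console" or "remote"
    privileges: FrozenSet[str]
    hour: int                     # hour of day, 0-23
    groups: FrozenSet[str]        # identifiers / group memberships


@dataclass(frozen=True)
class Rule:
    path_glob: str                                 # paths this rule governs
    decision: Decision
    user: Optional[str] = None                     # None means "any"
    program: Optional[str] = None
    locations: Optional[FrozenSet[str]] = None
    required_privs: FrozenSet[str] = frozenset()   # subject must hold all
    hours: Optional[range] = None                  # hours of day the rule applies
    groups: Optional[FrozenSet[str]] = None        # subject needs at least one
    redirect_to: Optional[str] = None              # scratch dir for REDIRECT

    def matches(self, s: Subject, path: str) -> bool:
        return (fnmatchcase(path, self.path_glob)
                and (self.user is None or self.user == s.user)
                and (self.program is None or self.program == s.program)
                and (self.locations is None or s.location in self.locations)
                and self.required_privs <= s.privileges
                and (self.hours is None or s.hour in self.hours)
                and (self.groups is None or bool(self.groups & s.groups)))


def decide(rules: Sequence[Rule], s: Subject, path: str) -> Tuple[Decision, str]:
    """First matching rule wins; return the decision and the path actually used."""
    for r in rules:
        if r.matches(s, path):
            if r.decision is Decision.REDIRECT:
                return Decision.REDIRECT, join(r.redirect_to, basename(path))
            return r.decision, path
    return Decision.ASK, path   # nothing authorized this: tell the user first


# Constructed policy; program names and paths are hypothetical.
POLICY = [
    # The browser may write into its download area without asking.
    Rule("/home/glenn/downloads/*", Decision.ALLOW, program="webbrowser"),
    # Cookie-style state it tries to leave as dotfiles goes to a scratch area.
    Rule("/home/glenn/.*", Decision.REDIRECT, program="webbrowser",
         redirect_to="/scratch/webbrowser"),
    # Remote sessions never touch system configuration, whoever they are.
    Rule("/etc/*", Decision.DENY, locations=frozenset({"remote"})),
    # Payroll data: group member, at the console, during working hours.
    Rule("/srv/payroll/*", Decision.ALLOW, locations=frozenset({"console"}),
         hours=range(8, 18), groups=frozenset({"payroll"})),
]

# Constructed subjects: same user id, very different "subject" tuples.
BROWSER = Subject("glenn", "webbrowser", "console", frozenset(), 14, frozenset({"staff"}))
REMOTE_SHELL = Subject("glenn", "shell", "remote", frozenset({"sysprv"}), 14, frozenset({"staff"}))
CLERK = Subject("alice", "payapp", "console", frozenset(), 10, frozenset({"payroll"}))
LATE_CLERK = replace(CLERK, hour=22)


def demo() -> None:
    requests = [
        (BROWSER, "/home/glenn/.cookies"),
        (BROWSER, "/home/glenn/downloads/setup.zip"),
        (BROWSER, "/home/glenn/mail/inbox"),
        (REMOTE_SHELL, "/etc/passwd"),
        (CLERK, "/srv/payroll/ledger"),
        (LATE_CLERK, "/srv/payroll/ledger"),
    ]
    for subj, path in requests:
        d, used = decide(POLICY, subj, path)
        print(f"{subj.user}/{subj.program:<10} {path:<30} -> {d.value:<8} {used}")


if __name__ == "__main__":
    demo()
```

The point of the tuple shows in the last four requests: the same user ID "glenn" is denied from a remote shell but served at the console, and the same clerk gets a different answer at 22:00 than at 10:00, because the program, location and hour are part of what the policy matches on rather than only the account name.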

Apps that leave files on your system without telling you are doing covert
functions; these should be treated with great suspicion.

So where are the critics of this? Does leaving such files constitute
unauthorized computer use? I would say so. Anyone see the marshals
coming to Netscape or Microsoft to haul anyone off to jail? Leaving
files around would seem to deserve INFORMED consent. Do we get it?

If your OS isn't as secure as VMS, maybe you want to think about this. ;-)

Glenn
Everhart at gce.com

More information about the cypherpunks-legacy mailing list