My question to Apple, Microsoft, and the Linux kernel maintainers is this: Why is this even possible? Why is it possible for a running application to read information stored by so many other applications which are not related to the program in question?
Why is isolation between applications not in place by default? Backwards compatibility is not more important than this. Operating systems are supposed to get in the way of things like this and help us run our programs securely. Operating systems are not supposed to freely allow this to happen without user intervention which explicitly allows this to happen.
Why are we even remotely happy with our current operating systems when things like this, and ransomware, are possible by default?
>Why is it possible for a running application to read information stored by so many other applications which are not related to the program in question?
This question has been answered a million times, and thousands of times on HN alone.
Because in a desktop operating system the vast majority of people using their computer want to open files, they do that so applications can share information.
>Why is isolation between applications not in place by default?
This is mostly how phones work. The thing is the phone OS makes for a sucky platform for getting things done.
> Operating systems are supposed to get in the way
Operating systems that get in the way get one of two things. All their security settings disabled by the user (See Windows Vista) or not used by users.
Security and usage are at odds with each other. You have locks on your house right? Do you have locks on each of your cabinets? Your refrigerator? Your sock drawer?
Again, phones are one of the non-legacy places where there is far more security and files are kept in applications for the most part, bug they make terrible development platforms.
Are you suggesting that it's impossible to have a system that is secure by default and be usable by normal people? Because I'm saying that's very possible and I'm starting to get angry that it hasn't happened.
Plan 9 did this and that kernel is 50k lines of code. and I can bind any part of any attached filesystem I want into a location that any running application has access to, so if any program only has access to a single folder of its own by default, I can still access files from other applications, but I have to opt into that by making those files available via mounting them into the folder of the application I want to be able to access them.
I am not saying that Plan9 is usable by normal people, but I am saying that it's possible to have a system which is secure, usable, not a phone, and easy to develop on (as everything a developer needs can be set up easily by that developer.)
>as everything a developer needs can be set up easily by that developer.
So yea, developers are the worst when it comes to security. You put up a few walls and the next thing you know the developer is settings access to ., I know, I make a living cleaning up their messes.
I mean, people leave their cars unlocked and their keys in them FFS. Thinking we're going to suddenly teach more than a handful of security experts operating system security abstractions just has not been what has been occurring. Our lazy monkey brains reach for the easy button first unless someone is pointing a gun at us.
yes, I know, but that doesn't render the entire idea moot. I'm a developer, but I have knowledge of infosec, and I don't do those things. but because some developers do, it shouldn't be done? what kind of logic is that?
everyone who is NOT a developer is now protected by the operating system in a situation like this, and developers that are not, are unprotected by their own hand, instead of being unprotected via the decision of an OS vendor.
By the way, the entire "not protected" situation that you claim developers would put themselves in, is the exact situation that everyone is in today, with very little choice to opt out of that situation.
I want people to opt in to the insecure situation, and opt out of the secure situation, not the reverse, which is the case today. Ransomware can encrypt an entire disk because the OS has no notion that full disk access is bad, or that self-escalation to privileged access should not be granted automatically. MacOS kinda does these things, but not to the point I want to see them done. Not at all.
an OS that isolates everything renders containers completely moot. everything a container does should be provided by default by the operating system, and operating systems that don't provide this should be considered too immature to be useful in any production setting, either by business or by consumers. isolation by default should be table stakes for any OS to even come up for consideration by anyone for any reason.
And you're saying that this shouldn't happen because some developers who don't understand security will make their system look just like wide-open systems today? Come on.
>And you're saying that this shouldn't happen because
You have a strange reversal of causality here.
I'm not saying what should or shouldn't happen.
I am describing what has or has not happened.
I am saying that 'insecure' operating systems dominate the market and can be found everywhere.
I need you to explain to me why secure operating systems are somehow going to get users to move from what they are on to your magical platform?
There is no security police that is writing this secure operating system you're talking about, no one to point guns at them and make people use it. No long line of volunteers open sourcing code to make this secure operating system either.
You're describing an OUGHT, I'm describing an IS.
> You have a strange reversal of causality here.
I do? You're apparently saying that this shouldn't happen because some people will undermine it. Yes, some people will undermine it. Why would you mention that if not to counter my point that security should be the default? Are you now claiming that it's an unrelated fact?
me: Operating systems should be secure, and I'm mad that they're not.
you: people are going to turn that security off
me: so what? it's still more secure than the state of things today
you: hey, i'm just stating a fact, all of the burden is on you, not me. you're wishing and i'm saying facts, which is why you're wrong and i'm right in all things, past, present, and future. things are the way they are and nothing can ever change them because the people who want change can't describe the entire exact path the change will take before making the first step.
me: you are not arguing with logic, therefore i am done talking to you.
You have to balance security with utility, so you find obviously safe compromises. You shouldn't allow applications to share completely different file formats. Your text editor doesn't need to be able to open an mp3 file. Even when it's convenient for an application to open a file, as long as it can't execute the file it can't do too much damage. Be sure to consider that interpreting complex file formats is dangerous, since parsers can and are exploited regularly. So be careful about trusting anything but dead-simple text files.
Oh, and by the way, now we'd like to make all written text treated as executable instructions by a tool that needs access to pretty much everything in order to perform its function.
> Even when it's convenient for an application to open a file, as long as it can't execute the file it can't do too much damage.
Ransomware and `rm` would like to argue with you. lots of damage can be done to a file without the ability to execute that file.
There is no reason that a system can't be created which has it all. That's the beauty of software, you can create your own reality. The solution just needs to be found, and it will never be found by looking for ways to adapt our current operating systems. This needs to be something new, and it needs to look unlike what operating systems look like today. That doesn't mean it can't exist, it just means that it hasn't been invented, yet.
In Plan 9, everything is exposed as files and every process gets its own namespace. The namespace thing is important, because you can easily launch a new window, configure its namespace to remove or add arbitrary filesystem paths from or to it, lock that namespace to prevent changes, then launch programs which inherit that namespace. Those programs can then only see what you gave them permission to see. So you can completely control what parts of the hardware and filesystem that the namespace can see and use.
The only thing it lacks is per-namespace memory isolation; it currently only has per-user memory isolation, so programs running as me can read the RAM of other programs running as me if I don't opt out of that.
Something like this could be made a little more user friendly and we'd have a secure-by-default operating system. It could even run existing programs if we wanted it to do that.
But in this case, isn't the whole pitch that the agent has access to all your data (and the network!) so it can fluidly perform any task you ask of it?
Either the agent needs to be a superuser, with all the attendant risks... or you go the Windows Vista route and constantly prompt users to approve every single access need, which we've all seen how that turns out.
MacOS has some isolation by default nowadays, but in practice when the box pops up asking if you want to let VibecodedBullshit.app access Documents or whatever, everyone just reflexively hits 'yes'.
>Operating systems are supposed to get in the way of things like this
debbie from accounting will say "darn thing wont let me do my job", and get frustrated from all of the prompts and approvals she doesnt understand. she is just going to click yes on every single prompt, not reading it. no meaningful security increase occurs.
debbies boss is going to get annoyed that debbies productivity has fallen 15% because she doesnt understand what her computer is asking for and she is having to stop what she is doing to hit some stupid prompt every 10 minutes. no meaningful security increase occurs.
tier 1 tech support will quit their jobs because now they arent just resetting hundreds of passwords each day, they have to listen to people yelling at them about their computer prompting for permissions every 10 minutes. "just hit yes whenever it shows up", they say. no meaningful security increase occurs.
neckbeard mcneckbeard on HN will screech "mIcRoSlOp thinks they know how to secure my computer better than me!! screeeeeee walled garden screeeeeeeeee if i bought it i should be able to do anything to it". mr. mcneckbeard is very vocal and causing all sorts of bad publicity. they hack some workarounds or change the settings so that they dont get prompted every 10 minutes. no meaningful security increase occurs. (side note: i ~mostly~ agree with mr mcneckbeard)
if security is not convenient, people will work around it, and you'll end up with even worse security because everything will be done in the shadows.
security an extreme balancing act. if the friction is too high, it will end up lowering security, not increasing it.
>Backwards compatibility is not more important than this
in more situations than you probably think, backwards compatibility is literally the most important thing.