Comment by naikrovek

21 days ago

My question to Apple, Microsoft, and the Linux kernel maintainers is this: Why is this even possible? Why is it possible for a running application to read information stored by so many other applications which are not related to the program in question?

Why is isolation between applications not in place by default? Backwards compatibility is not more important than this. Operating systems are supposed to get in the way of things like this and help us run our programs securely. Operating systems are not supposed to freely allow this to happen without user intervention which explicitly allows this to happen.

Why are we even remotely happy with our current operating systems when things like this, and ransomware, are possible by default?

>Why is it possible for a running application to read information stored by so many other applications which are not related to the program in question?

This question has been answered a million times, and thousands of times on HN alone.

Because in a desktop operating system the vast majority of people using their computer want to open files; they do that so applications can share information.

>Why is isolation between applications not in place by default?

This is mostly how phones work. The thing is the phone OS makes for a sucky platform for getting things done.

> Operating systems are supposed to get in the way

Operating systems that get in the way get one of two things. All their security settings disabled by the user (See Windows Vista) or not used by users.

Security and usage are at odds with each other. You have locks on your house, right? Do you have locks on each of your cabinets? Your refrigerator? Your sock drawer?

Again, phones are one of the non-legacy places where there is far more security and files are kept in applications for the most part, but they make terrible development platforms.

  • Are you suggesting that it's impossible to have a system that is secure by default and be usable by normal people? Because I'm saying that's very possible and I'm starting to get angry that it hasn't happened.

    Plan 9 did this, and that kernel is 50k lines of code, and I can bind any part of any attached filesystem I want into a location that any running application has access to. So if any program only has access to a single folder of its own by default, I can still access files from other applications, but I have to opt into that by making those files available via mounting them into the folder of the application I want to be able to access them.

    I am not saying that Plan9 is usable by normal people, but I am saying that it's possible to have a system which is secure, usable, not a phone, and easy to develop on (as everything a developer needs can be set up easily by that developer.)

    • >as everything a developer needs can be set up easily by that developer.

      So yea, developers are the worst when it comes to security. You put up a few walls and the next thing you know the developer is setting access to ., I know, I make a living cleaning up their messes.

      I mean, people leave their cars unlocked and their keys in them FFS. Thinking we're going to suddenly teach more than a handful of security experts operating system security abstractions just has not been what has been occurring. Our lazy monkey brains reach for the easy button first unless someone is pointing a gun at us.

You have to balance security with utility, so you find obviously safe compromises. You shouldn't allow applications to share completely different file formats. Your text editor doesn't need to be able to open an mp3 file. Even when it's convenient for an application to open a file, as long as it can't execute the file it can't do too much damage. Be sure to consider that interpreting complex file formats is dangerous, since parsers can and are exploited regularly. So be careful about trusting anything but dead-simple text files.

Oh, and by the way, now we'd like to make all written text treated as executable instructions by a tool that needs access to pretty much everything in order to perform its function.

  • > Even when it's convenient for an application to open a file, as long as it can't execute the file it can't do too much damage.

    Ransomware and `rm` would like to argue with you. Lots of damage can be done to a file without the ability to execute that file.

    There is no reason that a system can't be created which has it all. That's the beauty of software, you can create your own reality. The solution just needs to be found, and it will never be found by looking for ways to adapt our current operating systems. This needs to be something new, and it needs to look unlike what operating systems look like today. That doesn't mean it can't exist, it just means that it hasn't been invented, yet.

    In Plan 9, everything is exposed as files and every process gets its own namespace. The namespace thing is important, because you can easily launch a new window, configure its namespace to remove or add arbitrary filesystem paths from or to it, lock that namespace to prevent changes, then launch programs which inherit that namespace. Those programs can then only see what you gave them permission to see. So you can completely control what parts of the hardware and filesystem that the namespace can see and use.

    The only thing it lacks is per-namespace memory isolation; it currently only has per-user memory isolation, so programs running as me can read the RAM of other programs running as me if I don't opt out of that.

    Something like this could be made a little more user friendly and we'd have a secure-by-default operating system. It could even run existing programs if we wanted it to do that.
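The namespace procedure this comment describes (fork a namespace, remove and add paths, lock it, launch programs that inherit it), written out as an added Plan 9 rc script that is not from the thread. It assumes the user is glenda and that the environment variable $prog names the program to confine.

```rc
#!/bin/rc
# Constructed example: confine $prog to a restricted namespace.
# Nothing below changes the namespace of the shell that ran this script.

rfork ne                 # n: private copy of the namespace, e: private environment

unmount /net             # drop the network: no /net/tcp, /net/dns, ... for this process tree
unmount /mnt/factotum    # drop the agent that holds the user's keys

ramfs                    # fresh in-memory file server mounted on /tmp; it disappears
                         # when the last process in this namespace exits
bind -c /tmp /usr/glenda # the program's "home" is now that scratch ramfs, so the
                         # real home directory (mail, other apps' files) is unreachable

rfork m                  # RFNOMNT: no further bind/mount, and no #-device attach,
                         # so the program cannot undo the restrictions above

exec $prog               # inherits the locked namespace; sees only what was left in it
```

Everything the program writes lands in the ramfs and is discarded with it, which is the opt-in model the comment contrasts with today's share-everything default.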

But in this case, isn't the whole pitch that the agent has access to all your data (and the network!) so it can fluidly perform any task you ask of it?

Either the agent needs to be a superuser, with all the attendant risks... or you go the Windows Vista route and constantly prompt users to approve every single access need, which we've all seen how that turns out.

MacOS has some isolation by default nowadays, but in practice when the box pops up asking if you want to let VibecodedBullshit.app access Documents or whatever, everyone just reflexively hits 'yes'.

>Operating systems are supposed to get in the way of things like this

debbie from accounting will say "darn thing won't let me do my job", and get frustrated from all of the prompts and approvals she doesn't understand. she is just going to click yes on every single prompt, not reading it. no meaningful security increase occurs.

debbie's boss is going to get annoyed that debbie's productivity has fallen 15% because she doesn't understand what her computer is asking for and she is having to stop what she is doing to hit some stupid prompt every 10 minutes. no meaningful security increase occurs.

tier 1 tech support will quit their jobs because now they aren't just resetting hundreds of passwords each day, they have to listen to people yelling at them about their computer prompting for permissions every 10 minutes. "just hit yes whenever it shows up", they say. no meaningful security increase occurs.

neckbeard mcneckbeard on HN will screech "mIcRoSlOp thinks they know how to secure my computer better than me!! screeeeeee walled garden screeeeeeeeee if i bought it i should be able to do anything to it". mr. mcneckbeard is very vocal and causing all sorts of bad publicity. they hack some workarounds or change the settings so that they don't get prompted every 10 minutes. no meaningful security increase occurs. (side note: i ~mostly~ agree with mr mcneckbeard)

if security is not convenient, people will work around it, and you'll end up with even worse security because everything will be done in the shadows.

security is an extreme balancing act. if the friction is too high, it will end up lowering security, not increasing it.

>Backwards compatibility is not more important than this

in more situations than you probably think, backwards compatibility is literally the most important thing.