
I think trust is the wrong way to frame the question of how to deal with user-level worms or Word macro viruses. In those attacks the trusted parts of the computer continue to do what they’re specified to. The problem is that we give untrusted code privileges, authorities that it doesn’t need.

We need to understand what it is we want users - and user programs - to have the authority to do. The current view is that users are authorized to send email, therefore user programs may send out arbitrarily large quantities of email. Users are authorized to edit their own documents, therefore user programs may put macros in all a user’s documents.

Maybe a microtransactional approach could solve this. Or maybe an append-only approach to user data could render such programs harmless. We have the tools to solve these problems on the large scale (see e.g. wiki vandalism). But we don’t apply them at the user-and-their-programs level.
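The authority-not-trust point above, as an added illustration that is not the commenter's code: an untrusted program is handed an attenuated mail capability instead of the user's full mail authority, and the user's documents are kept append-only, so the mass mailing stops at the quota and the original document version survives the injected macro. `Mailer`, `MailCap`, `AppendOnlyDocs` and the contact addresses are all constructed stand-ins, not any real system's API.

```python
class AuthorityExceeded(Exception):
    """Raised when an attenuated capability is asked to exceed its grant."""

class Mailer:
    """The user's full mail authority (assumption: toy stand-in for a real mail system)."""
    def __init__(self):
        self.sent = []
    def send(self, to, body):
        self.sent.append((to, body))

class MailCap:
    """Attenuated capability given to an untrusted program: at most `quota` sends."""
    def __init__(self, mailer, quota):
        self._mailer, self._quota = mailer, quota
    def send(self, to, body):
        if self._quota <= 0:
            raise AuthorityExceeded("mail quota exhausted")
        self._quota -= 1
        self._mailer.send(to, body)

class AppendOnlyDocs:
    """User documents as append-only history: a write adds a version, never overwrites."""
    def __init__(self):
        self._versions = {}
    def names(self):
        return list(self._versions)
    def write(self, name, content):
        self._versions.setdefault(name, []).append(content)
    def current(self, name):
        return self._versions[name][-1]
    def history(self, name):
        return list(self._versions[name])

def misbehaving_program(mailcap, docs, contacts):
    """Stand-in for a macro virus: mails every contact, then appends a macro to every document."""
    sent = 0
    try:
        for addr in contacts:
            mailcap.send(addr, "please open the attachment")
            sent += 1
    except AuthorityExceeded:  # it only holds the attenuated MailCap, so the burst stops here
        pass
    for name in docs.names():
        docs.write(name, docs.current(name) + "\n<macro>")
    return sent

def demo():
    """Quota of 3 against 100 constructed contacts and one document; returns what got through."""
    mailer, docs = Mailer(), AppendOnlyDocs()
    docs.write("report.txt", "quarterly figures")
    contacts = [f"user{i}@example.invalid" for i in range(100)]  # constructed addresses
    sent = misbehaving_program(MailCap(mailer, quota=3), docs, contacts)
    return sent, len(mailer.sent), docs.history("report.txt")
```

The program never touches `Mailer` directly, which is the whole point: what it can do is bounded by the capability it was given, not by whether it is trusted.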