Dangerous Neighborhoods

Blaming the User

Today most of the world has been warned to avoid untrusted web sites. There are no general guidelines as to where those dangerous places might be or how to inquire about safety of a particular site. It is the ultimate cop-out for not having solved a solvable technical problem.

The simple solution is to run the browser with only the authority to write on the screen and communicate via Internet. The objection is that the browser, having moved towards becoming the new application platform, needs access to the whole computer, like applications! Then there is the simple idea of downloads. Most use of a browser would be served by a burner machine that you threw away after visiting each web site. That is a metaphor but easily emulated in a cap system. No you do not even have to read the browser code off the disk for each site. When downloading I would like some program of my choosing allocating a name in my downloads directory and keeping a note of the URL via which the file was summoned.

I have paid the NY Times so I can read it online. The cookies they have left to make this easy for me can be included in an object which can invoke a Browser. I invoke that new object to read the Times.

It is difficult to find an authoritative list of things that a Browser I run can do to me. It is even difficult to find guesses.


The personal computer or smart phone is a general purpose machine and it is a pity that we must be careful what programs we run there. Games and such often come from some unexpected but creative person. Sometime they come from the bad guys. You should not have to worry about your Solitaire game deleting all your C source files. In a cap system it is really easy to use software without first psychoanalysing the author or reading the binary code. A snap in caps. If the foreign code must do the right thing to support your mission critical stuff, then you must indeed worry.


Today there are nearly as many installer systems or ‘package managers’ as there are computer languages. They all want to manage several global directories with much of my mission critical content. They want root authority. They seldom manage to describe well what their management plan and then there is no assurance that the plan is safe or that they follow it. They do not say what they would do with this authority and neither Mac OS nor Unix will tell me what they are doing. There are currently compilers for several languages that want to come to my machine but they cannot come with package managers that each want exclusive access to some of my global files. There is the sheer yet simple problem of insuring access to widely shared data, such as libraries. See this.

Of course the apartment is the ultimate package manager 😉.


Often some foreign code is running and attempts some action that the operating system consults me on. That is good but too often the action requires root authority. The problem I raise here is that the query coming from the OS appears in a simple small box. I have no way of knowing who put the box on the screen and thus who gets to see what I enter, which is often the top administrative password. Tartans are one solution for many purposes.