Women get many autoimmune disorders more frequently than men. E.g. Lupus. Pregnancy contributes because of leftover fetal cells. (Plenty of documentation for this.)
(Indeed, the fetus often gets cells from the mother, too. Many women have cells of their own, and from their mothers, and from their children...)
Well, it would be more than simple to write a virus that sends itself out to every address in the Outlook address book and then c:\deltree -y
It would spread quickly and wipe out A LOT of systems.
Yes, it would spread quickly and wipe out a fair number. But it wouldn't spread as far as less harmful malware, because it would trigger immediate alerts, news would spread fast via other channels, and countermeasures would be initiated quickly. A bit like what happened with the "Kama Sutra" worm or whatever it's called. It would spread fast, cause damage... and then die out very quickly, never to be seen again. Conversely, I still get probes from Code Red, and that thing's five years old. It also doesn't cause obvious symptoms (at least, obvious to the casual user).
You see this in nature continuously. Diseases decrease in virulence with time. Killing your hosts too quickly is not a good survival strategy. It's happening with malware now, especially since it's mostly being written from a profit motive, not as some kind of lowbrow prank. You don't want to alert someone that you've taken control of their system! You want them to keep it unpatched and working for you for as long as possible. Overt symptoms are the worst possible side effect from their perspective.
The vast majority of malware is already, and will continue to be, much more stealthy than that. On Windows, they can easily worm into the actual OS and conceal their presence. This is much harder on Linux (note I did not say impossible) and the problem is compounded by the diversity of platforms. Worms with rootkit functionality will be more common, but they will face a much tougher environment in Linux than Windows.
There's a reason most malware doesn't delete files and such. It keeps them from spreading. To spread you need infected hosts out there infecting others. If you clobber a user's files you alert them to the problem and they take steps to clean out the problem even if the malware is still running after deleting everything.
My understanding was that if a trade secret gets out, the company doesn't really have any legal standing to go after people distributing it. They can go after the people who leaked or stole it, provided they actually did something illegal in the process of discovering it, but people that they give the secret to (so long as they weren't co-conspirators in the illegal acts) didn't do anything wrong under the law.
So apparently this is wrong, or at least has been amended a bit by the act referenced in the summary. Would this guy have been in the clear if he'd just been offering a trade secret for download? (With source code, it's complicated by the fact that the code is subject to copyright, too, though. What if we were dealing with, say, the formula for Coca Cola, to take the canonical example?)
I'm still baffled into how you can efficiently break up a game into 8 threads.
TFA says they are contemplating a job-queue organization, with cores taking jobs as they become available. Provided the size of the 'jobs' is limited so they fit comfortably within the overall time it takes to calculate a frame, it should work fairly well. A lot of physical-simulation problems are close to 'embarrassingly parallel', anyway.
This would be an interesting post if what you described was not actually physically impossible given the basic constraint of 24-hour days, and the need to eat, sleep, and work for money.
Aw, a troll! And I tried so hard...:->
You're right, I can't bike and play soccer at the same time. Therefore, I must be lying when I say I do them regularly, since the only possible meaning of such a statement is that I do all possible activities simultaneously. You caught me!
(BTW, kids that age? They only want to play any one game for about half an hour or so... maybe an hour tops. I know, there's no possible way to squeeze that into a day...)
For a while, you can totally school them, and then when they start winning, you can send them to bed.
At the rate he's learning, I figure I have max two years before my five-year-old is kicking six kinds of crap out of me in videogames. Used to be you'd have to wait until they were teenagers before they'd start beating you at something...
Re:The family that games together... (on "35% Of Parents Game", Score: 3, Insightful)
My five-year-old and three-year-old like to play Half-Life (original) with me. Well, really, watch me play, though if I turn on god mode I can let the five-year-old run the mouse and I use the keyboard. We finished Tron 2.0 that way. I do the same with Descent 3, he uses the mouse and I use the joystick (it's like having really noisy controls).
They love it. So much so that when our three-year-old drew on our carpet, the punishment my wife gave (in addition to helping clean it up) was "No Blue Shift for three days!" They have imaginary pet headcrabs and bullsquids, I kid you not.
Now, we worked up to HL from D3, and I stick to the parts where you're shooting at monsters, not people. I've determined that my kids are not traumatized by the images and don't have nightmares or anything from them. They don't get in fights (indeed, from the comments we get from other parents they're unusually well-behaved), no signs of hyperactivity or poor attention span. Our five year old's first report card was quite good.
Since they like games so much, we try to encourage the kinds we like. They love playing with the Eye Toy and dance pads we have for the PS2. (Okay, the 3.5-year-old doesn't do so hot with the dancing, but he has fun anyway...) Good exercise.
(Just to forestall the trolls, we also go swimming, camping, biking, and the 5-year-old loves his karate class. It's winter so no soccer or baseball, but we do that too.)
Temporal lobe epilepsy is most often caused by mesial temporal or hippocampal sclerosis, this means that that part of the brain has become scarred and shrunk and this damage is causing the seizures.
Y'know, when you think about how complex, sensitive, and fast-reacting brains must be, it's kind of remarkable how few seizures they're actually prone to. We have a hard enough time building something like a robot to be both fast-acting and stable. Do you have any information on how the brain manages to damp out such things normally?
So you could teach him to ride a bike but he'd be unable to remember that he can ride a bike? Now that would be a weird experience.
If this is the same guy I've heard of, then it's already happened. Every time he plays ping-pong for the first time, he thinks he's got a natural gift for it.
Given the turn in many of the games I've seen lately to produce "larger" more realistic (visually if not dimensionally) boobies, I'd say that booth babes are rather representative in ways of the games being advertised.
"Realistic physics in games will never catch on. Lara Croft would keep falling over forwards." - Stephen Turner
How about out-of-the-box *nix support that doesn't involve me devoting my spare time, work hours and waking moments getting it to run, or run as it should...
Ran with NDISWrapper for a long time on my laptop, gave up after my last upgrade when Ubuntu dicked me.
Just got my D-Link DWL-G520 running on Ubuntu 5.10. Didn't work with 5.04, but I was going to upgrade anyway. No problems at all. Now, on the Windows (98SE) side of the same box, well, I'd put the card in before installing the drivers. Major no-no. At some point I'll fix it (remove the driver software, open the machine, remove the card, boot, install the drivers, insert the card, boot, make sure it works, close the machine) but I'm not in a hurry.
Does having admin rights make it easier? Sure does. Makes it harder to get rid of too. But not having them doesn't stop me. It doesn't even significantly limit me for the vast majority of systems (where there's exactly one user per system).
It does keep you from doing low-level things like replacing the network stack, preventing some kinds of badness (e.g. transparent redirects). Not only is it easier to get rid of, it's easier to detect it as well (it can't replace the kernel file APIs to hide virus files, for example). I consider this sort of thing significant. It also makes it harder to run background services and so forth that persist after the user has logged off. (Far from impossible, I know, but more difficult.)
And, again, if you're the sole user of the system, you'll know the admin password and get used to typing it in when prompted. The average user (who trusts the computer, or at least fears breaking something if they don't do as requested -- always) will simply enter the admin password if prompted.
I dunno about that. On Ubuntu, it uses sudo, so you have to type in your password, not the admin password (there actually isn't a password for the root account). But being prompted for your password is a rare event, unless you're actually doing administration. It just doesn't come up in day-to-day operation. Having an email suddenly pop up a password prompt would kinda stand out.
Now, I don't deny that effective social engineering techniques can be brought to bear to get them to enter that password. But it really is an order of magnitude more difficult than for a Windows virus writer who can count on 95% of the recipients to be running with Administrator rights.
My cognitive abilities upon waking are nearly non-existent... My physical abilities aren't much better...
I'm definitely slow and semi-coherent for up to twenty minutes upon waking. A source of much amusement to my wife, who doesn't experience the same effects. I also don't wake up too easily in the night, which annoys my wife to no end (I don't hear babies crying as well as she does).
However, twice our kids have fallen out of bed, once breaking a collarbone (I dunno how, the bed's maybe two feet off the floor), and I was up out of bed, down the hall, and comforting them before my wife had even stirred. Apparently adrenaline is a mitigating factor.
Hey, five years ago called and wants that statement back.
That's really clever. It's a reflexive statement on itself, isn't it?
But if it makes you happy, how about: "Apache has had more vulnerabilities than IIS 6 and yet, despite its popularity, it hasn't been subjected to any major worms the way IIS 5 has."
Malware now has enough of a profitable ecosystem that people are being paid for writing it. It's not just some kid in their parent's basement any more. Malware is far more complex than it was even two years ago.
Yes, I acknowledge that. But defense-in-depth is the way to deal with that. My personal web server takes that to an extreme, and is virtually unhackable. It's running an undisclosed version of a relatively obscure httpd in a chroot jail on a relatively obscure OS on a relatively obscure processor architecture. It is also on a DMZ with no way to get out to the broader Internet. The amount of effort needed to hack that, relative to the reward involved, is extremely prohibitive.
Putting up layers of defense will not necessarily stop a targeted attack (spear phishing and so forth) but it does have a direct inhibitory effect on self-propagating, automatic malware. It has to be far more focused and specific.
For example, on Windows, almost any browser exploit gets you automatic Administrator access since so many users run as Administrator because it's painful to do it any other way. On Linux, the kind of tricks to conceal and pervert the OS that malware use are much harder, simply because you need *two* exploits, one for the application and another to elevate privileges. This is a significantly harder problem and limits the potential victims to those with both flaws. Patching one or the other at least mitigates the potential damage. This reduces network effects and helps minimize spread.
Patch-based security and signature-based detection are routinely being overcome by the current generation of malware.
So, again, adding more layers of defense is a good thing. If nothing else, making yourself an inconvenient target means the malicious types will usually go look for lower-hanging fruit.
This is a big step in the right direction, and it's been proposed before by many people. The problem is that it takes coordinated work in the OS and the browser to make it work. If you get it wrong, you block some current attack vectors but create new ones... Would you give up tabbed browsing and browser toolbars to get security? Ask your users that.
Maybe it wouldn't solve all the problems, but just making things a bit harder has a dramatic effect on the prevalence of malware. Apache is far from vulnerability-free, but all the major worms target IIS. I'm willing to accept a certain amount of inconvenience to get better security, though I admit probably not pain-in-the-ass inconvenience to get near-total security.
I read your pages about Ostiary. I don't see why it's better than ssh. Maybe you could add that info to the FAQ.
It's not "better than" SSH. For certain uses it offers better security; for other uses Ostiary is totally inadequate and SSH is a better choice. See this and the first paragraph of the Introduction.
How would you save a file from your web browser without a nightmare of permission settings?
To a "downloads" directory like "/home//Firefox/Downloads". The user can retrieve the file from there easily; as noted, they have the permission to do so.
Furthermore it doesn't do what you want: Exploiting "user1Firefox:user1Firefoxgroup" is good enough to send spam and DoS attacks.
I never said it did - in fact I said the opposite, "It wouldn't solve everything". Linux separates normal user activity from administration, and that's good, but a virus that deletes all your financial data (or just emails it elsewhere) can be just as destructive as hosing the operating system.
Putting an httpd as an untrusted user doesn't prevent a suborned server from, say, serving up fake data, but does help prevent it from corrupting (or even accessing) data it's not supposed to. This extends the concept to the user level. The truly paranoid could run a browser under VMWare or UML if they really wanted, but this scheme would have a lot less overhead.
Check "Capabilities"-based systems that do what you really want. They've been around for a while.
And they haven't really caught on. I'm with you, really, I hope they do catch on eventually, but I was trying to come up with something that would work with what we have now, warts and all.
Users want Data Exchange between applications. Firefox needs to talk to plugins like Java and RealPlayer.
Nothing stops them from doing so with this scheme, it just limits what kind of data they can access.
People want to embed spreadsheets into word processor documents.
I wasn't proposing doing this for all applications, though I can see I wasn't entirely clear about that. I'm proposing something like this for apps that regularly work with potentially untrusted data like web browsers and email clients.
So you'd have a firefox account for each human user! In other words you want:
number_of_users * number_of_apps accounts. Doesn't seem like a nice, simple, elegant solution.
But it could be managed behind the scenes, by scripts and such. The real human users wouldn't need to see the 'virtual' users. And it requires zero changes to the existing Unix security model. Admittedly, at large installations with a lot of users, you might get close to the limits of a 16-bit uid_t, but even if you had, say, 2,000 users that'd leave at least 16 (actually 32, I think) 'virtual' UIDs available per user.
And I'm certainly not proposing doing this with all applications. Just ones that could really benefit from it, that accept potentially untrustworthy data from elsewhere. We already do that with servers, for that very reason.
Perhaps we need something like subusers - which would be a user within a user.
That requires a different security model. There are efforts to do that (ACLs, capabilities) and good for them, but they haven't really caught on yet.
What if we sandbox major apps like browsers? (on "Future Trends of Malware", Score: 4, Insightful)
We already put servers in their own groups (e.g. an httpd running as "www-data" or something). What if we made similar limitations for user-level apps? Something like this.
user1 is a member of group "users" and "user1group", "user1Firefoxgroup", etc.
Firefox is user "user1Firefox" and a member of "user1group" and "user1Firefoxgroup".
Thunderbird is user "user1Thunderbird" and a member of "user1group" and "user1Thunderbirdgroup".
In /home/user1 is a directory called "protected_applications" owned by user1:user1group with "rwxr-x---" permission. General config information common to all apps goes in here, probably only readable, not writable, by "user1group". Below it are subdirectories like "Firefox" (owned by "user1Firefox:user1Firefoxgroup" with permissions "rwxrwx---"). Maybe some sticky bits set.
This way the apps can only write to and read from their own little subdirectory tree, and not any of the others, but the main user can read and write to any of the subdirectories.
It wouldn't solve everything, but it would help limit further the damage malware could do. It could access (and corrupt) the data for the particular application it suborned, but without exploiting secondary holes it couldn't do more. This would prevent, say, a hole in Firefox from allowing malware to get at your Gnucash data. It also doesn't require much, if any, new permission-checking code; the kernel already does file-access checks anyway.
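To see exactly what the per-application user layout above grants and denies, here is an added example (not code from the post) that models the kernel's owner/group/other check over that directory tree and lists each principal's writable blast radius. The users, groups and modes of the protected_applications tree are as the post describes; the mode of /home/user1 (user1:user1group, rwxr-x---, so the app users can traverse it) and a private /home/user1/gnucash directory (user1:users, rwx------) are assumptions added for illustration.

```python
"""Model of the per-application 'virtual user' layout described in the post.

Added example, not code from the original post. It reproduces the kernel's
ordinary discretionary check (owner bits, else group bits, else other bits,
plus execute/search on every directory traversed) and applies it to the
proposed tree. Assumptions not in the post: /home/user1 is user1:user1group
0750, and a private /home/user1/gnucash directory is user1:users 0700.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1   # permission bits of one octal mode triplet


@dataclass(frozen=True)
class Principal:
    uid: str                 # identified by name rather than numeric uid
    groups: frozenset        # every supplementary group the process holds


@dataclass
class Node:
    owner: str
    group: str
    mode: int                          # e.g. 0o750 == rwxr-x---
    children: dict = field(default_factory=dict)


def permitted(p: Principal, n: Node, want: int) -> bool:
    """Owner class if uid matches, else group class if any group matches, else other."""
    if p.uid == n.owner:
        bits = (n.mode >> 6) & 7
    elif n.group in p.groups:
        bits = (n.mode >> 3) & 7
    else:
        bits = n.mode & 7
    return bits & want == want


def can_access(p: Principal, root: Node, path: str, want: int) -> bool:
    """Every directory on the way needs X (search); the final node needs `want`."""
    node = root
    for part in [s for s in path.split("/") if s]:
        if not permitted(p, node, X):
            return False
        node = node.children.get(part)
        if node is None:
            return False          # unknown path: treat as no access
    return permitted(p, node, want)


def writable_paths(p: Principal, root: Node) -> list:
    """Everything `p` could write to: the blast radius of a suborned `p`."""
    found = []

    def walk(node: Node, path: str) -> None:
        if permitted(p, node, W):
            found.append(path or "/")
        if permitted(p, node, X):
            for name, child in node.children.items():
                walk(child, f"{path}/{name}")

    walk(root, "")
    return sorted(found)


def build_layout() -> Node:
    """The tree from the post, plus the two assumed nodes noted in the docstring."""
    firefox = Node("user1Firefox", "user1Firefoxgroup", 0o770)        # rwxrwx---
    thunderbird = Node("user1Thunderbird", "user1Thunderbirdgroup", 0o770)
    protected = Node("user1", "user1group", 0o750,                    # rwxr-x---
                     {"Firefox": firefox, "Thunderbird": thunderbird})
    gnucash = Node("user1", "users", 0o700)                           # assumed
    home = Node("user1", "user1group", 0o750,                         # assumed
                {"protected_applications": protected, "gnucash": gnucash})
    return Node("root", "root", 0o755,
                {"home": Node("root", "root", 0o755, {"user1": home})})


USER1 = Principal("user1", frozenset(
    {"users", "user1group", "user1Firefoxgroup", "user1Thunderbirdgroup"}))
FIREFOX = Principal("user1Firefox", frozenset({"user1group", "user1Firefoxgroup"}))
THUNDERBIRD = Principal("user1Thunderbird",
                        frozenset({"user1group", "user1Thunderbirdgroup"}))

if __name__ == "__main__":
    tree = build_layout()
    for who in (USER1, FIREFOX, THUNDERBIRD):
        print(f"{who.uid:>16} can write: {writable_paths(who, tree)}")
```

Run as-is it shows that a compromised user1Firefox can write only its own subtree and cannot even read Thunderbird's or the gnucash directory, while user1 reaches everything.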
Except rational people believe in plenty of things that are not proven, foremost being Reason itself.
A couple of relevant quotes that might cause you to reconsider:
"Is knowledge knowable? If not, how do we know this?" - Woody Allen
"Those who invalidate reason ought seriously to consider whether they argue against reason with or without reason; if with reason, then they establish the principle that they are laboring to dethrone, but if they argue without reason, (which, in order to be consistent with themselves, they must do) they are out of the reach of rational conviction, nor do they deserve a rational argument." - Ethan Allen
If you want to play tennis without a net, fine. But in that case, I don't have to play with a net, either, and I can dismiss anything you say with something irrational like "You're just a ham sandwich, and nobody listens to them." By what grounds would you dispute it?
On the other hand, if you do want to stick with reason, consider this.
There's a bit in one of David Gerrold's "War against the Chtorr" novels where the main character sets up a software agent to run a trust. There's a side discussion of a really complex case where software guardians for a set of twins due to inherit money end up suing the doctor over which child should have been delivered first in the emergency c-section that was performed, etc. etc. Things get more complicated from there. Basically a description of a 'fork bomb' in the legal system...:->
Competed with DOS, so was never pushed for general use.
Or, the AT&T Unix PC?
Stripped down, and not marketed to users. The basic "Unix Utilities" software package was a $500 add-on.
Or, AUX on a 680x0 Macintosh?
Aimed at programmers, not end users.
Or, NeXTStep?
Or, Sun Workstations?
Aimed at a higher-end crowd (NeXT machines sold for $10,000).
Truly, though, Unix needs a good MMU (Memory Management Unit) to work well, and those were expensive for a long time. If someone had decided to go big and try to sell enough volume to make it work, though, who knows?
See, for example, this thread.
Successful malware tries to hide itself and keep the user from noticing anything's amiss. This is much much harder if you can't subvert the OS.
That's just the IP equivalent of a telephone number like 555-4561. It's not going to correspond to any real address and cause problems.
(Of course, they missed out on a chance for some viral marketing, like how "Lost" did a fake airline website...)