I hate to say it, but a lot of this stuff was advocated by Butler Lampson (one of heroes)[1].
Basically, he advocated for having at least two computers (which could be virtual machines) labeled “red” and “green”. The red machine is promiscuous, and accepts inputs from anything; whereas the green machine only accepts inputs from “accountable” sources (n.b. this means it wouldn’t accept input from the red machine).
Crucially, he says that the green machine, which might have access to sensitive information such as your financial records, would ”require professional management”. The user might be able to make course grain adjustments to qualify what it means to be an accountable source, but in this scheme, the system’s integrity is only assured by allowing the professional administrator to preempt the user.
I don’t like it (Win 8 will probably be the last version I use), but since it’s Butler, I have to at least consider that he might be right.
Basically, he advocated for having at least two computers (which could be virtual machines) labeled “red” and “green”. The red machine is promiscuous, and accepts inputs from anything; whereas the green machine only accepts inputs from “accountable” sources (n.b. this means it wouldn’t accept input from the red machine).
Crucially, he says that the green machine, which might have access to sensitive information such as your financial records, would ”require professional management”. The user might be able to make course grain adjustments to qualify what it means to be an accountable source, but in this scheme, the system’s integrity is only assured by allowing the professional administrator to preempt the user.
I don’t like it (Win 8 will probably be the last version I use), but since it’s Butler, I have to at least consider that he might be right.
[1] https://www.youtube.com/watch?v=VJw2SZPjAfA&feature=youtu.be...