Accountability
and Freedom Slides
Butler Lampson
Microsoft
September 2005
After thirty-five years of work on computer security, why are almost all computers extremely vulnerable to attack? It's natural to think that because computers are precise, perfect computer security should be easy. In fact, like real world security, it costs: a little in dollars, much more in convenience. Since bad computer security hasn't done much damage, people decide that they don’t need much of it. Real-world security is about value, locks, and especially punishment for misdeeds. When it works, you get good enough locks (not too many break-ins), painful enough punishment (so break-ins aren't a paying business), and minimum interference with daily life. This doesn't work on the Internet because you can't find the bad guys, so there is no accountability. The obvious way to fix this is to demand accountability. This doesn’t require a network-wide change—each individual can demand accountability from people from whom they accept input. Accountability means that you can punish misbehavior. This doesn’t only mean being able to send people to jail—you can fine them, fire them, or ostracize them.
The trouble with accountability is that it stops you from running games, browsing dubious web pages, and in general living wild and free on the network. The way to fix this is to have two computers:
· A green computer that is locked down and demands accountability from all its inputs, where you keep data and do work that you care about.
· A red computer that you use freely, but not for important data, and that you reinitialize whenever it gets corrupted.
With virtual machines you can have two computers in one box.