The description of Capabilities in E in a Walnut by Marc Steiger back in 2000 has some good stuff, replacing the somewhat bland "confused deputy" with a more realistic example:
Suppose all security in the physical world were based on ID badges and ID readers. At your home you might put an ID reader on your door, another on your CD cabinet, and another on your gun vault. Suppose further you had to depend on 4-year-old children to fetch your CDs for you when you were at the office. How would you do it? You would hand your ID badge to the child, and the child could then go through the front door and get into the CD cabinet. Of course, the child with your ID badge could also go into the gun vault. Most of the children would most of the time go to the CD cabinet, but once in a while one would pick up a gun, with lamentable results.go read it now!
When you run ANY program under Windows, Mac, Linux, you're handing it your badge... it can do anything it wants. Trusted code seems to be the order of the day for Microsoft, and most of the security initiatives out there, but it's not going to work. It doesn't allow for mobile code, and it doesn't do anything to eliminate all bugs, so you can't really trust the "trusted" code anyway.
My point in this blog is that we must completely replace the security model underlying our operating systems. Some day, if we do things right, we'll look back on the insanity of trusting that all of our code doesn't contain holes, and cringe.
The Capability Security Model is the only way forward if we are to have truely secure computers. We need truely secure computers if we're to avoid the future of a completely locked down, heavily censored and limited interent.
What will it take to make this happen? Only time will tell... and I'm not getting any younger... and I don't have infinite patience.