Reactive Security and Social Control

A major security problem for a network oriented environment is executing untrusted code. Private information risks being disclosed or tampered with if unveri ed remote code manages to gain access to local resources. Since a program only shows to the user what it wants the user to see, it can hide some of its actual actions. This is the essence of a Trojan horse. In the days before global networking the acts of malicious programs mainly perpetrated random acts of vandalism, like erasing les. Now, as computers get increasingly connected, programs can communicate back to their creators. This enables a new range of crimes. As we begin to use open computer networks to transfer information of more direct economic value, we'll nd that programs can to do more malicious things than erasing les. Viruses can be used to snoop passwords to valuable information services or getting hold of e-cash stored on our hard disks. As the trend leads towards where we are down-loading and executing many new programs every day, these problems are only likely to increase. Certifying every program on the Internet would hinder the introduction of new programs, services and even of bugxes. The essence of the open net is that new information is put there almost instantaneously. Hence we can't do away with the concept of an untrusted program. Cryptographic methods like digital signatures can be used to authenticate the sender and/or guarantee that the program hasn't been tampered with. However, the program's hostility cannot be decided by any level of cryptography. For the untrusted software to be useful it may have to be granted access to information that it