Anthropic’s Restraint Is a Terrifying Warning Sign

H. S. Teoh hsteoh at qfbox.info
Thu Apr 9 04:09:49 UTC 2026


On Thu, Apr 09, 2026 at 02:57:17AM +0000, madwebness via Digitalmars-d wrote:
[...]
> But on a serious note, I think the real issue isn't programming
> languages, but OS design. I am entirely convinced the real problem is
> that Unix and Windows are by definition vulnerable because of how it's
> possible for them to just launch a program that has access to whatever
> user has access to.

This is old news.  Linux already has built-in ability to restrict
programs by capabilities.  You can use this to, say, restrict the
browser process' permission to a much smaller subset than the full
permissions of the user who launched it.  And these policies can apply
to arbitrary processes, subprocesses, process groups, and can be
arbitrarily complex.

It also makes it a royal pain to configure.


> If we had a proper first-class sandboxing / capability in an OS, this
> wouldn't even be a problem. A well designed capability OS would
> literally be so safe that a package manager could just download stuff
> from random urls and run it and the system would still be largely
> uncompromised.

Also old news. Things like Snap run individual applications inside their
own encapsulated sandbox, and they literally cannot break out because
it's enforced at the OS level.

It also makes it a royal pain to use, because you cannot even access the
local filesystem without jumping through hoops.

And when something is inconvenient to use, guess what happens?  That's
right, it motivates the user to disable the protections so that he can
just download files of questionable origin into his home directory
without navigating a labyrinth of prohibitions.

Also, just because something runs in an unbreakable sandbox does not
stop them from causing chaos from inside the sandbox.  Consider the case
of a compromised browser doing crypto mining, spam forwarding, and being
a member of a botnet.  You cannot stop this, because the whole point of
the browser is to talk to the internet.  Yes, it cannot harm the host
OS, but it *can* wreak havoc online.  Restrict this, and the browser
becomes useless, nobody will use it, and will go back to "insecure"
systems.


> The problem is that modern systems are "good enough", people largely
> don't care and there's so much stuff written for the existing systems
> - the inertia is real and almost inescapable.

People are also lazy, and prone to make compromises in the name of
convenience.  You can have the world's most secure OS with the strictest
protections ever, but either nobody will use it, or users will disable
(some of) the protections because they find it too inconvenient to work
with strict permissions.  As long as convenience is a deciding factor,
you cannot escape this.

Same applies to programming languages.  Most programmers will not bother
writing secure code, because it gets in the way of getting the job done
before the boss fires you. It takes you away from the parts you enjoy
working on.  The incentives are wrong, and so no matter what you do,
vulnerable systems will always be the default.  It takes effort to be
secure, and most people are not ready to pay that price. Until this
mindset changes, the security situation will not change.


> Was honestly thinking going full Terry Davis at some point and start
> writing that OS, because it's very interesting to me personally, but
> I'm still a little less unhinged than him as of right now, so I have
> to come up with some path wherein there's some adoption.

I used to be young and foolish, and opinionated to think that had I been
the one to write the OS, things would be different.  Now that I'm a
little less young and less foolish, I've come to concede that writing an
OS is Hard(tm), and probably I wouldn't do much better than what's out
there today.  Of the hundred things that I think I can do better, there
are probably a thousand things I overlooked that others have plugged
long ago, and if I were to write my own OS from scratch, my OS would have
these thousand security holes even if I successfully plugged the hundred
I criticize other OSes for.

And yes, adoption is a big question. Because, as I said, people are lazy
and want convenience; security requires effort and is often
inconvenient.  These are contradictory requirements; *some* compromise
has to happen somewhere.  We may disagree on exactly what is permissible
to compromise on and what's not, but make no mistake, there will be
compromises.  Otherwise, you will have zero adoption.

The only truly 100% secure system is one that does not connect to the
internet and does not allow the user to do anything useful.  Once you
have the requirement that it also be useful, security has to be
compromised in *some* way.  And here reasonable people will disagree on
exactly what these compromises should be.


T

-- 
If lightning were to ever strike an orchestra, it'd always hit the conductor first.
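Added example, not part of this thread's messages: the Linux capability restriction mentioned above (a process running with a smaller capability set than the user who launched it) is visible in the Cap* lines of /proc/&lt;pid&gt;/status. The script below decodes those hex bitmasks into capability names and reports which capabilities a process lacks relative to the full set, which is the quickest way to verify that a sandboxed or capability-restricted process is actually running restricted. The sample status text is constructed for illustration; the capability numbers are those defined by the Linux kernel.

```python
"""Decode Linux capability sets from /proc/<pid>/status and report what was dropped.

Added example code (not from the mailing-list thread). The embedded status
text is constructed; on a Linux host the script also reads /proc/self/status.
"""
import os

# Capability numbers as defined in include/uapi/linux/capability.h (index = bit).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed sample: a process whose effective set holds only
# CAP_NET_BIND_SERVICE (bit 10 = 0x400) while the bounding set is still full.
SAMPLE_STATUS = """\
Name:\tsandboxed-browser
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def parse_cap_masks(status_text: str) -> dict:
    """Return {'CapEff': int, 'CapBnd': int, ...} parsed from a status file body."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            masks[key.strip()] = int(value.strip(), 16)
    return masks


def decode_mask(mask: int) -> list:
    """Expand a capability bitmask into capability names (bit i -> CAP_NAMES[i])."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits beyond the known table get a numeric placeholder name.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def missing_from_effective(status_text: str) -> list:
    """Capabilities the process does NOT hold in its effective set.

    A long list here is what a properly restricted process looks like;
    an empty list means the process runs with full root capabilities.
    """
    effective = set(decode_mask(parse_cap_masks(status_text)["CapEff"]))
    return sorted(set(CAP_NAMES) - effective)


def capability_report(status_text: str) -> dict:
    """Map each Cap* set name to the list of capability names it contains."""
    return {key: decode_mask(mask) for key, mask in parse_cap_masks(status_text).items()}


def main():
    # Prefer the live process on Linux; fall back to the constructed sample elsewhere.
    path = "/proc/self/status"
    text = open(path).read() if os.path.exists(path) else SAMPLE_STATUS
    for name, caps in capability_report(text).items():
        print(f"{name}: {len(caps)} capability(ies)")
    print("Not in effective set:", ", ".join(missing_from_effective(text)) or "(none)")


if __name__ == "__main__":
    main()
```

For an unprivileged user process CapEff is normally all zeros, so the interesting comparison is between a root-launched service or container process and its bounding set: a restricted process shows a small CapEff while CapBnd tells you what it could still regain through a setuid or file-capability binary.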

