I think the interesting thing here is the shift from the target - the "best" target used to be compromising the OS, so OS's made moves to protect themselves from programs running as unprivileged users. Now, it's trivial to wipe an OS and restore from a backup. The real value is the things people store on a computer, which are usually going to be accessible via a user account.

You make an excellent point, but there is a second and perhaps even more sinister side to it. Encrypting your data and holding it hostage is one thing, but even if you have indestructible backups, there are probably still many sensitive pieces of information that can be acquired by a blackmailer with only user-level privileges: bank details, company trade secrets, personal mail/photos/videos, etc.

Having a back-up of these is important, but probably so is ensuring that they aren't distributed to people they shouldn't be. This requires a very different model of access control and user/application privileges, and unfortunately I don't think any mainstream OS is even close to solving this one yet.



> This requires a very different model of access control and user/application privileges, and unfortunately I don't think any mainstream OS is even close to solving this one yet.

I'm not sure it does require a different model of access control. It just requires people to actually use the access control mechanisms that exist already.

You should not access banking details or any other sensitive information in the same user-level context as you use to generally browse the internet. The privileges needed for each task ("browse the internet" vs. "check bank statements") should be different. I personally have a separate user account on my machine set up specifically for "sensitive" tasks.

Separation of data access via privileges is nothing revolutionary, nor is it something that can't be done on any modern OS. Unfortunately, online services are still behind. For example, I would probably switch to an online banking provider that let me create one account for viewing balances and another for transferring cash. But these services will get there in time.

User education is a different story.


Your proposal is OK if accessing sensitive information is something you only do occasionally, but it's not very practical to switch users completely if you deal with sensitive information often, which many people do.

On the other hand, if only explicitly authorised applications can create outbound Internet connections at all, and if applications like browsers and e-mail clients need explicit permission to read a general user file (as opposed to, say, accessing their own designated configuration or data files), then you significantly decrease the degree of vulnerability a user has to data leakage attacks (among other types).


Check out qubes os if you don't want to trust your kernel to enforce your mandatory access controls (you DO only allow certain applications/users/groups/roles/OS's/Hypervisors/etc... to do certain things, DON'T YOU??). Xen is a smaller attack surface, and depending on how much of a pain in the ass you consider having all of your files stolen and deleted being, there are many options for locking it down quite a lot. XSM-Flask if you are too paranoid, Hypersafe for control flow attacks + invariant violation detection tools for non-control data attacks over nested hypervisors if you are resolute.


> Your proposal is OK if accessing sensitive information is something you only do occasionally, but it's not very practical to switch users completely if you deal with sensitive information often, which many people do.

    $ sudo -u banking gnucash &
    $ firefox &

Done. My banking files and my Firefox session are now separated.


Interestingly, you may have just fucked yourself, because the sudo session is maintained whilst launching Firefox.

If we create a script 1:

    #!/bin/sh
    echo "I'm doing something secure"

And then script 2:

    #!/bin/sh
    echo "I'm doing something insecure"
    # no password prompt: reuses the timestamp cached by the earlier sudo
    sudo echo "I'm doing something malicious"

Then run:

    $ sudo ./script1.sh; ./script2.sh

Looks like Firefox has access to your banking user :)


Not if sudo is set to only allow gnucash! :-)
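The two replies above describe the same sudoers knobs from opposite sides: a cached sudo timestamp lets a second command run without a prompt, and a rule that only permits `gnucash` as the `banking` user shuts that door. The checker below is an added example, not code from the thread; it parses a small subset of sudoers syntax (plain user rules and `Defaults` lines, no aliases, host matching, wildcards or argument matching, and the first matching rule wins rather than the last, which is a simplification of real sudo) and, for a constructed user `alice`, reports whether the thread's `sudo echo` from a second script would be allowed and whether it would prompt. The 15-minute default timeout is assumed for builds that don't set `timestamp_timeout`; check your own build with `sudo -V`.

```python
"""Minimal sudoers checker for the 'separate banking user' pattern (added example).

Supported subset: 'Defaults[:user] opt=value' lines and 'user host = (runas) cmd, ...'
rules. Unsupported: aliases, host/netgroup matching, wildcards, argument matching.
"""
import re
from dataclasses import dataclass, field

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
DEFAULTS_RE = re.compile(r"^Defaults(?::(\S+))?\s+(.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
DEFAULT_TIMEOUT_MINUTES = 15.0   # assumed compiled-in default; verify with `sudo -V`


@dataclass
class Rule:
    user: str
    runas: str          # target user from "(user)" or "(user:group)"; root if omitted
    commands: list      # list of (path, nopasswd) tuples


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    defaults: dict = field(default_factory=dict)   # scope ("*" or user) -> {option: value}


def parse_sudoers(text):
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            scope = m.group(1) or "*"              # "Defaults:alice" -> alice, "Defaults" -> everyone
            opts = policy.defaults.setdefault(scope, {})
            for opt in m.group(2).split(","):
                key, _, value = opt.strip().partition("=")
                opts[key.strip()] = value.strip() if value else "on"
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        user, _host, runas, cmdspec = m.groups()
        runas = (runas or "root").split(":")[0].strip() or "root"
        commands, nopasswd = [], False
        for item in cmdspec.split(","):
            item = item.strip()
            while True:                             # tags carry over to later commands in the list
                t = TAG_RE.match(item)
                if not t:
                    break
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                item = item[t.end():].strip()
            commands.append((item, nopasswd))
        policy.rules.append(Rule(user, runas, commands))
    return policy


def timestamp_timeout(policy, user):
    """Effective timestamp_timeout (minutes) for user: per-user Defaults, then global, then built-in."""
    for scope in (user, "*"):
        value = policy.defaults.get(scope, {}).get("timestamp_timeout")
        if value is not None:
            return float(value)
    return DEFAULT_TIMEOUT_MINUTES


def decide(policy, user, runas, command, cache_warm=False):
    """Return (allowed, prompts_for_password) for `sudo -u runas command` run by user.

    cache_warm models the timestamp left behind by an earlier sudo in the same
    terminal, as after `sudo -u banking gnucash &` in the thread.
    """
    for rule in policy.rules:
        if rule.user not in (user, "ALL") or rule.runas not in (runas, "ALL"):
            continue
        for path, nopasswd in rule.commands:
            if path in (command, "ALL"):
                if nopasswd:
                    return True, False
                reuse = cache_warm and timestamp_timeout(policy, user) != 0
                return True, not reuse
    return False, False


def audit(policy, user):
    """List the ways a policy falls short of 'only gnucash, only as banking, always a prompt'."""
    findings = []
    for rule in policy.rules:
        if rule.user not in (user, "ALL"):
            continue
        if rule.runas == "ALL":
            findings.append("may run as any target user, not only the banking account")
        for path, nopasswd in rule.commands:
            if path == "ALL":
                findings.append("command list is ALL: any program, not just gnucash")
            if nopasswd:
                findings.append("NOPASSWD on %s: no authentication at all" % path)
    if timestamp_timeout(policy, user) != 0:
        findings.append("timestamp_timeout is not 0: a later sudo in the same terminal reuses cached credentials")
    return findings


# Constructed sample policies (not from the thread): a typical desktop default and the rule proposed above.
WEAK = "alice ALL=(ALL) ALL\n"
STRICT = "Defaults:alice timestamp_timeout=0\nalice ALL = (banking) /usr/bin/gnucash\n"

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("STRICT", STRICT)):
        policy = parse_sudoers(text)
        print(name, "second script's `sudo echo` (cache warm):",
              decide(policy, "alice", "root", "/bin/echo", cache_warm=True))
        print(name, "findings:", audit(policy, "alice") or "none")
```

With the constructed `WEAK` policy the second script's `sudo echo` is allowed without a prompt, which is the outcome described above; with `STRICT` it is denied outright, and even the permitted `gnucash` launch prompts every time because the timeout is zero. At the command line, `sudo -k -u banking gnucash` achieves the same no-caching effect for a single invocation, since `-k` with a command makes sudo ignore and not refresh the cached credentials.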


And for the 99.7% of users in the real world who drive their computers using a GUI and not a command line? Or those who do use a command line but aren't sufficiently competent with system administration to reliably get sudo-based access control right every time?


What about photos? I could see ransomware being very successful just demanding payment to avoid making a bunch of your personal photos publicly available on the internet. They may not be sensitive per se, but they're still likely not something you want out there publicly. Ditto for email, chat messages, etc., etc.


Well actually, looks like we're getting there.

The problem is seemingly solved by the OS X app sandbox and the Mac App Store review process (the sandbox alone is not enough, because it allows an app to declare 'exceptions' like full disk access, so human reviewers are needed to watch out for those).

The sandbox may occasionally be causing some pain (in fact, would be very painful if I had to support OS X 10.7), but at the same time my app can no longer access any user data that the user hasn't explicitly whitelisted, which is a good thing.

Windows Metro apps also live in a sandbox, but they are sort of a different platform (no access to the file system at all, as far as I know). Over time, I can see them gaining some access to a subset of the file system, perhaps via SkyDrive.


