Message 30 of 30
I think you misunderstood
I think that what he was getting at is that in all current-day OSes, any program that a user runs has permission to do anything that that user is authorized to do. That's what he meant about Minesweeper having the ability to write to or format a drive.

What he is suggesting is that OSes should be designed so that programs only have authority to do what they need to do, so that Minesweeper, for instance, would only be able to read mouse and/or keyboard input and output to the screen, and possibly write to a scorekeeping or config file. Anything else, like being able to call a program that could format or delete, would be forbidden by the security model.

It's a very foreign concept, since it's totally different from everything we've dealt with so far, so it may be a bit hard for some people to grasp, but it makes a lot of sense.

An analogy would be like security in a company. People that have to have access to everything, like the security people, would have a key that would open everything, or a set of keys that will open everything. Others would only get keys to open doors that they have a need to enter and no others.

So in our theoretical OS, a Minesweeper program would never get access to the network or most areas of disk. The browser would not be given access to call a format or file delete program or function.

I don't know exactly how that would be built, but it would take the concept of least privilege and apply it not only to the user, but also to the programs, if not the OS itself. So I can see where Ivan is coming from, and I don't think it's a matter of his lack of knowledge of OSes, but rather that he is proposing a new concept of security.
Posted by AlanGeek
26th May 2007
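As an added illustration of the per-program least-privilege model described in this post (not code from the original post or from any real OS), here is a toy Python sketch in which every resource is owned by a "kernel" and a program can only touch what it was explicitly handed. The names Kernel, Caps, FileCap and the sample disk contents are invented for the illustration.

```python
# Constructed example of per-program least privilege; Kernel/Caps/FileCap are invented names.

class Denied(PermissionError):
    """Raised when a program uses authority it was never given."""

class Caps(dict):
    """Exactly the authorities one program was launched with; nothing else exists."""
    def __missing__(self, name):
        raise Denied(f"no capability '{name}'")

class FileCap:
    """Handle to one file: holding it is the permission; writable=False attenuates it."""
    def __init__(self, disk, path, writable):
        self._disk, self._path, self._writable = disk, path, writable
    def read(self): return self._disk[self._path]
    def write(self, data):
        if not self._writable:
            raise Denied(f"'{self._path}' is read-only for this program")
        self._disk[self._path] = data

class Kernel:
    """Owns every resource; grants narrow capabilities instead of ambient authority."""
    def __init__(self):
        self.disk = {"scores.txt": "0", "thesis.doc": "draft"}  # constructed sample disk
        self.audit = []  # every denied attempt is recorded for the defender
    def file_cap(self, path, writable=False):
        return FileCap(self.disk, path, writable)
    def launch(self, program, caps):
        try:
            return program(caps)
        except Denied as e:
            self.audit.append(str(e))  # program stops at the denied step
            return None

def minesweeper(caps):
    """Needs only its score file; the rest of the disk is not even nameable."""
    best = int(caps["scores"].read())
    caps["scores"].write(str(max(best, 42)))
    return "saved"

def compromised_minesweeper(caps):
    """Same grant, now misbehaving: the network was never granted, so it fails."""
    caps["network"].send(caps["scores"].read())
    return "leaked"

def run_demo():
    k = Kernel()
    grant = Caps(scores=k.file_cap("scores.txt", writable=True))
    return k, k.launch(minesweeper, grant), k.launch(compromised_minesweeper, grant)
```

The contrast with today's model is that here the misbehaving program has no name by which to reach the network or the thesis file, so the attempt fails at the first step and leaves an audit entry, rather than succeeding because the user could have done it.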