Dailydave mailing list archives

Re: So, the security industry has given up on the principles of least privilege and separation?


From: Joanna Rutkowska <joanna () invisiblethingslab com>
Date: Sat, 14 Feb 2009 21:42:01 +0100

Dave Korn wrote:

> "UAC should only be considered an extra security feature, which will remind
> users that the code they run potentially could harm their systems - it is not
> meant as a guarantee against code's ability to harm a system," Secunia's
> Kristensen added.
> --------------------<snip>--------------------


Heh ;) That rings a bell ;)

> That made me snort into my breakfast cereals, I can tell you.  Has the
> entire security industry abandoned all hope of using the principle of least
> privilege and limited user accounts, or just him?

It seems so. Why otherwise would everybody be getting so excited about
yet-another-remote-bug-in-IE/Firefox/Safari? Why would the Flash/QT/etc. exploits
be worth tens of thousands of $ on the black market?

Least privilege seems to be rocket science for the majority of the population.
Sadly, this seems to include the ITSec community as well.

I wish more people made comments like Dave.

Cheers,
joanna.

"Give less shit about browser bugs -- run them in VMs!" (The 's' is important)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave