Full Disclosure mailing list archives
Counseling not to use Windows (was Re: Anonymoussurfing my ass\!)
From: full-disclosure () lists netsys com (Schmehl, Paul L)
Date: Mon, 15 Jul 2002 14:59:59 -0500
Comments inline. Paul Schmehl (pauls () utdallas edu) Supervisor of Support Services The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/
-----Original Message----- From: David F. Skoll [mailto:dfs () roaringpenguin com] Sent: Monday, July 15, 2002 2:10 PM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Counseling not to use Windows (was Re: Anonymoussurfing my ass\!)Sorry to pick on your example but an extension merly indicates what kind of data is in the file.Not under Windows as it is configured by 99.99% of end-users. If you name a file "foo.txt", very different things happen if you click on the file than if you click on the exact same file named "foo.exe".
That depends on how the admins configure things. :-) Here at UTD, for example, it isn't possible to execute a VBS file unless you know what you're doing. It's also possible to restrict the executables that a user can run, using group policies.
A .txt extension suggests that a user might want to hand the file to a program that'll treat the file as plain ASCII, similarly an .exe extension suggests that a user might want to give the file some memory and time slices and treat it as aprogram in it'sown right. You could load the .exe into notepad, and youcould executethe .txt file.Again, for 99.99% of end users, such fine points are irrelevant. To them, clicking on an .exe runs the program. Windows even "helpfully" hides the extension by default.
And you think they will do *better* at this in *nix? You've pinpointed the problem, but missed the solution. The problem is the *users* who are ignorant and chose to remain that way. The solution is for the *conscientious* admins to understand that truth and find ways to defend the enterprise *anyway*.
That is true when it comes to memory protection, but what you're talking about is filesystem protection, and Linux doesn't "pretend" anything -- it enforces it. I believe it is possible under some versions of Windows to allow read access but not execute access to files and directories, but again, 99% of end-users don't know this and don't configure it.
Your ignorance of Windows is showing. It is possible, under all "modern" versions of Windows (not the 9x variety) to get as granular as this (at the directory or file level): Full Control Traverse Folder / Execute File List Folder /Read Data Read Attributes Read Extend Attributes Create Files / Write Data Create Folders / Append Data Write Attributes Write Extended Attributes Delete Read Change Take Ownership It isn't the OS that's the problem. It's the manufacturer's choices of default settings and the ignorance of the users (and admins in many cases.) Isn't this precisely the same problem on *nix? Give me an ignorant user on a default install of *nix and I'll give you a hacked box in a few minutes (except perhaps OpenBSD, which is one of the few that ship "secure" out of the box.) Please don't misunderstand - I am NOT saying Windows is a good as or as secure as Unix. Given the choice, I'll take OpenBSD. But the *real* problem isn't software, it's humans.
Current thread:
- Counseling not to use Windows (was Re: Anonymoussurfing my ass\!) Schmehl, Paul L (Jul 15)
- Counseling not to use Windows (was Re: Anonymoussurfing my ass\!) David F. Skoll (Jul 15)
- Counseling not to use Windows (was Re: Anonymoussurfing my ass\!) Ron DuFresne (Jul 15)
- Counseling not to use Windows (was Re: Anonymoussurfing my ass\!) Raju Mathur (Jul 15)