Full Disclosure mailing list archives
RE: [in] Re: IE is just as safe as FireFox
From: "joe" <mvp () joeware net>
Date: Sat, 20 Nov 2004 09:21:02 -0500
Devis: I guess you probably mean me. I don't take offense to it though as you aren't really technically correct but I understand where you are trying to come from (I think) and trust that you believe what you say versus just being a zealot and thinking anything but Windows. 1. The first account created on Windows is Administrator, it is the administrator account, just like *NIX's first account is root. Outside of that then the next account is the account of the person building the box. I haven't built one through the default processes in several months but I think the last time I did I was offered the choice of making the account limited or admin. I personally didn't like the term limited because who is going to give themselves a limited account if an unlimited account is available as an option. Everyone wants the bigger/better whatever when the two choices sit next to each other even if they don't know what is supposed to be better about it. It is why people buy the newer electronics every couple of years and the single guy buys the Excursion over the Expedition over the Explorer over the escort. He has one person to carry around but the SUVs are bigger and better even though he may never carry a single thing or another living soul the whole time he has it. Anyway, the base cause is a simple one, Windows is consumer based and *nix wasn't and really still isn't. Look at the market penetrations. *nix tends to have people already knowledgeable with its workings or people who WANT to learn the details using it, windows primary users have no experience and want none. A *nix user with no computer experience will get extremely frustrated very quickly, every time they go to do something they feel they should, they get slapped down (I, in my security thoughtful opinion do not think this is a bad idea). Windows initially was a standalone OS, recall it was Microsoft initially thinking there was nothing to the internet and spinning the opposite direction. UNIX was designed from scratch to be networked, and even it had poor initial security when it was really tested. Couple that with the idea that MS doesn't like to leave people behind and it is all logical progression as to where we have gotten where we are (contrast with Apple - can you run an Apple II app on OSX? I have DOS apps written in 86/87 still running fine today, doesn't require admin either). However, that being said, they are offering more and more tools to make it possible to run securely. You will be seeing a rather cool app in the fairly near time frame to help the whole running as admin issue. Outside of new stuff that is coming, there are a ton of features that have been around for some time to help with this stuff. I personally have run corporate Windows NT Machines as non-admin for some time, had a whole bank division department running as Power User at best in 1996, it was possible if you knew what you were doing as an admin. You had SU and net user /user: in NT4 and the API was fully open but sorry if you can't write something based on docs and instead need the source of the API instead. The big issue from my standpoint was that it wasn't pushed as the way to do things, this stuff wasn't mentioned in the MCSE courses[1]. In the end however, you could blame the OS or you could blame the people using the machines. You have blinkers on a car, it is the drivers choice to actually use them. 2. I completely disagree here. Your experience is most likely with tech people. Most users don't know and don't want to know the differences between accounts and have to work out the idea that you have to log on in special ways to install the latest game or image editing software for their digital camera they just got for xmas. They are there to use the machine, not understand it. Something MS could have done a long time ago and didn't probably because it was outside of the normal mindset is to reduce permissions when running certain apps. Say someone is running as admin, if they fire up IE, that process gets run as guest or anything that is only available to the administrator group is unavailable because that admin group SID is removed from the token. This is done with the most recent version of netmon which was surprising and quite annoying the first time I used it and tried to save a CAP to c:\temp.
Lets not hide from ourselves whats needed from MS to reach modern world security: a complete rewrite, and a ditch of old Dos base and the 20 years old legacy code.
Imagine, if you will, if they did this. Think of the fall out of SP2 alone on this list which is supposed to have competent security professionals primarily... Bill might as well just say, you know, I have made enough money for myself and those I care about, let me just close the company down. Doing this would most likely break just about everything if not everything. People who already don't want to move from Win9x to WinXP because some odd piece of crap software doesn't work the same way won't ever consider moving to the new platform Q or whatever they choose to call it. This is such a non-realistic viewpoint it is actually quite laughable. And again, if you go back to a previous conversation from this list, it isn't all of Windows, especially Windows kernel/core level stuff that has an issue. It is some key pieces of the shell. Possibly in your understanding of Windows though, the Shell is all of what you believe Windows is comprised of. joe [1] Don't get me started on MCSEs. As a whole I think they hurt Windows far more than any other thing. A bunch of people who feel they are experts in Windows because they took a couple of tests that 10 year olds could memorize and pass and yet still not be able to run anything. The best I can say about MCSEs is that I will *try* not to look down upon them for being MCSEs and let them prove themselves to be worthless before I assume it in person. -- Pro-Choice Let me choose if I even want a browser loaded thanks! -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of devis Sent: Friday, November 19, 2004 11:10 AM Cc: full-disclosure () lists netsys com Subject: Re: [in] Re: [Full-disclosure] IE is just as safe as FireFox This message is primarily destined to all MS trolls, no matter their levels, and i can see so many in this list that i am happy to target a large audience. Please run some unix or at least read about the unix permission system, and lets pray god this sheds some light in your mono cultured brains. Here are the relevant points: 1) Despite recent ameliorations of MS ( multi user finally, permissions ... ) and some effort at making the system more secure, something very important is still left out: The first default user of the MS computer is made an administrator. This comes down to giving uid0 to ur first unix user. Unix does NOT do that. It requieres you to use su and become root ( administrator ) after proper credentials submission ( password ). The first user is NOT and administrator, and any recent Unix documentation will insist on the danger of running as root(admin). Unix keeps the admin account well separated from the user account, which MS DOESN'T, despite all wrong arguments i read on this list. VERY BAD practice generally. So its user friendly, as the user has admin rights and can therefore install and remove software and change major configuration. Majority of users don't and will never know there is an 'administrator' user that hides from their eyes. This little detail that apparently Ms people can't 'understand' is a huge step. Please install a proper unix, create 2 accounts and try to read the home directory of the second user from the first. 2) "After all, they don;t need to know" . " You're on a need to know basis job" Do MS really think the users are stupid ? Do understanding different IDs/ roles / accounts on a computer that much of a tough message to pass to the end user ? Isn't security important and supposedly the goal of recent MS developpements ? If they really did target security, their efforts will have been into making the user understand that he should be admin to install programs, and a non priviledged user to surf the web. IS that that hard to understand ? And that much hidden into high IT security professionnal unreachable knowledge ? I don;t think so. Doesn't a company such as MS has enough ressources to make that a priority and educate the users ? Off course it has. Just not very 'commercially' friendly as if user then understand roles, it might requires less Anti virus, personnal firewall and other bullshit FUD's scareware ( Yes its scareware, and it is the best selling software category OF ALL times of software history ). This is why, Firefox being independant from this OS that carries 60 of its code base as being legacy code for older system hardware and backward compatibility, is likely more secure than the in house integrated application. Now if u are running Firefox as an administrator .....don't be surprised if something happens. Don;t blame the software, but your poor security practices. Lets not hide from ourselves whats needed from MS to reach modern world security: a complete rewrite, and a ditch of old Dos base and the 20 years old legacy code. Hopes that clears things. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: [in] Re: IE is just as safe as FireFox, (continued)
- Re: [in] Re: IE is just as safe as FireFox Borja Marcos (Nov 18)
- Re: [in] Re: IE is just as safe as FireFox GuidoZ (Nov 18)
- Re: [in] Re: IE is just as safe as FireFox Borja Marcos (Nov 19)
- Re: [in] Re: IE is just as safe as FireFox Kenneth Ng (Nov 19)
- Re: [in] Re: IE is just as safe as FireFox Valdis . Kletnieks (Nov 19)
- Re: [in] Re: IE is just as safe as FireFox Vincent Archer (Nov 22)
- Re: [in] Re: IE is just as safe as FireFox Xavier Beaudouin (Nov 19)
- Re: [in] Re: IE is just as safe as FireFox Andrew Farmer (Nov 19)
- Re: [in] Re: IE is just as safe as FireFox bkfsec (Nov 19)
- Re: [in] Re: IE is just as safe as FireFox devis (Nov 19)
- RE: [in] Re: IE is just as safe as FireFox joe (Nov 20)
- Re: [in] Re: IE is just as safe as FireFox Shoshannah Forbes (Nov 21)
- RE: [in] Re: IE is just as safe as FireFox joe (Nov 21)
- Re: [in] Re: IE is just as safe as FireFox Stefan Schatzl (Nov 22)
- Re: [in] Re: IE is just as safe as FireFox devis (Nov 22)
- Re: IE is just as safe as FireFox Colin . Scott (Nov 12)
- Re: IE is just as safe as FireFox Rafel Ivgi, The-Insider (Nov 12)
- Re: IE is just as safe as FireFox Colin . Scott (Nov 12)
- RE: IE is just as safe as FireFox Michael Evanchik (Nov 12)