funsec mailing list archives

RE: Administrator Accounts


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 23 Feb 2006 14:09:13 +1300

Todd Towles wrote:

My friend Susan Bradley said it in 2005 -

"We need to understand that we need to protect ourselves a little bit
better. At the same time, the vendors need to step up to the plate.
Intuit, in particular, and other vendors that do not support limited
user rights are forcing me to make security decisions. They are the ones
causing insecurity on the desktop, not me."

But not all applications will run if the user does not have
administrative privileges, Bradley said.

"The ultimate goal is that every single application that we have
installed in our systems will run in user modes," Bradley said. "The
Microsoft applications do run in user mode. I cannot say that for the
rest of my stupid line-of-business applications. To get certified for
design for a Windows XP logo, you have to run as a user mode."

So, why, pray tell, is _any_ corporate system running any of these
crappy apps?

If it doesn't "run in user mode", WTF was it ever approved for use
in the business?

Had corporates taken this "we actually really do care, maybe just a
little though, about security" stance, this problem would not exist _for
"business use" software_ today.

The reason the problem exists is that "too many" corporate IT folk
either don't have the balls to front a major s/w developer like Intuit
(and all the others) and demand that they fix their crappy software, or
the IT folk's advice is overridden by some security-clueless moron
(probably an accountant) who decides it is cheaper (in terms of
up-front dollars and cents) to stick with the app that they were using when
Win9x ruled their roost (and don't get me started on the question of
why that PoS was _ever_ used in a business that claims to care about
security) and not face the re-training, data conversion, process
conversion, etc., etc., etc. costs of switching to Product X, which does
offer the intangible benefit of allowing a better security design for
their IT system.

Thinking in the small by small-minded folk who can only see their 
constrained view of the world...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
