Secure Coding mailing list archives
how far we still need to go
From: dinis at ddplus.net (Dinis Cruz)
Date: Thu, 26 Jul 2007 02:03:18 +0100
It's a simple economics problem. The moment these companies and developers lose sales (or market share) because their products require admin / root privileges to run is the moment they start to REALLY support it. And the reason why there isn't such REAL demand (with the exception of crazy security dudes like us and the poor unlucky guys who actually GOT attacked) is that the attackers are not exploiting the fact that these apps need admin / root. And if the attackers are not exploiting it, the customers are not losing money, and if the customers are not losing money, they will not demand more secure systems. So it's good news: we are still safe, since the Risk is quite low :)

Btw, at OWASP we are trying to organize an OWASP Day to coincide with the Global Security Week. See http://www.owasp.org/index.php/OWASP_Day for more details and please feel free to get involved :)

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 7/25/07, William L. Anderson <band at acm.org> wrote:
> I was trying out a new web service that permits sharing files from the desktop to others online. It does seem a bit dodgy, but I was curious about how it worked. Well, after a few attempts to install it on a Mac OS X system I finally dope out that it only seems to install and run as admin. That is, I not only need to install it as admin (that's OK, ordinary users can't write to the /Applications area), but I need to run it as admin.
>
> After a few e-mails to the developers I get the following response:
>
> "the only other thing that I can suggest is to install it (and run it) in an admin account. Starting from scratch. I'll have to log it as an issue that non-admin users can't install it (I've honestly never created a non-admin account on OS X and I guess no one else here has either because we didn't think of it!)"
>
> I am flabbergasted. When I first encountered Unix in 1983 I was taught that you always run as an ordinary user, and only use admin (root) privileges when needed. If OS X developers are running as admin, and building and testing their products as admin, well ... I'm still in shock. And I weep for the species.
>
> -Bill Anderson
> http://praxis101.com/blog/