On Thursday, June 26, 2003, at 06:00 PM, Barry Shein wrote:
These long-winded apologias for microsoft are touching (and I hope
paid for!)
HOWEVER, what would've been so hard about putting in a goddamn pop-up
confirm box triggered at the system level which said something like:
THAT ACTION IS TRYING TO MODIFY YOUR SYSTEM
SOFTWARE AND/OR THE REGISTRY etc etc.
Proceed? [YES] [NO] [HELP]
based on some reasonable rules so it's a reasonably meaningful
warning? Lord knows they ask confirmation for everything else you do
it seems.
The interesting thing is that it's mostly possible to configure a
Windows 2000 system this way. I have to use Windows 2000 at work, and I
always run as a completely untrusted user with no registry or system
modification privileges. I also remove Outlook Express and its various
hidden components which many worms and viruses use to do their nasty
tricks, and disable ActiveX and scripting in IE. I use Mozilla as my
web browser.
This week I twice had a warning dialog caused by an installer failing
to install some piece of unidentified software which I had not asked
for. I tried to track down where it came from, but Windows doesn't seem
to offer much of an audit trail for "What launched this process?"
Of course, there are still all the unpatched security holes that allow
privilege elevation, but 99% of the problem is IE, ActiveX, Outlook,
and running as admin the whole time. Microsoft could fix those problems
tomorrow if they wanted to.
The sad thing is, running as an unprivileged user breaks a *lot* of
software, including some commercial applications. The culture of zero
security in Windows is so ingrained now that it's assumed your Windows
system will be wide open to the world.
Mac OS X is mostly locked down by default. You can trash the
applications, but you can't change the OS or startup sequence without a
dialog requesting root privileges. Apple also recommend the "running as
an unprivileged user" approach, though they don't make that the default.
Unlike in Windows, running as an unprivileged user on a Mac doesn't
break much. So far I've only had one application have problems. (Adobe
Photoshop Elements, in case anyone's curious, and they have a note
about it in their knowledgebase.)
mathew
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg