Re: [PLUG] Windows security -- Was: X11 server for Windows

Art Alexion on 22 Aug 2010 12:37:07 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Windows security -- Was: X11 server for Windows

From: Art Alexion <art.alexion@gmail.com>

To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>

Subject: Re: [PLUG] Windows security -- Was: X11 server for Windows

Date: Sun, 22 Aug 2010 15:36:59 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:received :in-reply-to:references:date:message-id:subject:from:to:content-type; bh=2eEXTSKh7iZlJ2ul47CgrE3yKlBDswBFe2JLxdzrbhc=; b=g95rnl8ANInrvmkmlPG0zSQYGr8LXaKMODvWB0QnPKJ/0244goLzKDbPyEDca4Dsrd rx+OJuQLYr3w/tfsId/T6eLyMLZeQUGDm/UIDdtpo0htQ2XFGJpmf5nQR+pwMWsdEZ/i F1d/wLJtcYecqvWr1hdW4RGVIrwiJg1WPozfg=

Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>

Sender: plug-bounces@lists.phillylinux.org

Fred, thanks for pointing that out. I had never thought uid/gid through. Realized that it allowed regular users to run programs that normally required elevated permissions, but never concluded that that gave the user the other elevated permissions associated with the program.

--
Art Alexion

On Aug 22, 2010 1:26 PM, "Fred Stluka" <fred@bristle.com> wrote:
Art,

I absolutely agree with you overall, but some comments:

In my experience, Windows greatest vulnerability is its preference for complexity where simplicity would do a better job. I don't think this is a matter of poor engineering so much as the difficult goal of satisfying both users and marketers.

Yes, I prefer to see simple solutions to simple problems, and
ideally even simple solutions to complex problems. The last
resort is a complex solution to a complex problem. Too many
Microsoft solutions are complex solutions to simple problems.
This IS poor engineering.

In order to make Windows easier to use and to include some whiz-bang features in its application products, MS creates some intentional security holes.

For example, even though I may not have permissions to a certain directory, an instance of Outlook which I run may have permissions to write to it. Contrast that with Linux aged my processes do not have greater permissions than I have directly.

Good point, but bad example. It is common practice in Unix/Linux
for you to be able to run a program that has more privileges than
you do directly. See:
http://en.wikipedia.org/wiki/Setuid

--Fred
---------------------------------------------------------------------
Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
---------------------------------------------------------------------

Art Alexion wrote:

In my experience, Windows greatest vulnerability is its preference for complexity where simplicity would do a better job. I don't think this is a matter of poor engineering so much as the difficult goal of satisfying both users and marketers.

In order to make Windows easier to use and to include some whiz-bang features in its application products, MS creates some intentional security holes.

For example, even though I may not have permissions to a certain directory, an instance of Outlook which I run may have permissions to write to it. Contrast that with Linux aged my processes do not have greater permissions than I have directly.

Add to that, the fact that in order to create some of these backdoors, MS engineers had to create a system that was more complex than otherwise necessary, and complex systems tend to be more vulnerable than simpler systems.

--
Art Alexion

On Aug 19, 2010 1:24 PM, "Edmond Rodriguez" <erodrig97.list@gmail.com <mailto:erodrig97.list@gmail.com>> wrote:
> On Wed, Aug 18, 2010 at 5:05 PM, JP Vossen <jp@jpsdomain.org <mailto:jp@jpsdomain.org>> wrote:
>
>> "Microsoft Tax" = the additional hardware & yearly fees for the add-on
>> software required tlo protect Windows from its own poorly designed and
>> implemented self, while the overhead incidentally flattens Moore's Law.
>
> I am all for Linux and have been using it almost exclusively. I have
> used XP quite a bit.
>
> At a Central meeting once I brought the Windows vulnerability thing up
> and asked what some of the vulnerabilities were. I know there is all
> the buffer overrun stuff that comes up all the time. I sometimes get
> security advisories in email similar to the buffer stuff for Linux
> software. Don't most of the problems come from people trying to trick
> users into running various exe files or installing software?
>
> I ask the question, if Linux were as highly used as Windows, would we
> feel threatened? Would people write software to try and trick us
> (especially a novice user)? Like trying to run some binary file from
> some web dialog box made to look like a system dialog box or other
> trickery to get an exe to run.
>
> One person responded that a major problem with Windows vulnerabilities
> is that many people run as administrator by default. I never thought
> of that before, but it does seem true.
>
> So I guess I am wondering, other than it's popularity causing people
> to want to do harm, what are the major vulnerabilities of Windows?
> How much of the vulnerability is because of it's popularity (not
> design) as compared to Linux?
>
> Again, I prefer Linux, and it's performance and ease, but that is
> another topic.
>
>
> Edmond
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

------------------------------------------------------------------------

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:

Re: [PLUG] Setuid programs -- Was Windows security -- Was: X11 server for Windows
From: Fred Stluka <fred@bristle.com>

References:

Re: [PLUG] X11 server for Windows
From: JP Vossen <jp@jpsdomain.org>

Re: [PLUG] X11 server for Windows
From: Edmond Rodriguez <erodrig97.list@gmail.com>

Re: [PLUG] X11 server for Windows
From: Art Alexion <art.alexion@gmail.com>

Re: [PLUG] Windows security -- Was: X11 server for Windows
From: Fred Stluka <fred@bristle.com>

Prev by Date: Re: [PLUG] Windows security -- Was: X11 server for Windows

Next by Date: Re: [PLUG] Setuid programs -- Was Windows security -- Was: X11 server for Windows

Previous by thread: Re: [PLUG] Windows security -- Was: X11 server for Windows

Next by thread: Re: [PLUG] Setuid programs -- Was Windows security -- Was: X11 server for Windows

Index(es):

Date

Thread