Rich Freeman on 23 Jan 2013 08:11:04 -0800
Re: [PLUG] "playing nicely with others"
On Wed, Jan 23, 2013 at 10:12 AM, jeff <jeffv@op.net> wrote:
> On 01/23/2013 09:00 AM, Robert Spangler wrote:
>>
>> 99% of all calls I receive for viruses and malware are directly connected
>> to the admin account being used for everyday use.
>
> To be fair, when speaking of a corporate setting, there is entirely too much
> poorly-designed Win software that demands admin rights. It causes no small
> amount of posterior hurt.

All true, but I think that in general we've gotten too used to "just don't give admin rights" as a fix for everything. It really isn't.

All of the following can be done without admin rights:

1. Running an executable.
2. Reading just about any file on the system - certainly any file owned by the logged-in user.
3. Sending arbitrary data to an arbitrary destination (via email, sockets, http put, whatever).
4. Monitoring the logged-in user's keystrokes.
5. Deleting/modifying just about anything that actually has real value. The only stuff you can't modify is stuff that comes on the OS install CD.
6. Sending copies of an executable to arbitrary email addresses, network shares (with write access), etc.

About the only thing being non-admin does is protect the OS itself, and other users who use the same computer (99% of the time there are none).

Oh, and all of the above works just fine on Linux as well as Windows. About the only thing that Linux does is make it a bit more of a pain to execute a file (which is a big help), but you're just as vulnerable to application exploits if the file is a document with a registered handler.

I think Linux is actually in need of security improvements in this age of spear-phishing and such. Apps need much finer-grained privileges. There is no reason that Libreoffice needs to be able to read my chromium cache. There is no reason that any program that can read my .xauthority file should be able to record all my keystrokes.

Of course setting up more granular security takes more work. Certainly some of the RBAC solutions like SELinux and such do address these kinds of problems, but rarely are they configured to this extent. The Linux security model is mainly about keeping users from messing with each other, and that really isn't relevant to the typical desktop user.

Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
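
One way to get the finer-grained, per-application privileges the message asks for, as an added example that is not part of the original post: a POSIX shell wrapper that runs a document handler under bubblewrap (`bwrap`) with no network, no view of the real home directory, and only the one document bound read-only. The function name `confine`, the `/home/sandbox` path and the merged-`/usr` distribution layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-application confinement with bubblewrap (bwrap).
# Assumptions: bwrap is installed and the distro uses a merged /usr layout.
#
# confine MODE DOC CMD [ARGS...]
#   MODE=print  list the bwrap argv, one argument per line, for review
#   MODE=run    exec the handler CMD on DOC inside the sandbox
# Example: confine run ~/Downloads/report.odt some-converter
confine() {
    mode=$1; doc=$2; shift 2
    # Resolve the document to an absolute path on the host side.
    dir=$(cd "$(dirname "$doc")" && pwd) || return 1
    name=$(basename "$doc")

    # --unshare-all drops the network namespace (no sending data out) along
    # with the PID, IPC, UTS and user namespaces where available.
    # The real $HOME is never bound, so the browser cache, SSH keys and
    # mail are simply absent from the handler's filesystem view.
    # No X11 socket or .Xauthority is bound, so GUI handlers will not
    # start; this suits converters and text extractors.
    set -- bwrap \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --tmpfs /home/sandbox \
        --setenv HOME /home/sandbox \
        --ro-bind "$dir/$name" "/home/sandbox/$name" \
        --chdir /home/sandbox \
        "$@" "/home/sandbox/$name"

    case $mode in
        print) printf '%s\n' "$@" ;;
        run)   exec "$@" ;;
        *)     echo "usage: confine print|run DOC CMD [ARGS...]" >&2
               return 2 ;;
    esac
}
```

Anything the handler writes lands in the sandbox's tmpfs and disappears on exit; a writable output directory would have to be bound explicitly.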