Linux vs Windows a real life comparison
piratePenguin:
Hell, why would you instruct H_TeXMeX_H to stay away from IE after instructing him to use only a limited account if IE/ActiveX/Javascript is okay in a user account?
Having to tweak one little thing isn't so bad, but user accounts aren't little things (Okay that sentence and the start of the next is bad. It's not hard to make a user account, I don't mean to say that. I mean to say that they're important. I'm too lazy to restructure it right now.). They're huge motherfuckers and everybody really should make good use of them. Apple and most GNU/Linux distributors took it on themselves to create a user account at installation time, because they knew it was important. Not only is it important for the individual user, it's important for the world of users because once one machine is cracked, the rest are in danger, especially if the rest are using superuser accounts to browse the web. For this reason, I believe that if Mac OS X or GNU/Linux dominated the market, they wouldn't have so much malware as Windows does now. There are other things to consider, of course, and in the end I might be wrong, but I don't see how any non-retard could predict otherwise. IMO, Windows brought its malware situation on itself more than anything else (the fact that it's a product of an evil corporation that many people have no/little respect for doesn't help much either).
Knowing how important using user accounts is is one thing, I still wouldn't declare anyone insane for releasing an operating system that doesn't set up a user account at installation time because there are other factors to be taken into account. One is the target market. I don't think Patrick Volkerding is insane because the Slackware installer doesn't set up a user account for the user, and probably most people don't. That's because Slackware is targeted towards people with a clue. Windows isn't.
I do think that Microsoft are insane for not having a user account set up at installation time. Did they expect most users to set up user accounts themselves or what? Microsoft were begging for disaster. Windows is/always has been begging for disaster.
toadlife:
--- Quote from: piratePenguin ---EDIT: Why do muzzy and Aloone_Jonez disable ActiveX if it's not a security issue with their limited accounts?
--- End quote ---
That's a damn good question, because it's rather pointless. Are you sure alone and muzzy actually use limited accounts?
piratePenguin:
--- Quote from: toadlife ---That's a damn good question, because it's rather pointless.
--- End quote ---
Then why don't you answer this one?:
--- Quote from: me ---why would you instruct H_TeXMeX_H to stay away from IE after instructing him to use only a limited account if IE/ActiveX/Javascript is okay in a user account?
--- End quote ---
--- Quote ---Are you sure alone and muzzy actually use limited accounts?
--- End quote ---
/me searches for a bit
Nope, got nothing for muzzy and only this for Aloone_Jonez:
--- Quote ---I set up all of the user accounts with restricted privileges and to show all file extensions to help guard against any infection by firewall breaches or suspicious downloads.
--- End quote ---
Those could be accounts for other people though, so he might be browsing the web as root. There is one way to find out...
toadlife:
--- Quote from: piratePenguin ---Hell, why would you instruct H_TeXMeX_H to stay away from IE after instructing him to use only a limited account if IE/ActiveX/Javascript is okay in a user account?
--- End quote ---
Good question. The reason is because, even though running as a limited user protects the operating system, remote code execution exploits, if coded properly, can still infect the user's space and run. There are more than just ActiveX exploits for IE. There are image rendering buffer overflows, JavaScript overflows, etc. Due to its market share, IE is highly targeted, and whenever some buffer overflow is detected tons of sites carry the exploit code. I've personally seen adware that is coded to run in the user's space. Because it was restricted to the user's space, it was very easy to clean up, but it was still malware. The most valuable files on a system are the user's files, so a malware infection restricted to the user's space can still do really bad things, like steal personal info. The big difference is malware stuck in the user's space is easier to detect (no rootkits!) and easier to remove (just log in as a different account and nuke it!).
I got the clue on IE a loooong time ago and have been using mozilla since before version 1.0 and then firefox before version 1.0.
--- Quote ---I do think that Microsoft are insane for not having a user account set up at installation time. Did they expect most users to set up user accounts themselves or what? Microsoft were begging for disaster. Windows is/always has been begging for disaster.
--- End quote ---
I agree. The default admin user account thing is dumb. It was made to facilitate backward compatibility with programs coded for older versions of Windows that had no security model at all. Their other choice would have been some weird sandbox/virtual machine type of workaround for incompatible programs, which would probably have severely degraded performance. It all comes down to what the customer wants. "Average Joe" computer users want, above all, their computers to work and not be slow. That's what Microsoft gave them.
You might be surprised that I think this, but when Vista comes out and it creates limited accounts by default, nothing will change as far as malware on Windows. Miscreants will start to code their malware so that it runs in the user's space, and people will continue to have their Windows machines infected just like they are today. Most viruses today propagate by getting naive users to open up zip attachments and execute the files inside, so there is no reason to think that with Vista, malware will simply ask for the admin password - and naive users will type it in.
piratePenguin:
--- Quote from: toadlife ---Good question. The reason is because, even though running as a limited user protects the operating system, remote code execution exploits, if coded properly, can still infect the user's space and run. There are more than just ActiveX exploits for IE. There are image rendering buffer overflows, JavaScript overflows, etc. Due to its market share, IE is highly targeted, and whenever some buffer overflow is detected tons of sites carry the exploit code. I've personally seen adware that is coded to run in the user's space. Because it was restricted to the user's space, it was very easy to clean up, but it was still malware. The most valuable files on a system are the user's files, so a malware infection restricted to the user's space can still do really bad things, like steal personal info. The big difference is malware stuck in the user's space is easier to detect (no rootkits!) and easier to remove (just log in as a different account and nuke it!).
--- End quote ---
Okay but just one thing:
--- Quote ---Due to its market share, IE is highly targeted
--- End quote ---
There's more to it than market share. Just to make sure you're aware of that.
--- Quote ---
I agree. The default admin user account thing is dumb. It was made to facilitate backward compatibility with programs coded for older versions of Windows that had no security model at all. Their other choice would have been some weird sandbox/virtual machine type of workaround for incompatible programs, which would probably have severely degraded performance. It all comes down to what the customer wants. "Average Joe" computer users want, above all, their computers to work and not be slow. That's what Microsoft gave them.
--- End quote ---
They also got seriously messed up security. Microsoft (or should I say Windows) got themselves into their own mess anyhow.
--- Quote ---
You might be surprised that I think this, but when Vista comes out and it creates limited accounts by default, nothing will change as far as malware on Windows. Miscreants will start to code their malware so that it runs in the user's space, and people will continue to have their Windows machines infected just like they are today. Most viruses today propagate by getting naive users to open up zip attachments and execute the files inside, so there is no reason to think that with Vista, malware will simply ask for the admin password - and naive users will type it in.
--- End quote ---
Good thing Linux has working MAC (SELinux). Is there work going on to get MAC on Windows (A quick Google search doesn't seem to think so... MS really should be getting MAC on Windows I think...)?
--- Quote from: The SELinux FAQ Q2 (http://www.nsa.gov/selinux/info/faq.cfm#I2) ---# What does Security-enhanced Linux give me that standard Linux can't?
The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).
The security of an unmodified Linux system depends on the correctness of the kernel, all the privileged applications, and each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.
--- End quote ---
Kinda cool if you ask me.
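Added example, not part of the thread: a small Python model of two points made above, that an exploited program in a limited account can still read that user's files, and that the mandatory access control described in the quoted SELinux FAQ decides on labels rather than on user identity. The domain and type names and the allow rules are constructed for illustration and are not taken from any real SELinux policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str   # MAC label of the process (constructed name)

@dataclass(frozen=True)
class File:
    owner: int
    mode: int     # Unix permission bits, e.g. 0o600
    label: str    # MAC label of the file (constructed name)

PERM_BITS = {"read": 4, "write": 2}

def dac_allows(p, f, perm):
    """Traditional discretionary check: uid 0 bypasses, else owner/other bits."""
    if p.uid == 0:
        return True
    shift = 6 if p.uid == f.owner else 0   # group bits omitted for brevity
    return bool((f.mode >> shift) & PERM_BITS[perm])

# Constructed type-enforcement rules: anything not listed is denied.
ALLOW = {
    ("browser_t", "browser_download_t", "read"),
    ("browser_t", "browser_download_t", "write"),
    ("webserver_t", "web_content_t", "read"),
}

def mac_allows(p, f, perm):
    """Mandatory check: keyed on labels only, so uid 0 gets no special case."""
    return (p.domain, f.label, perm) in ALLOW

def access(p, f, perm):
    """Access is granted only when both the DAC and the MAC check pass."""
    return dac_allows(p, f, perm) and mac_allows(p, f, perm)

def scenario():
    browser = Process(uid=1000, domain="browser_t")    # exploited browser, limited user
    daemon = Process(uid=0, domain="webserver_t")      # exploited daemon running as root
    taxes = File(owner=1000, mode=0o600, label="user_home_t")
    download = File(owner=1000, mode=0o644, label="browser_download_t")
    shadow = File(owner=0, mode=0o600, label="shadow_t")
    cases = [("browser->taxes", browser, taxes), ("browser->download", browser, download),
             ("browser->shadow", browser, shadow), ("rootdaemon->shadow", daemon, shadow)]
    # Each result is (allowed by DAC alone, allowed by DAC and MAC together).
    return {n: (dac_allows(p, f, "read"), access(p, f, "read")) for n, p, f in cases}

if __name__ == "__main__":
    for name, (dac, both) in scenario().items():
        print(f"{name:20} DAC-only={dac!s:5} DAC+MAC={both}")
```
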