Re: XPSP2 compatibility

From: Michael Richardson (mcr@sandelman.ottawa.on.ca)
Date: Sun Aug 22 2004 - 14:43:34 EDT


>>>>> "Kevin" == Kevin Sheldrake <kev@electriccat.co.uk> writes:
    Kevin> privileged users can write to raw sockets? Perhaps if the XP
    Kevin> installation forced the creation of at least one user account
    Kevin> and spat out a large alert when someone logged on as

  You are right --- the facilities are there. They are just not used.

    Kevin> For instance, my girlfriend uses Win2K on a laptop with a
    Kevin> wifi card. In order for her to start and stop the built-in
    Kevin> IPSec client (required when she switches between wired and
    Kevin> wireless), she needs to be a power user of some description.
    Kevin> Fine, I'm the administrator so I gave her the capabilities.
    Kevin> Now she can let malware act as a power user when it runs -
    Kevin> brilliant. On linux, for example, I simply su to start and
    Kevin> stop the IPSec and run the rest of my session as a normal
    Kevin> user. It's the simple concept of least privilege...

  No, on Linux you can do several things:
    a) always encrypt everything anyway. (simplifies everything)
    b) run scripts from dhclient to auto-select things.
    c) use "sudo" to let her run a script
    d) write a setuid program that does the one task.

  Since Win2K, there has been the equivalent of "su". Including the GUI
"Run-As" interface. Is it used? Not that I can tell.
  Why not?

  This isn't about technology --- it never has been.

  It is about letting very brilliant people with no non-MS experience
run the show. They are too smart to bother learning from past mistakes,
even their own.

--
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
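
Option (d) from the message above, as an added example that is not part of the original post: a setuid-root helper that performs only the one task of starting or stopping IPsec. The script path /etc/init.d/ipsec and the names parse_action and run_ipsec are assumptions made for illustration.

```c
/* Added example: single-purpose setuid-root helper for option (d).
 * Assumption: IPsec is controlled by "/etc/init.d/ipsec start|stop". */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IPSEC_SCRIPT "/etc/init.d/ipsec"  /* assumed path, fixed at build time */

/* Map the caller's argument onto a fixed allow-list. The returned pointer is
 * our own constant, so the caller's string is never passed on to root code. */
const char *parse_action(const char *arg)
{
    static const char *const allowed[] = { "start", "stop" };
    size_t i;

    if (arg == NULL)
        return NULL;
    for (i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++)
        if (strcmp(arg, allowed[i]) == 0)
            return allowed[i];
    return NULL;
}

/* Set real, effective and saved uid to root (shells drop privileges when
 * euid != ruid), then exec the script with a fixed, minimal environment so
 * PATH, LD_PRELOAD, IFS etc. from the unprivileged caller are discarded. */
int run_ipsec(const char *action)
{
    char *const argv[] = { (char *)IPSEC_SCRIPT, (char *)action, NULL };
    char *const envp[] = { (char *)"PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execve(IPSEC_SCRIPT, argv, envp);
    perror("execve");            /* only reached if execve failed */
    return 1;
}

int main(int argc, char **argv)
{
    const char *action = (argc == 2) ? parse_action(argv[1]) : NULL;

    if (action == NULL) {
        fprintf(stderr, "usage: %s start|stop\n", argc > 0 ? argv[0] : "ipsecctl");
        return 2;
    }
    return run_ipsec(action);
}
```

The binary has to be owned by root with the setuid bit set; making it executable only by a dedicated group limits who can toggle IPsec at all.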

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:00 EDT