Viewfinity CEO Says Many Computer Users Are Overprivileged (Video)
This isn't about your place in society, but about user privileges on your computers and computer networks. The more privileges, the more risk of getting hacked and having Bad People do Bad Things to your company's computers, right? So Leonid Shtilman's company, Viewfinity, offers SaaS that helps you grant system privileges in a more granular manner than just allowing "root" and "user" accounts with nothing in between.
Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.
Give me Classic Slashdot or give me death!
and it asks for the root password when adding a new wifi hotspot.
Most of what I'm seeing there we already achieve through Active Directory without any third party solutions. Any company that only implements two levels of permissions (root and user) is either stuck in the 80s or else only has one user.
Wow Nice Slashvertisement!
This seems to be an advert for some sort of sorry Windows admin tool. WTF?
root and user accounts are typical for crappy unix security model
And no mention in your post of group permissions...? There is a bit more flexibility at the most basic levels and has been for many years.
Your site.. feel free to disagree.. but I think you're making a huge mistake with these ads.
There has to be some separation between the ads and the content. No one is going to visit a site explicitly to see ads. And if the content becomes the advertising, users will leave.
I can't think of a single successful site that has advertising as the content. Nytimes, washpost, wsj, digg, ... There's always separation between the content and the ads.
With the solution being....'Buy our product!'
Too many fucking commercials on this Slashdot TV channel. Anyone got a Tivo'd version of Slashdot I can read?
First and last time watching slashtv.
There have been much more granular permissions on Linux and all other Unix-likes for decades as well.
This is very advertisement-centric, that's all.
This is the second one of these non-stories posted in as many days. I, like many people, have been reading and posting to Slashdot for years. I'm starting to wonder exactly why I continue to do so....
I was raised on the command line, bitch
"Nemo me impune lacesset"
This is very Linux-centric. There have been much more granular permissions on Windows for probably well over a decade.
Most Windows users for the last decade have run as 'root' since it's the default on XP, and there have been much more granular permissions on Unix for decades through group permissions.
Not to mention technologies like SELinux and Apparmor.
The days of UID 0 being king and everyone else being a peasant have been over for a long time. Some examples:
Solaris: Root is a role, not a user.
Linux: AppArmor and SELinux come into play.
AIX: Root can be removed and assigned to roles, where UID 0 is just another user.
BSD: Plenty of ways to limit access via ACLs and other mechanisms.
OS X: Root has to be explicitly enabled.
Pretty much, the only reason the concept of root exists these days is a "master override" when one just needs to get something done without roles/ACLs/et al. coming into the picture, such as doing hardware configurations, or booting from recovery media. Almost all new operating systems tend to not allow the user to run as root unless it is explicitly enabled.
This "slashdottv" thing is pretty much turning out to be "yourdailyinfomercial".
Anyone got a good suggestion on how to filter this spam out?
Welcome to the Panopticon. Used to be a prison, now it's your home.
Not quite. Not even Administrator is root. LocalSystem is root.
quod erat demonstrandum
We're supposed to pay for a product that effectively replaces sudo & user/group privileges?
and many CEOs' mouths are over privileged and we should remove their ability to speak ...like this guy. LAST I checked after I reach a certain age I can think and do what I want within the law. IN fact I can break laws if I want to pay consequences. WOW isn't freedom great!
THIS shit for brains CEO wants control and to make you think it's ok to be controlled.
FIGHT CONTROL.....
That's why Bill Gates made the Windows so successful. Make things simple, who cares (except geeks) about how you make it as long as it works.
This is very Linux-centric
No, it's very UNIX Release 6 centric. It hasn't been true of most modern UNIX and UNIX-like systems for about 20 years.
I am TheRaven on Soylent News
... security to begin with. The problem was no one predicted the internet would become the thing it was and most people are not intelligent enough to be using connected PCs to begin with. It's about the cognitive level of intelligence needed to be using such machines to begin with. It's not hard to keep safe without overbearing security and permissions, it's about being intelligent about what kinds of machines with certain data you hook up to the net to begin with.
Let's remind ourselves that it is usually the users themselves that get into trouble by downloading or running things they shouldn't be. And many hackers would naturally "socially hack" people rather than 'hack things the hard way'. Security is only as good as the people who use your machines anyway. The idea that "Users are too privileged" is a farce.
There, I said it.
Most Windows users for the last decade have run as 'root' since it's the default on XP, and there have been much more granular permissions on Unix for decades through group permissions.
Running as admin on Windows doesn't give you access to groups you're not a part of (though you can jump through some hoops to alter permissions on anything if you really want to). Proper group permissions have been in the Windows NT and NTFS codebases since very early days.
Anyhow, XP has not been the latest Windows for most of the past decade. It's been more than 5 years since the latest Windows release had you running as the administrator account by default.
Socialism: a lie told by totalitarians and believed by fools.
Sure, if he is talking about on a Windows machine, but on Linux/Unix/BSD/OS X, this already exists in sudo. If you need "root" privileges for something, you set up a sudo rule for that individual user for running that individual command.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Anyhow, XP has not been the latest Windows for most of the past decade
90% of the Windows machines I see are still running XP. I was surprised today when I visited a customer site and saw them running Windows 7 on one of their PCs... the other thirty or so that I saw were all XP.
I notice an Ad tag on this story. Can I filter so I can't see these anymore? I come here for the content, not the ads. However, to support y'all I don't hide the "official" ads. However, if these slashvertisements keep up, I may have to rethink that.
Don't block my access to anything! Also, remove those "safety" things from my table saw!! And "protective eyewear"?? How can I cut when I can't see!? Those come off too.
It's an ongoing battle in my agency to fend off users who want admin rights. It's even harder to remove admin rights from users who already have them. Particularly on laptops. We have instituted various mechanisms for software installs thru a process but these users are still a pain in the ass.
Title: Leonid Shtilman Says Many Computer Users are Overprivileged
Description: The more privileges, the more risk of getting hacked and having Bad People do Bad Things to your company's computers.
[00:00] <TITLE>
"Privilege Management and Application Control Solutions Are Essential security Tools" appears over a stylized view of the interviewee, sitting in what appears to be a food court.
The SlashdotTV logo bar appears in the bottom and reads "Leonid Shtilman - CEO, Viewfinity"
[00:02] Leonid>
My name is Leonid Shtilman, and I'm CEO of Viewfinity.
Viewfinity as a company started 4 years ago, and the main business is providing security solution as Software-as-a-Service.
What kind of security solution?
It's management of privileges of end users.
By privileges we mean, by the end point are you administrator, are you standard users, or, shortly, what you can do and what you can not do on your personal computer or, in the case of administrators of servers, what you can do as administrator of server.
[00:43] <TITLE>
The SlashdotTV logo bar fades in and out of view, reading "You have a new product coming out / Can you tell us a little about it?"
[00:44] Leonid>
The problem with privileges is that if you want to do it granularly - I mean that you say "You are not administrator but I will allow you to certain functions as administrator" - the problem is how to manage those requests.
One person, let's call it developer say "I cannot live without full administrative privileges", our software is telling him "You can live as standard users, but we will allow you, as administrator, to use your Visual Studio" or "... we can allow you, as administrator, to use another tool."
But generally speaking, we don't want you will be master of the universe and you will do whatever with your computer.
Why?
Because it's dangerous.
So this account, somebody can get more important and most sensitive corporative servers, and this is our main business.
The business how to manage enormous amount of requests to have administrative rights for this or for another purpose.
[01:52] <TITLE>
The SlashdotTV logo bar fades in and out of view, reading "Those are IT benefits. What about business benefits?"
[01:52] Leonid>
I can give you an example:
Usually end users are standard users let's say, in a bank.
And then some of them is going to travel to conference, like this one.
In this case he needs to print, he cannot print; because he is standard user he cannot install printer.
Or "I need to use particular website with ActiveX on it", you can not use it because you're standard user.
So for business is how to have still secure environment but not to disturb business.
This is what we are all about.
Not to disturb business process, but still stay secure.
[02:35] <TITLE>
The SlashdotTV logo bar fades in and out of view, reading "What benefits does your product give specifically to software developers?"
[02:36] Leonid> .. they can develop any software which requires administrative rights without thinking twice because this software will be later managed with our package, package of Viewfinity.
So, actually, it's two benefit.
One benefit is for the managers of this group of developers.
The managers will be sure if they will use our software that the environment is secure, they will not afraid of, what is called sometimes, 'insider', that insider will do some damage.
So it is a protection of organization from developers.
Another benefit is that with our software, developers can actually
So Viewfinity will take care who can use this software, who will be blocked from using this software, and so on.
So it's more freedom for developers, and more secure environment for the managers of development team.
[03:38] <TITLE>
The SlashdotTV logo bar fades in and out of view, reading "One last question - From a top-level perspective, what is the num
No it's not. There is no direct equivalent to root in Windows. The concept of a superuser simply doesn't exist in its security model.
The way I see it, Viewfinity's CEO not-so-subtly says that people should not have control over their computers, and offers SaaS so that Viewfinity can assert that control.
I'll go sorta OT here, but I am fed up with articles, here or elsewhere, that can be summed up as "here, watch this video."
Thanks for making me ingest content at the speed of the slowest talker in the video, not at my reading speed.
If you post a video in lieu of text, you just wasted the world's time.
---------------------------------------
Rotate the pod, please, HAL....
I've also used the mac sandbox. this is pretty darn cool. [...] I don't understand why every app is not in a sandbox these days.
The last time I checked, the Mac OS X sandbox allowed access to user-specified files, but there was no entitlement allowing scanning all files in a user-specified folder. A program that backs up your files or performs batch operations on all pictures in your camera's memory would not be able to run in such a sandbox.
Running as admin on Windows doesn't give you access to groups you're not a part of
If you can add yourself to a group, you're part of that group for the purpose of any competent security analysis.
Come on Slashdot... If I wanted to read stuff like this I would read my email spam folder. I refuse to get sucked into discussing security when this is just blatant pulp advertising. Booo! Hisss!
But it's different from Unix root - you can't accidentally change stuff ACLd to a group you don't belong to, which is the vast majority of problems. If you want to stretch the definition (or we're talking about malware payloads, not user error), anyone can add themselves to any group, because every OS will have some sort of privilege escalation flaw somewhere.
Realistically, if you care about groups, you're in a domain and you're not running as the domain admin.
Socialism: a lie told by totalitarians and believed by fools.
We know you need to keep the revenue coming in, and people don't begrudge you that. But this is the second time I've seen a story and slowly realized "This is just an ad. Did I miss something? Nope, it looks just like any other story."
It's this kind of thing that makes people lose trust in you, and then they stop coming.
Usually because the author never did a proper rewrite after Windows 9x.
Or there's some semi-trivial thing that's "well-secured" for uncertain reasons
At one job I had, there was a weather station connected via serial port.
Automatically required admin rights, since NT doesn't let mere users muck about with important peripherals like the serial port...
If this were for Linux, I'd be asking "So did you ever hear about groups?"
SYSTEM is pretty damn close. That's the user account the core services run at, like the FS and RAID daemons, any that didn't get pulled back into the kernel for performance.
How the hell do you call it "UNIX like" when it's nowhere close to UNIX design? The shitty unix rwx 'security' is the most brain dead model anyone has ever come up with. Even the creators of unix admit it is a horrible design.
Granular controls on root/admin logins have been around for years, (Solaris & others).
IT pros know it, even I know it.
What we have here, is a failure to communicate...
It's not the user.
Nor is it the internet
Nor is it the administrator
Nor is it the OS vendors
It's a very deep paradigm/vocabulary issue
The problem IS lack of security.... quick... how can You, in YOUR CHOICE OF ENVIRONMENT tell your OS that you want a program to enforce this set of rules on a program you want to test:
If you can even begin to fulfill this list of un-restrictions, you're probably approaching it in terms of a locked down user account, which is exactly the problem. This list of un-restrictions is otherwise known as a capabilities list, and should be assigned on the basis of the needs of the moment, not some static definition.
If you can't even express the correct answer, you'll never get it right.