Viewfinity CEO Says Many Computer Users Are Overprivileged (Video)

Slashvertisment by Hatta · 2012-04-04 05:49 · Score: 5, Insightful

Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.

--
Give me Classic Slashdot or give me death!

Re:Slashvertisment by Anonymous Coward · 2012-04-04 06:07 · Score: 3, Insightful

Not just dislike, but cost (in terms of time spent managing it, and time spent with people twiddling their thumbs waiting for someone to give them permission to something they need to do their job). Granularity always comes down to a balance between practicality and security. Lock down the super secret stuff.. apply reasonable rules to the less critical stuff.. throw the office lottery pool list on the wiki.
Re:Slashvertisment by lgw · 2012-04-04 06:19 · Score: 4, Insightful

Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, becuase we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.
End user endpoints simply need to be outside the "zone of trust" in the modern world, partly because anything a user touches should be assumed to be infected, and partly because it's time to stop caring what device the user likes - traditional PC, thin client, iPad, phone, whatever they like as long as it has a browser for the web-based software and a desktop virtualization client for all the rest.

--
Socialism: a lie told by totalitarians and believed by fools.
Re:Slashvertisment by TheRaven64 · 2012-04-04 06:22 · Score: 5, Funny

There seems to be a bug. I have the 'Ads Disabled' checkbox ticked, but I still see this big ad right in the top-centre of the front page.

--
I am TheRaven on Soylent News
Re:Slashvertisment by Anonymous Coward · 2012-04-04 06:24 · Score: 2, Interesting

And still... every security model you've seen in SaaS exists on your LAN, too.
It's not as though we haven't had group membership, directories, user objects, service-level security, and every other imaginable sort of permissions control since... well... forever.
The only advantage of SaaS is that it's on someone else's infrastructure, which is probably better funded and maintained than your own.
Re:Slashvertisment by Anonymous Coward · 2012-04-04 06:28 · Score: 2, Interesting

Which also just means that you'll be twiddling your thumbs that much longer when you don't have the appropriate permissions to do your job. I find SaaS in general to be a lot like an Apple product. When everything is working right, it's 100x better than any of the alternatives. When something goes wrong, you curse the day you bought it.
Re:Slashvertisment by ColdWetDog · 2012-04-04 06:30 · Score: 1

I think I'm going to kill myself with the mains power cord before they take that away from me.
Sounds like 1984 on ketamine.

--
Faster! Faster! Faster would be better!
Re:Slashvertisment by Lumpy · 2012-04-04 06:59 · Score: 1

And in many companies it's because of craptastic software written by idiots that require admin rights to run. Most Vertical market software is a steaming turd that barely runs.
This garbage is the problem of most corporate IT, One really important program we used at Comcast REQUIRED write access to the Windows OS install location (C;/windows) and it would write to parts of the registry that it had no business writing to, so it needed admin rights there.
So in essence all users had to run as local admin. A major bad thing to do.

--
Do not look at laser with remaining good eye.
Re:Slashvertisment by Microlith · 2012-04-04 07:01 · Score: 2

They're already working on it. Apple accomplished it on all iOS devices, and Microsoft looks to do so with ARM devices. Hell many Android devices do as well.
The user is the enemy, just like the MPAA/RIAA have always said. Now the tech industry is in on the conspiracy as well.
Re:Slashvertisment by goombah99 · 2012-04-04 07:09 · Score: 1

Another useless slashvertisement. People don't use the granular permissions that exist already (e.g. ACLs), no one's going to bother with even finer grained control. The problem isn't granularity, it's a completely understandable dislike of spending time managing permissions.
Wow a succinct and insightful first post!
On my macs I always run with two user accounts one is root and one is standard. I never need to log into the root account because my user account just prompts me for root credentials whenever I'm doing something root-ish. The way the macs do this is not obnoxious so it encourages you to run a standard account.
I have also used the parental controls on macs at home. These are in principle a very simple subset of user limitations that are easy to adjust. Sadly it has two sucky aspects that makes it very obnoxious. first, I can't figure out how to add top level domain names as white listed. for example I want to add google.com so that all the various google services that just about every website needs these days are not blocked. but instead it barfs and tells me g7768.google.com is not allowed. I allow it and the next page refresh asks me about h774.google.com. There needs to be a syntax to just allow anything *.google.com. I think these are really just interface issues not fundamental. They might even simply be a lack of documentation. The other hickup is that a lot of evil softwares (I talking about you HP) install difficult to remove log in hooks. So at log in a whol series of "do you want to allow HP scanner.app " dialog boxes pop up. There needs to be a way to say "no, and don't ever ask me again because HP software sucks" checkbox.
I've also used the mac sandbox. this is pretty darn cool. I wish it was better documented, but you can sort of guess the right syntax from all the examples. I don't understand why every app is not in a sandbox these days. The apple sandbox is magical because you don't even realize it is there. It should be a default that when you launch any downloaded app that the first time it exceeds a tight sandbox, the OS should tell you about its requests.

--
Some drink at the fountain of knowledge. Others just gargle.
Re:Slashvertisment by Tassach · 2012-04-04 07:59 · Score: 1

It's trivial to jailbreak an iOS device or Playstation. It's even more trivial to root an Android device.
If you make it, someone will figure out how to root/jailbreak it and put the crack on the internet.
The only reason there hasn't been a bigger backlash against locked platforms is that unlocked platforms are readily available to anyone who cares.

--
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Re:Slashvertisment by mounthood · 2012-04-04 08:23 · Score: 1

Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, becuase we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.
This is still backwards: The end users files are what's valuable! Almost all security today (accounts + ACLs) is focused on protecting the OS and isolating software. In practice, anything running under a users account can do anything to a users documents, even though security should be the focused on protecting those documents, since they're why the user has a computer in the first place. The cloud idea, where the computer is just a browser or thin-client, might become reality, but it isn't today and history shows the opposite trend: smart phones and tablets are not replacing computers at work.
AppArmor and UAC are both attempts to restrain software in an automated way, and both are hard to use for the end user. We should be empowering the user to protect their documents (I don't have that answer), instead of moving the information in those documents to a new location and thinking the new place is somehow safer; store information in the cloud and viruses will start using the cloud apis.
Also, FUCK THESE SLASHVERTISMENTS!

--
tomorrow who's gonna fuss
Re:Slashvertisment by Zeromous · 2012-04-04 08:27 · Score: 2

Just because a manager or someone uses it wrongly does not mean it is a bad term.
>paradigm shift (hate that phrase - someone have a better one?)
No. It's a real paradigm shift in how we think about client-server relationships. Sometimes I refer to it as a pendulum, swinging back and forth between client and server lockdown. The same could be said of virtualization being the pendulum swinging back toward centralization after the decentralization party of the 90s.
Either way, you can still use paradigm shift and not sound like a moron. Just, you know, be careful to not overstate :D

--
---Up Up Down Down Left Right Left Right B A START
Re:Slashvertisment by Culture20 · 2012-04-04 10:05 · Score: 2

Plus, this company has just missed the ongoing paradigm shift (hate that phrase - someone have a better one?). End users should have full control over their (untrusted) endpoints, becuase we won't be storing anything important there, and any incoming files will be handled with appropriate suspicion.

End user endpoints simply need to be outside the "zone of trust" in the modern world, partly because anything a user touches should be assumed to be infected, and partly because it's time to stop caring what device the user likes - traditional PC, thin client, iPad, phone, whatever they like as long as it has a browser for the web-based software and a desktop virtualization client for all the rest.
End users should not have full control over their desktops, just like they aren't allowed to bring a cameraphone into the secure-information areas (that's not just a paranoid military rule, lots of companies follow it). If hackers own the end user's workstation because he/she was running a vulnerable browser as admin/root, then they can keylog the user's passwords to get to the data in the "zone of trust". If they've got sensible authentication and are using two-factor, then the bad guys could still watch the screen in real time or take screen shots.

Bottom line is that if "anything a user touches should be assumed to be infected" then that means anything a user touches shouldn't be allowed to connect.
Re:Slashvertisment by Travoltus · 2012-04-04 12:19 · Score: 1

And when that something that goes wrong is a virus, you will curse the day you were born.

--
--- Grow a pair, liberals... stop letting the Republicans bully you!
Re:Slashvertisment by Aqualung812 · 2012-04-05 02:27 · Score: 1

It's trivial to jailbreak an iOS device
Go tell that to the iOS Dev Team. They're having a hell of a time getting the 5.x jailbreaks from the sound of it. I know they did for 5.0.1, but 5.1 is still not there yet.

--
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.

But then you overdo it... by Anonymous Coward · 2012-04-04 05:49 · Score: 1

and it asks for the root password when adding a new wifi hotspot.

Re:But then you overdo it... by DickBreath · 2012-04-04 05:59 · Score: 5, Funny

That's okay to require use of the root password. I never forget my root password because on my WiFi I make the root password also be the broadcast SSID. Problem solved.

--

I'll see your senator, and I'll raise you two judges.
Re:But then you overdo it... by RenderSeven · 2012-04-04 06:37 · Score: 1

Thats perversely brilliant! No one stupid enough to do that knows how to change their SSID!

(And I always wondered why my neighbor's WiFi was named 'password'...)
Re:But then you overdo it... by TechyImmigrant · 2012-04-04 16:40 · Score: 1

His SSID is "password"

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.

AD by SJHillman · 2012-04-04 05:49 · Score: 3, Insightful

Most of what I'm seeing there we already achieve through Active Directory without any third party solutions. Any company that only implements two levels of permissions (root and user) is either stuck in the 80s or else only has one user.

Sorry, did I click on one of the Slashdot ads? by tphb · 2012-04-04 05:54 · Score: 2

This seems to be an advert for some sort of sorry Windows admin tool. WTF?

slashdot editors: please read by rgbrenner · 2012-04-04 05:57 · Score: 5, Insightful

Your site.. feel free to disagree.. but I think you're making a huge mistake with these ads.

There has to be some separation between the ads and the content. No one is going to visit a site explicitly to see ads. And if the content becomes the advertising, users will leave.

I can't think of a single successful site that has advertising as the content. Nytimes, washpost, wsj, digg, ... There's always separation between the content and the ads.

Re:slashdot editors: please read by rgbrenner · 2012-04-04 06:00 · Score: 2

One other thing: if you're doing this just so you can create a video section.. maybe try something a little different. Instead of posts by companies, try covering trade shows, etc.. the videos with timothy that were posted in the beginning I thought were great.
Re:slashdot editors: please read by Maximum+Prophet · 2012-04-04 06:10 · Score: 1

http://www.classictvads.com/classicindex.shtml

(:-) That site's thing isn't really advertisement. It's *about* ads.

--
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Re:slashdot editors: please read by ColdWetDog · 2012-04-04 06:33 · Score: 1

'Trade shows' huh? The only part of trade shows that this demographic wants to see is the stuff in the hotel rooms after the exhibits close.

--
Faster! Faster! Faster would be better!
Re:slashdot editors: please read by rgbrenner · 2012-04-04 06:41 · Score: 1

I said successfull... that site has an alexa rank of 2.3m. Judging from the sites I run, 250k is about 1250-2000 visitors a day. So I can only imagine what 2.3m is in visitors.
Re:slashdot editors: please read by rgbrenner · 2012-04-04 06:47 · Score: 2

there are often interesting things to report on at trade shows (CES, Macworld, etc)
interviews with people have authority on a subject would be good too (like iphone security from someone at ossec..)
Re:slashdot editors: please read by JesseMcDonald · 2012-04-04 07:07 · Score: 1

I can't think of a single successful site that has advertising as the content.
I don't know about that. eBay, Amazon.com, craigslist... there are quite a few successful sites which consist almost entirely of advertising. The problem is the mixed sites. Advertising is fine in a commercial context, when it's relevant, but it shouldn't intrude where non-commercial context is expected. In particular, no reputable news site should be publishing obviously-biased press releases as if they were stories. It's poor journalism, even for a mere "aggregator".

--
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
Re:slashdot editors: please read by Zeromous · 2012-04-04 08:29 · Score: 1

I for one come here for the +5 insightful.
When +5 insightful is complaining about ads, you can bet it's already jumped the shark.

--
---Up Up Down Down Left Right Left Right B A START
Re:slashdot editors: please read by mounthood · 2012-04-04 08:51 · Score: 1

There has to be some separation between the ads and the content. No one is going to visit a site explicitly to see ads. And if the content becomes the advertising, users will leave.
Slashdot should try this (if they must mix advertising with content): Create clearly labeled 'discussions' about a product (like RHEL6) or type of product (like SMB databases or CRMs) and sell companies video/text space in that discussion, and give them 'official' accounts to comment with. Open source advocates or lead developers could also contribute.
Let the community talk about what works and what sucks, what the open source alternatives are, etc... It would be like product reviews, but technically focused and including competing products. Slashdot users would get the insight of their peers. Companies would get honest feedback from their users.
Finally, this system would encourage technical discussions. The more technical the topic, the more narrowly focused, the better and more useful the discussion. If the editors make a generic 'discussion' of "Windows vs. Linux", it'll be vacuous and useless. But if the 'discussion' is "Postgres or SQL Server for a new public forum website?" we'll get people talking about character encodings and replication options.

--
tomorrow who's gonna fuss

Lol ads by Desler · 2012-04-04 05:57 · Score: 1

With the solution being....'Buy our product!'

Re:Lol ads by PessimysticRaven · 2012-04-04 05:59 · Score: 1

Like it's any different when we see another scary set of Security Studies, Sponsored by Symantec.
Alliteration intended.

--
Consistency is only a virtue if you're not a screw-up.
Re:Lol ads by Desler · 2012-04-04 06:01 · Score: 1

Yes, but Slashdot doesn't overtly run paid-for ads for Symantec like these Slashvertisement TV segments.
Re:Lol ads by PessimysticRaven · 2012-04-04 06:02 · Score: 1

I'm actually waiting to see that change, actually.

--
Consistency is only a virtue if you're not a screw-up.

Too Many Fucking Commercials on Slashdot TV by Anonymous Coward · 2012-04-04 05:59 · Score: 1

Too many fucking commercials on this Slashdot TV channel. Anyone got a Tivo'd version of Slashdot I can read?

I am an AC by Anonymous Coward · 2012-04-04 05:59 · Score: 1

First and last time watching slashtv.

Re:Is he not aware of Windows? by Anonymous Coward · 2012-04-04 06:00 · Score: 1

There have been much more granular permissions on Linux and all other Unix-likes for decades as well.

This is very advertisement-centric, that's all.

Cruising way past sad.... by atriusofbricia · 2012-04-04 06:00 · Score: 3, Insightful

This is the second one of these non-stories posted in as many days. I, like many people, have been reading and posting to Slashdot for years. I'm starting to wonder exactly why I continue to do so....

--
I was raised on the command line, bitch

"Nemo me impune lacesset"

Re:Cruising way past sad.... by keytoe · 2012-04-04 06:33 · Score: 3, Insightful

I clicked through looking for a solution to blocking these myself. There doesn't seem to be a way to block them in the user settings that I can see. Anyone had any luck?
I don't have high hopes since these are pretty obviously revenue generators for the site. It just seems incongruous to offer users a 'block ads' option and then turn around to make these slashvertisements unblockable.
To be honest, if there were an option to 'block all videos' I'd take that. I dislike this trend of locking information in a format I can't search, skim, read at work, use while also listening to music, etc.
Sorry for the off topic.

--
Culture is more than commerce
Re:Cruising way past sad.... by aiken_d · 2012-04-04 06:37 · Score: 2

Nothing wrong with a little brand destruction in the name of increasing short term revenue, especially if you're looking to make an exit.
But yeah, I've noticed my visits to slashdot have gone from twice-daily to daily to weekly over the past few months. I'm not even sure how much to ascribe to the slimy mix of content and advertising and how much reflects the general loss of quality and tendency to be days behind CNN rather than days ahead.

--
If I wanted a sig I would have filled in that stupid box.
Re:Cruising way past sad.... by FunPika · 2012-04-04 08:31 · Score: 3, Insightful

The biggest offender appears to be Roblimo, and I never see anything of value from him, so I exclude him in my options (I only noticed this story because I looked at the front page on a computer I wasn't logged into).

--
After years of not using a signature, I am going to make one to say the following: Fuck Beta
Re:Cruising way past sad.... by Flammon · 2012-04-04 11:56 · Score: 2

4 Digit UID here with the same sentiment. I've been here for 15 years and boy have things changed. Some for the good but god I miss the days when Rob would post about a WindowMaker app that he wrote and you could download the source and compile it. It was pure geek stuff and the subject of monetization no where to be seen. The geek purity made it great.
This is the stuff that we used to talk about. http://cmdrtaco.net/linux/
I read Rob's blog because he talked about stuff that I was into. Linux, X, AfterStep, the Internet, programming and I have a feeling that Rob really wanted to keep it that way but as site ownership slipped away, he no longer had control and the direction changed.
Maybe it's time to look for a new "Slashdot". This one has been infected by the Profit virus which has no known cures.

--
ayottesoftware.com

Re:Is he not aware of Windows? by Anonymous Coward · 2012-04-04 06:02 · Score: 2, Informative

This is very Linux-centric. There have been much more granular permissions on Windows for probably well over a decade.

Most Windows users for the last decade have run as 'root' since it's the default on XP, and there have been much more granular permissions on Unix for decades through group permissions.

Not to mention technologies like SELinux and Apparmor.

We have long gone past the god/peasant model... by mlts · 2012-04-04 06:03 · Score: 1

The days of UID 0 being king and everyone else being a peasant have been over for a long time. Some examples:

Solaris: Root is a role, not a user.

Linux: AppArmor and SELinux come into play.

AIX: Root can be removed and assigned to roles, where UID 0 is just another user.

BSD: Plenty of ways to limit access via ACLs and other mechanisms.

OS X: Root has to be explicitly enabled.

Pretty much, the only reason the concept of root exists these days is a "master override" when one just needs to get something done without roles/ACLs/et. al. coming into the picture, such as doing hardware configurations, or booting from recovery media. Almost all new operating systems tend to not allow the user to run as root unless it is explicitly enabled.

At least once a day. by idontgno · 2012-04-04 06:03 · Score: 1

This "slashdottv" thing is pretty much turning out to be "yourdailyinfomercial".

Anyone got a good suggestion on how to filter this spam out?

--
Welcome to the Panopticon. Used to be a prison, now it's your home.

Re:At least once a day. by ColdWetDog · 2012-04-04 06:35 · Score: 2

Anyone got a good suggestion on how to filter this spam out?
There's likely to be an 'off' button somewhere on the device you're using. Power down!

--
Faster! Faster! Faster would be better!

Re:Is he not aware of Windows? by sqlrob · 2012-04-04 06:07 · Score: 4, Informative

Not quite. Not even Administrator is root. LocalSystem is root.

What the hell man by atari2600a · 2012-04-04 06:13 · Score: 2

We're supposed to pay for a product that effectively replaces sudo & user/group privelages?

Freedom for the majority people is not bad ! by slashdottoy · 2012-04-04 06:19 · Score: 1

That's why Bill Gates made the Windows so successful. Make things simple, who cares (except geeks) about how you make it as long as it works.

Re:Is he not aware of Windows? by TheRaven64 · 2012-04-04 06:23 · Score: 1

This is very Linux-centric

No, it's very UNIX Release 6 centric. It hasn't been true of most modern UNIX and UNIX-like systems for about 20 years.

--
I am TheRaven on Soylent News

Problem was never the lack of... by blahplusplus · 2012-04-04 06:24 · Score: 1

... security to begin with. The problem was no one predicted the internet would become the thing it was and most people are not intelligent enough to be using connected PC's to begin with. It's about the cognitive level of intelligence needed to be using such machines to begin with. It's not hard to keep safe without overbearing security and permissions it's about being intelligent about what kinds of machines with certain data you hook up to the net to begin with.

Lets remind ourselves that it is usually the users themselves that get into trouble by downloading or running things they shouldn't be. And many hackers would naturally "socially hack" people rather then 'hack things the hard way'. Security is only as good as the people who use your machines anyway. The idea that it "Users are too privileged" is a farce.

Re:Is he not aware of Windows? by lgw · 2012-04-04 06:27 · Score: 1

Most Windows users for the last decade have run as 'root' since it's the default on XP, and there have been much more granular permissions on Unix for decades through group permissions.

Running as admin on Windows doesn't give you access to groups you're not a part of (though you can jump through some hoops to alter permissions on anything if you really want to). Proper group permissions have been in the Windows NT and NTFS codebases since very early days.

Anyhow, XP has not been the latest Windows for most of the past decade. It's been more than 5 years since the latest Windows release had you running as the administrator account by default.

--
Socialism: a lie told by totalitarians and believed by fools.

This already exists and is called sudo by Fallen+Kell · 2012-04-04 06:30 · Score: 1

Sure, if he is talking about on a windows machine, but on linux/unix/bsd/osx, this already exists in sudo. If you need "root" privileges for something, you setup a sudo rule for that individual user for running that individual command.

--
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"

Any way to filter AD tag? by Formorian · 2012-04-04 06:37 · Score: 1

I notice an Ad tag on this story. Can I filter so I can't see these anymore? I come here for the content, not the adds. However, to support y'all I don't hide the "official" adds. However, if these slashvertisements keep up, I may have to rethink that.

Screw that! by erroneus · 2012-04-04 06:48 · Score: 1

Don't block my access to anything! Also, remove those "safety" things from my table saw!! And "protective eyewear"?? How can I cut when I can't see!? Those come off too.

Non-stop battle by jweller13 · 2012-04-04 07:04 · Score: 1

It's an ongoing battle in my agency to fend of user's who want admin rights. It's even harder to remove admin rights from user's who already have it. Particularly on laptops. We have instituted various mechanisms for software installs thru a process but these users are still a pain in the ass.

Re:Is he not aware of Windows? by drsmithy · 2012-04-04 08:21 · Score: 1

Not quite. Not even Administrator is root. LocalSystem is root.

No it's not. There is no direct equivalent to root in Windows. The concept of a superuser simply doesn't exist in its security model.

"We should have access to your computer!" by sick_soul · 2012-04-04 08:38 · Score: 1

They way I see it, Viewfinity's CEO not-so-subtly says that people should not have control over their computers, and offers SaaS so that Viewfinity can assert that control.

How fast do YOU read? by theoriginalturtle · 2012-04-04 09:43 · Score: 1

I'll go sorta OT here, but I am fed up with articles, here or elsewhere, that can be summed up as "here, watch this video."

Thanks for making me ingest content at the speed of the slowest talker in the video, not at my reading speed.

If you post a video in lieu of text, you just wasted the world's time.

--
---------------------------------------
Rotate the pod, please, HAL....

No opendir() in Mac sandbox by tepples · 2012-04-04 10:36 · Score: 1

I've also used the mac sandbox. this is pretty darn cool. [...] I don't understand why every app is not in a sandbox these days.

The last time I checked, the Mac OS X sandbox allowed access to user-specified files, but there was no entitlement allowing scanning all files in a user-specified folder. A program that backs up your files or performs batch operations on all pictures in your camera's memory would not be able to run in such a sandbox.

Re:No opendir() in Mac sandbox by goombah99 · 2012-04-04 16:38 · Score: 1

I've also used the mac sandbox. this is pretty darn cool. [...] I don't understand why every app is not in a sandbox these days.
The last time I checked, the Mac OS X sandbox allowed access to user-specified files, but there was no entitlement allowing scanning all files in a user-specified folder.
better check again. this has been there for years. From the start I think

A program that backs up your files or performs batch operations on all pictures in your camera's memory would not be able to run in such a sandbox.
So you get a dialog box requesting the permissions. You start every app in the sandbox then expand it if you need it. The concept is not unfamiliar: this is how smart phones do it.
This is also how I tailor my sandboxes. I lock everything down. Then I watch the console messages while I launch the app. I see it trying to access things and being denies. I open up those. After a while it runs in a minimal authority. Now that's pretty clumsy. You could automate this in principle.

--
Some drink at the fountain of knowledge. Others just gargle.

Re:Is he not aware of Windows? by tepples · 2012-04-04 10:38 · Score: 1

Running as admin on Windows doesn't give you access to groups you're not a part of

If you can add yourself to a group, you're part of that group for the purpose of any competent security analysis.

What a leonid of shtil (man) by WombleGoneBad · 2012-04-04 10:54 · Score: 1

Come on slashdot... If i wanted to read stuff like this i would read my email spam folder. I refuse to get sucked into discussing security when this is just blatent pulp advertising. Booo! Hisss!

Re:Is he not aware of Windows? by lgw · 2012-04-04 11:45 · Score: 1

But it's different from Unix root - you can't accidentally change stuff ACLd to a group you don't belong to, which is the vast majority of problems. If you want to stretch the definition (or we're talking about malware payloads, not user error), anyone can add themselves to any group, because every OS will have some sort of priveledge escalation flaw somewhere.

Realistically, if you care about groups, you're in a domain and you're not running as the domain admin.

--
Socialism: a lie told by totalitarians and believed by fools.

You can't even express the correct answer.... by ka9dgx · 2012-04-05 10:12 · Score: 1

What we have here, is a failure to communicate...

It's not the user.
Nor is in the internet
Nor is it the administrator
Nor is in the OS vendors

It's a very deep paradigm/vocabulary issue

The problem IS lack of security.... quick... how can You, in YOUR CHOICE OF ENVIRONMENT tell your OS that you want a program to enforce this set of rules on a program you want to test:

read access to itself, and it's install directory
read access to all of the system libraries
read-write access to a single folder
access to a specific set of windows in the gui (if any)
and nothing else?

If you can even begin to fulfill this list of un-restrictions, you're probably approaching it in terms of a locked down user account, which is exactly the problem. This list of un-restrictions is otherwise known as a capabilities list, and should be assigned on the basis of the needs of the moment, not some static definition.

If you can't even express the correct answer, you'll never get it right.

Slashdot Mirror

Viewfinity CEO Says Many Computer Users Are Overprivileged (Video)

66 of 95 comments (clear)