You can't write code that does root stuff without a password coming up.
You're missing the point. There's a great deal of things that can be done *without* requiring root permissions. For example, deleting or modifying just about everything in/Applications and many things in/Library does *not* require any privilege escalation if a user is in the admin group ("admins" have write permissions to those locations and most files in them).
Legitimate applications don't spam the user with password prompts to be nice, they have no choice. Write some code requiring admin access some time and find out for yourself.
Anytime I - as an admin user - run a program installer than does nothing more than copy some files in/Applications and maybe ~, and it pops up a password request, I am being needlessly spammed. My user alredy has write permissions for that location, the machine shouldn't need to ask for any privilege escalation.
I've seen several application installs that do this, and they shouldn't.
However, it may just be that the developer has told the Installer to do something "tricky" - maybe chown the copied files to root:admin - and that's why the dialog is raising. I haven't looked into it that closely. I'd still consider that dialog spam, as well.
Now you can rely on user naivety (I suspect a lot would trust Bob's Smileys). But if you think you can get away without the password being asked you don't know that much about how user and process permissions work.
I know more than enough about unix permissions to see that a user in the "admin" group has write access to places like/Applications and/Library, and that this is a possible vector for malicious code to delete or modify files in these locations.
Let me tell you, they get freaked out and call me ANY TIME the "enter your admin password" box comes up. Even if I'm AT their computer they don't like me doing it (well, have them enter their password for me) and I get a bizillion questions.
I'm glad this happens. My mother does the same thing, but that's because she's terrified of breaking her iMac. However, it's certainly not indicative of the typical user in my experience.
This is probably because of the differences in what we call a "typical user", however. I would expect that sort of behaviour from people using a computer for the first time (or a while thereafter), but not from people who had been using a computer constantly for 12+ months. It is these people who make up the bulk of the userbase and who are the most "dangerous". These are the people who forward millions of emails warning about the latest virus, then promptly go and get themselves infected with it anyway.
I think many non computer literate users don't like something that is not ordinary or looks like they need to enter a password for something that they didn't themselves do.
It doesn't take a great deal of time using OS X for that password prompt to become quite ordinary. What's particularly annoying is that it often pops up needlessly (eg: installing an application as an admin user that only drops files into/Applications and ~).
For those who don't want to click, IIS5 is "Moderately Critical", and Apache 2.0 AND 1.3 are both "Less Critical". Being as these are the most popular versions of these servers... I think you're just a shill. Stop spreading FUD.
I encourage everyone to open up those links and draw their own conclusions. One thing you may wish to consider are the relative numbers of exploits - 28 vs 9 - of Apache and IIS over the last 3 years.
Microsoft is the most often COMPROMISED because of their design.
Actually, they're the most often compromised because of their userbase, because the vast majority of Windows "compromises" require user interaction to work.
It's very difficult to get that virus / worm / trojan to spread to other Linux machines. This is "compromising" Linux. And the reason for that is because Linux's security model and implementation is better than Windows.
No, it's because getting the average Windows user to execute arbitrary code is rarely more difficult than a "click here to see teh free b00bies" box. Getting the average Linux user to execute arbitrary code, OTOH, is substantially more difficult.
Linux's security and implementation aren't better than Windows, assuming you're comparing apples to apples (heavily customised and patched Linux installations ain't apples).
The majority of Windows exploits require interaction by the end user. They're not automatic, they're not remote and they're not really exploiting system weaknesses. While there have certainly been some high profile automated remote exploits for Windows, they're far from common - and most are patched before they're in the wild anyway.
The only thing that marketshare determines is the SPEED at which the virus / worm / trojan spreads. That's because with 90% of the market, the odds of any one infected machine finding an uninfected machine within a minute are very high.
No, it also determines the likelihood of a compromise occurring. More marketshare -> higher number of ignorant end users & more machines -> higher number of compromises.
There is also a correlation between OSes with smaller marketshare and those having userbases with lower levels of ignorance. Smarter users are less likely to be compromised, even by exploits that don't require end user interaction. They're also far, far more likely to notice their system has been compromised, fix it and protect it from happening again.
I find it really, really weird that so many people try to dismiss marketshare as irrelevant, when even a cursory evaluation shows it to be a critical factor of any given platform's "security problems".
Every time you type in your password at one of those "Enter your password" prompts you are running the subsequent code as root.
'sudo passwd root' enables the root account for a GUI login (assuming you type in a password).
I would call all of those fairly trivial.
The root user is disabled by default and can only be enabled by going into the network utility.
Because of the primitive unix security model, "disabling" the root account doesn't stop the ability to run code as root. It just stops you being able to directly login as root.
The vast majority of users have no idea the root user even exist.
Never the less, they are running code as root every time they type their password into one of those graphical (or console) sudo prompts.
The administrative user, which can su to root, is not the user default either.
This is not correct. The default first user created on an OS X system *is* in the admin group.
Even if someone is running as admin, they are presented with password request for every process launched.
Most of which are spurious. An "admin" user on OS X can do a *lot* of damage, even without elevating their privileges. Just because all your legitimate applications like to spam the user with password prompts, doesn't mean malicious code will.
Most Macs spend most of their time running in standard user space making it hard to seize control of the machine remotely.
I'm not sure what you're trying to say here.
I would say that the biggest problem windows permissions is not the permissions model per se but rather the large number of legacy/poorly written apps that will not work under it. A lot of windows boxes are running exposed because their apps won't work any other way.
This is certainly a problem. It is not, however, a problem that can be blamed on either Microsoft or Windows, certainly not any more.
Largely I would agree, except I would not describe the additional protection as marginal - realistically it has proven sufficient.
I would argue that it has hardly been tested, so one can't really say that it has "proven" anything.
The usefulness of non-root users in protecting the typical desktop machines is *vastly* overstated. The only reason most malware fails with a low privilege account is because it is poorly written, not because it actually needs the higher privileges.
I'd have to say that being callous I have little concern for the user's own data. They should be backing it up anyway*. Nor can I see an easy way of protecting it (a database style approach may work, where the data is owned by another user and only accessible via specific client applications, but this would be annoying for many reasons).
Never the less, it is still the most important data on the machine. An OS (and applications) can be reinstalled in a matter of hours. Some types of data can *never* be recreated.
(This is why the "but it's a regular user account" is bogus for machines that aren't servicing multiple users.)
Installing automatically executing code that survives between reboots, without alerting the user, is not something anyone has yet achieved - despite the fact that there have been known auto-execution AND privilege escalation issues, no one has yet been able to combine the two in a dangerous way.
Well, it wouldn't be particularly *hard* - just get something into the user's LoginItems.
Added to that, get a user to throw in a password to a sudo prompt wouldn't be difficult, to get something in/etc/rc.local.
Of course, viruses aren't the only threat. Trojans are increasingly significant (especially as virus-delivery becomes harder on Windows) - and the Mac is not substantially more 'trojan-proof'.
I would argue that trojans are *very* significant. They're certainly the most common vector on Windows. Pretty much every "email virus" for example, is/was a trojan, as are most ActiveX exploits.
Apple, like Microsoft, deserve shooting for not incorporating backup as a standard feature in their consumer operating system - selling it as part of a.Mac subscription is completely underhand.
Microsoft at least have always included a backup program with Windows. The UI - along with automation for typical useres - however, could use improvement.
First, how about moving to least privileged users? Separating binaries and data: Program Files and Documents and Settings (usr/bin,/etc,/home). Shipping with only the necessary services turned on. Detaching IE from the OS. Sure, some of these have to wait for Vista, but they've already made improvements. Whether it is enough or is effective is up to debate, but Microsoft are making efforts.
These things are "taken from unix" only if your worldview ends at unix and windows.
Multiuser OSes were around before unix, and implemented better. Windows NT has always been multiuser.
Windows NT has always seperated user profiles from application files. Windows 9x has done it since about 1997 (although, obviously, it couldn't be enforced by filesystem permissions).
IE is no more "detached" (or "attached", for that matter) to the OS than it was before. It's architecture has remained basically unchanged since IE3 back in 1996. It's still just a shared component like khtml is in KDE.
Just about all the stuff you're talking about - and likely thinking of - aren't really changes to Windows at lower levels, they're just improvements in default configurations and UI.
I've even seen examples that suggested installing compilers and tools to build modules needed by SpamAssasin. Anyone installing a compiler on a production web server should be shot.
I think the additional exposure this creates on modern systems is vastly overstated.
It's not like compiling code for an x86 Linux machine is a particularly difficult thing to do.
A flaw in the OS to allow exploit #1's installation without throwing up the "Enter your administrator password" dialog so the user isn't tipped off something bad is happening.
Ignoring that there's a *lot* that can be done without needing this, I think you vastly, vastly overestimate the number of users who will be "tipped off" by having to enter their admin password.
The Apple "limited-Administrator" model is vastly preferable to the "Everybody is totally-Administrator with no checks ever" model in Windows.
This is not the Windows security model.
Who's going to put in their Admin password to visit CNN.com?
Most of them. Why wouldn't they, if they needed to so they could visit cnn.com ? What bad thing would cnn.com possibly do to them ?
If it pops up at an unexpected time, the user becomes suspicious, and the machine is less likely to be exploited.
Most users have no concept of what is and isn't "an unexpected time". Users that realise this sort of thing, don't really need that level of protection in the first place.
Incorrect. OS 9 and prior certainly had viruses, despite a market share comparable to OS X based machines. Not as many as Windows, but enough to cause problems for Mac users.
Not even *close* to as many as DOS and Windows. Heck, I don't think the number of MacOS Classic viruses even hit triple figures.
Even taking out the obligatory fifty-odd minor variants of every DOS/Windows virus, there would still be an order of magnitude plus more pieces of malicious code on that platform.
Added to that, MacOS - particularly in its heyday - had much more marketshare than it has now. Indeed, it's only relatively recently OS X has exceeded MacOS Classic in marketshare and both must share the relatively smaller MacOS pie.
OS X is substantially more resistant to virus attack than all prior Mac operating systems, and most default Windows installations.
Not really. Marginally more resistant, yes - many areas of the system are protected. Just about everything in/Applications and many parts of/Library, however, are writable by Admin users (the default for most users). Not to mention any files - both local and networked copied and/or created by the user themselves.
So, OS X *isn't* especially more resistant. Certain parts of the system will withstand an attack from malicious code, but many won't and neither will any of the user's own data (the most important on the machine).
Failing to be 'immune' does not mean 'equally vulnerable'.
Neither does "exploited more frequently" mean "less secure", but try explaining that to the typical slashbot.
The default installation implements much of what corporate Windows admins have to implement to secure a Windows system / will be implemented by default in Vista.
A default *corporate* Windows install is reasonable, assuming even a barely competent IT department. It's the default *non-corporate*, unmanaged install where OS X has a superior configuration (although realistically the additional protection is marginal).
Heck, the "virus" described in the article isn't a virus at all. It's a trojan, and a shitty one at that. The guy downloaded an executable from an unknown source, and willingly ran it. "strange commands ran as if the machine was under the control of someone -- or something -- else."
That also describes the majority of Windows "viruses".
Don't bother with silly semantic games that only Slashbots care about. In the media when they say virus, they're talking about malware in general. Most Windows malware falls into the "trojan" category and requires varying levels of user interaction to get started.
Not only did the guy make a boneheaded move that would effect even the most secure operating system in the world, it was obviously apparent that the file being run was a virus the second he opened it. I don't think this is any cause for concern.
I do, because it's by far the most common vector for malware and, indeed, all security breaches.
It's also damn near impossible to defend against programmatically.
What's more, in order to inflict any serious damage on an OS X machine, you've got to provide the Administrator password.
Bollocks. For a start, any user can delete files they own - ie: the most important data on the machine.
Secondly, any user's account can turn the machine into just about anything an attacker might want, include allowing a remote login for further attempts at privilege escalation (because the OS X firewall is disabled by default).
Finally, any user in the Admin group (the default for most users) can delete (or modify !) not only just about everything in/Applications, but also other "system" files in/Library and/System.
It is impossible to run OS X as root.
Actually it's trivial. Running code as root is marginally easier than actually logging in to the GUI as root, but neither are particularly difficult to do.
If a program's trying to screw with your settings and files, you're going to know about it!
Highly doubtful. Most users have no ideas what processes run on the systems and even fewer actually monitor them.
Likewise, unlike Windows, file permissions are properly implemented (it's Unix after all...).
Windows's file permissions - indeed its security capabilities in general - are vastly more capable that OS X's.
In short the whole "but root is disabled" argument (and variants) is largely irrelevant. Elevated privileges are simply not required for the vast majority of things malware wants to do.
By your logic, because approximately 70% of the internet's web servers run Apache, [..]
(Wow, the good old Apache argument, what a surprise.)
Websites != Servers.
Also People Running Apache != People Running IIS. The bar for running an Apache server is set higher.
[...] we should be seeing tons of apache exploits, hacks, and viruses cropping up. The reason we don't is because Apache is a well-written and secure program, [...]
Actually we do. For the last few years, Apache has had a worse security record than IIS.
[...] and because administrators are generally not stupid enough to run unmarked executables.
Users are not administrators. Users have *extreme* difficulty identifying malicious code before running it.
OS X and unix are inherently more secure by design than Windows is.
False. There are many aspects of traditional UNIX "design" - including that in OS X - what are inherently less secure than Windows. For example, the concept of 'root'.
I'll go a step further and say that because OS X is only 5 years old, and NT has had 10+ years to mature, that Windows should be more secure than OS X is. We all know this isn't the case.
Firstly, the product OS X was is actually a touch older than NT. Secondly, it was basically yet another reimplementation of the flawed unix "design".
True, Macs haven't been tested with a huge market share like Windows has, but you seem to be using that as proof that Macs have as bad-a security model as Windows.
From a technical perspective, they have a *worse* security model.
(Note to standard responders: default configuration of user accounts for a certain subset of installations has *nothing* to do with the security *model*. It's a configuration semantics issue, nothing more.)
That doesn't mean they're as bad as Windows though, so if you say something like "Nor even markedly more resistant" how about you back up that comment...
Simply by observing that there's no technical aspect that *makes* them more resistant. A somewhat better default configuration ? Yes. Technical barriers ? No.
If the system is designed properly, it doesn't have to be interlinked.
I agree completely, and the kind of system you're thinking of is the kind of system that could actually make people's lives easier without adding significant risk of abuse.
Were I designing it, I would also add a feature that reported to the individual - via email, snail mail, whatever - whenever their personal data was accessed, by whom (both department and individual), why (a reason would have to be supplied to gain any access at all) and exactly what data was retreived. The system would be designed such that this feature was as difficult as humanly possible to work around.
However, this is *not* the kind of system the typical Government is talking about when they talk about "National ID". They want something that ties all your information together, to make it easier for them to access it quickly and, ideally, without your knowledge.
I how a problem understanding how it is to distrust your government like that. Not that i agree with everything my government do, but isn't something wrong if your have that little faith in the people that governs your country?
I do not trust anyone who seeks to put himself in a position of power over others and especially me. Very few people do this with altruistic goals and even of those that do, very few of them do not succumb to the subsequent corruption offered by the power they weild.
This describes 99% of politicians. Ergo, I don't trust them. I assume anything they do is either with objective of furthering their own personal ambitions, furthering their party's ambitions or reducing any possibility of their position being eliminated or otherwise endangered.
History demonstrates that this assumption holds in most cases, therefore is quite justifiable as the default. Better to be pleasantly surprised occasionally than bitterly disappointed most of the time, IMHO.
I have to say, however, that I have never been able to use a Windows machine for anything like software development; On my Linux box, I have 2 21" LCD flat panels, with 3 or 4 tasks I'm working on, in parallel, with clusters of windows open using various applications simultaneously (it was *way* worse, before tabbed browing...) If I try to do anything *remotely* like that with Windows (*any* Windows version I've tried, and much less agressively actually, since I only waste one monitor on the Windows box;), it'll crash within hours; often, within a few minutes.
Speaking as someone running Windows with 2 or 3 - sometimes even 4, depending on whether or not I can "borrow" the extras - displays using up to 3 video cards, typically with dozens of windows open, along with a few VMWare machines running pretty much all the time, I think you're full of crap.
Currently - and it's a nice quiet weekend day - I have 37 windows open, spread amongst Word, Remote Desktop, Excel, Putty, GAIM, Thunderbird, Firefox (6 windows and 74 tabs on its own), IE, Explorer, VNC, X11 apps (Cygwin) and some horrible IP KVM client. There's also 3 VMWare machines running in the background. My uptime is sitting at 27.something days. By far the most unstable piece of software I run is Firefox, which is lucky to last more than a couple of days without freezing up (thank god for SessionSaver) and typically sits at 300M+ memory usage.
It's unfortunate you're having trouble running Windows stably, but I can confidently say Windows itself is not the problem.
But, I have to admit, Windows is a better office OS than Linux (Gnome or KDE), and it's not even close.
I'll second that. I'm a SysAdmin by trade, originally FreeBSD and Solaris but currently almost 100% Linux[0] with a smattering of Windows (AD and fileservers). I've got a rough idea of what I'm doing when it comes to using unix.
Every 6 - 9 months I decide to give Linux a go on the desktop[1] (I long ago gave up on FreeBSD and Solaris as desktop platforms). I go through the usual suspects of desktop distros - RHEL/CentOS (for that "official" feeling), SuSe, Mandrake/Mandriva and more recently Ubuntu and Fedora, generally giving each one a week of full-time usage to try it out.
Generally it's the little things that eventually annoy me too much to continue. Inconsistent UI, copy & paste or drag & drop not working (or working inconsistently), applications that break, applications that have bugs that are "fixed in CVS" (which usually leads to good old dependency hell trying to install/update things outside of the package management system). Probably the biggest annoyance (ie: the one that has remained consistently bad for as long as I can remember) is multi-monitor support which - assuming you can get it going at all - is clumsy to setup and often breaks applications and GUIs in weird and wonderful ways.
OTOH, being a unix platform, in many ways it does allow easier interaction with other unix machines (eg: with X11 apps). But that list is just too small and not impressive enough to outweight the problems.
To put it bluntly, it's simply too much ongoing work to maintain and access functionality that should simply be transparent. Ubuntu has come closest, IMHO, to offering a decent alternative for an "it just works" desktop (except for its installer - why people rave about that I'll never know).
I don't care about the customisability of Linux for my desktop - while it's nice to be able to twist and mold servers into specific tasks, or tasks that are a bit out of the ordinary (which we do), I have zero interest in doing it on my desktop PC. I want it to work, to work consistently and to not get in the way of me doing my job. It should be little more than a transparent enabler device, not a patchwork quilt of loosely-connected functionality with an ongoing improvement plan.
[0] Personally I'm not a huge fan of Linux as a server, either - I think both FreeBSD and Solaris are superior in pretty much every way. Linux is the current darling, however, which means everyone supports it. (The exception to this is Linux's LVM and software RAID, which IMHO are its most impressive features and dramatically better than any other mainstream - ie: freely included - equivalents.)
[1] I'm talking about a work desktop here, not home. The only thing I do on my home PCs these days is play games and watch/record TV and movies. So I'm doing things like web browsing, word processing, spreadsheets, presentations, email, VMWare and dozens of SSH sessions. My platform of choice would actually be OS X, except that a) work won't buy me a Mac (although the new intel ones improve the chances markedly - I think I'll wait for 2nd gen 64bit machines to ask for one though) and b) it's annoyingly slow with anything other than trivial workloads (a couple of apps) or a monstrously fast Mac (dual G5 and up).
The point your making is the point they are making, microsoft never have really been interested in the customer, just the customer's money.
To get the customer's money, they must give him a product he is prepared to pay for.
What the customers wants or needs, ceased to be a microsoft priority since IBM and Intel provided them with the OS monopoly, their only goal has been the maintaining of and the exploitation of that monopoly for the maximum possible return.
If that is true then why has Microsoft released anything since DOS 3.3 and Windows 1.0 ? Why would Microsoft bother improving their products if they didn't care about their customers "wants or needs" ?
Your claim doesn't even pass the laugh test.
The costs and damages suffered by the customer in achieveing that are only now just starting to be addressed EU court cases, which is long over due, what will be interesting to see is whether the EU can create an effective resolution for europeon customers or whether they will buckle under the pressure (massive fines, enforced restrictions on future behaviour and ample oppurtunity for civil redress and class action law suits).
The EU case is cynical political maneuvering against one of the poster-children for "evil American capitalism". It's a fundraiser, nothing more.
To extrapolate from "Microsoft won't release a product pandering to the requirements of 0.0001% of their potential customers" to "Microsoft are not interested in their customers", is ludicrous. Microsoft are as interested in their customers as any corporation - that is, to the point of providing them with a product they'll pay for.
No matter how much a bunch of wannabe uber-geeks on Slashdot like to argue otherwise, very, very few people - even amongst the technically capable - have any desire to be piecing together their own OS like a patchwork quilt. Of those, the ones who want to do it with Windows are ever fewer. Microsoft aren't "ignoring their customers" by not having a version of Windows that's just a kernel and win32, they're choosing not to market their product towards a tiny proportion of a tiny proportion of the market.
It's really quite simple. If you want a platform that is infinitely customisable by the end user, that you have to put together yourself, that lets you chop and change even the finest detail, then Windows is not a product being marketed at you. Go and install Linux, FreeBSD, or something else that better suits your needs (or wants, as the case may be).
Here in Australia, we have not seen much evidence that we have to be afraid of our government unless we're committing crimes.
Like, say, recording a show off TV or downloading a song ?
How about engaging in some peaceful protest or exercising free speech ?
Maybe you'd like to ingest a harmless substance someone has decided you shouldn't ?
The fundamental flaw with the "if you're not doing anything wrong you have nothing to fear" line, is the implicit trust that the Government will never decide to define something you think is perfectly ok as "wrong". This trust is naive at best, blatantly stupid at worst.
We dont' even have a nationally established "freedom of speech".
Yes, we do, from legal precedent.
However, nobody who isn't taking part in illegal activity has ever been quashed or locked up under these laws.
The issue is not whether or not they have, but the fact they could be at all.
Personally, I'd love a national ID card. When so many places insist on a simple "Your mother's maiden name" as a form of identification outside of a non-photo/biometric ID, identity fraud is all too easy here.
Having to forge but a single piece of documentation to establish an unquestionable false identity is only going to make it easier.
I challenge anyone to find proof of the government using their databases they already have established here in Australia, of ever pursuing someone who was not suspected of committing a crime in the first place.
I am glad you trust all those people in Canberra to always do the right thing. I think it's an incredibly stupid thing to do, but at least you're happy doing it.
However, as always, I am amazed by people's complete and utter inability to learn anything from history.
I fail to see how an ID card, even a compulsory one, lets the government know any more about you than everything else it knows.
It doesn't. It does, however, let Governments (and their agents) know everything about you a hell of a lot *easier* that they otherwise would.
And this is the problem.
Currently, the scope for abuse by Governments is limited by beuracratic overhead. Certainly, between all of them, every Government department that knows about you, knows pretty much everything interesting there is to know. However, a person at department A can't throw in your Universal ID and potentially also be able to find out everything department's B and C know about you instantly.
Basically, if the Government wants to persecute you for whatever reason (and there are plenty), they currently need to expend a large amount of effort and time co-ordinating resources from various different departments who all hate each other (assuming they're even aware of each other's existence). A National ID makes this sort of information collection trivial - too trivial for it to not be abused, even if the abuse is not systemic.
Then there's the casual abuse it enables by Government agents like Police and welfare agencies. This is what most people will fall victim to.
Then there's the inevitable over-estimation of how reliable the system will be, such that the National ID is considered to be a failsafe, uncorruptable, infallible piece of documentation. Heaven help you if some part of your personal information is wrong or cross-referenced with someone else's, because you'll never be able to convince Government officials that their system is in error. Similarly, a forged National ID card will be vastly more successful for purposes of fraud simply because it will be assumed that such a forgery cannot occur.
A National ID card system offers benefits that are, at best, extremely questionable to the average citizen (mainly minor issues of convenience, very little of real substance), significant advantages to those with criminal intentions and makes systemic abuse far, far too easy.
In short, it's simply not worth the risk. The only types of people who push National ID systems as "good" are those who are either a) intent on abusing the system or b) assume Governments and their agents will always do the right thing. If there is one thing each and every Government has demonstrated time and time again, it is that it cannot be trusted to a) not abuse the powers it has, b) not attempt to expand its powers to enable further abuse and c) not screw up and expose its citizens to more risk. A Government is like a small child - you cannot expose it to temptation, because it has no self-control.
The issue is not the National ID card system you and I want, it's the National ID card system *they* want.
You're missing the point. There's a great deal of things that can be done *without* requiring root permissions. For example, deleting or modifying just about everything in /Applications and many things in /Library does *not* require any privilege escalation if a user is in the admin group ("admins" have write permissions to those locations and most files in them).
Legitimate applications don't spam the user with password prompts to be nice, they have no choice. Write some code requiring admin access some time and find out for yourself.
Anytime I - as an admin user - run a program installer than does nothing more than copy some files in /Applications and maybe ~, and it pops up a password request, I am being needlessly spammed. My user alredy has write permissions for that location, the machine shouldn't need to ask for any privilege escalation.
I've seen several application installs that do this, and they shouldn't.
However, it may just be that the developer has told the Installer to do something "tricky" - maybe chown the copied files to root:admin - and that's why the dialog is raising. I haven't looked into it that closely. I'd still consider that dialog spam, as well.
Now you can rely on user naivety (I suspect a lot would trust Bob's Smileys). But if you think you can get away without the password being asked you don't know that much about how user and process permissions work.
I know more than enough about unix permissions to see that a user in the "admin" group has write access to places like /Applications and /Library, and that this is a possible vector for malicious code to delete or modify files in these locations.
I'm glad this happens. My mother does the same thing, but that's because she's terrified of breaking her iMac. However, it's certainly not indicative of the typical user in my experience.
This is probably because of the differences in what we call a "typical user", however. I would expect that sort of behaviour from people using a computer for the first time (or a while thereafter), but not from people who had been using a computer constantly for 12+ months. It is these people who make up the bulk of the userbase and who are the most "dangerous". These are the people who forward millions of emails warning about the latest virus, then promptly go and get themselves infected with it anyway.
I think many non computer literate users don't like something that is not ordinary or looks like they need to enter a password for something that they didn't themselves do.
It doesn't take a great deal of time using OS X for that password prompt to become quite ordinary. What's particularly annoying is that it often pops up needlessly (eg: installing an application as an admin user that only drops files into /Applications and ~).
I encourage everyone to open up those links and draw their own conclusions. One thing you may wish to consider are the relative numbers of exploits - 28 vs 9 - of Apache and IIS over the last 3 years.
Actually, they're the most often compromised because of their userbase, because the vast majority of Windows "compromises" require user interaction to work.
It's very difficult to get that virus / worm / trojan to spread to other Linux machines. This is "compromising" Linux. And the reason for that is because Linux's security model and implementation is better than Windows.
No, it's because getting the average Windows user to execute arbitrary code is rarely more difficult than a "click here to see teh free b00bies" box. Getting the average Linux user to execute arbitrary code, OTOH, is substantially more difficult.
Linux's security and implementation aren't better than Windows, assuming you're comparing apples to apples (heavily customised and patched Linux installations ain't apples).
The majority of Windows exploits require interaction by the end user. They're not automatic, they're not remote and they're not really exploiting system weaknesses. While there have certainly been some high profile automated remote exploits for Windows, they're far from common - and most are patched before they're in the wild anyway.
The only thing that marketshare determines is the SPEED at which the virus / worm / trojan spreads. That's because with 90% of the market, the odds of any one infected machine finding an uninfected machine within a minute are very high.
No, it also determines the likelihood of a compromise occurring. More marketshare -> higher number of ignorant end users & more machines -> higher number of compromises.
There is also a correlation between OSes with smaller marketshare and those having userbases with lower levels of ignorance. Smarter users are less likely to be compromised, even by exploits that don't require end user interaction. They're also far, far more likely to notice their system has been compromised, fix it and protect it from happening again.
I find it really, really weird that so many people try to dismiss marketshare as irrelevant, when even a cursory evaluation shows it to be a critical factor of any given platform's "security problems".
'sudo blah' runs 'blah' as root.
'sudo -i' gets you a root shell.
Every time you type in your password at one of those "Enter your password" prompts you are running the subsequent code as root.
'sudo passwd root' enables the root account for a GUI login (assuming you type in a password).
I would call all of those fairly trivial.
The root user is disabled by default and can only be enabled by going into the network utility.
Because of the primitive unix security model, "disabling" the root account doesn't stop the ability to run code as root. It just stops you being able to directly login as root.
The vast majority of users have no idea the root user even exist.
Never the less, they are running code as root every time they type their password into one of those graphical (or console) sudo prompts.
The administrative user, which can su to root, is not the user default either.
This is not correct. The default first user created on an OS X system *is* in the admin group.
Even if someone is running as admin, they are presented with password request for every process launched.
Most of which are spurious. An "admin" user on OS X can do a *lot* of damage, even without elevating their privileges. Just because all your legitimate applications like to spam the user with password prompts, doesn't mean malicious code will.
Most Macs spend most of their time running in standard user space making it hard to seize control of the machine remotely.
I'm not sure what you're trying to say here.
I would say that the biggest problem windows permissions is not the permissions model per se but rather the large number of legacy/poorly written apps that will not work under it. A lot of windows boxes are running exposed because their apps won't work any other way.
This is certainly a problem. It is not, however, a problem that can be blamed on either Microsoft or Windows, certainly not any more.
I would argue that it has hardly been tested, so one can't really say that it has "proven" anything.
The usefulness of non-root users in protecting the typical desktop machines is *vastly* overstated. The only reason most malware fails with a low privilege account is because it is poorly written, not because it actually needs the higher privileges.
I'd have to say that being callous I have little concern for the user's own data. They should be backing it up anyway*. Nor can I see an easy way of protecting it (a database style approach may work, where the data is owned by another user and only accessible via specific client applications, but this would be annoying for many reasons).
Never the less, it is still the most important data on the machine. An OS (and applications) can be reinstalled in a matter of hours. Some types of data can *never* be recreated.
(This is why the "but it's a regular user account" is bogus for machines that aren't servicing multiple users.)
Installing automatically executing code that survives between reboots, without alerting the user, is not something anyone has yet achieved - despite the fact that there have been known auto-execution AND privilege escalation issues, no one has yet been able to combine the two in a dangerous way.
Well, it wouldn't be particularly *hard* - just get something into the user's LoginItems.
Added to that, get a user to throw in a password to a sudo prompt wouldn't be difficult, to get something in /etc/rc.local.
Of course, viruses aren't the only threat. Trojans are increasingly significant (especially as virus-delivery becomes harder on Windows) - and the Mac is not substantially more 'trojan-proof'.
I would argue that trojans are *very* significant. They're certainly the most common vector on Windows. Pretty much every "email virus" for example, is/was a trojan, as are most ActiveX exploits.
Apple, like Microsoft, deserve shooting for not incorporating backup as a standard feature in their consumer operating system - selling it as part of a .Mac subscription is completely underhand.
Microsoft at least have always included a backup program with Windows. The UI - along with automation for typical useres - however, could use improvement.
First, how about moving to least privileged users? Separating binaries and data: Program Files and Documents and Settings (usr/bin, /etc, /home). Shipping with only the necessary services turned on. Detaching IE from the OS. Sure, some of these have to wait for Vista, but they've already made improvements. Whether it is enough or is effective is up to debate, but Microsoft are making efforts.
These things are "taken from unix" only if your worldview ends at unix and windows.
Multiuser OSes were around before unix, and implemented better. Windows NT has always been multiuser.
Windows NT has always seperated user profiles from application files. Windows 9x has done it since about 1997 (although, obviously, it couldn't be enforced by filesystem permissions).
IE is no more "detached" (or "attached", for that matter) to the OS than it was before. It's architecture has remained basically unchanged since IE3 back in 1996. It's still just a shared component like khtml is in KDE.
Just about all the stuff you're talking about - and likely thinking of - aren't really changes to Windows at lower levels, they're just improvements in default configurations and UI.
I think the additional exposure this creates on modern systems is vastly overstated.
It's not like compiling code for an x86 Linux machine is a particularly difficult thing to do.
Ignoring that there's a *lot* that can be done without needing this, I think you vastly, vastly overestimate the number of users who will be "tipped off" by having to enter their admin password.
The Apple "limited-Administrator" model is vastly preferable to the "Everybody is totally-Administrator with no checks ever" model in Windows.
This is not the Windows security model.
Who's going to put in their Admin password to visit CNN.com?
Most of them. Why wouldn't they, if they needed to so they could visit cnn.com ? What bad thing would cnn.com possibly do to them ?
If it pops up at an unexpected time, the user becomes suspicious, and the machine is less likely to be exploited.
Most users have no concept of what is and isn't "an unexpected time". Users that realise this sort of thing, don't really need that level of protection in the first place.
Like what ?
Yes.
Shatter attacks require a) a local login and b) a suitably exploitable application.
It should not be difficult to see how an equivalent set of circumstances on other platforms would make them similarly vulnerable.
Not even *close* to as many as DOS and Windows. Heck, I don't think the number of MacOS Classic viruses even hit triple figures.
Even taking out the obligatory fifty-odd minor variants of every DOS/Windows virus, there would still be an order of magnitude plus more pieces of malicious code on that platform.
Added to that, MacOS - particularly in its heyday - had much more marketshare than it has now. Indeed, it's only relatively recently OS X has exceeded MacOS Classic in marketshare and both must share the relatively smaller MacOS pie.
OS X is substantially more resistant to virus attack than all prior Mac operating systems, and most default Windows installations.
Not really. Marginally more resistant, yes - many areas of the system are protected. Just about everything in /Applications and many parts of /Library, however, are writable by Admin users (the default for most users). Not to mention any files - both local and networked copied and/or created by the user themselves.
So, OS X *isn't* especially more resistant. Certain parts of the system will withstand an attack from malicious code, but many won't and neither will any of the user's own data (the most important on the machine).
Failing to be 'immune' does not mean 'equally vulnerable'.
Neither does "exploited more frequently" mean "less secure", but try explaining that to the typical slashbot.
The default installation implements much of what corporate Windows admins have to implement to secure a Windows system / will be implemented by default in Vista.
A default *corporate* Windows install is reasonable, assuming even a barely competent IT department. It's the default *non-corporate*, unmanaged install where OS X has a superior configuration (although realistically the additional protection is marginal).
That also describes the majority of Windows "viruses".
Don't bother with silly semantic games that only Slashbots care about. In the media when they say virus, they're talking about malware in general. Most Windows malware falls into the "trojan" category and requires varying levels of user interaction to get started.
Not only did the guy make a boneheaded move that would effect even the most secure operating system in the world, it was obviously apparent that the file being run was a virus the second he opened it. I don't think this is any cause for concern.
I do, because it's by far the most common vector for malware and, indeed, all security breaches.
It's also damn near impossible to defend against programmatically.
What's more, in order to inflict any serious damage on an OS X machine, you've got to provide the Administrator password.
Bollocks. For a start, any user can delete files they own - ie: the most important data on the machine.
Secondly, any user's account can turn the machine into just about anything an attacker might want, include allowing a remote login for further attempts at privilege escalation (because the OS X firewall is disabled by default).
Finally, any user in the Admin group (the default for most users) can delete (or modify !) not only just about everything in /Applications, but also other "system" files in /Library and /System.
It is impossible to run OS X as root.
Actually it's trivial. Running code as root is marginally easier than actually logging in to the GUI as root, but neither are particularly difficult to do.
If a program's trying to screw with your settings and files, you're going to know about it!
Highly doubtful. Most users have no ideas what processes run on the systems and even fewer actually monitor them.
Likewise, unlike Windows, file permissions are properly implemented (it's Unix after all...).
Windows's file permissions - indeed its security capabilities in general - are vastly more capable that OS X's.
In short the whole "but root is disabled" argument (and variants) is largely irrelevant. Elevated privileges are simply not required for the vast majority of things malware wants to do.
By your logic, because approximately 70% of the internet's web servers run Apache, [..]
(Wow, the good old Apache argument, what a surprise.)
Websites != Servers.
Also People Running Apache != People Running IIS. The bar for running an Apache server is set higher.
[...] we should be seeing tons of apache exploits, hacks, and viruses cropping up. The reason we don't is because Apache is a well-written and secure program, [...]
Actually we do. For the last few years, Apache has had a worse security record than IIS.
[...] and because administrators are generally not stupid enough to run unmarked executables.
Users are not administrators. Users have *extreme* difficulty identifying malicious code before running it.
OS X and unix are inherently more secure by design than Windows is.
False. There are many aspects of traditional UNIX "design" - including that in OS X - what are inherently less secure than Windows. For example, the concept of 'root'.
I'll go a step further and say that because OS X is only 5 years old, and NT has had 10+ years to mature, that Windows should be more secure than OS X is. We all know this isn't the case.
Firstly, the product OS X was is actually a touch older than NT. Secondly, it was basically yet another reimplementation of the flawed unix "design".
From a technical perspective, they have a *worse* security model.
(Note to standard responders: default configuration of user accounts for a certain subset of installations has *nothing* to do with the security *model*. It's a configuration semantics issue, nothing more.)
That doesn't mean they're as bad as Windows though, so if you say something like "Nor even markedly more resistant" how about you back up that comment...
Simply by observing that there's no technical aspect that *makes* them more resistant. A somewhat better default configuration ? Yes. Technical barriers ? No.
They have just been less targeted.
I cannot see the change to x86 having a significant impact on this situation. An increase in popularity, however, certainly will.
What's "inherently" insecure about AD and Exchange ?
I agree completely, and the kind of system you're thinking of is the kind of system that could actually make people's lives easier without adding significant risk of abuse.
Were I designing it, I would also add a feature that reported to the individual - via email, snail mail, whatever - whenever their personal data was accessed, by whom (both department and individual), why (a reason would have to be supplied to gain any access at all) and exactly what data was retreived. The system would be designed such that this feature was as difficult as humanly possible to work around.
However, this is *not* the kind of system the typical Government is talking about when they talk about "National ID". They want something that ties all your information together, to make it easier for them to access it quickly and, ideally, without your knowledge.
I do not trust anyone who seeks to put himself in a position of power over others and especially me. Very few people do this with altruistic goals and even of those that do, very few of them do not succumb to the subsequent corruption offered by the power they weild.
This describes 99% of politicians. Ergo, I don't trust them. I assume anything they do is either with objective of furthering their own personal ambitions, furthering their party's ambitions or reducing any possibility of their position being eliminated or otherwise endangered.
History demonstrates that this assumption holds in most cases, therefore is quite justifiable as the default. Better to be pleasantly surprised occasionally than bitterly disappointed most of the time, IMHO.
Speaking as someone running Windows with 2 or 3 - sometimes even 4, depending on whether or not I can "borrow" the extras - displays using up to 3 video cards, typically with dozens of windows open, along with a few VMWare machines running pretty much all the time, I think you're full of crap.
Currently - and it's a nice quiet weekend day - I have 37 windows open, spread amongst Word, Remote Desktop, Excel, Putty, GAIM, Thunderbird, Firefox (6 windows and 74 tabs on its own), IE, Explorer, VNC, X11 apps (Cygwin) and some horrible IP KVM client. There's also 3 VMWare machines running in the background. My uptime is sitting at 27.something days. By far the most unstable piece of software I run is Firefox, which is lucky to last more than a couple of days without freezing up (thank god for SessionSaver) and typically sits at 300M+ memory usage.
It's unfortunate you're having trouble running Windows stably, but I can confidently say Windows itself is not the problem.
I'll second that. I'm a SysAdmin by trade, originally FreeBSD and Solaris but currently almost 100% Linux[0] with a smattering of Windows (AD and fileservers). I've got a rough idea of what I'm doing when it comes to using unix.
Every 6 - 9 months I decide to give Linux a go on the desktop[1] (I long ago gave up on FreeBSD and Solaris as desktop platforms). I go through the usual suspects of desktop distros - RHEL/CentOS (for that "official" feeling), SuSe, Mandrake/Mandriva and more recently Ubuntu and Fedora, generally giving each one a week of full-time usage to try it out.
Generally it's the little things that eventually annoy me too much to continue. Inconsistent UI, copy & paste or drag & drop not working (or working inconsistently), applications that break, applications that have bugs that are "fixed in CVS" (which usually leads to good old dependency hell trying to install/update things outside of the package management system). Probably the biggest annoyance (ie: the one that has remained consistently bad for as long as I can remember) is multi-monitor support which - assuming you can get it going at all - is clumsy to setup and often breaks applications and GUIs in weird and wonderful ways.
OTOH, being a unix platform, in many ways it does allow easier interaction with other unix machines (eg: with X11 apps). But that list is just too small and not impressive enough to outweight the problems.
To put it bluntly, it's simply too much ongoing work to maintain and access functionality that should simply be transparent. Ubuntu has come closest, IMHO, to offering a decent alternative for an "it just works" desktop (except for its installer - why people rave about that I'll never know).
I don't care about the customisability of Linux for my desktop - while it's nice to be able to twist and mold servers into specific tasks, or tasks that are a bit out of the ordinary (which we do), I have zero interest in doing it on my desktop PC. I want it to work, to work consistently and to not get in the way of me doing my job. It should be little more than a transparent enabler device, not a patchwork quilt of loosely-connected functionality with an ongoing improvement plan.
[0] Personally I'm not a huge fan of Linux as a server, either - I think both FreeBSD and Solaris are superior in pretty much every way. Linux is the current darling, however, which means everyone supports it. (The exception to this is Linux's LVM and software RAID, which IMHO are its most impressive features and dramatically better than any other mainstream - ie: freely included - equivalents.)
[1] I'm talking about a work desktop here, not home. The only thing I do on my home PCs these days is play games and watch/record TV and movies. So I'm doing things like web browsing, word processing, spreadsheets, presentations, email, VMWare and dozens of SSH sessions. My platform of choice would actually be OS X, except that a) work won't buy me a Mac (although the new intel ones improve the chances markedly - I think I'll wait for 2nd gen 64bit machines to ask for one though) and b) it's annoyingly slow with anything other than trivial workloads (a couple of apps) or a monstrously fast Mac (dual G5 and up).
To get the customer's money, they must give him a product he is prepared to pay for.
What the customers wants or needs, ceased to be a microsoft priority since IBM and Intel provided them with the OS monopoly, their only goal has been the maintaining of and the exploitation of that monopoly for the maximum possible return.
If that is true then why has Microsoft released anything since DOS 3.3 and Windows 1.0 ? Why would Microsoft bother improving their products if they didn't care about their customers "wants or needs" ?
Your claim doesn't even pass the laugh test.
The costs and damages suffered by the customer in achieveing that are only now just starting to be addressed EU court cases, which is long over due, what will be interesting to see is whether the EU can create an effective resolution for europeon customers or whether they will buckle under the pressure (massive fines, enforced restrictions on future behaviour and ample oppurtunity for civil redress and class action law suits).
The EU case is cynical political maneuvering against one of the poster-children for "evil American capitalism". It's a fundraiser, nothing more.
To extrapolate from "Microsoft won't release a product pandering to the requirements of 0.0001% of their potential customers" to "Microsoft are not interested in their customers", is ludicrous. Microsoft are as interested in their customers as any corporation - that is, to the point of providing them with a product they'll pay for.
No matter how much a bunch of wannabe uber-geeks on Slashdot like to argue otherwise, very, very few people - even amongst the technically capable - have any desire to be piecing together their own OS like a patchwork quilt. Of those, the ones who want to do it with Windows are ever fewer. Microsoft aren't "ignoring their customers" by not having a version of Windows that's just a kernel and win32, they're choosing not to market their product towards a tiny proportion of a tiny proportion of the market.
It's really quite simple. If you want a platform that is infinitely customisable by the end user, that you have to put together yourself, that lets you chop and change even the finest detail, then Windows is not a product being marketed at you. Go and install Linux, FreeBSD, or something else that better suits your needs (or wants, as the case may be).
Like, say, recording a show off TV or downloading a song ?
How about engaging in some peaceful protest or exercising free speech ?
Maybe you'd like to ingest a harmless substance someone has decided you shouldn't ?
The fundamental flaw with the "if you're not doing anything wrong you have nothing to fear" line, is the implicit trust that the Government will never decide to define something you think is perfectly ok as "wrong". This trust is naive at best, blatantly stupid at worst.
We dont' even have a nationally established "freedom of speech".
Yes, we do, from legal precedent.
However, nobody who isn't taking part in illegal activity has ever been quashed or locked up under these laws.
The issue is not whether or not they have, but the fact they could be at all.
Personally, I'd love a national ID card. When so many places insist on a simple "Your mother's maiden name" as a form of identification outside of a non-photo/biometric ID, identity fraud is all too easy here.
Having to forge but a single piece of documentation to establish an unquestionable false identity is only going to make it easier.
I challenge anyone to find proof of the government using their databases they already have established here in Australia, of ever pursuing someone who was not suspected of committing a crime in the first place.
I am glad you trust all those people in Canberra to always do the right thing. I think it's an incredibly stupid thing to do, but at least you're happy doing it.
However, as always, I am amazed by people's complete and utter inability to learn anything from history.
Excellent work. Right up until this last sentence, I thought you were serious.
It doesn't. It does, however, let Governments (and their agents) know everything about you a hell of a lot *easier* that they otherwise would.
And this is the problem.
Currently, the scope for abuse by Governments is limited by beuracratic overhead. Certainly, between all of them, every Government department that knows about you, knows pretty much everything interesting there is to know. However, a person at department A can't throw in your Universal ID and potentially also be able to find out everything department's B and C know about you instantly.
Basically, if the Government wants to persecute you for whatever reason (and there are plenty), they currently need to expend a large amount of effort and time co-ordinating resources from various different departments who all hate each other (assuming they're even aware of each other's existence). A National ID makes this sort of information collection trivial - too trivial for it to not be abused, even if the abuse is not systemic.
Then there's the casual abuse it enables by Government agents like Police and welfare agencies. This is what most people will fall victim to.
Then there's the inevitable over-estimation of how reliable the system will be, such that the National ID is considered to be a failsafe, uncorruptable, infallible piece of documentation. Heaven help you if some part of your personal information is wrong or cross-referenced with someone else's, because you'll never be able to convince Government officials that their system is in error. Similarly, a forged National ID card will be vastly more successful for purposes of fraud simply because it will be assumed that such a forgery cannot occur.
A National ID card system offers benefits that are, at best, extremely questionable to the average citizen (mainly minor issues of convenience, very little of real substance), significant advantages to those with criminal intentions and makes systemic abuse far, far too easy.
In short, it's simply not worth the risk. The only types of people who push National ID systems as "good" are those who are either a) intent on abusing the system or b) assume Governments and their agents will always do the right thing. If there is one thing each and every Government has demonstrated time and time again, it is that it cannot be trusted to a) not abuse the powers it has, b) not attempt to expand its powers to enable further abuse and c) not screw up and expose its citizens to more risk. A Government is like a small child - you cannot expose it to temptation, because it has no self-control.
The issue is not the National ID card system you and I want, it's the National ID card system *they* want.