lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <002d01c22c31$9002afb0$0a00a8c0@violetclub>
From: mail at blazde.co.uk (Roland Postle)
Subject: Counseling not to use Windows (was Re: Anonymous surfing my ass\!)

> because of programming errors.  Encoding metadata such as "executableness"
> in a filename, for example, is a fundamental design flaw, and one that's
> impossible to correct without changing Windows' design.

Sorry to pick on your example but an extension merly indicates what kind of
data is in the file. A .txt extension suggests that a user might want to
hand the file to a program that'll treat the file as plain ASCII, similarly
an .exe extension suggests that a user might want to give the file some
memory and time slices and treat it as a program in it's own right. You
could load the .exe into notepad, and you could execute the .txt file.

As for the actual security of whether a user /can/ execute a file, Windows
doesn't seperate 'read' and 'execute' privileges well enough. However it's
my understanding that's got more to do with the design of the x86 memory
architecture than Windows' design. Linux just pretends to seperate 'r' and
'x' privs because it's a unix clone. I'm prepared to stand corrected on that
though.

I agree completly that Windows does have some fundamental design flaws that
prevent it being locally secure. A better example might be the ability of an
application to send messages to another application, apparently without
regard for who the owner of the target application is.

- Blazde


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ