| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050112051557.GA8846@specialk> From: fd.lists.dmargoli at af0.net (Dan Margolis) Subject: [Fwd: Re: Microsoft AntiSpyware: Will it be free and Vulnerable] On Wed, Jan 12, 2005 at 05:30:08AM +0100, devis wrote: > Thats is where we do not agree. I do not beleive an user should be able > to install anything. I have set up few unfortunates of my clients that > get bugged randomly, with a 'user' limited user account and an admin > account. Sorry, I think I was unclear. I meant home users, which is why I referred to the PC's owner. I fully agree that in a corporate/educational/enterprise setting, users should not be admins. I merely intended to point out that a large percentage of PCs out there have "admins" who are ordinary users, and hence are prey to banner ads that promise to speed up one's connection, e-mails claiming to be from Microsoft, and the like. > Write a POC if it doesn't exist and please show that unix > spywares in the home directory of the user are efficient. It'd be trivial for me to write, say, a Perl script that daemonizes and uploads IP address information (in fact, these exist, as clients for services like DynDNS), who is logged on, etc. Or that uploads available logfiles (browser history, etc). Please don't make me go to the trouble to actually write this. And yes, it'd require a user to execute the code. But my point all along is that user privileges alone, so long as they are able to execute code (which they are on nearly every major Linux distro), are sufficient for running spyware. In other words, so long as there are ignorant users, there will be spyware and viruses and worms. This in no way is to say that OS security is not important, but, as I said before, to blame it solely on OS (in)security, or to assume that spyware -> insecurity, is incomplete. > but it does to install and therefore do its task. How so? Not if an ignorant user runs it voluntarily. You may be entirely right that much spyware on Windows exploits software holes, but much of it also does not (even I, a non-Windows user, knows of Kazaa, RealPlayer, and similar). > Not trusting the user to improve is a big mistake. not explaining why is > equally a big mistake. The products got to change, and the users will > learn. Education is the key, not covering the bad tracks of the OS writer. This is basically what I've been saying: user ignorance circumvents most software security. As long as the user (who is, of course, the admin as well on a home computer) is uneducated, he is vulnerable, hence my point before: software security is insufficient to prevent malware. It seems we agree, after all. :) -- Dan
Powered by blists - more mailing lists