| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <324B5FB5102B408BACD88A3FADC7CFA7@ionicoffice.ionic.co.uk> Date: Fri, 28 Aug 2009 14:50:10 +0100 From: "Michal" <michal@...rescope.co.uk> To: <full-disclosure@...ts.grok.org.uk> Subject: Re: [Fwd: Re: windows future] Computers are far too easy to use (and far too easy to use badly) so people use them very badly. There was a time when only people intelligent enough to use computers, could. This was one of the best things...though that being said there are many LOL's to be had because stupid people get on the internet. Example; http://www.theregister.co.uk/2009/08/24/4chan_pwns_christians/ -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Thor (Hammer of God) Sent: 28 August 2009 14:39 To: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] [Fwd: Re: windows future] > On Thursday 27 August 2009 13:33:37 Thor (Hammer of God) wrote: > > But that's the same on my Mac and Ubuntu distro too. The first user > is the > > admin. Granted, the default behavior on Mac/nix requires the admin > > password > > That's a big difference. Entering a password counts as more of a > deterrence. > Having seen my co-workers on their home machines, it's pretty clear > that it's > too easy to click OK without thinking. Entering a password, especially > when > the prompt doesn't occur as often as the UAC prompt is a more > significant > action. Personally, I prefer arrangements where the administrator uses > a > separate password. Not only do you need a password, but it's a > different one. > It's seldom used. The end user probably has to go look it up. I'm not a > big > fan of sudo. Right - which was my original point. Only if you are running as admin do you get the UAC "confirm" dialog (by default). I always run as a regular user, and must enter an admistrator username and password when I need to escalate. Even if you are running as admin, you still get the dialog, but you can certainly change that if you want to require an admin username and password. The point still stands: if you have ignorant users who won't read anything, but you insist on letting them run as admin (which is just crazy in the first place) then change the behavior of the UAC. They, of course, should be running as normal user anyway. Again, it's all in what you want. You can remove the UAC completely if you want to, but there's no feasible excuse to hold on to the "they running as admins, but won't read anything, and won't ever read anything, but we're going to let them continue to be admins even though they're stupid, but will still contend that it's the OS's fault" mindset. If the entire argument is around the default escalation behavior being "enter a password" (which they already know) vs clicking OK because you assume entering the password is more of a deterrent, then OK, but the premise of "the people I work with are too stupid to know the difference" kind of takes away from that. And one should also note that in a domain environment, the default behavior is indeed username and password. Just thought I'd throw that in as well. t _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists